
Need Teleworker Firewall setup notes for current versions of Cisco ASA.

Status
Not open for further replies.

tewman

IS-IT--Management
Apr 13, 2016
1
US
thread1329-1528299

Looking for the diagram and updated notes for current versions of IOS (9.2).
email - tewmaned at gmail dot com


Mitelmatt (Vendor) 9 Feb 09 13:48

Here you go, but there is a diagram with examples on it.

Let me know if you want an email:

The following are the Rules and NAT statements that are required for Mitel Teleworker to work through a Cisco PIX firewall, when the Teleworker is situated in a physical DMZ off the firewall as per the below diagram.
The operation of the Teleworker is that a phone on the internal network will access the outside (public) IP address of the Teleworker; in the case of the diagram above the IP address is 192.168.2.253 255.255.255.0. The call is then redirected to the Teleworker's actual IP address in the DMZ, in this case 192.168.4.1. The Teleworker then directs it out to the remote phone sitting on the internet.

The remote phone sitting on the internet makes a connection to the Teleworker's public IP address. The connection is redirected to the Teleworker on the DMZ and then directed to the phone sitting on the internal network.

The Teleworker also communicates with the 3300 on the internal network for its call control and call setup, before the voice stream takes the path as described above.

It is therefore necessary to allow both the 3300 and internal phones to communicate with the Teleworker and also to allow remote phones to communicate with the Teleworker via its public IP address. The firewall will also need to NAT the traffic from both the DMZ to the internet and the DMZ to the internal network.

The following configuration example is based on the above network diagram and assumes that there is an implicit rule that allows all internal traffic out of the firewall to both the internet and the DMZ. Although the configuration below shows two named access lists, these names have been picked for this example. In most cases these access lists will already exist for other network access and be applied to the relevant interfaces, so they just need appending with the lists below.

! Service groups: ports the Teleworker opens out of the DMZ to the internet and the internal network
object-group service out_teleworker_to_networks_tcp_ports tcp
 port-object eq 22
 port-object eq 80
 port-object eq 3300
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object range 6800 6803
 port-object range 3998 3999
 port-object eq 6880
object-group service out_teleworker_to_networks_udp_ports udp
 port-object eq 53
 port-object range 1024 65535
 port-object range 20000 23000
! Service groups: ports remote phones on the internet open to the Teleworker's public address
object-group service in_internet_to_teleworker_tcp_ports tcp
 port-object eq 3300
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object eq 443
 port-object range 6801 6802
 port-object eq 3998
 port-object eq 6880
object-group service in_internet_to_teleworker_udp_ports udp
 port-object range 20000 23000
!
! Inbound rule on the outside interface (pre-8.3 syntax: the ACL matches the public, translated address)
access-list outside_to_DMZ remark allows any outside device connection to teleworker
access-list outside_to_DMZ extended permit tcp any host 192.168.2.253 object-group in_internet_to_teleworker_tcp_ports
access-list outside_to_DMZ extended permit udp any host 192.168.2.253 object-group in_internet_to_teleworker_udp_ports
! Outbound rule on the DMZ interface: matches the Teleworker's real DMZ address
access-list DMZ_to_networks remark allows teleworker to connect to any network device
access-list DMZ_to_networks extended permit tcp host 192.168.4.1 any object-group out_teleworker_to_networks_tcp_ports
access-list DMZ_to_networks extended permit udp host 192.168.4.1 any object-group out_teleworker_to_networks_udp_ports
!
access-group outside_to_DMZ in interface outside_interface
access-group DMZ_to_networks in interface DMZ_interface
!
! Host statics (bidirectional NAT): a /32 mask so only the Teleworker address is translated
static (DMZ,outside) 192.168.2.253 192.168.4.1 netmask 255.255.255.255
static (DMZ,inside) 192.168.2.253 192.168.4.1 netmask 255.255.255.255



In most cases the changes that will need to be made are to allow the specific ports in and out for the Teleworker and to make sure the NAT is correct. The NAT statements are what Cisco refers to as bidirectional NAT, and without them there will be an issue with one-way voice.
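The same policy written in ASA 8.3 and later syntax (which is what a 9.2 box runs), as an added illustration that is not part of Mitelmatt's post and not Mitel's own notes. It keeps the addresses and port lists from the post above, assumes interface names outside, inside and DMZ, and carries the two post-8.3 changes that most often break a migrated Teleworker rule set: access lists now match the real (untranslated) DMZ address rather than the public one, and the two static statements become manual NAT rules, which are bidirectional by default.

```cisco
! Added example, not from the original post: ASA 8.3+ / 9.x equivalent of the PIX rules above.
! Assumed interface names: outside, inside, DMZ. Addresses and ports are those given in the post.
object network TW_DMZ
 host 192.168.4.1
 description Teleworker real address in the DMZ
object network TW_PUBLIC
 host 192.168.2.253
 description Teleworker mapped (public) address
!
object-group service out_teleworker_to_networks_tcp_ports tcp
 port-object eq 22
 port-object eq 80
 port-object eq 3300
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object range 6800 6803
 port-object range 3998 3999
 port-object eq 6880
object-group service out_teleworker_to_networks_udp_ports udp
 port-object eq 53
 port-object range 1024 65535
 port-object range 20000 23000
object-group service in_internet_to_teleworker_tcp_ports tcp
 port-object eq 3300
 port-object eq 2114
 port-object eq 2116
 port-object eq 35000
 port-object eq 37000
 port-object eq 443
 port-object range 6801 6802
 port-object eq 3998
 port-object eq 6880
object-group service in_internet_to_teleworker_udp_ports udp
 port-object range 20000 23000
!
! Manual (twice) NAT replaces the two PIX statics; a static source rule is bidirectional,
! so the same rule carries inbound connections to 192.168.2.253 and outbound ones from 192.168.4.1.
nat (DMZ,outside) source static TW_DMZ TW_PUBLIC
nat (DMZ,inside) source static TW_DMZ TW_PUBLIC
!
! Post-8.3 access lists name the REAL address (TW_DMZ), not the mapped one (TW_PUBLIC).
! Reusing the PIX inbound rule with host 192.168.2.253 here would silently match nothing.
access-list outside_to_DMZ remark allows any outside device connection to teleworker
access-list outside_to_DMZ extended permit tcp any object TW_DMZ object-group in_internet_to_teleworker_tcp_ports
access-list outside_to_DMZ extended permit udp any object TW_DMZ object-group in_internet_to_teleworker_udp_ports
access-list DMZ_to_networks remark allows teleworker to connect to any network device
access-list DMZ_to_networks extended permit tcp object TW_DMZ any object-group out_teleworker_to_networks_tcp_ports
access-list DMZ_to_networks extended permit udp object TW_DMZ any object-group out_teleworker_to_networks_udp_ports
!
access-group outside_to_DMZ in interface outside
access-group DMZ_to_networks in interface DMZ
```

To confirm the translation behaves like the old statics before cutting over, `show nat detail` should list both rules with TW_DMZ as the real source and TW_PUBLIC as the mapped source, and `packet-tracer input outside tcp 203.0.113.10 40000 192.168.2.253 3300` (203.0.113.10 is a constructed documentation address standing in for a remote phone) should show the UN-NAT phase rewriting the destination to 192.168.4.1 and the outside_to_DMZ access list permitting the flow; an ACL phase that drops here is the usual sign that the rule still references the public address. Note that the outbound UDP group from the post allows 1024-65535 from the DMZ to any destination; on a production unit it is worth narrowing `any` in DMZ_to_networks to the 3300 controller and the phone subnets where the deployment allows it.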
