I have to start by saying sorry for asking for help as I am not a Cisco guy and have no Cisco knowledge
A work for a company that is using A VoIP application across two sites connected via Cisco PIX 501
For the most of the time every thing is working fine but from time to time we get one way transmission on the handsets. The VoIP vendor is saying the problem is due to the PIX configuration but my maintainer of the PIX units is not the best and seems to not know what he is doing.
Here is what the VoIP vendor is saying:
The phones establish an H323 connection at logon time through which the mediastreaming is switched on/off on call activity on the phone. The special thing is here, that the RTP/RTCP ports that are negotiated at logon time are always used by the phone over all calls. The Phone controller relies on this behavior of the phones. The traceline indicates that the H323 negotiation (done in the context of a call) returned ports that are different of the ports negotiated at logon time.
The typical failure on the user interface is that the phone cannot hear, but is heard by the peer.
The H323 connection maintains two TCP connections between Phone controller and phone. What you see with the Pix VPN is that this device monitors and controls TCP connections such that a TCP connection is terminated after a certain time with no traffic on that connection. The PIX firewall sends in that case TCP RESET packets to both sides of the TCP connection. The Phone Controller immediately reestablishes the associated H323 connection and find the phone wants to use different ports.
You can configure the PIX firewall to not do terminate the TCP connections.
Here is the running configuration on the PIX
PIX Version 6.3(5) interface ethernet0 100full interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password encrypted passwd encrypted hostname PIX15 domain-name ****************.co.uk fixup protocol dns maximum-length 512 fixup protocol ftp 21 no fixup protocol h323 h225 1720 no fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 no names access-list 120 permit ip 192.168.8.0 255.255.255.0 192.168.15.02522.214.171.124 access-list 130 permit ip 192.168.8.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list 140 permit ip 192.168.8.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list 150 permit ip 192.168.8.0 255.255.255.0 192.168.18.0 255.255.255.0 access-list 100 permit ip 192.168.8.0 255.255.255.0 192.168.15.0 255.255.255.0 access-list 100 permit ip 192.168.8.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list 100 permit ip 192.168.8.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list 100 permit ip 192.168.8.0 255.255.255.0 192.168.18.0 255.255.255.0 pager lines 24 logging on logging host outside 80.229.XXX.XXX mtu outside 1500 mtu inside 1500 ip address outside XXX.XXX.XXX.XXX 255.255.255.252 ip address inside 192.168.8.151 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 192.168.8.150 255.255.255.255 inside pdm location 192.168.8.254 255.255.255.255 inside pdm location XXX.XXX.XXX.XXX 255.255.255.255 outside pdm location 192.168.7.0 255.255.255.0 outside pdm location 192.168.15.0 255.255.255.0 outside pdm location 192.168.16.0 255.255.255.0 outside pdm location 192.168.17.0 255.255.255.0 outside pdm location 192.168.18.0 255.255.255.0 outside pdm location 192.168.3.0 255.255.255.0 inside pdm history enable arp timeout 14400 global (outside) 1 172.16.8.153 netmask 255.255.255.0 nat (inside) 0 access-list 100 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 0.0.0.0 0.0.0.0 126.96.36.199 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.8.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt connection permit-pptp crypto ipsec transform-set myset esp-des esp-md5-hmac crypto map newmap 20 ipsec-isakmp crypto map newmap 20 match address 120 crypto map newmap 20 set peer 188.8.131.52 crypto map newmap 20 set transform-set myset crypto map newmap 30 ipsec-isakmp crypto map newmap 30 match address 130 crypto map newmap 30 set peer 184.108.40.206 crypto map newmap 30 set transform-set myset crypto map newmap 40 ipsec-isakmp crypto map newmap 40 match address 140 crypto map newmap 40 set peer 220.127.116.11 crypto map newmap 40 set transform-set myset crypto map newmap 50 ipsec-isakmp crypto map newmap 50 match address 150 crypto map newmap 50 set peer 18.104.22.168 crypto map newmap 50 set transform-set myset crypto map newmap interface outside isakmp enable outside isakmp key ******** address XXX.XXX.XXX.XXX 66 netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address .XXX.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address .XXX.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address .XXX.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 telnet 192.168.8.254 255.255.255.255 inside telnet 192.168.8.150 255.255.255.255 inside telnet timeout 5 ssh .XXX.XXX.XXX 255.255.255.255 outside ssh 192.168.8.0 255.255.255.0 inside ssh 192.168.3.0 255.255.255.0 inside ssh timeout 60 console timeout 0 vpdn group 1 accept dialin pptp vpdn group 1 ppp authentication mschap vpdn group 1 ppp encryption mppe 40 required vpdn group 1 pptp echo 60 vpdn group 1 client authentication local vpdn username s****l password ********* vpdn enable outside terminal width 132 Cryptochecksum: : end [OK] PIX15#
Can someone help me as I am now desperate