Cisco PIX 501, Vonage, and QoS

Posts: 3 · New Forum Member Joined: Mar 08, 2005 Posts: 3

I searched the groups to find answers to my questions, but didn't quite find what I was looking for, so I appologize if this has been beaten to death...

I have a Cisco PIX 501 running a small home network. I am fairly new to the PIX, but understand the basics. My current configuration is:

[Internet]

[Cable Modem]

[PIX 501]

{ [MOTOROLA VT1005V] [PC] [PC] [PC] }

Basically the devices between the { } are in my private NAT network.

I have had pretty good success with Vonage; my cable connection is seems very fast and is rarely (if ever) congested, however I tend to use the Internet via my PCs a lot, which can dramatically affect call quality.

I started reading about QoS and it sounds like the recommended approach (from Vonage mind you), is to put the [VT1005] between the [PIX 501] and the [Cable Modem]. I am not too comfortable with this only because from a security standpoint, I have no idea what that opens up. I am comfortable with everything behind the PIX.

As I said things _work_ and I didn't have to change anything on the PIX, but is there a way I can take advantage of QoS, however? Does the PIX support this? I have read about opening ports, but not sure what the best approach is.

I don't know what fixup is, so if that is a suggestion, could someone please explain it to me.

I have the [VT1005] with a hard-coded IP on my local LAN. Should I open up ports 5060-5063 (incoming) to that device? UDP or TCP? What about ports 10000 - 10011 (as the Motorola doc recommends)? Are all these forwarding rules inbound rules?

This mainly stems from a review I just read about the new Linksys Router/Firewall/Wireless/VOIP device (from Cisco). It sounds like it does a lot--more importantly, the reviewer said since all of this is in one device, it handles QoS seamlessly and calls always sound great, even while downloading a lot from the internal network.

Also when I try to add a translation rule (via the PDM) to forward UDP 5061 to my [VT1005], I get the following warning:

Quote:

This static port mapping translation rule is overlapping with a dynamic address translation rule for inside: 0.0.0.0/0.0.0.0(any) using global pool 1. Do you wish to proceed?

I have no idea what this means, but I did notice that there is a rule in the list for port 5061--I know I didn't add it and I am the only one using the PIX. It's a dynamic mapping too, which I am not sure what that is either.

Any help would be appreciated.

Posts: 196

webview wrote:

I searched the groups to find answers to my questions, but didn't quite find what I was looking for, so I appologize if this has been beaten to death...

I have a Cisco PIX 501 running a small home network. I am fairly new to the PIX, but understand the basics. My current configuration is:

[Internet]

[Cable Modem]

[PIX 501]

{ [MOTOROLA VT1005V] [PC] [PC] [PC] }

Basically the devices between the { } are in my private NAT network.

I have had pretty good success with Vonage; my cable connection is seems very fast and is rarely (if ever) congested, however I tend to use the Internet via my PCs a lot, which can dramatically affect call quality.

I started reading about QoS and it sounds like the recommended approach (from Vonage mind you), is to put the [VT1005] between the [PIX 501] and the [Cable Modem]. I am not too comfortable with this only because from a security standpoint, I have no idea what that opens up. I am comfortable with everything behind the PIX.

As I said things _work_ and I didn't have to change anything on the PIX, but is there a way I can take advantage of QoS, however? Does the PIX support this? I have read about opening ports, but not sure what the best approach is.

I don't know what fixup is, so if that is a suggestion, could someone please explain it to me.

I have the [VT1005] with a hard-coded IP on my local LAN. Should I open up ports 5060-5063 (incoming) to that device? UDP or TCP? What about ports 10000 - 10011 (as the Motorola doc recommends)? Are all these forwarding rules inbound rules?

This mainly stems from a review I just read about the new Linksys Router/Firewall/Wireless/VOIP device (from Cisco). It sounds like it does a lot--more importantly, the reviewer said since all of this is in one device, it handles QoS seamlessly and calls always sound great, even while downloading a lot from the internal network.

Also when I try to add a translation rule (via the PDM) to forward UDP 5061 to my [VT1005], I get the following warning:

Quote:

This static port mapping translation rule is overlapping with a dynamic address translation rule for inside: 0.0.0.0/0.0.0.0(any) using global pool 1. Do you wish to proceed?

I have no idea what this means, but I did notice that there is a rule in the list for port 5061--I know I didn't add it and I am the only one using the PIX. It's a dynamic mapping too, which I am not sure what that is either.

Any help would be appreciated.

Don't waste your time. The Motorola does a cruddy job of QoS anyway. If your service works like it is, leave it alone. If you want to take a dive into QoS, buy the Linksys WRT54GS router and subscribe to Sveasoft.com to get their upgraded firmware for it.

Bottom line, "If it ain't broke, don't fix it."

Posts: 14 · Vonage Forum Associate Joined: Apr 01, 2003 Posts: 14

I know it's been a while since this post was originally made, but if you want to use the QoS, I would actually suggest that you put the Motorola unit between the modem and the PIX.

Especially for a "Security" standpoint, this is actually suggested. I would suggest that you set the IP of your PIX and set that as the DMZ of the Motorola unit.

Why do I say this is better for security? It's not that I don't trust Vonage, but is for some reason someone were to "hack" the Voip system, your LAN will be protected from the attacks, by having the Motorola unit behind the PIX, you actually give someone the ability to access your local LAN if they have the right hacks.

Posts: 3 · New Forum Member Joined: Mar 08, 2005 Posts: 3

Right now my PIX gets its IP via DHCP from the cable modem and then dishes out IPs to my private subnet (where the Motorola Voip sits). I understand that you said to put the device in between the cable modem and the PIX. Who gets the IP then? I only get one from my ISP

Posts: 14 · Vonage Forum Associate Joined: Apr 01, 2003 Posts: 14

The Vonage will get the IP. Your PIX will recieve a DHCP address from the Vonage box.

Posts: 3 · New Forum Member Joined: Mar 08, 2005 Posts: 3

Thanks for the reply.

Will the motorola Voip device pass through the IP or will it be in another subnet, such as:

motorola device gets 24.x.x.x from cable modem
cisco gets 192.0.x.x.x from motorola
PCs/lan get 192.1.x.x.x from pix

Posts: 14 · Vonage Forum Associate Joined: Apr 01, 2003 Posts: 14

Quote:

motorola device gets 24.x.x.x from cable modem
cisco gets 192.0.x.x.x from motorola
PCs/lan get 192.1.x.x.x from pix

Close. I belive the default subnet from the Motorola will be 192.15.x.x, but the theory is correct.

Posts: 533 · Posted: Wed Aug 03, 2005 9:40 am Post subject:

To answer the inbound/outbound port question, Vonage says they need both inbound and outbound for various services such as DNS, TFTP, SIP, RTP audio. Just from that statement you know they are just covering all bases by saying inbound and outbound because the TAs are not DNS or TFTP servers. Also, because of the range of ports they use for RTP audio (udp 10000-20000) it would be a headache to allow them inbound on a PIX to a device on the inside (since your inside addresses are private) without compromising security too much. So, I decided to just allow the ports outbound and everything has worked fine. I don't ever see Vonage trying to initiate any connections to my Linksys TA, except for ping, which you do need to make sure you allow inbound.

As far as the PIX in general supporting QoS, yes it does, BUT NOT on the 501. You need PIX code 7.0.x to support QoS, which is not yet available for the 501. Cisco says it's planned, but there is no timeframe for it. Most certainly Cisco will pull features from 7.0.x to allow it to function on a 501, so it's not even guaranteed that QoS will even be there when a 7.0.x version is issued for the 501.

If you put your PIX behind the Moto, the outside (WAN) interface of the Moto will get an IP address from the cable modem via DHCP. Then if you connect the outside interface of the PIX to the Moto, you can leave it setup for DHCP and it will get it's outside interface IP address from the Moto address pool. Then, just connect your PCs to the four ports of the PIX and it will still hand out IP addresses to them. You really don't have to worry about setting up the PIX in the DMZ of the Moto, I don't think that'll buy you anything.

I see what ghcjeff is saying about using this configuration. Basically you have a bit of an "untrusted' device on your network, the Moto. Both you and Vonage have access to it. So if a disgruntled Vonage employee comprimised the Moto, maybe they could to something to the rest of your network. However, I don't know what they could even do from a device like that. It's not all that functional to begin with. Personally I'd leave your setup like it is as I'd be more worried that someone could DoS the Moto if it is out in front of the PIX. Also, you lose PIX "protected" ports for your PCs if the Moto is out in front. If the PIX is out in front, you get three ethernet ports for the PC (the forth for the Moto) and all the ports on the Moto.

webview wrote:

Right now my PIX gets its IP via DHCP from the cable modem and then dishes out IPs to my private subnet (where the Motorola Voip sits). I understand that you said to put the device in between the cable modem and the PIX. Who gets the IP then? I only get one from my ISP