topic Re: h323 and NAT issue in Network Security

h323 and NAT issue

olivier1977 — Wed, 13 Mar 2019 01:05:40 GMT

Hello all,

I have a router 1812 Version 12.4(15)T16, RELEASE SOFTWARE (fc2). Router is doing NAT.

I have a lifesize videoconference system. Calls with h323 are dropped after 30 seconds.

I have ip inspect rule :

[...]

- ip inspect name SDM_LOW h323

- ip inspect name SDM_LOW h323callsigalt

[...]

interface FastEthernet0

ip address xxx.xxx.xxx.xxx 255.255.255.248

ip access-group 102 in

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

crypto map SDM_CMAP_1

service-policy input sdmappfwp2p_SDM_LOW

service-policy output sdmappfwp2p_SDM_LOW

When I start a communication, I have

sh ip inspect sessions

Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN

Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN

Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN

Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN

Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING

Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING

Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING

Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING

Pre-gen session 85ADA648 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio

Pre-gen session 85AD92D0 192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video

Pre-gen session 85ADB6F8 192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data

Pre-gen session 85AD9008 192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio

Pre-gen session 85AE5848 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio

Where 192.168.200.200 is local IP and 50.59.87.241 the server I try to reach.

Any idea of what is going on ? Why calls are dropped after 30 seconds ?

Something with NAT ?

Re: h323 and NAT issue

alessandro.s — Tue, 01 Oct 2013 14:35:34 GMT

Hi Oliver,
try to disable h323 inspections, some videoconference systems does not work properly with inspection enabled and nat

hope this helps.

Regards

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Tue, 01 Oct 2013 15:11:20 GMT

Hi Alessandro.

I turned of h323.

Still the same. Communications shut down after 30 sec

Re: h323 and NAT issue

alessandro.s — Tue, 01 Oct 2013 15:17:16 GMT

Hi Oliver,
you turned off all h323 inspections ?
can you post complete configurtion of your router?

regards

Sent from Cisco Technical Support iPad App

Re: h323 and NAT issue

olivier1977 — Wed, 02 Oct 2013 08:29:47 GMT

Hi Alessandro,

configuration below :

ip inspect tcp reassembly queue length 200

ip inspect tcp reassembly timeout 10

ip inspect name SDM_LOW appfw SDM_LOW

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW http

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW h323callsigalt

ip inspect name SDM_LOW skinny

ip inspect name SDM_LOW sip-tls

ip inspect name SDM_LOW sip

ip inspect name SDM_LOW esmtp max-data 50000000

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW streamworks

WAN_INTERFACE = xxx.xxx.xxx

interface FastEthernet0

ip address WAN_INTERFACE.226 255.255.255.248

ip access-group 102 in

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

crypto map SDM_CMAP_1

service-policy input sdmappfwp2p_SDM_LOW

service-policy output sdmappfwp2p_SDM_LOW

Inbound ACL

access-list 102 remark SDM_ACL Category=3

access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log

access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log

access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log

[ Some ipsec rubles]

access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22

access-list 102 permit tcp any host WAN_INTERFACE.230 eq www

access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp

access-list 102 permit udp any host WAN_INTERFACE.227 eq 80

access-list 102 permit tcp any host WAN_INTERFACE.227 eq www

access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp

access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723

access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47

ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable

ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable

ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable

ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable

ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable

ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable

ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable

ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable

ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable

ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable

ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable

ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable

ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable

ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable

ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable

ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable

ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable

ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable

ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable

ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable

ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable

ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable

ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable

ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable

ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable

ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable

ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable

ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable

ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable

ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable

ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable

ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable

ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable

ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable

ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable

ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable

ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable

ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable

ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable

ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable

ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable

ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable

ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable

ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable

ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable

ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable

ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable

ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable

ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable

ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable

ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable

ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76

All SMD_RMAP are like this one below

route-map SDM_RMAP_32 permit 1

match ip address 141

access-list 141 remark SDM_ACL Category=2

access-list 141 deny ip host LAN_INTERFACE 10.0.5.0 0.0.0.31

access-list 141 deny ip host LAN_INTERFACE 10.0.5.40 0.0.0.1

access-list 141 permit udp host LAN_INTERFACE eq 60000 any

Re: h323 and NAT issue

alessandro.s — Wed, 02 Oct 2013 10:19:33 GMT

Hi Olivier,
first i suggest you to group pots you're using in acl in a service group to make your configuration simplest and easiest tor ead.
in most case the issue you're encountering it's port related, so be sure that ports you're permitting on your acl are the same your vdc is using for audio and video traffic. As i know H323 calls uses tcp 1720 port to estabilish connection then a random range of tcp/udp ports for audio and video. In your VDC system you can restrict this random range of ports so it uses always those ports for audio and video traffic.
then i suggest you to try configuring a 1:1 exclusive nat for the vdc system and restrict access from outside just with the acl. Also disable all h323 inspection.

hope this helps.

Regards

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Thu, 03 Oct 2013 10:24:19 GMT

Hi Alessandro,

So, I turned off h323

ip inspect name SDM_LOW appfw SDM_LOW

ip inspect name SDM_LOW http

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW esmtp max-data 50000000

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW sip-tls

ip inspect name SDM_LOW sip

I removed PAT

RTRSJM#sh run | i ip nat inside source

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0 overload

ip nat inside source route-map SDM_RMAP_79 interface FastEthernet0 overload

ip nat inside source route-map SDM_RMAP_80 interface FastEthernet0 overload

ip nat inside source route-map SDM_RMAP_81 interface FastEthernet0 overload

ip nat inside source static 192.168.200.200 WAN_INTERFACE.228 route-map SDM_RMAP_76

ip nat inside source static tcp 10.0.1.49 47 WAN_INTERFACE.226 47 route-map SDM_RMAP_83 extendable

ip nat inside source static tcp 10.0.1.49 1723 WAN_INTERFACE.226 1723 route-map SDM_RMAP_82 extendable

ip nat inside source static tcp 10.0.1.59 21 WAN_INTERFACE.227 21 route-map SDM_RMAP_14 extendable

ip nat inside source static tcp 10.0.1.42 25 WAN_INTERFACE.227 25 route-map SDM_RMAP_13 extendable

ip nat inside source static tcp 10.0.1.59 80 WAN_INTERFACE.227 80 route-map SDM_RMAP_5 extendable

ip nat inside source static udp 10.0.1.59 80 WAN_INTERFACE.227 80 route-map SDM_RMAP_9 extendable

ip nat inside source static tcp 10.0.1.42 110 WAN_INTERFACE.227 110 route-map SDM_RMAP_12 extendable

ip nat inside source static tcp 10.0.1.45 3389 WAN_INTERFACE.227 3389 route-map SDM_RMAP_11 extendable

ip nat inside source static udp 10.0.1.45 3389 WAN_INTERFACE.227 3389 route-map SDM_RMAP_8 extendable

ip nat inside source static udp 10.0.1.134 21 WAN_INTERFACE.229 21 route-map SDM_RMAP_26 extendable

ip nat inside source static tcp 10.0.1.134 80 WAN_INTERFACE.229 80 route-map SDM_RMAP_21 extendable

ip nat inside source static udp 10.0.1.134 80 WAN_INTERFACE.229 80 route-map SDM_RMAP_22 extendable

ip nat inside source static tcp 10.0.1.134 443 WAN_INTERFACE.229 443 route-map SDM_RMAP_23 extendable

ip nat inside source static udp 10.0.1.134 443 WAN_INTERFACE.229 443 route-map SDM_RMAP_24 extendable

ip nat inside source static tcp 10.0.1.139 22 WAN_INTERFACE.230 22 route-map SDM_RMAP_85 extendable

ip nat inside source static tcp 10.0.1.139 80 WAN_INTERFACE.230 80 route-map SDM_RMAP_84 extendable

RTRSJM#

route-map SDM_RMAP_76 permit 1

match ip address 188

access-list 188 remark SDM_ACL Category=2

access-list 188 deny ip host 192.168.200.200 10.0.5.0 0.0.0.31

access-list 188 deny ip host 192.168.200.200 10.0.5.40 0.0.0.1

access-list 188 permit ip host 192.168.200.200 any

But I also have dynamic NAT for subnet 192.168.200.0 /24

ip nat inside source route-map SDM_RMAP_79 interface FastEthernet0 overload

route-map SDM_RMAP_79 permit 1

match ip address 193

I still have the issue. Most of the time call ends after 30 sec, but now sometimes call ends after 5 or 6 minutes.

I wonder if i should have put the VDC in a separate VLAN and having only static NAT no dynamic.

Thx for your help.

Regards.

Re: h323 and NAT issue

alessandro.s — Thu, 03 Oct 2013 10:39:45 GMT

Hi Oliver,
what about access-lists? did you checked ports used by VDC for audio and video calls? I see that you have access-list 102 applied on your outside interface, is any access-list applied on inside interface?

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Thu, 03 Oct 2013 12:08:33 GMT

Hi Alessandro,

Please find below router's and VDC's configuration

RTRSJM#sh ip int brie

Interface IP-Address OK? Method Status Protocol

FastEthernet0 WAN_INTERFACE.226 YES NVRAM up up

Vlan1 10.0.0.254 YES NVRAM up up

Vlan2 192.168.0.254 YES NVRAM up up

Vlan5 192.168.71.1 YES NVRAM up up

Vlan192 192.168.200.1 YES NVRAM up up

RTRSJM#

RTRSJM#sh ip int fa0

FastEthernet0 is up, line protocol is up

Internet address is WAN_INTERFACE.226/29

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is 102

RTRSJM#sh ip int vl192

Vlan192 is up, line protocol is up

Internet address is 192.168.200.1/24

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

I have ACL in inbound WAN interface and fot NAT.

ACL 102 in the one hereabove.

does it matter if i have static and dynamic NAT for the same adress ?

Dynamic for the subnet and static for the VDC.

ip nat inside source route-map SDM_RMAP_79 interface FastEthernet0 overload

ip nat inside source static 192.168.200.200 WAN_INTERFACE.228 route-map SDM_RMAP_76

VDC configuration

Network • Reserved Ports

UDP Lowest Value: 60000

UDP Highest Value: 60023

TCP Lowest Value: 60000

TCP Highest Value: 60005

Network • NAT

Static NAT: Enabled

NAT Public IP Address: WAN_INTERFACE.228

thx for your help

Regards

Re: h323 and NAT issue

alessandro.s — Thu, 03 Oct 2013 14:20:46 GMT

Hi Olivier,
i think it does not matter if you use both static and dynamic nat, i often use this configuration with polycom VDC systems and they works great!
I noticed you are using an old IOS so i suggest you to upgrade to a15 IOS version then retry.
If you can, post some acl logs captured during a video call.

Regards

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Thu, 03 Oct 2013 14:37:53 GMT

Hi Qlessqndrom

Unfortunatly I'm not able to dl c181x-advipservicesk9-mz.124-15.T17.bin.

I don't have a service contract

Re: h323 and NAT issue

alessandro.s — Thu, 03 Oct 2013 14:59:55 GMT

hi Olivier,
according to lifesize admin guide

http://www.lifesize.com/~/media/Documents/Product%20Documentation/Video%20Systems/Guides%20and%20Reference/Video%20User%20Administrator%20Guide%2048%20EN.ashx

at page 41 try to enable static nat on your VDC appliance using public ip address you intend to use as outside address.

regards

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Thu, 03 Oct 2013 16:25:10 GMT

Yes it's already done

Network • NAT

Static NAT: Enabled

NAT Public IP Address: 86.xxx.xxx.228

regards

Re: h323 and NAT issue

alessandro.s — Thu, 03 Oct 2013 16:41:38 GMT

have you ever tried to disable this NAT rule on VDC appliance and make a videocall?

regards

Sent from Cisco Technical Support iPad App

h323 and NAT issue

olivier1977 — Mon, 14 Oct 2013 12:20:57 GMT

Hi,

I disabled NAT on the VDC. I'm not able to make calls anymore.

So I enabled NAT.

Anyway we ordered a new ADSL line dedicated to the visioconf.

Re: h323 and NAT issue

Ivaylo Georgiev — Mon, 27 Jan 2014 01:18:27 GMT

Oliver,

Did the additional line solve the problem?