topic CBAC with NAT and H.323 problem in Network Security

CBAC with NAT and H.323 problem

Thorsten997 — Mon, 11 Mar 2019 22:18:18 GMT

Hi all,

There is Cisco 1921 router at the edge of the network performing NAT service with software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2). Router is successfully performing NAT on IP packets, but IP address inside the payload (H.323 messages) remains unchanged (private). Because of that users on the inside network cannot establish video conferencing with remote users. VC is established normally among local users (because IP address both in IP header and in H.323 messages remains the same). How I can make NAT to change both address (in IP header and in H.323 messages) ? CBAC hasn't resolved my problem as well. I've done these things on router just to test CBAC:

-Created extended access-list with permit ip any any

-Applied it both to inside and outside interfaces of router

-Created ip inspect rule:

ip inspect name TEST h323

ip inspect name TEST h323-annexe

ip inspect name TEST h323-nxg {Last two lines I've added just to use all possible inspection with H.323}

-Applied inspection rule to inside interface in incoming direction. No success.

-Applied inspection rule to outside interface in outgoing direction. No success.

So how I can use NAT in conjunction with CBAC (or which another solution I can use) to NAT address both in IP header and inside H.323 message to make video conferencing succeed? Thanks.

CBAC with NAT and H.323 problem

Julio Carvajal — Tue, 24 Jan 2012 06:59:39 GMT

CBAC restrictions regarding H.323:

H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4.

Are you using one of those clients?

Regards,

Julio

CBAC with NAT and H.323 problem

Thorsten997 — Tue, 24 Jan 2012 07:10:55 GMT

Unfortunately we are using Polycom devices. Are there any other ways to make that work?

CBAC with NAT and H.323 problem

Julio Carvajal — Tue, 24 Jan 2012 18:08:44 GMT

Hello Thorr,

In fact I think this should be working, is there a way you can post your config (with some changes due to security purposes)

Julio

CBAC with NAT and H.323 problem

Thorsten997 — Wed, 25 Jan 2012 11:27:19 GMT

Julio,

There are the configs:

show access-lists

Extended IP access list 101

10 permit ip any any (1964 matches)

show ip inspect all

Inspection Rule Configuration

Inspection name TEST

h323 alert is on audit-trail is off timeout 3600

h323-annexe alert is on audit-trail is off timeout 30

h323-nxg alert is on audit-trail is off timeout 30

show running-config {some fragment}

interface GigabitEthernet0/0 {connects to provider}

ip address x.x.x.x x.x.x.x

ip access-group 101 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

interface GigabitEthernet0/1 {connects to inside network}

description connect to ASA outside

ip address Y.Y.Y.Y Y.Y.Y.Y

ip access-group 101 in

ip nat inside

ip inspect TEST in

ip virtual-reassembly

duplex auto

speed auto

standby delay minimum 20 reload 20

standby 10 ip Z.Z.Z.Z

standby 10 priority 110

standby 10 preempt delay minimum 20 reload 20 sync 10

standby 10 name Redundancy

{NATing Polycom's local IP to global one:}

ip nat inside source static A.A.A.A V.V.V.V redundancy Redundancy mapping-id 1

ip nat inside source static B.B.B.B W.W.W.W redundancy Redundancy mapping-id 1

P.S.

There is Cisco ASA 5510 between router and internal switch. All ports (both in and out) are opened on ASA for Polycom devices.

CBAC with NAT and H.323 problem

Julio Carvajal — Wed, 25 Jan 2012 17:14:11 GMT

Hello Thorr,

Are you doing inspection on the ASA for h323 and h323 ras??

Regards,

Julio

CBAC with NAT and H.323 problem

Thorsten997 — Thu, 26 Jan 2012 05:49:12 GMT

Julio,

No, I've turned off both h323 and h323 ras inspection on ASA. (The same result is achieved with inspection turned on on the ASA)

CBAC with NAT and H.323 problem

Julio Carvajal — Thu, 26 Jan 2012 17:10:28 GMT

Hello Thorr,

ASA??? Isn't his a router running CBAC?

CBAC with NAT and H.323 problem

Thorsten997 — Wed, 01 Feb 2012 17:25:06 GMT

Hi Julio,

No, ASA is between router and local network switch. As I'm doing NAT on border router I need addresses inside H.323 messages to be NATed too, so that's why I'm trying to use CBAC. (Some people states that CBAC in conjunction with NAT can translate addresses both in IP header and in H.323 messages)

CBAC with NAT and H.323 problem

Julio Carvajal — Wed, 01 Feb 2012 17:35:54 GMT

Hello Thor,

That is correct, the embedded ip address should be translated, all you need is the H323 inspection

ip inspect xxxx h323

ip inspect xxxx h323callsigalt

Regards,

Julio