topic Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside in Network Security

PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

cperroquin — Fri, 21 Feb 2020 07:54:15 GMT

I tried to protect an IOS H323 Gateway with a PIX. The IOS gatekeeper is outside.

That's for a customer demo so I can't open a ticket.

I want the pix to allow the connection to the inside gateway only if there is an ACF between the gateway and the gatekeeper.

As stated in the documentation :

"The PIX Firewall administrator must open an access list for the well-known H.323 port 1720 for the H.225 call signaling. However, the H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the PIX Firewall opens an H.225 connection based on inspection of the ACF message."

In the real network, my customer will know the IP addresses of the remote Gatekeepers but not the IP addresses of the remote Gateways. He want to accept/refuse calls on his gatekeeper.

For my lab, I use 3*2600 with IOS (tm) C2600 Software (C2600-IS3X-M), Version 12.3(10a), RELEASE SOFTWARE (fc2) and 1 Pix 515E release 6.3.4.

This configuration :

- Gateway :

interface Ethernet0/0

ip address 192.168.0.5 255.255.255.0

h323-gateway voip interface

h323-gateway voip id gk.in.com ipaddr 10.30.100.153 1719

h323-gateway voip h323-id gw@in.com

h323-gateway voip tech-prefix 1#

voice-port 1/0/0

cptone FR

ip route 0.0.0.0 0.0.0.0 192.168.0.1

dial-peer voice 10 pots

destination-pattern 1234

port 1/0/0

dial-peer voice 11 voip

destination-pattern 2T

session target ras

gateway

- Firewall

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

access-list 103 permit ip host 10.30.100.153 host 10.30.100.152

ip address outside 10.30.100.151 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

static (inside,outside) 10.30.100.152 192.168.0.5 netmask 255.255.255.255 0 0

access-group 103 in interface outside

- Gatekeeper

interface Ethernet0/0

ip address 10.30.100.153 255.255.255.0

gatekeeper

zone local gk.in.com in.com

zone remote gk.out.com out.com 10.30.100.154 1719

zone prefix gk.out.com 2*

no shutdown

- Remote Gateway/Gatekeeper :

interface Ethernet0/0

ip address 10.30.100.154 255.255.255.0

h323-gateway voip interface

h323-gateway voip id gk.out.com ipaddr 10.30.100.154 1719

h323-gateway voip h323-id gw@out.com

h323-gateway voip tech-prefix 1#

voice-port 1/0/0

cptone FR

dial-peer voice 10 voip

destination-pattern 1T

session target ras

dial-peer voice 11 pots

destination-pattern 2345

port 1/0/0

gateway

gatekeeper

zone local gk.out.com out.com

zone remote gk.in.com in.com 10.30.100.153 1719

zone prefix gk.in.com 1*

no shutdown

- I could call outside but I can't receive calls.

- Is there a way to do it or did I misunderstand the documentation ?

- If this can't work with a PIX, what could be the solution ?

Regards

Charles Perroquin

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

nataraj_v — Sun, 30 Jan 2005 19:17:19 GMT

Dear charles ,

According to ur present access-list and static nat , ur pix allow return traffic from 10.30.100.153 (which is gatekeeper) to 192.168.10.5 . Make sure wether connections r initiated from only 10.30.100.153 r some other . And i advice nt to use ip in access-list. pls try to make a object-group for services.

Thanks and Regards.

Nataraj

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

cperroquin — Sun, 30 Jan 2005 19:56:01 GMT

Dear Nataraj,

I agree that I should modify this line :

access-list 103 permit ip host 10.30.100.153 host 10.30.100.152

like this

access-list 103 permit tcp host 10.30.100.153 host 10.30.100.152 1720

Also I agree that I will have others connections from 10.30.100.154. The point is that, I believe (wrongly/truly ?) that those connections will be open dynamicaly by the "fixup protocol h323 h225 1720" command.

Kind regards.

Charles

PS: My customer can't know the IP addresses of all the gateways (managed by other providers). And I can't allow everybody to connect to the gateway.

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

nataraj_v — Sun, 30 Jan 2005 20:12:30 GMT

Dear charles,

if u have other connections from 10.30.100.154 , u need to have access-list for them also. fixup protocol will not open any connections dynamically.

as per ur PS : to write a access-list u need to have either source address and destination address r u have to use any. if u dont have either choice ,nothing can be done.

Regards

Nataraj

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

cperroquin — Sun, 30 Jan 2005 20:28:02 GMT

I quoted below the documentation of the "fixup protocol H323 H225" command:

"When an H.323 gatekeeper is used, the PIX Firewall opens an H.225 connection based on inspection of the ACF message."

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378

To me, it seems that the firewall should opens an H225 connection based on the ACF message. This message is between the inside gateway and the gatekeeper.

Kind regards

Charles

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

cperroquin — Sun, 30 Jan 2005 22:25:27 GMT

Hi,

I'd just found a workaround : putting an H323 proxy on the gatekeeper:

- Gatekeeper/Proxy

interface Ethernet0/0

ip address 10.30.100.153 255.255.255.0

ip access-group 101 in

h323 interface

h323 h323-id px@in.com

h323 gatekeeper ipaddr 10.30.100.153

h323 t120 bypass

access-list 101 permit udp host 10.30.100.152 host 10.30.100.153 eq 1719

access-list 101 permit udp host 10.30.100.154 host 10.30.100.153 eq 1719

access-list 101 permit udp host 10.30.100.153 host 10.30.100.153 eq 1719

access-list 101 deny udp any host 10.30.100.153 eq 1719

access-list 101 permit ip any any

gatekeeper

zone local gk.in.com in.com

zone remote gk.out.com out.com 10.30.100.154 1719

use-proxy gk.in.com remote-zone out.com inbound-to gateway

use-proxy gk.in.com remote-zone out.com outbound-from gateway

use-proxy gk.in.com default inbound-to gateway

use-proxy gk.in.com default outbound-from gateway

zone prefix gk.out.com 2*

no shutdown

But the problem is still open (h323 proxy are CPU intense...).

Could it work without the h323 proxy ?

Kind regards,

Charles Perroquin

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

nataraj_v — Mon, 31 Jan 2005 03:00:42 GMT

Dear charles,

Pls look at this link.

www.njedge.net/documents/h323-video-pix.ppt

Thanks and Regards

Nataraj

Re: PIX protecting H323 IOS Gateway with IOS Gatekeeper Outside

nataraj_v — Mon, 31 Jan 2005 03:34:34 GMT

Dear Charles,

Pls go through these links too , hope they may help u.pls tell me the configuration once u fixed the issue.

http://www.njedge.net/techsection/firewall-codecs.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801fc74a.shtml

Thanks and Regards

Nataraj