https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161616#M877277 <HTML><HEAD></HEAD><BODY><P>I once setup Polycom and I had to add the followings:</P><P>1. Create an object group for the ports used by polycom</P><P></P><P>object-group service VIDEO tcp-udp</P><P> port-object range 3230 3235</P><P> port-object eq 1720</P><P> port-object eq 3603</P><P> port-object eq 389</P><P> port-object range 1718 1719</P><P> port-object range 3235 3258</P><P></P><P>2. Create an acl to allow video traffic</P><P></P><P>access-list from-Internet-In extended permit object-group TCP_UDP any host 208.x.x.x bject-group VIDEO</P><P></P><P>Hope this helps.</P></BODY></HTML> Mon, 26 Jan 2009 13:59:14 GMT Tshi M 2009-01-26T13:59:14Z https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161613#M877274 <P>Hi. In my office I have a Pix Firewall 525. That equipment had the 6.3 software version and it was updated to 7.2(4) and now I have a problem: When I try to do a Videoconference with a Polycom Camera, is no possible to connect. I've checked the protocols and I see that with this version, the PixFirewall doesn't manage the "fixup" command for use the h323 protocol. this was changed for a MPF command, because when in the pix I wrote "fixup protocol h323" I recieve an answer "INFO: converting 'fixup protocol h323' to MPF commands". Somebady can tell me how can I do to activate this service again? I think that for this reason I can't use the Videoconferece System. Thanks a lot.</P> Mon, 11 Mar 2019 14:41:29 GMT https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161613#M877274 fvelasco_rojas 2019-03-11T14:41:29Z https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161614#M877275 <HTML><HEAD></HEAD><BODY><P>Check the last part of your config. You should have several entries under a heading titled "policy-map global_policy" that looks something like this:</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns migrated_dns_map_1</P><P> inspect ftp</P><P> inspect h323</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect http</P><P> inspect netbios</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect skinny</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect sunrpc</P><P> inspect tftp</P><P> inspect sip</P><P> inspect xdmcp</P><P> inspect icmp</P><P> inspect pptp</P><P> inspect snmp</P><P>service-policy global_policy global</P><P></P><P>If the 'inspect h323' line is not in there, that is where you would add it instead of doing a 'fixup'</P><P></P><P>HTH,</P><P>Paul</P></BODY></HTML> Fri, 23 Jan 2009 22:57:03 GMT https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161614#M877275 pstebner10 2009-01-23T22:57:03Z https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161615#M877276 <HTML><HEAD></HEAD><BODY><P>Hi Paul and I apreciate your help, but it was the first instruction I checked, and that instruction is ok. I don't now if is necesary all the protocols that you say me, because my pix only has the following: policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect ptp inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect dns preset_dns_map --- Thanks a lot.</P></BODY></HTML> Mon, 26 Jan 2009 13:00:13 GMT https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161615#M877276 fvelasco_rojas 2009-01-26T13:00:13Z https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161616#M877277 <HTML><HEAD></HEAD><BODY><P>I once setup Polycom and I had to add the followings:</P><P>1. Create an object group for the ports used by polycom</P><P></P><P>object-group service VIDEO tcp-udp</P><P> port-object range 3230 3235</P><P> port-object eq 1720</P><P> port-object eq 3603</P><P> port-object eq 389</P><P> port-object range 1718 1719</P><P> port-object range 3235 3258</P><P></P><P>2. Create an acl to allow video traffic</P><P></P><P>access-list from-Internet-In extended permit object-group TCP_UDP any host 208.x.x.x bject-group VIDEO</P><P></P><P>Hope this helps.</P></BODY></HTML> Mon, 26 Jan 2009 13:59:14 GMT https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161616#M877277 Tshi M 2009-01-26T13:59:14Z https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161617#M877278 <HTML><HEAD></HEAD><BODY><P> I gotta ask, what does the PIX say? You either have a ACL drop or a policy drop. The PIX will log both.</P><P></P><P>Have you run packet tracer?</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426</A></P></BODY></HTML> Mon, 26 Jan 2009 16:53:43 GMT https://community.cisco.com/t5/network-security/pixfirewall-problems/m-p/1161617#M877278 duncanm 2009-01-26T16:53:43Z