cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3957
Views
0
Helpful
9
Replies

CBAC with NAT and H.323 problem

Thorsten997
Level 1
Level 1

Hi all,

There is Cisco 1921 router at the edge of the network performing NAT service with software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2). Router is successfully performing NAT on IP packets, but IP address inside the payload (H.323 messages) remains unchanged (private). Because of that users on the inside network cannot establish video conferencing with remote users. VC is established normally among local users (because IP address both in IP header and in H.323 messages remains the same). How I can make NAT to change both address (in IP header and in H.323 messages) ? CBAC hasn't resolved my problem as well. I've done these things on router just to test CBAC:

      -Created extended access-list with permit ip any any

      -Applied it both to inside and outside interfaces of router   

      -Created ip inspect rule:

           ip inspect name TEST h323

           ip inspect name TEST h323-annexe

           ip inspect name TEST h323-nxg          {Last two lines I've added just to use all possible inspection with H.323}

      -Applied inspection rule to inside interface in incoming direction. No success.

      -Applied inspection rule to outside interface in outgoing direction. No success.

So how I can use NAT in conjunction with CBAC (or which another solution I can use) to NAT address both in IP header and inside H.323 message to make video conferencing succeed? Thanks.

9 Replies 9

Julio Carvajal
VIP Alumni
VIP Alumni

CBAC restrictions regarding H.323:

H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4.

Are you using one of those clients?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Unfortunately we are using Polycom devices. Are there any other ways to make that work?

Hello Thorr,

In fact I think this should be working, is there a way you can post your config (with some changes due to security purposes)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

There are the configs:

show access-lists

Extended IP access list 101

    10 permit ip any any (1964 matches)

show ip inspect all

Inspection Rule Configuration

Inspection name TEST

    h323 alert is on audit-trail is off timeout 3600

    h323-annexe alert is on audit-trail is off timeout 30

    h323-nxg alert is on audit-trail is off timeout 30

show running-config {some fragment}

interface GigabitEthernet0/0  {connects to provider}

ip address x.x.x.x x.x.x.x

ip access-group 101 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

interface GigabitEthernet0/1 {connects to inside network}

description connect to ASA outside

ip address Y.Y.Y.Y Y.Y.Y.Y

ip access-group 101 in

ip nat inside

ip inspect TEST in

ip virtual-reassembly

duplex auto

speed auto

standby delay minimum 20 reload 20

standby 10 ip Z.Z.Z.Z

standby 10 priority 110

standby 10 preempt delay minimum 20 reload 20 sync 10

standby 10 name Redundancy

{NATing Polycom's local IP to global one:}

ip nat inside source static A.A.A.A V.V.V.V redundancy Redundancy mapping-id 1  

ip nat inside source static B.B.B.B W.W.W.W redundancy Redundancy mapping-id 1

P.S.

There is Cisco ASA 5510 between router and internal switch. All ports (both in and out) are opened on ASA for Polycom devices.

Hello Thorr,

Are you doing inspection on the ASA for h323 and h323 ras??

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

No, I've turned off both h323 and h323 ras inspection on ASA. (The same result is achieved with inspection turned on on the ASA)

Hello Thorr,

ASA??? Isn't his a router running CBAC?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

No, ASA is between router and local network switch. As I'm doing NAT on border router I need addresses inside H.323 messages to be NATed too, so that's why I'm trying to use CBAC. (Some people states that CBAC in conjunction with NAT can translate addresses both in IP header and in H.323 messages)

Hello Thor,

That is correct, the embedded ip address should be translated, all you need is the H323 inspection

ip inspect xxxx h323            

ip inspect xxxx h323callsigalt

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card