11-16-2012 05:17 PM - edited 03-11-2019 05:24 PM
Dear All,
I have a VC system "Tandberg C60 Model" and an ASA firewall. The C60 unit is in the inside zone of the firewall and mapped to a real IP. From the outside, anyone can call me, make a video call and share his presentation "desktop" without any problem, and when I make a call it also works well. The problem is that when I try to share my desktop with the other site, he does not see the presentation and the call disconnects after a few seconds.
Hint:
When the VC system is connected directly to the router with a real IP, it works well bidirectionally.
ASA Config:
ASA Version 7.0(8)
!
hostname CRFW
domain-name CR.org
enable password ja7JlGww/OCQtJ0v encrypted
passwd zv/jqe4Rp2ry75// encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 196.221.68.97 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.65 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 40
ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 eq https
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 eq h323
access-list vc_daks_acl extended permit udp any host 196.221.68.100 eq 1719
access-list vc_daks_acl extended permit udp any host 196.221.68.100 range 2326 2485
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 range 5555 5574
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any echo-reply outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 196.221.68.100 192.168.10.30 netmask 255.255.255.255
access-group vc_daks_acl in interface outside
route outside 0.0.0.0 0.0.0.0 196.221.68.96 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 78oT4ziTSBGKRwvH encrypted privilege 15
username shereif password biVxeeF8XD3bj8xW encrypted privilege 15
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:877d1f83588a0db98a4e9db5eee70038
: end
Please, everyone help me to solve this issue...
Thanks
Omar Mahmoud
11-17-2012 02:32 AM
Hello Mahmoud,
Could you try disabling the h323 inspection as follows and give it a try:
configure terminal
policy-map global_policy
class inspection_default
no inspect h323 h225
no inspect h323 ras
exi
exi
clear local-host all
Regards
Harish
11-20-2012 04:45 AM
Hi Harish,
I did what you said, but the problem now is that I cannot be reached from the outside "could be called and hear tone only, and then the call will disconnect".
What do I have to do? Please advise me...
Thanks
Omar Mahmoud