3695 Views, 0 Helpful, 10 Replies

Open ports on PIX 525

Sean McCoy
Level 1

Our high school has a view only video conference coming up. I need to open the following ports on my PIX:

H.323 uses these IP ports:

- Statically-assigned TCP ports 1718 – 1720 and 1731 for call setup and control.
- Dynamically-assigned UDP ports in the range of 1024 – 65535 for video and audio data streams.
- Port 5802 TCP and UDP

Video conference host IP is 216.27.100.165. Mask is 255.255.255.224. Thanks for any help you can provide.

10 Replies

Maykol Rojas
Cisco Employee

Hello,

For this kind of video conference you will only need to open port 1720, the Inspection or fixup of the pix will dynamically open those ports. Would you please paste your config file? The ACL would look like this

access-list permit tcp any host 216.27.100.165

Where the name of the ACL is the one that is applied on the outside interface.

If you have any doubts just let me know.

Mike

Mike-

Here's the config:

PIX Version 8.0(4)
!
hostname OBPS-PIX525
domain-name obps.org
enable password jtL8xjLlAxThYiA/ encrypted
passwd jtL8xjLlAxThYiA/ encrypted
names
name 208.81.64.0 MX-Logic
name 10.2.0.8 ADMIN-OWA description Outlook Web Access
name 10.2.0.11 STUDENT
name 10.2.0.32 ADMINEXCHSRVR
name 10.130.0.16 WEBCTRL description HVAC-Maintenance
name 10.2.0.250 ADMIN-FINANCE-INSIDE description SMARTS
name 204.8.197.45 ADMIN-FINANCE-OUTSIDE
name 208.65.144.0 MX_Logic_Subnet_1
name 208.81.66.0 MX_Logic_Subnet_10
name 208.81.67.0 MX_Logic_Subnet_11
name 208.65.145.0 MX_Logic_Subnet_2
name 208.65.146.0 MX_Logic_Subnet_3
name 208.65.147.0 MX_Logic_Subnet_4
name 208.65.148.0 MX_Logic_Subnet_5
name 208.65.149.0 MX_Logic_Subnet_6
name 208.65.150.0 MX_Logic_Subnet_7
name 208.65.151.0 MX_Logic_Subnet_8
name 208.81.65.0 MX_Logic_Subnet_9
name 10.2.0.28 FTP-Server
name 69.253.124.219 RealTime_IP_1 description RealTime-FTP access
name 204.12.13.17 RealTime_IP_2 description RealTime-FTP access
name 65.36.243.0 RealTime_IP_3 description RealTime-FTP access
name 173.161.190.1 CSI description Computer Solutions
name 71.187.160.210 NJN description Digital Classroom servers-OBHS
name 71.187.160.211 NJN-2 description Digital Classroom servers-OBHS
name 216.27.100.165 MAGPI description Video conference-OBHS
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 204.8.197.34 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.0.7 255.255.0.0
 ospf cost 10
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 4
 no ip address
 ospf cost 10
!
boot system flash:/pix804.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name obps.org
object-group service MAGPI5802 tcp
 description Video conference
 port-object eq 5802
object-group service MAGPI_H323 tcp
 port-object range 1718 h323
access-list 101 remark CSI Remote Access
access-list 101 extended permit tcp host CSI host ADMIN-FINANCE-OUTSIDE eq 3389
access-list 101 remark NJN Digital Classroom remote access
access-list 101 extended permit tcp host NJN host 204.8.197.44 eq 14730
access-list 101 remark NJN Digital Classroom remote access
access-list 101 extended permit tcp host NJN host 204.8.197.44 eq 14731
access-list 101 remark MX Logic inbound SMTP
access-list 101 extended permit tcp MX_Logic_Subnet_1 255.255.248.0 host 204.8.197.40 eq smtp
access-list 101 remark OWA access
access-list 101 extended permit tcp any host 204.8.197.37 eq www
access-list 101 remark OWA access
access-list 101 extended permit tcp any host 204.8.197.37 eq https
access-list 101 remark Telnet from outside to WAN Router
access-list 101 extended permit tcp any host 204.8.197.39 eq telnet
access-list 101 remark CSI Remote Access
access-list 101 extended permit tcp host 67.133.205.68 host 204.8.197.43 eq 3389
access-list 101 extended permit icmp any any
access-list 101 remark BCT Access to HVAC server at Maintenance
access-list 101 extended permit ip host 65.51.167.66 host 204.8.197.36
access-list 101 remark MX Logic inbound SMTP
access-list 101 extended permit tcp MX-Logic 255.255.252.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_2 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_3 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_4 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_5 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_6 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_7 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_8 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_9 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_10 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 remark MX Logic Inbound
access-list 101 extended permit tcp MX_Logic_Subnet_11 255.255.255.0 host 204.8.197.40 eq smtp
access-list 101 extended permit tcp host 204.8.197.33 host 204.8.197.47 eq ftp
access-list 101 extended permit tcp host RealTime_IP_2 host 204.8.197.47 eq ftp
access-list 101 extended permit tcp host RealTime_IP_1 host 204.8.197.47 eq ftp
access-list 101 extended permit tcp RealTime_IP_3 255.255.255.0 host 204.8.197.47 eq ftp
access-list 101 extended permit tcp host NJN-2 host 204.8.197.44 eq 14730
access-list 101 remark NJN Digital Classroom servers-OBHS
access-list 101 extended permit tcp host NJN-2 host 204.8.197.44 eq 14731
access-list 102 extended permit tcp any any eq www
access-list 102 extended permit tcp any any eq https
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit tcp any any eq domain
access-list 102 extended permit udp any any eq domain
access-list 102 extended permit tcp any any eq pop3
access-list 102 extended permit udp any any eq 110
access-list 102 extended permit icmp any any
access-list 102 extended permit tcp any any eq ftp
access-list 102 extended permit tcp any any eq aol
access-list 102 extended permit tcp any any eq ftp-data
access-list 102 extended permit tcp any any eq ldap
access-list 102 extended permit tcp any any eq 522
access-list 102 extended permit tcp any any eq 1503
access-list 102 extended permit tcp any any eq h323
access-list 102 extended permit tcp any any eq 1731
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.0.0.0
pager lines 10
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool VPNC 172.16.10.1-172.16.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-61557.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 204.8.197.35 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) tcp 204.8.197.44 14730 10.4.0.8 14730 netmask 255.255.255.255
static (inside,outside) tcp 204.8.197.44 14731 10.4.0.9 14731 netmask 255.255.255.255
static (inside,outside) ADMIN-FINANCE-OUTSIDE ADMIN-FINANCE-INSIDE netmask 255.255.255.255
static (inside,outside) 204.8.197.39 10.1.0.1 netmask 255.255.255.255
static (inside,outside) 204.8.197.36 WEBCTRL netmask 255.255.255.255
static (inside,outside) 204.8.197.43 STUDENT netmask 255.255.255.255
static (inside,outside) 204.8.197.37 ADMIN-OWA netmask 255.255.255.255
static (inside,outside) 204.8.197.40 ADMINEXCHSRVR netmask 255.255.255.255
static (inside,outside) 204.8.197.47 FTP-Server netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 204.8.197.33 1
route inside 10.0.0.0 255.0.0.0 10.1.0.1 1
route inside 192.168.0.0 255.255.0.0 10.1.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy remote internal
group-policy remote attributes
 wins-server value 10.2.0.33 10.2.0.25
 dns-server value 10.2.0.25 10.2.0.33
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username obpsra password oXNcK0VrEUAOE26p encrypted privilege 0
tunnel-group VPN_Client type remote-access
tunnel-group VPN_Client general-attributes
 address-pool VPNC
 default-group-policy remote
tunnel-group VPN_Client ipsec-attributes
 pre-shared-key *
!
class-map class_h323_ras
 match port udp eq 1718
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_h323_ras
  inspect h323 ras
!
service-policy global_policy global
smtp-server 10.2.0.32
prompt hostname context
Cryptochecksum:8f8cf9a4a3efc80fa4ce66d601270a1f
: end
OBPS-PIX525# EXIT

Logoff

Hello,

The line would be like this

access-list 101 permit tcp any host 216.27.100.165 eq 1720

Also, we need to know what is the real (Private IP) of the Video conference device in order to do the NAT translation.

Cheers.

Mike

Mike-

The video conference device is not on my network. I just want to allow those specified ports from 216.27.100.165 to any PC behind my PIX. Do we still need to do a NAT translation to the specific PC on my private network?

Hi Sean,

By default the ASA will allow outbound traffic and will block inbound traffic.

But the ASA will allow inbound traffic if that traffic is a response from traffic originated from the inside.

If you need to allow inbound ports through the ASA you need two things:

1. Static NAT

2. ACL permitting the ports

If you need to allow those ports but it's part of a videoconference application that originates from the inside, then the inspection engine on the ASA will open those ports dynamically for you.

If the computers internal to the PIX will initiate the outbound connection to the videoconference server, then the H.323 inspection should handle the communication for you.

Question:

Have you tried the actual communication and it's not working?

Federico.
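The two conditions Federico lists (a static translation for the public address and a permit in the ACL) and Mike's earlier point that the permit has to be in the ACL bound to the outside interface can be checked mechanically against a config dump. The script below is an added example written for this thread, not Cisco's code or anything the PIX itself provides: it parses only the "show run" subset used in the thread (name, access-list ... extended permit, access-group, static), resolves name aliases, and reports for a given inbound flow whether the outside ACL permits it and whether a static maps the public address to an inside host. The config fragment, the source 8.8.8.8 and the public address 204.8.197.50 are constructed for the demonstration; object-groups, source ports and deny lines are out of scope.

```python
"""Static check of an inbound flow against a PIX/ASA 8.0-style config.

Added example for this thread (not Cisco code). Rule applied: a flow arriving
on the outside interface reaches an inside host only if the ACL bound to
'outside' permits it AND a static translation exists for the public address.
"""
import ipaddress

# PIX service keywords accepted in place of a port number (subset).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
                 "www": 80, "http": 80, "pop3": 110, "https": 443, "h323": 1720}


def _port(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def _take_addr(tokens, names):
    """Consume 'any', 'host X' or 'NET MASK'; X/NET may be a 'name' alias."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    net = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect name aliases, permit entries per ACL, interface bindings and statics."""
    names, acls, bindings, statics = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                      # name <ip> <alias> [description ...]
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            proto, rest = t[4], t[5:]
            src, rest = _take_addr(rest, names)
            dst, rest = _take_addr(rest, names)
            port = _port(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((proto, src, dst, port))
        elif t[0] == "access-group":            # access-group <acl> in interface <if>
            bindings[t[4]] = t[1]
        elif t[0] == "static":                  # static (real,mapped) [tcp|udp] mapped [p] real [p] netmask m
            rest = t[2:]
            if rest[0] in ("tcp", "udp"):
                key, real = (names.get(rest[1], rest[1]), rest[0], _port(rest[2])), rest[3]
            else:
                key, real = (names.get(rest[0], rest[0]), None, None), rest[1]
            statics[key] = names.get(real, real)
    return {"names": names, "acls": acls, "bindings": bindings, "statics": statics}


def check_inbound(cfg, src_ip, dst_ip, proto, port, outside="outside"):
    """Say whether src -> dst:port arriving on `outside` can reach an inside host."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl_name = cfg["bindings"].get(outside)   # only the bound ACL counts
    permitted = any(
        aproto in ("ip", proto) and src in anet and dst in dnet and aport in (None, port)
        for aproto, anet, dnet, aport in cfg["acls"].get(acl_name, []))
    real = (cfg["statics"].get((str(dst), proto, port))       # port-level static first
            or cfg["statics"].get((str(dst), None, None)))    # then one-to-one static
    return {"acl": acl_name, "acl_permits": permitted, "static_to": real,
            "reachable": permitted and real is not None}


def explain(r):
    if r["reachable"]:
        return f"permitted by ACL {r['acl']} and translated to {r['static_to']}"
    if not r["acl_permits"]:
        return f"dropped: ACL {r['acl']} on the outside interface has no matching permit"
    return "dropped: ACL permits it, but no static NAT maps that public address inside"


# Constructed fragment modelled on the thread; 204.8.197.50 is a made-up address.
SAMPLE_CONFIG = """\
name 10.2.0.8 ADMIN-OWA description Outlook Web Access
name 216.27.100.165 MAGPI description Video conference-OBHS
access-list 101 remark OWA access
access-list 101 extended permit tcp any host 204.8.197.37 eq www
access-list 101 extended permit tcp host MAGPI host 204.8.197.50 eq h323
access-list 102 extended permit tcp any any eq telnet
static (inside,outside) 204.8.197.37 ADMIN-OWA netmask 255.255.255.255
access-group 101 in interface outside
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("8.8.8.8", "204.8.197.37", "tcp", 80),
                 ("216.27.100.165", "204.8.197.50", "tcp", 1720),
                 ("8.8.8.8", "204.8.197.37", "tcp", 23)]:
        print(flow, "->", explain(check_inbound(cfg, *flow)))
```

Run against the real dump, the third case is the instructive one: ACL 102 permits telnet and h323 from anywhere, but it is not bound to any interface, so it has no effect on inbound traffic. The second case is what Federico's "two things" rule predicts for a permit with no matching static.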

Federico-

I have entered the IP into the access list as Mike mentioned. I tried to connect via the URL provided from PC to the video conference device and I get the following:

Call ended due to network errors

When the PC goes to the URL, it is going to 216.27.100.165, correct?

Can you add:

policy-map global_policy
class inspection_default
  inspect icmp

And then check if you can PING that IP address from the PC.

If the PING is successful, you know you have connectivity.

Next step is verify the application access.

I don't see from the configuration the ACL applied to the outside interface, please include:

sh run access-group

We might need to open those ports and that's it.

If the problem persists, we can then capture the communication between the PC and the Server.


Federico.

Federico-

I'm currently able to PING that address without adding :

policy-map global_policy
class inspection_default
  inspect icmp

When I put a filter based on that IP address in ASDM, I see no traffic. I get the following when I do the sh run access-group command:

access-group 101 in interface outside

Any other thoughts?

Hello,

Sorry guys I was having lunch, I saw that Federico is online today... great help. Would you please enable the real time log viewer on the ASDM and try to do the connection again? See why the connection is being closed? You can add a filter and put the public IP address of the Video conference device and check the logs only related to that.

Cheers.

Mike

Maykol,

I hope I have those 3-hour lunches you guys take ;-)

Sean,

Let us know how it goes please.

Federico.
