11-08-2011 06:21 AM - edited 03-11-2019 02:47 PM
Hello good people,
We have just acquired a Cisco Profile 42 video conferencing equipment and I am required to open ports for SIP and H232. Any pointers on hw that can be acquired? I have a Cisco ASA 5510. Someone told me to open port 16384, but I need pointers on how to do it because I already set an access list to any.
the config
Internet -> ASA 5510 -> Switch -> Profile 42 and other devices
Any help will be appreciated.
11-10-2011 06:39 AM
Hi George,
Are you trying to open ports for inbound or outbound calls? Is the ASA using NAT or PAT for the video equipment on the inside when it goes out to the Internet?
-Mike
11-10-2011 07:01 AM
Thank you Mike,
I need to open both inbound and outbound calls; I need to be able to call and also receive. So I think at some point I need to forward traffic to the VC equipment from the firewall, like I directed SMTP to the mail server.
Thanks
11-10-2011 07:03 AM
I think NAT would be better, as I already see some NAT commands in the config.
11-10-2011 07:08 AM
Hi George,
In that case, you'll need to permit at least the signaling ports through your interface ACLs. For example, SIP uses port 5060 for signaling by default:
access-list outside_in permit udp any host <video-endpoint-ip> eq 5060
access-group outside_in in interface outside
An ACL on the inside interface is not required unless you already have one configured there (all traffic is permitted to the outside by default).
You can use the ASA's inspection engines to dynamically open the other ports required for the call on a per-session basis. This way, you only need to open the signaling ports and the inspection will automatically take care of the media ports:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
You can read more about the voice inspections here:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_voicevideo.html
If the ASA is configured for NAT, these inspections are absolutely required. This will allow the ASA to also perform NAT on any embedded IP addresses in the voice payload.
Hope that helps.
-Mike
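An added example, not part of Mike's reply or of Cisco's documentation: a small Python check that reads an ASA configuration as text and flags the patterns this thread touches on (an access list that permits any, a statically opened media port range such as one starting at 16384, and SIP signaling permitted without `inspect sip`). The sample config, the address 203.0.113.10, the finding names and the 100-port threshold are assumptions made for the illustration.

```python
import re

# Constructed sample, not taken from the thread. 203.0.113.10 is a
# documentation address standing in for the video endpoint.
SAMPLE_CONFIG = """\
access-list outside_in extended permit udp any host 203.0.113.10 eq 5060
access-list outside_in extended permit udp any host 203.0.113.10 range 16384 32767
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.+)$")
WIDE_RANGE = 100  # assumed threshold: a larger span counts as a static media range


def audit(config):
    """Return (finding, line) pairs for an ASA configuration given as text."""
    lines = [ln.strip() for ln in config.splitlines()]
    # The inspection may carry a map name after "sip", so allow trailing text.
    inspects_sip = any(re.fullmatch(r"inspect\s+sip(\s.*)?", ln) for ln in lines)
    findings = []
    for ln in lines:
        m = ACE.match(ln)
        if not m:
            continue
        _acl, proto, rest = m.groups()
        # An entry that permits everything makes the narrower entries moot.
        if proto == "ip" and rest.split() == ["any", "any"]:
            findings.append(("permit-ip-any-any", ln))
        # Media ports opened statically instead of per session by inspection.
        rng = re.search(r"\brange\s+(\d+)\s+(\d+)", rest)
        if rng and int(rng.group(2)) - int(rng.group(1)) > WIDE_RANGE:
            findings.append(("static-media-range", ln))
        # Signaling is allowed in, but nothing will open or NAT-fix the media.
        if re.search(r"\beq\s+(5060|sip)$", rest) and not inspects_sip:
            findings.append(("sip-signaling-without-inspect-sip", ln))
    return findings


if __name__ == "__main__":
    for finding, line in audit(SAMPLE_CONFIG):
        print(f"{finding}: {line}")
```

A configuration shaped like the one in the reply above (signaling port only, plus `inspect sip` in the global policy) produces no findings.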
11-10-2011 07:39 AM
Let me try that, then I will let you know.
Thank you so much