PIX 520 and H323

tasksrl7808
Level 1

Hi!

As I wrote in my previous post, I have problems permitting H323 traffic through a PIX 520, IOS ver 6.3(3).

I used a configuration like the one reported in this documentation by CISCO:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801fc74a.shtml

but without any results.

Can someone help me?

Regards

Francesco

2 Replies

varakantam
Level 1

Can you post your complete config? Enable logging buffered at debug level and post the syslog received as well. 6.3 supports H323 v3/4.

This is the PIX configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside1 security50
[...]
hostname pixfirewall
domain-name [......]
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
[...]
access-list acl_outside permit tcp any host PIX-PUBLIC-IP eq h323

-----------> I have added these ACLs on the basis of the PIX logs:

access-list acl_outside permit udp any host PIX-PUBLIC-IP eq 1719
access-list acl_outside permit udp any host PIX-PUBLIC-IP range 20000 21000
access-list acl_outside permit udp any host PIX-PUBLIC-IP eq www
access-list acl_outside permit tcp any host PIX-PUBLIC-IP eq 20080

----------

logging on
logging trap debugging
logging host inside IP-ADDRESS
static (inside,outside) PIX-PUBLIC-IP PRIVATE-IP netmask 255.255.255.255 0 0
[...]
access-group acl_outside in interface outside
[...]
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
[...]

In particular, I cannot register an H323 outside endpoint to a Gatekeeper that is behind my PIX 520:

Feb 13 17:15:08 %PIX-6-302015: Built inbound UDP connection 65301120 for outside:OUTSIDE ENDPOINT/20084 (OUTSIDE ENDPOINT/20084) to inside:INSIDE ENDPOINT/80 (PIX PUBLIC INTERFACE/80)
Feb 13 17:15:08 %PIX-6-302015: Built inbound UDP connection 65301122 for outside:OUTSIDE ENDPOINT/20085 (OUTSIDE ENDPOINT/20085) to inside:INSIDE ENDPOINT/80 (PIX PUBLIC INTERFACE/80)
Feb 13 17:15:11 %PIX-6-302015: Built inbound UDP connection 65301154 for outside:OUTSIDE ENDPOINT/20087 (OUTSIDE ENDPOINT/20087) to inside:INSIDE ENDPOINT/1719 (PIX PUBLIC INTERFACE/1719)
Feb 13 17:15:17 %PIX-6-302015: Built inbound UDP connection 65301221 for outside:OUTSIDE ENDPOINT/20089 (OUTSIDE ENDPOINT/20089) to inside:INSIDE ENDPOINT/80 (PIX PUBLIC INTERFACE/80)
Feb 13 17:15:17 %PIX-6-302015: Built inbound UDP connection 65301222 for outside:OUTSIDE ENDPOINT/20090 (OUTSIDE ENDPOINT/20090) to inside:INSIDE ENDPOINT/80 (PIX PUBLIC INTERFACE/80)
..........
Feb 13 17:17:10 %PIX-6-302016: Teardown UDP connection 65301120 for outside:OUTSIDE ENDPOINT/20084 to inside:INSIDE ENDPOINT/80 duration 0:02:01 bytes 125
Feb 13 17:17:10 %PIX-6-302016: Teardown UDP connection 65301122 for outside:OUTSIDE ENDPOINT/20085 to inside:INSIDE ENDPOINT/80 duration 0:02:01 bytes 125
Feb 13 17:17:19 %PIX-6-302016: Teardown UDP connection 65301221 for outside:OUTSIDE ENDPOINT/20089 to inside:INSIDE ENDPOINT/80 duration 0:02:01 bytes 125
.......... and so on for each UDP port!

Thank you for the interest.

Regards

Francesco
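An added example (my own, not posted in this thread) that shows one way to read logs like the ones above: it correlates the %PIX-6-302015 (built) and %PIX-6-302016 (teardown) messages by connection id and summarises, per destination port, how many flows closed only because the UDP idle timer ran out with a handful of bytes, which is what you expect when the inside host never answers. It assumes the `timeout udp 0:02:00` value from the posted config; the sample lines and their documentation-range addresses are constructed, not Francesco's real hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the PIX 6.3 messages quoted in the thread.
# 203.0.113.10 = outside endpoint, 192.0.2.5 = inside host, 198.51.100.1 = PIX public IP.
SAMPLE_LOG = """\
Feb 13 17:15:08 %PIX-6-302015: Built inbound UDP connection 65301120 for outside:203.0.113.10/20084 (203.0.113.10/20084) to inside:192.0.2.5/80 (198.51.100.1/80)
Feb 13 17:15:08 %PIX-6-302015: Built inbound UDP connection 65301122 for outside:203.0.113.10/20085 (203.0.113.10/20085) to inside:192.0.2.5/80 (198.51.100.1/80)
Feb 13 17:15:11 %PIX-6-302015: Built inbound UDP connection 65301154 for outside:203.0.113.10/20087 (203.0.113.10/20087) to inside:192.0.2.5/1719 (198.51.100.1/1719)
Feb 13 17:17:10 %PIX-6-302016: Teardown UDP connection 65301120 for outside:203.0.113.10/20084 to inside:192.0.2.5/80 duration 0:02:01 bytes 125
Feb 13 17:17:10 %PIX-6-302016: Teardown UDP connection 65301122 for outside:203.0.113.10/20085 to inside:192.0.2.5/80 duration 0:02:01 bytes 125
"""

BUILT = re.compile(
    r"%PIX-6-302015: Built (?P<dir>inbound|outbound) (?P<proto>UDP|TCP) connection "
    r"(?P<id>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)"
)
TEARDOWN = re.compile(
    r"%PIX-6-302016: Teardown (?P<proto>UDP|TCP) connection (?P<id>\d+) .* "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

def parse_connections(log_text):
    """Map connection id -> flow details; duration/bytes stay None until a teardown is seen."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                              "dst": m["dst"], "dport": int(m["dport"]), "mapped": m["mapped"],
                              "duration": None, "bytes": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:  # ignore teardowns whose build was outside the window
            c = conns[m["id"]]
            c["duration"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c["bytes"] = int(m["bytes"])
    return conns

def summarize_by_port(conns, udp_idle_timeout=120, tiny_bytes=200):
    """Per (proto, dport): flows built, still open, and UDP flows that lived past the idle
    timer (assumed 0:02:00, as in the posted config) carrying only a few bytes, i.e. one-way."""
    summary = defaultdict(lambda: {"built": 0, "open": 0, "idle_expired": 0})
    for c in conns.values():
        s = summary[(c["proto"], c["dport"])]
        s["built"] += 1
        if c["duration"] is None:
            s["open"] += 1
        elif c["proto"] == "UDP" and c["duration"] >= udp_idle_timeout and c["bytes"] < tiny_bytes:
            s["idle_expired"] += 1
    return dict(summary)
```

Run against a real buffered log, a port whose flows are all `idle_expired` is one the inside host is not replying on, which separates a fixup or ACL problem from a host that simply is not listening.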
