09-04-2003 10:55 PM - edited 02-20-2020 10:58 PM
H.323 net (10.0.0.?) --(in)PIX(out)-- netw A and W
Hi Experts.
In the scenario drawn above, I need the H.323 network on the inside to appear as two different networks on the outside, fixing up the H.323 protocol.
In other words, I need the H.323 network (10.0.0.?) to appear:
- as network a.b.c.? to network A.B.C.D, and
- as network w.x.y.? to network W.X.Y.Z
I'm going to implement the following Pix configuration (PixOS 6.3):
!
!statements 1
static (inside, outside) a.b.c.d1 access-list GK-TO-NET-A
static (inside, outside) a.b.c.d2 access-list GW-TO-NET-A
access-list GK-TO-NET-A permit ip host 10.0.0.1 A.B.C.D <mask1>
access-list GW-TO-NET-A permit ip host 10.0.0.2 A.B.C.D <mask1>
!
!statements 2
static (inside, outside) w.x.y.z1 access-list GK-TO-NET-W
static (inside, outside) w.x.y.z2 access-list GW-TO-NET-W
access-list GK-TO-NET-W permit ip host 10.0.0.1 W.X.Y.Z <mask2>
access-list GW-TO-NET-W permit ip host 10.0.0.2 W.X.Y.Z <mask2>
!
fixup protocol h323 h225
fixup protocol h323 ras
!
As far as I understand, the Policy NAT feature will translate traffic destined for the A.B.C.D network from 10.0.0.1 as a.b.c.d1,
and traffic destined for the W.X.Y.Z network from host 10.0.0.1 as w.x.y.z1.
In notation:
[SA=10.0.0.1; DA=A.B.C.?] (in) >>>>> (out)[SA=a.b.c.d1; DA=A.B.C.?]
[SA=10.0.0.2; DA=A.B.C.?] (in) >>>>> (out) [SA=a.b.c.d2; DA=A.B.C.?]
[SA=10.0.0.1; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z1; DA=W.X.Y.?]
[SA=10.0.0.2; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z2; DA=W.X.Y.?]
Now, I have 3 questions for you:
Q1.
Did I understand the Policy NAT feature correctly?
Q2.
If answer to Q1 is yes, does the reverse hold *for connections initiated from the outside*, that is:
[SA=A.B.C.?; DA=a.b.c.d1] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.1]
[SA=A.B.C.?; DA=a.b.c.d2] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.2]
[SA=W.X.Y.?; DA=w.x.y.z1] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]
[SA=A.B.C.?; DA=w.x.y.z2] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]
Q3.
If 10.0.0.1 (H.323 Gatekeeper) returns IP address 10.0.0.2 (H.323 Gateway) in an LCF RAS message when queried with an LRQ, will the Pix apply statements 1 and statements 2 *on the same packet* and transform the LCF message as follows:
LRQ: [SA=A.B.C.?; DA=a.b.c.d1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=A.B.C.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)
LCF: [SA=10.0.0.1; DA=A.B.C.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=a.b.c.d1; DA=A.B.C.?](H.323 LCF: for 1234, use GW a.b.c.d2)
LRQ: [SA=W.X.Y.?; DA=w.x.y.z1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=W.X.Y.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)
LCF: [SA=10.0.0.1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=w.x.y.z1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW w.x.y.z2)
Thank you!
michele
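The following is an added example, not part of the original post, that models the policy NAT semantics the question describes: a `static (inside,outside) <global> access-list <acl>` entry is only used when the inside host matches the ACL's source and the destination falls in the ACL's destination network, and the same entry answers outside-initiated traffic in reverse. The masked addresses from the post are replaced with constructed RFC 5737 documentation ranges (192.0.2.0/24 for A.B.C.D, 198.51.100.0/24 for W.X.Y.Z, 203.0.113.x for a.b.c.d1/d2 and w.x.y.z1/z2); `rewrite_lcf_gateway` models the embedded-address rewrite the poster asks about in Q3 by applying the same lookup to the gateway address carried inside the LCF, which is an assumption about the fixup rather than confirmation of it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ip = ipaddress.ip_address
net = ipaddress.ip_network


@dataclass(frozen=True)
class PolicyStatic:
    """One 'static (inside,outside) <global> access-list <acl>' entry, where the
    ACL is 'permit ip host <inside_host> <dest_net>'."""
    inside_host: ipaddress.IPv4Address
    global_addr: ipaddress.IPv4Address
    dest_net: ipaddress.IPv4Network


# Constructed placeholders standing in for the masked networks in the post.
NET_A = net("192.0.2.0/24")       # A.B.C.D <mask1>
NET_W = net("198.51.100.0/24")    # W.X.Y.Z <mask2>

STATICS = [
    PolicyStatic(ip("10.0.0.1"), ip("203.0.113.1"), NET_A),     # GK-TO-NET-A -> a.b.c.d1
    PolicyStatic(ip("10.0.0.2"), ip("203.0.113.2"), NET_A),     # GW-TO-NET-A -> a.b.c.d2
    PolicyStatic(ip("10.0.0.1"), ip("203.0.113.129"), NET_W),   # GK-TO-NET-W -> w.x.y.z1
    PolicyStatic(ip("10.0.0.2"), ip("203.0.113.130"), NET_W),   # GW-TO-NET-W -> w.x.y.z2
]


def translate_outbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Inside -> outside: first policy static whose inside host is the packet's
    source and whose ACL destination network contains the packet's destination.
    Returns (translated_src, dst) or None when no entry applies."""
    s, d = ip(src), ip(dst)
    for st in STATICS:
        if s == st.inside_host and d in st.dest_net:
            return str(st.global_addr), dst
    return None


def translate_inbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Outside -> inside (connection initiated from outside): the static is
    reversible, but only for a source inside the same ACL destination network.
    A global address reached from a network the ACL does not cover gets no
    translation, which is the exposure boundary this configuration defines."""
    s, d = ip(src), ip(dst)
    for st in STATICS:
        if d == st.global_addr and s in st.dest_net:
            return src, str(st.inside_host)
    return None


def rewrite_lcf_gateway(src_inside: str, dst_outside: str, gw_inside: str) -> Optional[str]:
    """Models Q3: the gateway address embedded in an LCF sent by src_inside to
    dst_outside is rewritten with the policy static that matches (gw_inside,
    dst_outside). Assumption about the fixup's behaviour, not a statement of it."""
    if translate_outbound(src_inside, dst_outside) is None:
        return None  # the carrying packet itself would not be translated
    hit = translate_outbound(gw_inside, dst_outside)
    return hit[0] if hit else None


if __name__ == "__main__":
    # Gatekeeper talking to network A and to network W appears under two globals.
    print(translate_outbound("10.0.0.1", "192.0.2.10"))      # ('203.0.113.1', '192.0.2.10')
    print(translate_outbound("10.0.0.1", "198.51.100.10"))   # ('203.0.113.129', '198.51.100.10')
    # Reverse direction holds only from the matching network.
    print(translate_inbound("192.0.2.10", "203.0.113.2"))    # ('192.0.2.10', '10.0.0.2')
    print(translate_inbound("198.51.100.10", "203.0.113.2")) # None
    # Embedded gateway address in an LCF toward network W.
    print(rewrite_lcf_gateway("10.0.0.1", "198.51.100.10", "10.0.0.2"))  # 203.0.113.130
```

The `None` results are the part worth checking on a real box with `show xlate` and `show conn`: a global address that is only defined against one destination network should not be reachable from any other network, and an H.323 fixup that does not rewrite the embedded gateway address would leak the 10.0.0.2 address to the far side.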
09-10-2003 09:08 AM
Please give me an update on this; I would like to implement the same.
Thanks.