12223 Views | 0 Helpful | 5 Replies

Polycom behind ASA 5510 issues

Thorsten997
Level 1

Hi All,

There are two Polycom devices behind an ASA (an HDX7000 terminal and an RMX1000 MCU); the ASA is connected to a Cisco 1900 router, which is connected to the ISP.

The Polycom devices are NATed (unique global address per device) on the router, and H.323 inspection is done on the ASA. The issue is that when trying to connect from outside to a conference on the MCU I don't receive any video (but the MCU shows me as a connected participant). The same is true when the MCU tries to call outside terminals: they are shown as connected participants, but there is just a black screen. On the ASA all ports are open (both in and out) and there are no ACLs on the router. And what does the NAT configuration option on the Polycom devices mean; why is it needed when NAT is done on the router (I've seen the same configuration option on Tandberg and other vendors' devices)?

5 Replies

Julio Carvajal
VIP Alumni

Hello Thor,

If NAT is done on the router, you can just do an identity NAT on the ASA. I mean, if NAT control is enabled you will need to have the NAT as a requirement to allow the connection from the lower security level to the higher security level.

Now, for the communication issue, you can create some captures and see if the ASA is dropping some packets or if the problem is due to one of the sides of the connection.

Do rate helpful posts!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I have read some papers which state that there are embedded IP addresses in H.323 messages, and that a common call-setup problem is that the called endpoint uses the IP address in the received H.323 messages as the destination address; this problem exists in our network. Our network also has a gatekeeper (Polycom PathNavigator). As I understand it, the reason for the problem is:

When a local terminal with IP address A.A.A.A (registered to the GK) calls an outside terminal, it begins sending H.323 messages to the GK {the address both in the IP header and embedded in the H.323 msg is A.A.A.A}; then the GK rewrites the embedded address to its own (e.g. B.B.B.B) and sends it to the outside terminal {now the address in the IP header is A.A.A.A but the address in the H.323 msg is B.B.B.B}; then the packet arrives at the border router, which NATs the local A.A.A.A address to the globally unique G.G.G.G and sends it on to the outside terminal {now the address in the IP header is G.G.G.G but the address in the H.323 msg is B.B.B.B}; when the outside terminal receives that message it will try to respond to the address in the H.323 msg, B.B.B.B (which is not a routable address), and sends it to its default gateway, and this packet will eventually be dropped by the provider. So I need to change the embedded address in H.323 msgs to the global NAT'd IP address. When I check the NAT option in the Polycom terminal configuration it uses the global NAT'd address in H.323 msgs instead of the local one, but that makes a problem for local endpoints trying to call that terminal (as they need to send packets to the global address), and there would also be problems with the GK (as it will rewrite the H.323 address to its own). My question is how I can change the embedded address in H.323 msgs. Is it possible on the ASA 5510 to rewrite that address to a specified one (required to modify only the H.323 embedded address, not the IP header address, because the border router is doing that NAT), or is it possible to rewrite the embedded address on the border router (Cisco 1900 with IOS Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5)? What could you suggest to solve that problem?
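
The address flow described in this post, as an added toy model in Python (not Polycom or Cisco code, and not part of the original thread). The addresses, the gatekeeper and the NAT tables are constructed, and a call-setup message is reduced to its two address fields. The model follows the post's own sequence of hops (terminal, gatekeeper, ASA, border router) and shows why a header-only NAT leaves the far end with an unroutable reply address; as a contrast it also shows the general mechanism of an H.323 ALG such as the ASA's inspection, which can only fix up embedded addresses that sit in its own translation table (the second scenario assumes a static NAT per device configured on the ASA instead of the router).

```python
"""Toy model of the H.323 embedded-address problem from the thread.

Constructed example, not Polycom or Cisco code. A call-setup message carries
two addresses: the one in the IP header and the one embedded in the H.225
payload. Plain NAT rewrites only the header; an H.323 ALG (what the ASA's
'inspect h323' does) rewrites the payload too, but only for translations it
owns.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class H323Msg:
    ip_src: str     # source address in the IP header
    embedded: str   # address carried inside the H.225 payload


# Constructed addresses standing in for the post's A.A.A.A / B.B.B.B / G.G.G.G.
LOCAL_TERMINAL = "10.0.0.10"
GATEKEEPER = "10.0.0.5"
GLOBAL_TERMINAL = "203.0.113.10"
GLOBAL_GATEKEEPER = "203.0.113.5"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reachable_from_internet(addr: str) -> bool:
    """A private (RFC 1918) reply address is dropped by the provider, as the post notes."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def gatekeeper_routed(msg: H323Msg, gk_addr: str) -> H323Msg:
    """A routed-mode gatekeeper replaces the embedded address with its own (B.B.B.B)."""
    return replace(msg, embedded=gk_addr)


def header_only_nat(msg: H323Msg, table: dict) -> H323Msg:
    """NAT without an H.323 ALG (the border router in the thread): header only."""
    return replace(msg, ip_src=table.get(msg.ip_src, msg.ip_src))


def alg_nat(msg: H323Msg, table: dict) -> H323Msg:
    """NAT with H.323 inspection: header and embedded address are rewritten,
    but only for addresses present in this device's own translation table.
    With an empty table (identity NAT on the ASA) the payload is untouched."""
    msg = header_only_nat(msg, table)
    return replace(msg, embedded=table.get(msg.embedded, msg.embedded))


def trace_call(router_table: dict, asa_table: dict):
    """Walk one outbound Setup from the local terminal to an outside endpoint
    along the post's path: terminal -> GK -> ASA -> border router -> outside.
    Returns (message as seen by the outside terminal, whether it can reply)."""
    msg = H323Msg(ip_src=LOCAL_TERMINAL, embedded=LOCAL_TERMINAL)
    msg = gatekeeper_routed(msg, GATEKEEPER)   # payload now carries B.B.B.B
    msg = alg_nat(msg, asa_table)              # ASA: inspection plus its own NAT
    msg = header_only_nat(msg, router_table)   # border router: header only
    return msg, reachable_from_internet(msg.embedded)


# Scenario 1, as in the thread: NAT on the router, identity NAT on the ASA.
THREAD_SETUP = (
    {LOCAL_TERMINAL: GLOBAL_TERMINAL, GATEKEEPER: GLOBAL_GATEKEEPER},  # router
    {},                                                                # ASA
)
# Scenario 2 (assumed alternative): the same static translations held by the
# ASA, where inspection can see and fix the embedded address; router passes through.
ASA_NAT_SETUP = (
    {},
    {LOCAL_TERMINAL: GLOBAL_TERMINAL, GATEKEEPER: GLOBAL_GATEKEEPER},
)

if __name__ == "__main__":
    for label, (router, asa) in (("NAT on router", THREAD_SETUP),
                                 ("NAT on ASA", ASA_NAT_SETUP)):
        seen, ok = trace_call(router, asa)
        print(f"{label}: header src {seen.ip_src}, embedded {seen.embedded}, "
              f"far end can reply: {ok}")
```

The first scenario reproduces the black-screen symptom: the header is translated to G.G.G.G, but the payload still says B.B.B.B, so the far end replies to an address the provider drops. The second scenario is the mechanism the Cisco documentation quoted later in the thread relies on: the device that owns the translation is the one whose H.323 inspection can rewrite the embedded address.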

searskarthik
Level 1

Please check the H.323 inspection in the ASA 5510; there could be a chance of it dropping H.323 packets. Also check the OS version.

thanks

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"

Inspection-related config:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect rtsp
  inspect skinny
  inspect h323 ras
  inspect h323 h225

Can I NAT only the local addresses embedded in H.323 msgs to global ones, and not the addresses in the IP header (because those are NAT'd on the border router)?

Hi

Please do packet capturing from your firewall interface and check the NAT translation in your router.

Limitations and Restrictions

The following are some of the known issues and limitations when using H.323 application inspection:

Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.

H.323 application inspection is not supported with NAT between same-security-level interfaces.

When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in either direction. This problem is unrelated to the ASA.

If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails.

Please check the URL:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_voicevideo.html

From the FW, check:

sh service-policy inspect h323 ras
sh service-policy inspect h323 h225

and check for any drops.

thanks

Karthik
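
The "check any drops" step above, as an added Python example that is not part of the thread and not Cisco tooling. It parses two snapshots of `show service-policy inspect h323` output taken before and after a test call and reports only the inspection counters that grew. The sample text is constructed, modelled on the ASA counter line `Inspect: <protocol> <map>, packet N, drop N, reset-drop N`; the exact line format, the `_default_h323_map` name and the `tcp-proxy` line are assumptions to verify against your own device before trusting the regex.

```python
"""Diff two 'show service-policy inspect h323' snapshots and flag drops.

Constructed example, not Cisco tooling. The counter line format assumed here
('Inspect: h323 h225 <map>, packet N, drop N, reset-drop N') is modelled on ASA
8.x output; confirm it against real output before relying on COUNTER_RE.
"""
import re

COUNTER_RE = re.compile(
    r"Inspect:\s+(?P<proto>h323 (?:h225|ras))\b[^,]*,\s*"
    r"packet (?P<packet>\d+),\s*drop (?P<drop>\d+),\s*reset-drop (?P<reset>\d+)"
)

# Constructed snapshots: the same two Inspect lines before and after one test call.
BEFORE = """Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 4821, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 610, drop 0, reset-drop 0
"""
AFTER = """Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 4993, drop 37, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 622, drop 0, reset-drop 0
"""


def parse_h323_counters(text: str) -> dict:
    """Return {protocol: {'packet': n, 'drop': n, 'reset-drop': n}} per Inspect line."""
    counters = {}
    for m in COUNTER_RE.finditer(text):
        counters[m["proto"]] = {
            "packet": int(m["packet"]),
            "drop": int(m["drop"]),
            "reset-drop": int(m["reset"]),
        }
    return counters


def drops_between(before_text: str, after_text: str) -> dict:
    """Drop-type counters that increased between the two snapshots.

    Packet counts are expected to grow during a call and are ignored; a growing
    'drop' or 'reset-drop' means inspection itself discarded signalling, which
    points at the ASA rather than at the endpoints or the router NAT. Zero growth
    with a black screen points away from inspection (embedded address, media path).
    """
    before = parse_h323_counters(before_text)
    after = parse_h323_counters(after_text)
    grew = {}
    for proto, now in after.items():
        prev = before.get(proto, {"drop": 0, "reset-drop": 0})
        delta = {k: now[k] - prev[k]
                 for k in ("drop", "reset-drop") if now[k] > prev[k]}
        if delta:
            grew[proto] = delta
    return grew


if __name__ == "__main__":
    result = drops_between(BEFORE, AFTER)
    if result:
        for proto, delta in result.items():
            print(f"{proto}: inspection drops increased by {delta}")
    else:
        print("no H.323 inspection drops during the test call")
```

Run the two show commands once before placing the test call and once after, save each output to a file, and feed the two texts to `drops_between`; `sh service-policy inspect h323 ras` and `sh service-policy inspect h323 h225` each produce one matching line, so both outputs can simply be concatenated into one snapshot.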
