12-28-2011 09:57 PM - edited 03-11-2019 03:07 PM
Hi All,
There are two Polycom devices behind ASA (Terminal HDX7000 and MCU RMX1000), ASA is connected to Cisco 1900 router which is connected to ISP.
Polycom devices are NATed (unique global address per device) on the router and H.323 inspection is done on the ASA. The issue is that when trying to connect from outside to a conference on the MCU I don't receive any video (but the MCU shows me as a connected participant). The same is true when the MCU tries to call outside terminals: they are shown as connected participants, but there is just a black screen. On the ASA all ports are opened (both in and out) and there are no ACLs on the router. And what does the NAT configuration on the Polycom devices mean; why is it needed when NATing is done on the router (I've seen such a configuration option also on Tandberg and other vendors' devices)?
12-28-2011 10:44 PM
Hello Thor,
If NAT is done on the router, you can just do an identity NAT on the ASA. I mean, if nat-control is enabled you will need to have the NAT as a requirement to allow the connection from the lower security level to the higher security level.
Now for the communication issue you can create some captures and see if the ASA is dropping some packets or if the problem is due to one of the sides of the connection.
Do rate helpful posts!
Regards,
Julio
12-29-2011 11:29 PM
Hello Julio,
I have read some papers which state that there are embedded IP addresses in H.323 messages and that a common call-setup problem is that the called endpoint uses the IP address in the received H.323 messages as the destination address. This problem exists in our network. Our network also has a gatekeeper (Polycom PathNavigator). As I understand it, the reason for the problem is:
When a local terminal with IP address A.A.A.A (registered to the GK) calls an outside terminal, it begins sending H.323 messages to the GK {address in both the IP header and embedded in the H.323 msg is A.A.A.A}. Then the GK rewrites the embedded address to its own (e.g. B.B.B.B) and sends it to the outside terminal {now the address in the IP header is A.A.A.A but the address in the H.323 msg is B.B.B.B}. Then the packet arrives at the border router, which NATs the local A.A.A.A address to the globally unique G.G.G.G and forwards it to the outside terminal {now the address in the IP header is G.G.G.G but the address in the H.323 msg is B.B.B.B}. When the outside terminal receives that message it will try to respond to the address in the H.323 msg, B.B.B.B (which is not a routable address), and sends it to its default gateway, and this packet will eventually be dropped by the provider. So I need to change the embedded address in H.323 msgs to the global NAT'd IP address. When I check the NAT option in the Polycom terminal configuration it uses the global NAT'd address in H.323 msgs instead of the local one, but that makes a problem for local endpoints trying to call that terminal (as they need to send packets to the global address), and there would also be problems with the GK (as it will rewrite the H.323 address to its own). My question is how I can change the embedded address in H.323 msgs. Is it possible on the ASA 5510 to rewrite that address to a specified one (required to modify only the H.323 embedded address, not the IP header address, because the border router is doing that NAT), or is it possible to rewrite the embedded address on the border router (Cisco 1900 with IOS Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5)? What could you suggest to solve that problem?
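As an added illustration (not part of the original post), the following Python checks captured H.225 messages for the header/payload address mismatch described above, hop by hop along the call path; the addresses and capture points are constructed stand-ins for A.A.A.A, B.B.B.B and G.G.G.G.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses standing in for the post's A.A.A.A, B.B.B.B and G.G.G.G.
ADDR_A = "10.0.0.10"        # local terminal (hypothetical)
ADDR_B = "10.0.0.20"        # gatekeeper (hypothetical)
ADDR_G = "198.51.100.10"    # global address the border router NATs the terminal to (hypothetical)
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # inside address space (assumed)


@dataclass
class H225Sample:
    where: str           # capture point
    ip_header_src: str   # source address in the IP header
    embedded_addr: str   # address carried inside the H.225 payload


def classify(sample, local_nets=LOCAL_NETS):
    """Compare header and payload addresses and name the kind of mismatch."""
    hdr = ipaddress.ip_address(sample.ip_header_src)
    emb = ipaddress.ip_address(sample.embedded_addr)
    hdr_local = any(hdr in net for net in local_nets)
    emb_local = any(emb in net for net in local_nets)
    if hdr == emb:
        return "consistent"
    if emb_local and not hdr_local:
        # Header was translated but payload was not: the far end will answer
        # to the embedded private address, which is the failure the post describes.
        return "embedded-private-leak"
    if hdr_local and not emb_local:
        # Endpoint already advertises its global address (the Polycom NAT option);
        # inside callers would be told to reply to the outside address.
        return "embedded-global-inside"
    if hdr_local and emb_local:
        # Two different inside addresses: in the post this is the gatekeeper
        # substituting its own address in the payload.
        return "inside-address-substituted"
    return "global-mismatch"


# Constructed captures tracing the post's call path hop by hop.
SAMPLES = [
    H225Sample("terminal -> gatekeeper", ADDR_A, ADDR_A),
    H225Sample("gatekeeper -> border router", ADDR_A, ADDR_B),
    H225Sample("border router -> outside terminal", ADDR_G, ADDR_B),
]


def audit(samples=SAMPLES, local_nets=LOCAL_NETS):
    """Return {capture point: classification} for every sample."""
    return {s.where: classify(s, local_nets) for s in samples}


if __name__ == "__main__":
    for where, verdict in audit().items():
        print(f"{where:36} {verdict}")
```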
12-29-2011 11:55 PM
Please check H.323 inspection in the ASA 5510, there could be a chance of it dropping H.323 packets, and check the OS version.
thanks
12-30-2011 12:11 AM
ASA version:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Inspection-related config:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect rtsp
  inspect skinny
  inspect h323 ras
  inspect h323 h225
Can I NAT only the local addresses embedded in H.323 msgs to global ones, not the addresses in the IP header (because they are NAT'd on the border router)?
12-30-2011 04:15 AM
Hi
Please do packet capturing on your firewall interface and check the NAT translations on your router.
The following are some of the known issues and limitations when using H.323 application inspection:
• Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
• H.323 application inspection is not supported with NAT between same-security-level interfaces.
• When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in either direction. This problem is unrelated to the ASA.
• If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails.
Please check the URL
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_voicevideo.html
From the FW check
sh service-policy inspect h323 ras
sh service-policy inspect h323 h225
and check for any drops.
thanks
Karthik