Polycom HdX8000 behind ASA Firewall

samirshaikh52
Level 2

Hi,

I am encountering some problems setting up my new Polycom HDX 8000 behind an ASA 5540.

I have opened the required ports through the firewall (incoming and outgoing). I have enabled inspection h323 on the ASA and enabled the option NAT is h323 compatible on the Polycom.

3230-3243 tcp

h323 tcp

h323 udp

3230-3285 udp

Here is the problem.

I get connected to the call, but the remote site cannot see and hear me.

But I can see and hear them.

Please can someone help me in this very important matter.

Thanks

9 Replies

Jouni Forss
VIP Alumni

Hi,

I probably can't give you an exact answer to your problem, but I remember some customer once having problems with Polycom devices through Cisco firewalls.

To my understanding, one thing recommended is to avoid using the inspect/fixup commands on the PIX/ASA firewall. I think I've also read in a Cisco document that there have been some problems between Cisco firewalls and Polycom devices in general, but I can't find that document right now.

policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras

Or something similar depending on your firewall software.

You could try the above perhaps.

Have you tried to monitor the logs through ASDM to see if there is anything that is getting blocked while you try to form the connections?

- Jouni

Hi, thanks for your quick response.

Yes, I have tried before disabling h323 inspection and then disabling NAT is h323 compatible on the Polycom.


In my ASDM logs I have seen any dropped or denied connection. Please see the attached.

Thanks for the help.

Hi,

The only special thing about that output is that the ICMP is getting blocked from "inside" to "outside".

Also, since it's ICMP Type 3 Code 3, it would seem that the "inside" device is sending some "Port Unreachable" to the host on the "outside".

Is the "inside" Polycom device not accepting some connection and why?

I guess it's probably related to some UDP connection not getting through to the Polycom device?

Personally I am not really familiar with video conferencing or its firewall related things. I have only been lately trying to troubleshoot some situations.

I would perhaps also try to take some packet captures on the ASA itself and go through them.

- Jouni

I have also recorded one more log. Please have a look at the attached.

Hi,

The single log message included in that file seems to be indicating that traffic from the Polycom device is being blocked from leaving from your network to the remote device.

Could you try and open everything for the Polycom device so no access-list is blocking its connections?

Seems you have an ACL named "inside_access_in" attached to the "inside" interface which is blocking some connection.

Could you perhaps for testing purposes open all traffic from the Polycom device to the destination IP address? (if the one in the logs is the only one.)

access-list inside_access_in line 1 permit ip host host

The source and destination ports look a bit weird (high port as destination) but maybe you could give the above a go and see if it helps.

- Jouni

I have also tried opening all the ports (incoming and outgoing) but it was the same.

Something weird, really!

Samir

I have found a very interesting thing.

I assigned a public IP address to the LAN interface of my laptop and placed a call to the Polycom. It was successful: both ways I can see and hear.

But when I assigned a DHCP private IP to the laptop and placed a call, the Polycom is not able to send audio and video.

The Polycom sees a private IP address while receiving a call.

What is meant by that? Can anyone please help me?

Try to set up a static NAT to a dedicated public IP for all ports.

Hi,

I already have a static NAT for a fixed public IP allowing all ports (outgoing).

Thanks.
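
An added example, not part of the original thread: a small Python triage script for the packet capture suggested earlier, checking for the three symptoms reported here (inbound media only, ICMP port unreachable from the codec, media sent to a private address). The tcpdump-style line layout, all addresses and the function names are assumptions, and the sample capture is constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed tcpdump-style line layout, as printed by "show capture" on an ASA.
LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)")
MEDIA_UDP = range(3230, 3286)  # 3230-3285 udp, the range opened in the question
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inside-interface capture; all addresses are placeholders.
SAMPLE = """\
1: 10:00:01.000100 203.0.113.20.49170 > 192.168.10.50.3230: udp 172
2: 10:00:01.000900 192.168.10.50 > 203.0.113.20: icmp: 192.168.10.50 udp port 3230 unreachable
3: 10:00:01.020100 203.0.113.20.49172 > 192.168.10.50.3232: udp 1100
4: 10:00:01.020300 192.168.10.50.3232 > 10.20.30.40.49172: udp 1100
5: 10:00:01.040100 192.168.10.50.3230 > 10.20.30.40.49170: udp 172
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def triage(capture_text, codec_ip, peer_ip):
    # Count media and ICMP symptoms as seen on the codec's side of the firewall.
    seen = Counter()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, rest = m["src"], m["dst"], m["rest"]
        if rest.startswith("icmp") and "unreachable" in rest and src == codec_ip:
            seen["codec_port_unreachable"] += 1
        elif rest.startswith("udp"):
            if dst == codec_ip and int(m["dport"] or 0) in MEDIA_UDP:
                seen["media_in"] += 1
            elif src == codec_ip and dst == peer_ip:
                seen["media_out_to_peer"] += 1
            elif src == codec_ip and is_rfc1918(dst):
                seen["media_out_to_private"] += 1
    return seen

def verdict(seen):
    if seen["media_in"] and not seen["media_out_to_peer"]:
        if seen["media_out_to_private"]:
            return "one-way: codec sends media to a private address, not the peer"
        return "one-way: no media leaving the codec toward the peer"
    return "no one-way symptom in this capture"
```

Calling `verdict(triage(SAMPLE, "192.168.10.50", "203.0.113.20"))` on the constructed capture reports the private-address case; replace the sample text and the two addresses with your own capture output and hosts.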
