Video Conference through ASA 5510

andy_4578
Level 1

We're trying to use our Polycom VC through our ASA 5510, but every time someone calls in we see a Deny Outside_in destination port 1720 tcp in the syslog.

It doesn't make sense, as we have all the following ports open on the outside interface (H323 column)...

Anyone got any ideas?

Port           | Type         | Description                  | Marks
---------------|--------------|------------------------------|-----------
80             | Static TCP   | HTTP Interface (optional)    | x
389            | Static TCP   | ILS v2.0 Registration (LDAP) | x x
1002           | Static TCP   | Win 2000 ILS Registration    | x x
1503           | Static TCP   | T.120                        | x x
1718           | Static TCP   | Gatekeeper Discovery         | x x x
1719           | Static TCP   | Gatekeeper RAS               | x x x
1720           | Static TCP   | H.323 Call Setup             | x x
1731           | Static TCP   | Audio Call Control           | x x
2253 - 2263    | TCP          | Sony endpoints               | x
3230 - 3253    | TCP & UDP    | Polycom endpoints            | x
5001           | TCP & UDP    | Polycom PPCIP client         | x
5004 - 6004    | TCP & UDP    | Emblaze-VCON endpoints       | x
8080           | Static TCP   | HTTP Server Push (optional)  | x
22136          | Static TCP   | MXM endpoint administration  | x, x (MXM)
26505          | Static TCP   | MXM remote admin login       | x (MXM)
49152 - 49239  | UDP          | Sony endpoints               | x
1024 - 65535   | Dynamic TCP  | H.245 (Call Parameters)      | x x
1024 - 65535   | Dynamic UDP  | RTP (Video Stream Data)      | x x
1024 - 65535   | Dynamic UDP  | RTP (Audio Stream Data)      | x x
1024 - 65535   | Dynamic UDP  | RTCP (Control Information)   | x x

4 Replies

sean_evershed
Level 7

Hi,

Have you seen this reference for configuring H323 through a firewall?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#h323

What inspection policies have you configured? Does it include H323?

Have you also tried the Polycom Knowledge base?

http://knowledgebase.polycom.com/kb/supportcentral/supportcentral.do?id=m1

Please remember to rate all posts that are helpful.

How is the traffic flowing? Does the conference get initiated on the outside? If so, the traffic is correctly reaching your outside interface, so you should have a static translation and the proper ACLs allowing the inbound connection.

Can you share the correct traffic flow and maybe the specific portions of the configuration so that we can get a better idea?

andy_4578
Level 1

This is the current config...

NPS-ASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname NPS-ASA
domain-name Probation.local
enable password a1QpEEJ7ns4C2z8N encrypted
passwd a1QpEEJ7ns4C2z8N encrypted
names
name 10.0.1.0 Wellingborough
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name Probation.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Northampton
subnet 10.0.0.0 255.255.255.0
object network VPN_Clients
subnet 10.0.10.0 255.255.255.240
object network Wellingborough
subnet 10.0.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network Video_Conferenceing
host 10.0.0.100
object network Video_Outside
host x.x.x.43
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network Kettering
network-object 10.0.2.0 255.255.255.0
object-group network Corby
network-object 10.0.3.0 255.255.255.0
object-group service PolyCom
service-object tcp-udp destination eq 1718
service-object tcp-udp destination eq 1719
service-object tcp-udp destination eq 1720
service-object tcp destination range 3230 3235
service-object udp destination eq 1503
service-object tcp-udp destination eq 1731
service-object tcp destination range 3220 3225
service-object udp destination range 3230 3247
service-object tcp destination range 1024 65535
service-object tcp destination eq 1503
service-object tcp destination range 2253 2263
service-object tcp destination eq ldap
service-object tcp destination eq h323
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list AcSVpN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object Wellingborough
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group Kettering
access-list NPSVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object Wellingborough
access-list Outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group Corby
access-list Outside_3_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group Kettering
access-list Outside_access_in extended permit object-group PolyCom any object Video_Outside
access-list Outside_access_in extended permit ip any object Video_Outside
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_Pool 10.0.10.1-10.0.10.10 mask 255.255.255.0
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static Northampton Northampton destination static VPN_Clients VPN_Clients
nat (Inside,any) source static Northampton Northampton destination static Wellingborough Wellingborough
nat (Inside,any) source static Northampton Northampton destination static Kettering Kettering
nat (Inside,any) source static Northampton Northampton destination static Corby Corby
nat (Inside,any) source static Video_Conferenceing Video_Outside
!
object network Northampton
nat (Inside,Outside) dynamic interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote_VPN protocol radius
aaa-server Remote_VPN (Inside) host 10.0.0.1
key *****
radius-common-pw *****
aaa authentication enable console Remote_VPN LOCAL
aaa authentication http console Remote_VPN LOCAL
aaa authentication telnet console Remote_VPN LOCAL
http server enable
http 10.0.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer x.x.x.129
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set peer x.x.x.97
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set peer x.x.x.1
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy AcSVpN internal
group-policy AcSVpN attributes
dns-server value 10.0.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AcSVpN_splitTunnelAcl
default-domain value probation.local
group-policy NPSVPN internal
group-policy NPSVPN attributes
dns-server value 10.0.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NPSVPN_splitTunnelAcl
default-domain value probation.local
username administrator password PszPtwkjAGVnHxyQ encrypted privilege 15
tunnel-group AcSVpN type remote-access
tunnel-group AcSVpN general-attributes
address-pool VPN_Pool
authentication-server-group Remote_VPN
default-group-policy AcSVpN
tunnel-group AcSVpN ipsec-attributes
pre-shared-key *****
tunnel-group NPSVPN type remote-access
tunnel-group NPSVPN general-attributes
address-pool VPN_Pool
authentication-server-group Remote_VPN
default-group-policy NPSVPN
tunnel-group NPSVPN ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.97 type ipsec-l2l
tunnel-group x.x.x.97 ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.95 type ipsec-l2l
tunnel-group x.x.x.95 ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.129 type ipsec-l2l
tunnel-group x.x.x.129 ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
class global-class
  csc fail-open
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:29b66749c94887058872843e2dff213b
: end
NPS-ASA#
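To make the comparison between the syslog deny in the opening post and the access list in the config above concrete, here is an added Python example. It is not from the thread, from Cisco or from Polycom: it parses only the object, object-group and access-list syntax that actually appears in the posted config and evaluates a flow against Outside_access_in in first-match order, the way an ASA walks an ACL before hitting the implicit deny. The small named-port table and the sample %ASA-4-106023 deny line are constructed for the example, and because the public address is masked as x.x.x.43 on the page, hosts are compared as plain strings. One fact worth holding in mind when reading the output: from ASA 8.3 onward an access list is evaluated against the real (untranslated) address of the inside host, so the evaluator is run both with the mapped object x.x.x.43 and with the inside host 10.0.0.100 as the destination.

```python
import re

# Port keywords used in the posted config, mapped to numbers. This small table
# is an assumption for the example, not the full ASA keyword list.
NAMED_PORTS = {"ldap": 389, "h323": 1720, "www": 80, "ftp": 21,
               "smtp": 25, "pop3": 110}

# The relevant lines of the config posted in this thread. The public address
# is masked as x.x.x.43 on the page, so hosts are compared as plain strings.
CONFIG = """\
object network Video_Conferenceing
 host 10.0.0.100
object network Video_Outside
 host x.x.x.43
object-group service PolyCom
 service-object tcp-udp destination eq 1718
 service-object tcp-udp destination eq 1719
 service-object tcp-udp destination eq 1720
 service-object tcp destination range 3230 3235
 service-object udp destination eq 1503
 service-object tcp-udp destination eq 1731
 service-object tcp destination range 3220 3225
 service-object udp destination range 3230 3247
 service-object tcp destination range 1024 65535
 service-object tcp destination eq 1503
 service-object tcp destination range 2253 2263
 service-object tcp destination eq ldap
 service-object tcp destination eq h323
access-list Outside_access_in extended permit object-group PolyCom any object Video_Outside
access-list Outside_access_in extended permit ip any object Video_Outside
"""

# Constructed sample of an ASA 106023 deny message (not the poster's real line).
SAMPLE_DENY = ('%ASA-4-106023: Deny tcp src Outside:203.0.113.5/40512 '
               'dst Inside:10.0.0.100/1720 by access-group "Outside_access_in" [0x0, 0x0]')

DENY_RE = re.compile(r'Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ '
                     r'dst \S+:(?P<dst>[\d.]+)/(?P<port>\d+) by access-group "(?P<acl>[^"]+)"')


def port_range(tokens):
    """Translate 'eq PORT' or 'range LO HI' into an inclusive (lo, hi) pair."""
    if tokens[0] == "eq":
        p = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
        return p, p
    if tokens[0] == "range":
        return int(tokens[1]), int(tokens[2])
    raise ValueError(f"unsupported port spec: {' '.join(tokens)}")


def parse_config(text):
    """Collect network objects, service groups and ACL entries from ASA lines.
    Only the syntax that appears in the posted config is understood."""
    objects, groups, acls = {}, {}, {}
    block = None  # (kind, name) of the object / object-group being filled in
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            block = ("object", t[2])
        elif t[:2] == ["object-group", "service"]:
            block = ("group", t[2])
            groups[t[2]] = []
        elif t[0] == "host" and block and block[0] == "object":
            objects[block[1]] = t[1]
        elif t[0] == "service-object" and block and block[0] == "group":
            # 'tcp-udp' expands to one (proto, lo, hi) entry per protocol
            protos = ["tcp", "udp"] if t[1] == "tcp-udp" else [t[1]]
            lo, hi = port_range(t[3:])
            groups[block[1]].extend((p, lo, hi) for p in protos)
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            acls.setdefault(t[1], []).append(t[4:])
    return objects, groups, acls


def acl_permits(cfg, acl, proto, dst_host, dst_port):
    """First-match evaluation: index of the permitting entry, or None for the
    implicit deny that ends every ASA access list."""
    objects, groups, acls = cfg
    for i, e in enumerate(acls.get(acl, [])):
        # Entry shapes handled: 'ip any object DST' and
        # 'object-group GRP any object DST' (destination object by name).
        if e[-3] != "any" or e[-2] != "object" or objects.get(e[-1]) != dst_host:
            continue
        if e[0] == "ip":
            return i
        if e[0] == "object-group" and any(
                p == proto and lo <= dst_port <= hi for p, lo, hi in groups[e[1]]):
            return i
    return None


def check_deny_line(cfg, line):
    """Parse a 106023 deny message and report whether the named ACL, as
    written, would have permitted the logged flow to the logged destination."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny message")
    return acl_permits(cfg, m["acl"], m["proto"], m["dst"], int(m["port"]))


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("tcp/1720 to mapped x.x.x.43 -> entry",
          acl_permits(cfg, "Outside_access_in", "tcp", "x.x.x.43", 1720))
    print("tcp/1720 to real 10.0.0.100 -> entry",
          acl_permits(cfg, "Outside_access_in", "tcp", "10.0.0.100", 1720))
    print("logged flow permitted by ACL entry:", check_deny_line(cfg, SAMPLE_DENY))
```

Run stand-alone, the script shows the ACL matching tcp/1720 on its first entry when the destination is the mapped object, and falling through to the implicit deny when the destination is the inside host the object is not written against; feeding a real 106023 line from the ASA into check_deny_line tells you the same thing for whatever flow the firewall actually logged.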

Thanks for adding the config. As far as I can understand, your translation is between the outside address x.x.x.43 and the inside address 10.0.0.100. The traffic is initiated on the inside going out, and it can be initiated on the outside going in, right?

Can you paste the complete syslog message you are getting when the connection fails?

Also I would like to know if x.x.x.43 is the IP of the outside interface of the ASA or if that is just an extra available IP you own.

I am trying to figure out if this is a NAT issue; that is why I am asking those things.

Thanks.
