10-17-2003 08:56 AM - edited 03-13-2019 02:07 AM
Hi,
I have a Call Manager and IP Phones behind a firewall. At the other side of the firewall I have a router with 2 FXS ports. I have connected two analog phones to these FXS ports. Now in the Call Manager I have added the router as an H.323 gateway in order to have communication between the IP Phones and the analog phones.
I want to know what ports are to be opened at the Firewall so that this communication can occur.
Thanks in advance
10-17-2003 09:05 AM
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml
Also make sure your firewall is "H.323 aware" so that it can dynamically open up the UDP ports used during H.245 negotiation.
10-17-2003 09:34 AM
Hi,
Thanks for the reply.
If I understand correctly, I need to open the following ports at the firewall:
UDP 16384 - 32667 (for RTP traffic b/w phones)
UDP 1719
TCP 1720
TCP 11000-65535 (for H.323 communications)
My doubt is: can the communication between the phones be established by only opening up UDP 16384 - 32667?
Because if I have to open up all the ports mentioned above, then I am opening up almost all the TCP ports.
Awaiting your reply
Thanks
10-17-2003 09:39 AM
Yes, you are right. This is why you need a firewall that is "H.323 aware", so that it can detect automagically what UDP ports are negotiated, and allow that traffic through.
Cisco IOS and PIX do this, so if your firewall is one of these you're OK.
11-03-2003 05:47 AM
Why can't you enable H245 tunnelling so that H245 communication takes place over port 1720?
02-12-2004 02:58 PM
Dustin,
When I go to that link it says it's "under construction" so I assume it's being updated. Do you know when it will be published again?
10-24-2003 11:33 AM
If it's an h323-aware firewall a la PIX, you need a "fixup protocol h323 1720" which tells the FW to start to eavesdrop on port 1720 (h225 call setup) so it can glean the remainder of the ports to be opened (h245 & RTP).
The PIX acl or conduit must also allow the GW IP address in on port 1720 to begin the signalling process.
If you don't have an H323-aware FW, you have to allow A LOT of ports inbound from the GW:
TCP 1720 for h225,
TCP 4000-4999 for H245 (I think - the IOS gw's used a different range of ports than the AS5xxx gw's),
UDP 16384-32768 for RTP
Good luck,
/dan
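The trade-off discussed in this thread, static port ranges versus an H.323-aware firewall that opens per-call pinholes, as an added example (not code from any poster or from Cisco). It is a toy Python model: the class and function names and the negotiated port numbers are constructed, and a real firewall learns the ports by parsing the H.225/H.245 signalling rather than receiving them as arguments.

```python
# Toy model: static port ranges vs. H.323-aware dynamic pinholes.
# Class/function names and the negotiated ports are constructed for illustration.
STATIC_RULES = [("tcp", 1720, 1720),    # H.225 call setup
                ("tcp", 4000, 4999),    # H.245 range quoted in the thread
                ("udp", 16384, 32768)]  # RTP range quoted in the thread
AWARE_RULES = [("tcp", 1720, 1720)]     # only call setup is permitted statically


class Firewall:
    def __init__(self, rules, h323_aware=False):
        self.rules = list(rules)
        self.h323_aware = h323_aware
        self.pinholes = {}  # call_id -> set of (proto, port) opened for that call

    def exposed_ports(self):
        """Ports reachable from the gateway at all times, call or no call."""
        return sum(hi - lo + 1 for _, lo, hi in self.rules)

    def allows(self, proto, port):
        static = any(p == proto and lo <= port <= hi for p, lo, hi in self.rules)
        dynamic = any((proto, port) in h for h in self.pinholes.values())
        return static or dynamic

    def see_call_setup(self, call_id, h245_port, rtp_ports):
        """Inspection hook: signalling on TCP 1720 revealed the negotiated ports."""
        if self.h323_aware and self.allows("tcp", 1720):
            self.pinholes[call_id] = {("tcp", h245_port)} | {("udp", p) for p in rtp_ports}

    def see_call_end(self, call_id):
        self.pinholes.pop(call_id, None)  # pinholes close with the call

    def call_passes(self, h245_port, rtp_ports):
        return self.allows("tcp", h245_port) and all(self.allows("udp", p) for p in rtp_ports)


def compare(h245_port=4010, rtp_ports=(16390, 16391)):  # constructed call
    static_fw = Firewall(STATIC_RULES)
    aware_fw = Firewall(AWARE_RULES, h323_aware=True)
    before = aware_fw.call_passes(h245_port, rtp_ports)
    aware_fw.see_call_setup(1, h245_port, rtp_ports)
    during = aware_fw.call_passes(h245_port, rtp_ports)
    aware_fw.see_call_end(1)
    after = aware_fw.call_passes(h245_port, rtp_ports)
    return {"static_exposed": static_fw.exposed_ports(),
            "aware_exposed": aware_fw.exposed_ports(),
            "static_passes": static_fw.call_passes(h245_port, rtp_ports),
            "aware_before_during_after": (before, during, after)}


if __name__ == "__main__":
    print(compare())
```

Both rule sets carry the call, but the static set leaves every listed port open permanently while the inspected set exposes only TCP 1720 outside of an active call.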