H.323 over NAT

leo.vaughn
Level 1

Hello,

I have several H.323 Polycom boxes and I am trying to get them working behind the firewall. I have a PIX 525 that runs Version 5.3(1)200, and I am using static NAT translation. I can establish a call with the remote site; however, it times out in 40 min. or so.

The debug log does not report anything unusual. The connection is just terminated. If I move the H.323 box outside of the firewall it works great.

Thanks a lot

5 Replies

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

eyabane
Level 1

First of all, I am not quite sure what type of H.323 device the Polycom box is, but my guess is that it is probably a gateway/H.323 client device. Either way, as far as the H.323 signaling goes, the dynamism in port assignment and the H.245 negotiations are what make most firewalls fail miserably when it comes to real-time traffic such as voice. Using an ordinary firewall, you can probably get most of the static signaling through by defining the well-known ports for it (H.225 RAS, and most Q.931 stuff), but when you get down to media negotiation (H.245) there is no way of predicting what port number the parties will be using, since it is random (dynamic). I haven't worked with the PIX firewall extensively, and I can only guess that it also falls into the category of the other firewalls I have tested and noticed the problem with. Very few companies are working on developing a real-time traffic firewall that can dynamically open pinholes for voice traffic on a per-call basis, providing for the best security in the industry. I can lead you to one specifically that I test day in, day out if you are interested.

My guess on what you will try to do next is to check with the Polycom vendor to see what ports to open on your PIX firewall, but I can tell you this for sure: by the time you are done opening all the ports (port ranges, to be more specific), you will realize that your firewall has no real purpose, really. That is the catch. The technology is moving; you might want to tag along.

Regards

Eyabane

MCSE, CCNP+VOICE, CCDP

grseabrook
Level 1

Leo,

As the other respondent to your message indicated, NAT and H.323 generally don't mix well. However, Ridgeway have developed solutions specifically to enable the deployment of multiple H.323 endpoints behind NAT routers and firewalls (whether H.323 enabled or not).

Check out the website at www.ridgewaysystems.com for more info.

Graham

turnbull
Level 1

The PIX fixup for H.323 has been improved in later versions of the PIX code and may be worth looking into.

There were a few bugs with the version you are running, such as CSCdu39748.

Check the release notes on the later versions as a guide.

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/relnotes/pixrn532.htm

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/relnotes/pixrn611.htm

Just run a search on H.323.

Paul,

Does PIX support multiple H.323 devices? i.e. how does one support many H.323 devices when they are deployed behind the NAT?

Thanks.
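The configuration below is an added illustration, not taken from any post in this thread or from Polycom or Cisco documentation, of the pattern the replies describe: one-to-one static NAT per H.323 endpoint, the outside allowed in only on the H.225 call-signalling port, and the PIX H.323 fixup left enabled so that the firewall (rather than a wide static port range) opens the H.245 and RTP/RTCP ports negotiated during each call. All addresses and the access-list name are placeholders; the two-endpoint layout is an assumption used to show how more than one device is handled with statics.

```cisco
! Added example (not from the thread). Placeholder addresses from the
! RFC 5737 documentation ranges; outside_in is an assumed access-list name.

! One routable outside address per H.323 endpoint (one static each).
static (inside,outside) 203.0.113.11 10.10.10.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 10.10.10.12 netmask 255.255.255.255 0 0

! Permit only H.225 call signalling from the outside. The fixup adds the
! per-call H.245 and media entries itself, so no UDP range is opened here.
access-list outside_in permit tcp any host 203.0.113.11 eq 1720
access-list outside_in permit tcp any host 203.0.113.12 eq 1720
access-group outside_in in interface outside

! H.323 inspection on the H.225 port (default 1720). Later 6.x releases
! split this into 'fixup protocol h323 h225 1720' and
! 'fixup protocol h323 ras 1718-1719'; check the release notes for your code.
fixup protocol h323 1720

! Idle timer for the secondary (H.245 and media) connections the fixup creates.
timeout h323 0:05:00
```

While a call is up, `show xlate` should list the static translations and `show conn` should show, besides the TCP/1720 signalling connection, the dynamically added H.245 TCP and UDP media connections for that call. If those secondary entries never appear, the fixup is not rewriting the addresses embedded in the H.225/H.245 payload, which is the case the replies above warn about and the reason to look at the fixup bugs and later code versions Paul mentions.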