10-30-2001 01:54 PM - edited 03-08-2019 09:01 PM
Hello,
I have several H.323 Polycom boxes and I am trying to get them working behind the firewall. I've a PIX 525 that runs Version 5.3(1)200. And I am using static NAT translation. I can establish a call with the remote site, however, it times out in 40 min. or so.
Debug log does not report anything unusual. Connection is just terminated. If I move H.323 outside of the firewall it works great.
Thanks a lot
11-04-2001 08:47 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
11-05-2001 03:03 PM
First of all, I am not quite sure what type of h323 device the Polycom box is, but my guess is probably a gateway/h323 client device. Either way, as far as the h323 signaling goes, the dynamism in port assignment and h245 negotiations is what makes most firewalls fail miserably when it comes to real time traffic such as voice. Using an ordinary firewall, you can probably get most of the static signaling through by defining the well known ports for them (h225 RAS, and most Q.931 stuff), but when you get down to media negotiation (h245) there is no way of predicting what port# the parties will be using, since it is random (dynamic). I haven't worked with PIX FW extensively and I can only guess that it also falls in the category of the other firewalls I have tested and noticed the problem with. Very few companies are working on developing a real-time traffic firewall that can dynamically open pinholes for voice traffic on a per-call basis, providing for the best security in the industry. I can lead you to one specifically that I test day-in day-out if you are interested.
My guess on what you will try to do next is to check with the Polycom vendor to see what ports to open on your PIX fw, but I can tell you this for sure: by the time you are done opening all the ports (port ranges, to be more specific), you will realize that your firewall has no real purpose, really. That is the catch. The technology is moving; you might want to tag along.
Regards
Eyabane
MCSE, CCNP+VOICE, CCDP
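To make the point in the post above concrete, here is an added model (not the poster's code, and not a PIX feature) of an H.323 call passing a firewall that only permits the well-known RAS and Q.931 ports, beside one that inspects the signalling and opens per-call pinholes. The call flow, the peer address and the port choices are constructed for the demonstration; a real H.245 address is carried inside the Q.931 CONNECT and the RTP ports inside H.245 OpenLogicalChannel, which is what a fixup/ALG has to parse.

```python
import random
from dataclasses import dataclass, field

# Well-known H.323 ports a static rule set would open: RAS (UDP 1718-1719)
# and Q.931 call signalling (TCP 1720). Everything else is negotiated per call.
STATIC_RULES = {("udp", 1718), ("udp", 1719), ("tcp", 1720)}

@dataclass
class Call:
    peer: str                       # constructed remote endpoint address
    h245_port: int                  # TCP port announced in Q.931 CONNECT
    rtp_ports: list = field(default_factory=list)  # UDP RTP/RTCP pair from H.245

def negotiate_call(rng):
    """Constructed call: both dynamic ports are chosen at call time, not known in advance."""
    h245 = rng.randint(1721, 65535)        # ephemeral port above the signalling port
    rtp = rng.randrange(16384, 32768, 2)   # even RTP port, RTCP on rtp + 1
    return Call(peer="198.51.100.7", h245_port=h245, rtp_ports=[rtp, rtp + 1])

def static_allows(proto, port):
    """Firewall with fixed rules only: no knowledge of what the endpoints negotiated."""
    return (proto, port) in STATIC_RULES

class InspectingFirewall:
    """Model of an application-aware firewall: reads signalling, opens call-scoped pinholes."""
    def __init__(self):
        self.pinholes = set()
    def see_q931_connect(self, call):            # CONNECT carries the H.245 transport address
        self.pinholes.add(("tcp", call.h245_port))
    def see_h245_open_logical_channel(self, call):  # OLC carries the media (RTP/RTCP) ports
        self.pinholes.update(("udp", p) for p in call.rtp_ports)
    def allows(self, proto, port):
        return (proto, port) in STATIC_RULES or (proto, port) in self.pinholes
    def call_released(self, call):               # pinholes must die with the call
        self.pinholes.discard(("tcp", call.h245_port))
        self.pinholes.difference_update(("udp", p) for p in call.rtp_ports)

def run_call(seed=1):
    """Return (static verdicts, inspecting verdicts, pinholes left open after release)."""
    call = negotiate_call(random.Random(seed))
    legs = [("q931", "tcp", 1720), ("h245", "tcp", call.h245_port), ("rtp", "udp", call.rtp_ports[0])]
    static = {name: static_allows(proto, port) for name, proto, port in legs}
    fw = InspectingFirewall()
    fw.see_q931_connect(call)
    fw.see_h245_open_logical_channel(call)
    inspecting = {name: fw.allows(proto, port) for name, proto, port in legs}
    fw.call_released(call)
    return static, inspecting, len(fw.pinholes)

if __name__ == "__main__":
    print(run_call())  # static rules pass Q.931 only; the inspecting model passes every leg
```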
11-15-2001 10:00 AM
Leo,
As the other respondent to your message indicated, NAT and H.323 generally don't mix well. However Ridgeway have developed solutions specifically to enable the deployment of multiple H.323 end-points behind NAT routers and firewalls (whether H.323 enabled or not).
Check out the website at www.ridgewaysystems.com for more info.
Graham
11-15-2001 02:04 PM
The pix fixup for h323 has been improved with later versions of code on the pix and may be worth looking into.
There were a few bugs with the version you are running, such as CSCdu39748.
Check the release notes on the later versions as a guide.
http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/relnotes/pixrn532.htm
http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/relnotes/pixrn611.htm
Just run a search on h323
11-16-2001 06:41 AM
Paul,
Does PIX support multiple H.323 devices? i.e. how does one support many H.323 devices when they are deployed behind the NAT?
Thanks.