Hi
I am facing an issue with a Video Conf connection over an SR520 with Zone-Based Firewall.
I can call out from inside to outside but cannot receive calls from outside.
Below shows what I have done for this... am I missing anything?
I'd appreciate it if someone can help me. Any advice will be helpful! Thanks much!
What I have done is:
1) add NAT translation
ip nat inside source static 172.16.92.15 xxx.xxx.xxx.xxx
2) create an access-list with the following ports to allow the traffic.
ip access-list extended TANDBERG
 permit tcp any any eq 389
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 1720
 permit tcp any any gt 1023
 permit udp any any gt 1023
3) create a class-map with the following protocols, with "access-group name TANDBERG" as above.
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
 match protocol h323
 match protocol icmp
 match protocol telnet
 match protocol ssh
 match protocol skinny
 match protocol h225ras
 match protocol h323-annexe
 match protocol h323-nxg
 match access-group name TANDBERG
4) added the class-map to the policy-map as below, which is for inside > outside.
policy-map type inspect sdm-inspect
 class type inspect SDM-Voice-permit <<<<<<<<<<<<<<<<<<
  inspect
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect z1-z2-pmap
 class type inspect sdm-invalid-src
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect All-Traffic
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect SDM-inspect-staticnat-in
  inspect
 class type inspect L2L_VPN_10.188.18.0_23
  inspect
 class class-default
  drop
zone security out-zone
zone security in-zone
zone security pptp
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
zone-pair security pptp-out source pptp destination out-zone
 service-policy type inspect sdm-inspect
!
5) also added for outside > inside
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit <<<<<<<<<<<<<<<<<
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect SDM-inspect-staticnat-in
  inspect
 class type inspect L2L_VPN_10.188.18.0_23
  inspect
 class class-default
  drop
zone security out-zone
zone security in-zone
zone security pptp
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone <<<<<<<<<<<<<<<<<<<
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone <<<<<<<<<<<<<<<<<<
 service-policy type inspect sdm-inspect
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
zone-pair security pptp-out source pptp destination out-zone
 service-policy type inspect sdm-inspect
!
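One way to sanity-check a ZBF configuration like the one posted above is to resolve the chain zone-pair -> service-policy -> policy-map -> class-map for a given direction and to list which ACL entries open whole port ranges between any hosts (the posted TANDBERG ACL's "gt 1023" lines match every high port on every host, in both directions, so they deserve a second look). This is an added example, not code from the original post or from Cisco; the CONFIG excerpt is constructed from the post, and parse_zbf, trace and broad_acl_entries are my own names.

```python
# Constructed excerpt of the ZBF objects from the post above (not a full device config).
CONFIG = """\
ip access-list extended TANDBERG
permit tcp any any eq 1720
permit tcp any any gt 1023
permit udp any any gt 1023
class-map type inspect match-any SDM-Voice-permit
match access-group name TANDBERG
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
inspect
class class-default
drop
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
"""

def parse_zbf(text):
    """Collect ACLs, class-maps, policy-maps and zone-pairs; indentation is ignored."""
    cfg = {"acls": {}, "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    section = cur = None
    for line in (ln.strip() for ln in text.splitlines()):
        w = line.split()
        if not w or w[0] == "!": continue
        if line.startswith("ip access-list extended "):
            section, cur = "acl", cfg["acls"].setdefault(w[3], [])
        elif line.startswith("class-map type inspect "):
            section, cur = "cmap", cfg["class_maps"].setdefault(w[-1], [])
        elif line.startswith("policy-map type inspect "):
            section, cur = "pmap", cfg["policy_maps"].setdefault(w[3], [])
        elif line.startswith("zone-pair security "):  # zone-pair security NAME source S destination D
            section, cur = "zp", cfg["zone_pairs"].setdefault((w[4], w[6]), {"name": w[2]})
        elif section in ("acl", "cmap") and w[0] in ("permit", "deny", "match"):
            cur.append(line)  # ACL entry or class-map match line
        elif section == "pmap" and w[0] == "class":  # 'class type inspect X' / 'class class-default'
            cur.append([w[-1], None])
        elif section == "pmap" and w[0] in ("inspect", "pass", "drop") and cur:
            cur[-1][1] = w[0]  # action for the class opened just above
        elif section == "zp" and w[0] == "service-policy":
            cur["policy"] = w[-1]
    return cfg

def trace(cfg, src, dst):
    """(class, action, match lines) applied to src->dst; [] when no zone-pair or policy exists."""
    policy = cfg["zone_pairs"].get((src, dst), {}).get("policy")
    return [(n, a, cfg["class_maps"].get(n, [])) for n, a in cfg["policy_maps"].get(policy, [])]

def broad_acl_entries(cfg, acl):
    """ACL lines that open whole port ranges between any hosts, e.g. 'permit tcp any any gt 1023'."""
    return [e for e in cfg["acls"].get(acl, []) if " any any gt " in e or " any any range " in e]
```

Running trace(parse_zbf(CONFIG), "out-zone", "in-zone") shows that out-to-in traffic is inspected only if it hits SDM-Voice-permit and is otherwise dropped by class-default, which is the path an inbound call has to satisfy.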