Configure PIX to allow IP video to hosts

neonetsup
Level 1

Hello,

Would anybody be willing to share their configuration settings in the PIX to allow IP video from the Internet through to internal users? Currently, we have a Polycom Viewstation FX on the inside statically mapped to a Public IP, and the associated ACL entries configured as follows:

static (inside,outside) 156.x.x.x 10.x.x.x netmask 255.255.255.255 0 0 norandomseq

access-list 101 permit tcp any host 156.x.x.x eq h323
access-list 101 permit tcp any host 156.x.x.x eq 3230
access-list 101 permit tcp any host 156.x.x.x eq 3231
access-list 101 permit tcp any host 156.x.x.x eq 3232
access-list 101 permit tcp any host 156.x.x.x eq 3233
access-list 101 permit tcp any host 156.x.x.x eq 3235
access-list 101 permit tcp any host 156.x.x.x eq 1503
access-list 101 permit udp any host 156.x.x.x eq 3230
access-list 101 permit udp any host 156.x.x.x eq 3231
access-list 101 permit udp any host 156.x.x.x eq 3232
access-list 101 permit udp any host 156.x.x.x eq 3233
access-list 101 permit udp any host 156.x.x.x eq 3234
access-list 101 permit udp any host 156.x.x.x eq 3235
access-list 101 permit udp any host 156.x.x.x eq 1721
access-list 101 permit udp any host 156.x.x.x eq 1718
access-list 101 permit udp any host 156.x.x.x eq 1719
access-list 101 permit tcp any host 156.x.x.x eq 1731

Are those the right ports? Should there be any more or less?

Thanks in advance!!

1 Reply

elaird
Level 1

We do a lot of video and have PIXes at TAMU.EDU

H.323 uses TCP and UDP ports above 1024 and they can be anywhere unless you set the firewall settings in the Polycom to use specific ports.

The call comes in on TCP port 1720 and the codecs negotiate another TCP connection above 1024 which then negotiates at least 3 UDP data streams each direction on UDP ports above 1024.

The Polycom firewall setting allows you to statically set those ports so you don't have to open a large range in the firewall.

The PIX has a H323 FIXUP command that attempts to track the ports and dynamically open them.

If you are using NAT the Polycom has spaces for the inside and WAN addresses because the IP address is embedded in the negotiation.

One other issue with the PIX is the negotiated TCP connection can be closed prematurely by the PIX if you don't increase the half-closed settings. Closing it will disconnect the call, which typically happened around 30 minutes to one hour in if not set correctly.

Also the FIXUP doesn't always work if a call is hung up and immediately retried unless you have the ports statically set in the Codec.
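The reply's port model (call setup on TCP 1720, which PIX names h323, one negotiated H.245 TCP connection, and the RTP/RTCP UDP streams, all pinned by the Polycom firewall setting to a fixed range) can be checked mechanically against the access-list in the question. The script below is an added example, not code from the thread or from Cisco or Polycom: it parses PIX-style `access-list ... eq` lines, expands the named port, and reports which ports of the assumed fixed range 3230-3235 (taken from the question's rules) are missing and which opened ports fall outside that signalling/media model. Run on the question's own rules it shows that TCP 3234 is not permitted while the rest of the range is, and lists 1503, 1718, 1719, 1721 and 1731 as outside the model (1718/1719 are gatekeeper RAS and 1503 is T.120, so they may still be wanted; the point is to review each one rather than open a wide range). The `range` keyword in the suggested rules is standard PIX ACL syntax.

```python
"""Audit a PIX access-list for an H.323 endpoint that uses fixed ports.

Added example (not from the thread). Assumptions: the endpoint's firewall
setting pins H.245 and media to 3230-3235, the public address is the
question's literal 156.x.x.x, and only "any -> host eq <port>" rules occur.
"""
import re
from dataclasses import dataclass

# PIX resolves a few well-known names in ACLs; only the one on the page is modelled.
PIX_PORT_NAMES = {"h323": 1720}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+any\s+"
    r"host\s+(?P<host>\S+)\s+eq\s+(?P<port>\S+)\s*$"
)

# Constructed sample input: the access-list lines posted in the question.
QUESTION_ACL = """
access-list 101 permit tcp any host 156.x.x.x eq h323
access-list 101 permit tcp any host 156.x.x.x eq 3230
access-list 101 permit tcp any host 156.x.x.x eq 3231
access-list 101 permit tcp any host 156.x.x.x eq 3232
access-list 101 permit tcp any host 156.x.x.x eq 3233
access-list 101 permit tcp any host 156.x.x.x eq 3235
access-list 101 permit tcp any host 156.x.x.x eq 1503
access-list 101 permit udp any host 156.x.x.x eq 3230
access-list 101 permit udp any host 156.x.x.x eq 3231
access-list 101 permit udp any host 156.x.x.x eq 3232
access-list 101 permit udp any host 156.x.x.x eq 3233
access-list 101 permit udp any host 156.x.x.x eq 3234
access-list 101 permit udp any host 156.x.x.x eq 3235
access-list 101 permit udp any host 156.x.x.x eq 1721
access-list 101 permit udp any host 156.x.x.x eq 1718
access-list 101 permit udp any host 156.x.x.x eq 1719
access-list 101 permit tcp any host 156.x.x.x eq 1731
"""


@dataclass(frozen=True)
class Rule:
    proto: str
    host: str
    port: int


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit tcp|udp any host H eq P' lines into Rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        port = m.group("port")
        port_num = PIX_PORT_NAMES[port] if port in PIX_PORT_NAMES else int(port)
        rules.append(Rule(m.group("proto"), m.group("host"), port_num))
    return rules


def audit_h323_rules(rules, host, fixed_range):
    """Compare opened ports for `host` with the fixed-port H.323 model.

    Returns, per protocol, the expected ports that are not opened ("missing")
    and the opened ports that the model does not account for ("extra").
    """
    lo, hi = fixed_range
    expected = {
        "tcp": {1720} | set(range(lo, hi + 1)),  # H.225 call setup + H.245
        "udp": set(range(lo, hi + 1)),           # RTP/RTCP media streams
    }
    opened = {"tcp": set(), "udp": set()}
    for r in rules:
        if r.host == host:
            opened[r.proto].add(r.port)
    return {
        proto: {
            "missing": sorted(expected[proto] - opened[proto]),
            "extra": sorted(opened[proto] - expected[proto]),
        }
        for proto in expected
    }


def suggest_rules(acl_name, host, fixed_range):
    """Emit the minimal rule set for the model using PIX's `range` operator."""
    lo, hi = fixed_range
    return [
        f"access-list {acl_name} permit tcp any host {host} eq h323",
        f"access-list {acl_name} permit tcp any host {host} range {lo} {hi}",
        f"access-list {acl_name} permit udp any host {host} range {lo} {hi}",
    ]


if __name__ == "__main__":
    findings = audit_h323_rules(parse_acl(QUESTION_ACL), "156.x.x.x", (3230, 3235))
    for proto, f in findings.items():
        print(f"{proto}: missing={f['missing']} extra={f['extra']}")
    print("\n".join(suggest_rules("101", "156.x.x.x", (3230, 3235))))
```

The half-closed timeout and the fixup behaviour the reply mentions are not visible in the ACL and have to be checked on the PIX itself; this script only answers the "are those the right ports" part of the question for an endpoint with statically set ports.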