
NAT on 3945 with H323 security and SRTP


We have implemented a 3945 router for H.323 videoconferencing purposes.

On the LAN side, there is an MCU (Polycom) and on the WAN, many endpoints.

MCU <-> 3945 <-> Internet <-> Endpoints

NAT is implemented on the router.

H.323 security with SRTP is not working when endpoints try to establish a videoconference with the MCU. We do not encounter any problem with non-encrypted videoconferences.

When we bypass the router (MCU directly connected to Internet), H.323 security with SRTP is working.

We have deactivated all the ip inspect and the ACLs on all the interfaces, but nothing works.

Does the NAT on the router support H.323 security / SRTP?

Attached is the result of debug ip nat for an encrypted session and for a non-encrypted session.

Thanks a lot for your help.

// Version

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
Technical Support:
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 18-Jul-10 06:43 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

R1-3945 uptime is 39 weeks, 6 days, 17 hours, 4 minutes
System returned to ROM by power-on
System restarted at 15:49:22 FR Tue Nov 23 2010
System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M3.bin"
Last reload type: Normal Reload

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 987136K/61440K bytes of memory.
Processor board ID FCZ1431706Y
4 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)


// Configuration

interface GigabitEthernet0/0
 description **to WAN**
 ip address X.X.X.X
 ip access-group wan_access_in in
 ip nat outside
 ip inspect FW in
 ip virtual-reassembly
 duplex full
 speed 1000

interface GigabitEthernet1/0
 description **to LAN**
 ip address
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly

ip nat inside source static X.X.X.Y

Javier Cuadros

Hi Alexis,

I'm having the same issue here: H.323 IP phones on a remote network and a 39xx IOS proxy. Did you make it work? Can you please share the config?

