NAT on 3945 with H323 security and SRTP

afroissart
Level 1

Hello,

We have implemented a 3945 router for H.323 videoconferencing purposes.

On the LAN side, there is an MCU (Polycom) and on the WAN, many endpoints.

MCU <-> 3945 <-> Internet <-> Endpoints

NAT is implemented on the router.

H.323 security with SRTP is not working when endpoints try to establish a videoconference with the MCU. We do not encounter any problem with non-encrypted videoconferences.

When we bypass the router (MCU directly connected to Internet), H.323 security with SRTP is working.

We have deactivated all the ip inspect and the ACLs on all the interfaces, but nothing works.

Does NAT on the router support H.323 security / SRTP?

Attached are the results of debug ip nat for an encrypted session and for a non-encrypted session.

Thanks a lot for your help.

// Version

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 18-Jul-10 06:43 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

R1-3945 uptime is 39 weeks, 6 days, 17 hours, 4 minutes
System returned to ROM by power-on
System restarted at 15:49:22 FR Tue Nov 23 2010
System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M3.bin"
Last reload type: Normal Reload
...
Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 987136K/61440K bytes of memory.
Processor board ID FCZ1431706Y
4 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
..

// Configuration

interface GigabitEthernet0/0
 description **to WAN**
 ip address X.X.X.X 255.255.255.0
 ip access-group wan_access_in in
 ip nat outside
 ip inspect FW in
 ip virtual-reassembly
 duplex full
 speed 1000
!
interface GigabitEthernet1/0
 description **to LAN**
 ip address 10.27.0.254 255.255.255.0
 ip nat inside
 ip inspect FW in
 ip virtual-reassembly
!
ip nat inside source static 10.27.0.2 X.X.X.Y

1 Reply

Javier Cuadros
Level 1

Hi Alexis,

I'm having the same issue here: H.323 IP phones on a remote network and a 39xx IOS proxy. Did you make it work? Can you please share the config?

Thanks.
