Solved

Cisco IOS firewall won't allow h323 connections

Posted on 2007-04-02
3
3,004 Views
Last Modified: 2013-11-16
I've got a Cisco 2851 router that's acting as a firewall. It's running IOS 12.4 and I'm using the IOS firewall in it. My problem is I can't get h323 (specifically for Polycom video conferencing) to work properly while passing through the device. All other traffic in either direction works as advertised. I've disabled the ACLs and the inspect statements, and the problem stays. Any thoughts?
0
Question by:HSBSupport
3 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 18857223
In your inspect statements were you inspecting h323?  Can you post a sanitized config that you were trying?  If you are doing PAT, it will not work without the inspects.
0
 
LVL 1

Author Comment

by:HSBSupport
ID: 18858222
Below is the inspect section of the config, and the setup of the interface. The access-list has the correct ports open to the VC units, and each video conference unit has a static public IP that is NATed. To add to this, I've set up a test router with a PC on either side running VC software. The router is exactly the same as the one we're having issues with, right down to using the same configuration. Just after the router boots, I can create a connection between the two PCs using the software; after the router runs for about 10 - 15 minutes, I can no longer create the same connection.

Inspect statements (I know the sessions are set really high. Just haven't cut them back yet)
ip inspect max-incomplete high 10000
ip inspect max-incomplete low 9000
ip inspect one-minute high 6000
ip inspect one-minute low 5000
ip inspect tcp max-incomplete host 250 block-time 0
ip inspect name Inspect-g1 cuseeme
ip inspect name Inspect-g1 dns
ip inspect name Inspect-g1 ftp
ip inspect name Inspect-g1 https
ip inspect name Inspect-g1 icmp
ip inspect name Inspect-g1 imap
ip inspect name Inspect-g1 pop3
ip inspect name Inspect-g1 netshow
ip inspect name Inspect-g1 rcmd
ip inspect name Inspect-g1 realaudio
ip inspect name Inspect-g1 esmtp
ip inspect name Inspect-g1 sqlnet
ip inspect name Inspect-g1 streamworks
ip inspect name Inspect-g1 tftp
ip inspect name Inspect-g1 vdolive
ip inspect name Inspect-g1 rtsp
ip inspect name Inspect-g1 tcp
ip inspect name Inspect-g1 udp
ip inspect name Inspect-g1 h323
ip inspect name Inspect-g1 h323callsigalt
ip inspect name Inspect-g1 h323gatestat


Interface config (we're using a 4 port module in order to gain more ports for all the connections we needed)
interface Vlan19
 description InternetLink
 bandwidth 9216
 ip address 165.166.5.130 255.255.255.128
 ip access-group ACL_OUT2 in
 ip verify unicast reverse-path
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip inspect Inspect-g1 out
 ip virtual-reassembly
 no ip route-cache cef
 service-policy output COL_OUT-MPLS
0
 
LVL 1

Accepted Solution

by:HSBSupport earned 0 total points
ID: 19768698
After a few days and long hours with TAC....

The fix was reverse route maps and ACLs to keep the h323 traffic out of NAT.
0
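The accepted answer only names the technique, not the configuration. The fragment below is an added example of one way to keep a class of traffic out of dynamic NAT on IOS with a route-map and ACL deny entries; it is not the thread's actual fix. Vlan19 is the outside interface from the posted config; the inside VLAN, the 10.19.0.0/24 network, the VC unit address 10.19.0.50 and the ACL/route-map names are constructed placeholders.

```cisco
! Added example, not the poster's configuration.
! Goal: traffic matching a "deny" entry in the route-map's ACL never gets a
! NAT entry, so the H.323 call signalling from the VC unit is left untouched
! while the rest of the inside network is still PATed to Vlan19.
!
! 1. ACL: deny = "do not translate", permit = "translate as usual".
!    H.225 call signalling (tcp/1720) and RAS (udp/1718-1719) are the
!    well-known H.323 ports; 10.19.0.50 is a constructed VC unit address.
ip access-list extended NAT_EXEMPT_H323
 deny   tcp host 10.19.0.50 any eq 1720
 deny   udp host 10.19.0.50 any range 1718 1719
 permit ip 10.19.0.0 0.0.0.255 any
!
! 2. Route-map consulted by the dynamic translation rule.
route-map NAT_RM permit 10
 match ip address NAT_EXEMPT_H323
!
! 3. Overloaded (PAT) translation for everything the route-map matches.
!    Vlan19 is the outside interface from the posted config.
ip nat inside source route-map NAT_RM interface Vlan19 overload
!
! 4. Inside interface of the VC unit (name constructed).
interface Vlan10
 ip nat inside
!
! Check: after placing a call, the VC unit's tcp/1720 flow should be absent
! from "show ip nat translations" while its ordinary traffic still appears;
! "show ip inspect sessions" shows what the firewall is tracking.
```

Whatever is exempted from translation still needs a routable source address on the outside, so an endpoint that depends on a static public mapping for its call signalling cannot simply be excluded from NAT; decide per flow which mapping it should use.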
