KnowledgeServices asked:

Port forwarding configuration, can't establish inbound H323 connection

Hi,
I am setting up Video Conferencing between two DVC1000 video conference units.  

I would like to be able to establish inbound H323 calls from other video conference units; however, currently I am not able to. When viewing a sniffer capture on the inside of the Cisco router I am only able to see the 1720 TCP initiation traffic; the router is not allowing the 15328 - 15333 TCP/UDP traffic to pass into the router.

I have set up a MIP connection on a NetScreen, and am able to dial outbound from the Cisco into the NetScreen, however not vice versa.

Any suggestions would be appreciated, below is my config.

Thanks  


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ContractorsLAN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$.4H.$rwx2Wc5ZoN8Lu4a9mMfVN.
!
no aaa new-model
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server xxx.xxx.xxx.xxx
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 210.48.65.2
ip name-server 210.48.66.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3476989018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3476989018
 revocation-check none
 rsakeypair TP-self-signed-3476989018
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address XXX.XXX.XXX.XXX 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 XXXXXXXX
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static tcp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static tcp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static tcp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static tcp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static tcp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static udp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static udp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static udp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static udp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 2500 interface FastEthernet4 2500
ip nat inside source static udp 192.168.1.50 2500 interface FastEthernet4 2500
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit tcp any any eq 15329
access-list 101 permit tcp any any eq 15330
access-list 101 permit tcp any any eq 15331
access-list 101 permit tcp any any eq 15332
access-list 101 permit tcp any any eq 15333
access-list 101 permit udp any any eq 15333
access-list 101 permit udp any any eq 15332
access-list 101 permit udp any any eq 15331
access-list 101 permit udp any any eq 15330
access-list 101 permit udp any any eq 15329
access-list 101 permit udp any any eq 15328
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 2500
access-list 101 permit udp any any eq 2500
access-list 101 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit icmp any any
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 013F0310532B0A22711C6D590E56
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Les Moore

>interface FastEthernet4
> ip access-group 102 out

Try removing the outbound ACL. Your intent with ACL 102 is to permit all traffic, so by simply removing the ACL you are actually permitting all.

KnowledgeServices (asker)
Thank you for your comments. I have just made the change to the router and the H323 connection is still not able to establish, no change.

Just as a test, to make sure my access lists and rules are working correctly, I placed an XP workstation on the same network as the video conference unit and added TCP 3389 to the router access list and NAT rule. I was able to successfully connect to the workstation via RDP, so it appears my access lists and rules are working correctly.

There must be something different about trying to establish an H323 connection. Do you have any other suggestions?
I have just removed all the 'ip nat inside source static' routes on specific ports and added the command ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable. This appears to have resolved the issue; however, it still takes 3 - 4 attempts before a session can establish correctly. I am going to try changing the default route to the outside interface instead of the next hop router and see if that helps.

Would appreciate your suggestions.

Thanks
Check the default gateway settings on the Video server.
ASKER CERTIFIED SOLUTION
The--Captain

This solution is only available to members.
Thanks heaps for your help, guys. Jon, you put me on the right track.

When issuing the command ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable no-payload the H323 connection establishes without any problems.

Thanks again,

Christian
Thanks heaps for your accurate help, I appreciate all the information you provided.
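The config as posted, and the final fix, carry a security point the thread never spells out. Inbound ACL 101 ends with permit ip any any, so every port-by-port permit above it is dead weight, and tcp/23 (telnet, which the vty lines accept with transport input telnet ssh) is reachable from any source on the WAN. The fix that made H323 work, an address-level static NAT with extendable no-payload, then exposes every port of the conference unit behind that same open ACL. The linter below is an added example written for this page, not code from the post, from Cisco or from the DVC1000 vendor. It parses static NAT and numbered extended ACL lines from three inputs: a constructed subset of the posted config, the asker's final state (203.0.113.10 stands in for the public address the post masks as xxx), and a tightened ACL that is my suggestion, not something the thread proposes. The ACL evaluation is deliberately simplified to packets from an arbitrary Internet host, so only 'any any' entries are considered.

```python
"""Lint a Cisco IOS port-forward setup: does inbound ACL 101 match the static NAT
mappings, and what else does it admit?  Added example, not code from the post."""
import re
from typing import List, NamedTuple, Optional
# Constructed excerpt of the config posted above (a subset of its NAT and ACL 101
# lines; the full config forwards tcp and udp 15328-15333 and 2500 the same way).
POSTED_CONFIG = """
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit tcp any any eq telnet
access-list 101 permit ip any any
"""
_NAT = "\n".join(l for l in POSTED_CONFIG.splitlines() if l.startswith("ip nat"))
_ACL = "\n".join(l for l in POSTED_CONFIG.splitlines() if l.startswith("access-list"))
# The asker's final state: address-level static NAT with ALG payload rewriting off,
# behind the same open ACL.  203.0.113.10 stands in for the masked public address.
RESOLVED_CONFIG = "ip nat inside source static 192.168.1.50 203.0.113.10 extendable no-payload\n" + _ACL

# Same forwards behind a tightened ACL (my suggestion): forwarded ports only, H.323 range collapsed, no telnet, logged deny.
HARDENED_CONFIG = _NAT + """
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 15328 15333
access-list 101 permit udp any any range 15328 15333
access-list 101 deny   ip any any log
"""
NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}
def _port(tok): return NAMED_PORTS.get(tok) or int(tok)

class Ace(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    ports: Optional[frozenset]    # None = any destination port

# proto None = address-level mapping: every port of inside_ip is translated.
StaticNat = NamedTuple("StaticNat", [("proto", Optional[str]), ("inside_ip", str),
                                     ("inside_port", Optional[int]), ("outside_port", Optional[int])])

def _addr(toks):
    """Consume one IOS address spec: 'any' | 'host A' | 'A wildcard'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]

def parse_acl(config: str, number: int) -> List[Ace]:
    aces = []
    for line in config.splitlines():
        if m := re.match(rf"access-list {number} (permit|deny)\s+(\S+)\s+(.+)", line.strip()):
            action, proto, rest = m.groups()
            src, toks = _addr(rest.split())
            dst, toks = _addr(toks)
            ports = None                  # a trailing 'log' keyword is ignored
            if toks[:1] == ["eq"]:
                ports = frozenset({_port(toks[1])})
            elif toks[:1] == ["range"]:
                ports = frozenset(range(_port(toks[1]), _port(toks[2]) + 1))
            aces.append(Ace(action, proto, src, dst, ports))
    return aces

PORT_NAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|\S+) (\d+)")
ADDR_NAT = re.compile(r"ip nat inside source static (\d+(?:\.\d+){3}) \S+")
def parse_static_nat(config: str) -> List[StaticNat]:
    nats = []
    for line in config.splitlines():
        if m := PORT_NAT.match(line.strip()):
            proto, ip, in_port, out_port = m.groups()
            nats.append(StaticNat(proto, ip, int(in_port), int(out_port)))
        elif m := ADDR_NAT.match(line.strip()):
            nats.append(StaticNat(None, m.group(1), None, None))
    return nats

def permitted(aces: List[Ace], proto: str, port: int) -> bool:
    """First match wins for a packet from any Internet host; only 'any any' entries can match it."""
    for a in aces:
        if a.src == a.dst == "any" and a.proto in (proto, "ip") and (a.ports is None or port in a.ports):
            return a.action == "permit"
    return False                          # no match: IOS's implicit deny

def lint(config: str, acl_number: int = 101) -> List[str]:
    aces, nats = parse_acl(config, acl_number), parse_static_nat(config)
    findings = []
    for i, a in enumerate(aces):
        if a.action == "permit" and a.proto == "ip" and a.src == a.dst == "any":
            findings.append(f"entry {i + 1} 'permit ip any any' admits everything; the {sum(b.action == 'permit' for b in aces[:i])} port-specific permits before it are decoration")
            break
    if permitted(aces, "tcp", 23) and not any(n.outside_port == 23 for n in nats):
        findings.append("tcp/23 (telnet) is admitted from any source to the router itself")
    for n in nats:
        if n.proto is None:
            findings.append(f"address-level static NAT exposes every port of {n.inside_ip}; only the ACL bounds it")
        elif not permitted(aces, n.proto, n.outside_port):
            findings.append(f"forward {n.proto}/{n.outside_port} -> {n.inside_ip}:{n.inside_port} is blocked by the ACL")
    return findings
```

Running lint() over the three inputs gives two findings for the posted config (the catch-all permit and telnet), three for the resolved state (those two plus the whole-host exposure), and none for the tightened ACL. Two caveats before copying the tightened ACL onto a router: IOS access lists are stateless, so once the catch-all is gone, return traffic for sessions opened outbound through the overload NAT needs CBAC (ip inspect) or a zone-based firewall on the WAN interface, or outbound calls and ordinary browsing stop working; and no-payload only stops the router's H.323 ALG from rewriting the addresses embedded in the signalling, so the unit behind the NAT has to know and advertise its public address itself.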