Solved

Port forwarding configuration, can't establish inbound H323 connection

Posted on 2008-06-16
1,275 Views
Last Modified: 2010-04-21
Hi,
I am setting up Video Conferencing between two DVC1000 video conference units.  

I would like to be able to establish inbound H323 calls from other video conference units; however, I am currently not able to. When viewing a sniffer capture on the inside of the Cisco router I am only able to see the 1720 TCP initiation traffic; the router is not allowing the 15328 - 15333 tcp / udp traffic to pass into the router.

I have setup a MIP connection on a netscreen, and am able to dial outbound from the Cisco into the Netscreen however not vice versa.

Any suggestions would be appreciated, below is my config.

Thanks  


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ContractorsLAN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$.4H.$rwx2Wc5ZoN8Lu4a9mMfVN.
!
no aaa new-model
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server xxx.xxx.xxx.xxx
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 210.48.65.2
ip name-server 210.48.66.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3476989018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3476989018
 revocation-check none
 rsakeypair TP-self-signed-3476989018
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address XXX.XXX.XXX.XXX 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 XXXXXXXX
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static tcp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static tcp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static tcp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static tcp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static tcp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static udp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static udp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static udp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static udp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 2500 interface FastEthernet4 2500
ip nat inside source static udp 192.168.1.50 2500 interface FastEthernet4 2500
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit tcp any any eq 15329
access-list 101 permit tcp any any eq 15330
access-list 101 permit tcp any any eq 15331
access-list 101 permit tcp any any eq 15332
access-list 101 permit tcp any any eq 15333
access-list 101 permit udp any any eq 15333
access-list 101 permit udp any any eq 15332
access-list 101 permit udp any any eq 15331
access-list 101 permit udp any any eq 15330
access-list 101 permit udp any any eq 15329
access-list 101 permit udp any any eq 15328
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 2500
access-list 101 permit udp any any eq 2500
access-list 101 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit icmp any any
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 013F0310532B0A22711C6D590E56
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:KnowledgeServices
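A cross-check of the posted configuration, added here and not part of the original thread: it parses the `ip nat inside source static` and `access-list 101` lines (a subset of the config above is embedded as sample input) and reports ports forwarded without an explicit permit, ports permitted inbound with no NAT entry, and the trailing `permit ip any any` that makes the per-port permits moot. The IOS port-keyword table is an assumption covering only the names used here.

```python
"""Cross-check IOS static PAT entries against the inbound WAN ACL (added example)."""
import re

# Subset of the router config posted in the question, embedded as sample input.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static udp 192.168.1.50 15328 interface FastEthernet4 15328
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit udp any any eq 15328
access-list 101 permit tcp any any eq telnet
access-list 101 permit ip any any
access-list 102 permit tcp any any
"""

NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80}  # IOS port keywords (assumed subset)
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(\S+) any any(?: eq (\S+))?$")


def parse_config(text, acl="101"):
    """Return (forwards, permits, catch_all): forwards maps (proto, outside_port) ->
    (inside_ip, inside_port); permits is the set of (proto, port) the ACL allows
    inbound; catch_all is True when the ACL contains 'permit ip any any'."""
    forwards, permits, catch_all = {}, set(), False
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, inside, inport, outport = m.groups()
            forwards[(proto, int(outport))] = (inside, int(inport))
            continue
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl and m.group(2) == "permit":
            proto, port = m.group(3), m.group(4)
            if proto == "ip" and port is None:
                catch_all = True  # trailing permit-all: later per-port logic is cosmetic
            elif port is not None:
                permits.add((proto, int(port) if port.isdigit() else NAMED_PORTS[port]))
    return forwards, permits, catch_all


def audit(text):
    """Findings a reviewer would raise about what the WAN interface exposes."""
    forwards, permits, catch_all = parse_config(text)
    findings = [f"{p}/{n} forwarded but not explicitly permitted" for p, n in sorted(set(forwards) - permits)]
    findings += [f"{p}/{n} permitted inbound with no NAT entry, so it reaches the router itself"
                 for p, n in sorted(permits - set(forwards))]
    if catch_all:
        findings.append("ACL ends with 'permit ip any any': every forward is reachable regardless of per-port permits")
    return findings
```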
7 Comments
LVL 79

Expert Comment

by:lrmoore
>interface FastEthernet4
> ip access-group 102 out

Try removing the outbound acl. Your intent with acl 102 is to permit all traffic, then by simply removing the acl you are actually permitting all.


Author Comment

by:KnowledgeServices
Thank you for your comments. I have just made the change to the router and the H323 connection is still not able to establish, no change.

Just as a test to make sure my access lists and rules are working correctly, I placed an XP workstation on the same network as the video conference unit and added TCP 3389 to the router access list and nat rule. I was able to successfully connect to the workstation via RDP so it appears my access lists and rules are working correctly.

There must be something different about trying to establish an H323 connection, do you have any other suggestions?

Author Comment

by:KnowledgeServices
I have just removed all the 'ip nat inside source static' routes on specific ports and added the command ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable. This appears to have resolved the issue, however it still takes 3 - 4 attempts before a session can establish correctly. I am going to try changing the default route to the outside interface instead of the next hop router and see if that helps.

Would appreciate your suggestions.

Thanks
LVL 79

Expert Comment

by:lrmoore
Check the default gateway settings on the Video server.
LVL 16

Accepted Solution

by:The--Captain (earned 500 total points)
I'm surprised it works at all - H323 AFAIK is technically "unroutable", since it includes IP information typically required to establish the connection in the data section of the packet (not in the header - "bad protocol, no dessert for you!")

There *are* some workarounds for this, IIRC - usually in the server and/or client config (generally you tell them to ignore the IP in the data portion, and indicate that if you're receiving the packet, you want to process it regardless). (That advice is based upon my dealings with VoIP protocols, which act in an equally annoying manner.)

If you want it to work properly every time, you might want to look into an H323 gatekeeper:

http://www.cisco.com/warp/public/788/voip/understand-gatekeepers.html
http://www.gnugk.org/h323-intro.html

Cheers,
-Jon

Author Comment

by:KnowledgeServices
Thanks heaps for your help guys. Jon, you put me on the right track.

When issuing the command ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable no-payload the H323 connection establishes without any problems.

Thanks again,

Christian

Author Closing Comment

by:KnowledgeServices
Thanks heaps for your accurate help, I appreciate all the information you provided.