Solved

Port forwarding configuration, can't establish inbound H323 connection

Posted on 2008-06-16
Last Modified: 2010-04-21
Hi,
I am setting up Video Conferencing between two DVC1000 video conference units.  

I would like to be able to establish inbound H323 calls from other Video conference units, however I am currently not able to. When viewing a sniffer capture on the inside of the Cisco router I am only able to see the 1720 TCP initiation traffic; the router is not allowing the 15328 - 15333 tcp / udp traffic to pass into the router.

I have set up a MIP connection on a Netscreen, and am able to dial outbound from the Cisco into the Netscreen, however not vice versa.

Any suggestions would be appreciated, below is my config.

Thanks  


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ContractorsLAN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$.4H.$rwx2Wc5ZoN8Lu4a9mMfVN.
!
no aaa new-model
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server xxx.xxx.xxx.xxx
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 210.48.65.2
ip name-server 210.48.66.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3476989018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3476989018
 revocation-check none
 rsakeypair TP-self-signed-3476989018
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address XXX.XXX.XXX.XXX 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 XXXXXXXX
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static tcp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static tcp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static tcp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static tcp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static tcp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15333 interface FastEthernet4 15333
ip nat inside source static udp 192.168.1.50 15332 interface FastEthernet4 15332
ip nat inside source static udp 192.168.1.50 15331 interface FastEthernet4 15331
ip nat inside source static udp 192.168.1.50 15330 interface FastEthernet4 15330
ip nat inside source static udp 192.168.1.50 15329 interface FastEthernet4 15329
ip nat inside source static udp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 2500 interface FastEthernet4 2500
ip nat inside source static udp 192.168.1.50 2500 interface FastEthernet4 2500
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit tcp any any eq 15329
access-list 101 permit tcp any any eq 15330
access-list 101 permit tcp any any eq 15331
access-list 101 permit tcp any any eq 15332
access-list 101 permit tcp any any eq 15333
access-list 101 permit udp any any eq 15333
access-list 101 permit udp any any eq 15332
access-list 101 permit udp any any eq 15331
access-list 101 permit udp any any eq 15330
access-list 101 permit udp any any eq 15329
access-list 101 permit udp any any eq 15328
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 2500
access-list 101 permit udp any any eq 2500
access-list 101 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit icmp any any
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 013F0310532B0A22711C6D590E56
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:KnowledgeServices
Expert Comment by: lrmoore (ID: 21801987)
>interface FastEthernet4
> ip access-group 102 out

Try removing the outbound acl. Your intent with acl 102 is to permit all traffic, so by simply removing the acl you are actually permitting all.

Author Comment by: KnowledgeServices (ID: 21807345)
Thank you for your comments. I have just made the change to the router and the H323 connection is still not able to establish, no change.

Just as a test to make sure my access lists and rules are working correctly, I placed an XP workstation on the same network as the video conference unit and added TCP 3389 to the router access list and nat rule. I was able to successfully connect to the workstation via RDP so it appears my access lists and rules are working correctly.

There must be something different about trying to establish an H323 connection, do you have any other suggestions?
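An added example, not from the thread: a Python audit of a constructed config excerpt modelled on the one posted above. It pairs each static NAT forward on the outside interface with a port-specific permit in that interface's inbound ACL, and also reports the blanket "permit ip any any" at the end of ACL 101, which makes the per-port permits redundant and leaves the NAT table as the only thing limiting what reaches the inside. The excerpt is constructed and deliberately leaves out the TCP 2500 permit so the check has something to flag.

```python
# Audit a Cisco IOS excerpt: static NAT forwards vs port-specific ACL permits, plus a blanket-permit check
import re

# Constructed excerpt modelled on the posted config (not the full config); the TCP 2500
# permit is deliberately left out so the audit has something to flag.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip access-group 101 in
 ip nat outside
ip nat inside source static tcp 192.168.1.50 1720 interface FastEthernet4 1720
ip nat inside source static tcp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static udp 192.168.1.50 15328 interface FastEthernet4 15328
ip nat inside source static tcp 192.168.1.50 2500 interface FastEthernet4 2500
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 15328
access-list 101 permit udp any any eq 15328
access-list 101 permit ip any any
"""
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(\S+)(.*)$")

def parse(config):
    # Returns (outside interface, its inbound ACL number, static forwards, ACL entries by number)
    iface, outside, acl_in, forwards, acls = None, None, {}, [], {}
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith(" ip access-group ") and line.endswith(" in"):
            acl_in[iface] = line.split()[2]
        elif line.strip() == "ip nat outside":
            outside = iface
        elif m := STATIC_RE.match(line):
            forwards.append(m.groups())  # (proto, inside ip, inside port, nat iface, outside port)
        elif m := ACL_RE.match(line):
            num, action, proto, rest = m.groups()
            port = re.search(r"\beq (\S+)", rest)
            acls.setdefault(num, []).append((action, proto, port.group(1) if port else None))
    return outside, acl_in.get(outside), forwards, acls

def audit(config):
    # Simplification: ACL ordering and source-based deny lines are not evaluated.
    outside, acl_num, forwards, acls = parse(config)
    entries = acls.get(acl_num, [])
    specific = {(p, port) for a, p, port in entries if a == "permit" and port}
    blanket = any(a == "permit" and p == "ip" and port is None for a, p, port in entries)
    unpermitted = [(proto, oport) for proto, _ip, _iport, nat_if, oport in forwards
                   if nat_if == outside and (proto, oport) not in specific]
    return {"outside": outside, "acl": acl_num, "blanket_permit": blanket,
            "unpermitted": unpermitted, "forward_count": len(forwards)}
```

Run audit(SAMPLE_CONFIG) and it reports the TCP 2500 forward as having no port-specific permit while also showing that the blanket permit admits it anyway.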
Author Comment by: KnowledgeServices (ID: 21807820)
I have just removed all the 'ip nat inside source static' routes on specific ports and added the command 'ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable'. This appears to have resolved the issue, however it still takes 3 - 4 attempts before a session can establish correctly. I am going to try changing the default route to the outside interface instead of the next hop router and see if that helps.

Would appreciate your suggestions.

Thanks
Expert Comment by: lrmoore (ID: 21812530)
Check the default gateway settings on the Video server.
Accepted Solution by: The--Captain (earned 500 total points, ID: 21817006)
I'm surprised it works at all - H323 AFAIK is technically "unroutable", since it includes IP information typically required to establish the connection in the data section of the packet (not in the header - "bad protocol, no dessert for you!").

There *are* some workarounds for this, IIRC - usually in the server and/or client config (generally you tell them to ignore the IP in the data portion, and indicate that if you're receiving the packet, you want to process it regardless). That advice is based upon my dealings with VoIP protocols, which act in an equally annoying manner.

If you want it to work properly every time, you might want to look into an H323 gatekeeper:

http://www.cisco.com/warp/public/788/voip/understand-gatekeepers.html
http://www.gnugk.org/h323-intro.html

Cheers,
-Jon
Author Comment by: KnowledgeServices (ID: 21818556)
Thanks heaps for your help guys. Jon, you put me on the right track.

When issuing the command ip nat inside source static xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx extendable no-payload the H323 connection establishes without any problems.

Thanks again,

Christian
Author Closing Comment by: KnowledgeServices (ID: 31467803)
Thanks heaps for your accurate help, I appreciate all the information you provided.