foobar_666uk

asked on

Problems allowing H323 through CISCO 877 Router with Firewall enabled

I am having a problem with a CISCO 877 router with H323 traffic. I can initiate connections from inside to outside, but when someone initiates a connection from outside to inside the connection starts, but then fails.

I strongly suspect the problem to be related to this issue:
https://www.experts-exchange.com/questions/22488534/Cisco-IOS-firewall-won't-allow-h323-connections.html?sfQueryTermInfo=1+10+cisco+h323+inspect

In which HSBSupport had this solution:

After a few days and long hours with TAC....

The fix was reverse route maps and ACLs to keep the h323 traffic out of NAT.

Or it may be something with my NAT statements? (do I need extendable no-payload commands?) but how do I implement this on interface Dialer0?

Help here is very much appreciated!! Thanks

Please find config attached.
!This is the running config of the router: 10.0.6.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 secret
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.6.100 10.0.6.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.6.0 255.255.255.0
   dns-server 10.0.0.50 62.189.123.90 
   default-router 10.0.6.1 
   domain-name domain.local
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip tcp synwait-time 10
no ip bootp server
ip domain name domain
ip name-server 10.0.0.50
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1490771268
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1490771268
 revocation-check none
 rsakeypair TP-self-signed-1490771268
!
!
crypto pki certificate chain TP-self-signed-1490771268
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 secret
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secret address *.*.*.*
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to*.*.*.*
 set peer *.*.*.*
 set transform-set ESP-3DES-SHA1 
 match address 103
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.6.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname B250600@hg7.btclick.com
 ppp chap password 7 101C5B110A1043585E51797B
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.6.100 1719 interface Dialer0 1719
ip nat inside source static udp 10.0.6.100 1719 interface Dialer0 1719
ip nat inside source static tcp 10.0.6.100 80 interface Dialer0 80
ip nat inside source static tcp 10.0.6.100 1720 interface Dialer0 1720
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.6.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 100 permit udp host 178.86.205.41 host 10.0.6.1 eq non500-isakmp
access-list 100 permit udp host 178.86.205.41 host 10.0.6.1 eq isakmp
access-list 100 permit esp host 178.86.205.41 host 10.0.6.1
access-list 100 permit ahp host 178.86.205.41 host 10.0.6.1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1720
access-list 101 permit udp host 10.0.0.50 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 101 permit udp host 78.86.205.141 any eq non500-isakmp
access-list 101 permit udp host 78.86.205.141 any eq isakmp
access-list 101 permit esp host 78.86.205.141 any
access-list 101 permit ahp host 78.86.205.141 any
access-list 101 permit udp host 62.189.123.90 eq domain any
access-list 101 deny   ip 10.0.6.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 101 permit udp any any eq 1719
access-list 101 permit tcp any any eq 1719
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.0.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 permit ip 10.0.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

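In ACL 101 as posted, "deny ip any any" comes before the two "permit ... eq 1719" entries, so under IOS first-match evaluation those permits can never be hit. The following is an added example, not code from the post or from Cisco: a small parser for numbered extended ACL lines that reports entries shadowed by an earlier one; it assumes only the ACE syntax used in this config (any / host / wildcard addresses, eq and range port operators), and its sample ACL text is constructed from the question's ACL 101.

```python
"""Shadowed-entry check for a Cisco IOS numbered extended ACL (added example, not Cisco code).
Models only the ACE syntax seen in the posted config and IOS first-match evaluation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}  # names used in the post
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}

# Constructed sample: the ACL 101 entries in the order they appear in the question.
ACL_101 = """\
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 1720
access-list 101 permit udp host 10.0.0.50 eq domain any
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 101 deny   ip 10.0.6.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any
access-list 101 permit udp any any eq 1719
access-list 101 permit tcp any any eq 1719
"""

@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: Tuple[int, int]               # (network, wildcard) as 32-bit integers
    sport: Optional[Tuple[int, int]]   # inclusive (low, high) port range; None = any port
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]
    qual: Tuple[str, ...]              # trailing qualifiers, e.g. an ICMP type or 'established'

def ip2int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _take_addr(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tok."""
    word = tok.pop(0)
    if word == "any":
        return (0, 0xFFFFFFFF)
    if word == "host":
        return (ip2int(tok.pop(0)), 0)
    return (ip2int(word), ip2int(tok.pop(0)))

def _take_port(tok: List[str]) -> Optional[Tuple[int, int]]:
    """Consume an optional 'eq P' or 'range A B'; other tokens are left in place."""
    if tok and tok[0] == "eq":
        port = PORT_NAMES.get(tok[1]) or int(tok[1])
        del tok[:2]
        return (port, port)
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2])
        del tok[:3]
        return (lo, hi)
    return None

def parse_ace(line: str, lineno: int = 0) -> Optional[Ace]:
    """Parse 'access-list N action proto src [port] dst [port] [qualifiers]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] not in PROTOCOLS:
        return None  # blank line, remark, standard ACL or unsupported syntax
    action, proto, rest = tok[2], tok[3], tok[4:]
    src = _take_addr(rest)
    sport = _take_port(rest) if proto in ("tcp", "udp") else None
    dst = _take_addr(rest)
    dport = _take_port(rest) if proto in ("tcp", "udp") else None
    return Ace(lineno, action, proto, src, sport, dst, dport, tuple(rest))

def _addr_covers(e: Tuple[int, int], r: Tuple[int, int]) -> bool:
    (enet, ewild), (rnet, rwild) = e, r
    mask = ~ewild & 0xFFFFFFFF     # fixed bits of the earlier entry
    return (ewild | rwild) == ewild and (enet & mask) == (rnet & mask)

def _port_covers(e, r) -> bool:
    return e is None or (r is not None and e[0] <= r[0] and r[1] <= e[1])

def covers(e: Ace, r: Ace) -> bool:
    """True if every packet that would match r is already matched by the earlier entry e."""
    if e.proto != "ip" and e.proto != r.proto:
        return False
    if e.qual and e.qual != r.qual:  # e carries a qualifier r lacks, so e is narrower
        return False
    return (_addr_covers(e.src, r.src) and _addr_covers(e.dst, r.dst)
            and _port_covers(e.sport, r.sport) and _port_covers(e.dport, r.dport))

def shadowed_entries(acl_text: str) -> List[Tuple[int, int]]:
    """Return (unreachable_line, shadowing_line) for each entry an earlier one hides."""
    aces = [a for a in (parse_ace(l, n) for n, l in enumerate(acl_text.splitlines(), 1)) if a]
    found = []
    for i, later in enumerate(aces):
        hit = next((e for e in aces[:i] if covers(e, later)), None)
        if hit is not None:
            found.append((later.line, hit.line))
    return found

if __name__ == "__main__":
    lines = ACL_101.splitlines()
    for dead, by in shadowed_entries(ACL_101):
        print(f"line {dead} ({lines[dead - 1]}) never matches: shadowed by line {by}")
```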

HSBSupport

Looks like you may not have enough ports open for h323 to come in. I see 1720 for call setup which is why it looks like it starts. What VC equipment/software are you using?
foobar_666uk (ASKER)

Hi HSBSupport,

I didn't list all of the ports in my config, as it makes it very long, but here are all the additional ports I have opened...

(I have configured this to allow both Tandberg & Polycom Video Conferencing endpoints through, as I am creating a base config for different sites with different systems)

! H323 Generic Ports
ip nat inside source static udp 10.0.7.100 1719 interface Dialer0 1719
ip nat inside source static tcp 10.0.7.100 1720 interface Dialer0 1720

! Management Ports
ip nat inside source static tcp 10.0.7.100 80 interface Dialer0 80
ip nat inside source static tcp 10.0.7.100 443 interface Dialer0 443
ip nat inside source static tcp 10.0.7.100 23 interface Dialer0 23
ip nat inside source static tcp 10.0.7.100 57 interface Dialer0 57
ip nat inside source static udp 10.0.7.100 161 interface Dialer0 161
ip nat inside source static udp 10.0.7.100 162 interface Dialer0 162
ip nat inside source static tcp 10.0.7.100 21 interface Dialer0 21
ip nat inside source static udp 10.0.7.100 20 interface Dialer0 20

! Tandberg Static Ports
ip nat inside source static tcp 10.0.7.100 5555 interface Dialer0 5555
ip nat inside source static tcp 10.0.7.100 5556 interface Dialer0 5556
ip nat inside source static tcp 10.0.7.100 5557 interface Dialer0 5557
ip nat inside source static tcp 10.0.7.100 5558 interface Dialer0 5558
ip nat inside source static tcp 10.0.7.100 5559 interface Dialer0 5559
ip nat inside source static tcp 10.0.7.100 5560 interface Dialer0 5560
ip nat inside source static tcp 10.0.7.100 5561 interface Dialer0 5561
ip nat inside source static tcp 10.0.7.100 5562 interface Dialer0 5562
ip nat inside source static tcp 10.0.7.100 5563 interface Dialer0 5563
ip nat inside source static tcp 10.0.7.100 5564 interface Dialer0 5564
ip nat inside source static tcp 10.0.7.100 5565 interface Dialer0 5565
ip nat inside source static tcp 10.0.7.100 5566 interface Dialer0 5566
ip nat inside source static tcp 10.0.7.100 5567 interface Dialer0 5567
ip nat inside source static tcp 10.0.7.100 5568 interface Dialer0 5568
ip nat inside source static tcp 10.0.7.100 5569 interface Dialer0 5569
ip nat inside source static tcp 10.0.7.100 5570 interface Dialer0 5570
ip nat inside source static tcp 10.0.7.100 5571 interface Dialer0 5571
ip nat inside source static tcp 10.0.7.100 5572 interface Dialer0 5572
ip nat inside source static tcp 10.0.7.100 5573 interface Dialer0 5573
ip nat inside source static tcp 10.0.7.100 5574 interface Dialer0 5574
ip nat inside source static udp 10.0.7.100 2326 interface Dialer0 2326
ip nat inside source static udp 10.0.7.100 2327 interface Dialer0 2327
ip nat inside source static udp 10.0.7.100 2328 interface Dialer0 2328
ip nat inside source static udp 10.0.7.100 2329 interface Dialer0 2329
ip nat inside source static udp 10.0.7.100 2330 interface Dialer0 2330
ip nat inside source static udp 10.0.7.100 2331 interface Dialer0 2331
ip nat inside source static udp 10.0.7.100 2332 interface Dialer0 2332
ip nat inside source static udp 10.0.7.100 2333 interface Dialer0 2333
ip nat inside source static udp 10.0.7.100 2334 interface Dialer0 2334
ip nat inside source static udp 10.0.7.100 2335 interface Dialer0 2335
ip nat inside source static udp 10.0.7.100 2336 interface Dialer0 2336
ip nat inside source static udp 10.0.7.100 2337 interface Dialer0 2337
ip nat inside source static udp 10.0.7.100 2338 interface Dialer0 2338
ip nat inside source static udp 10.0.7.100 2339 interface Dialer0 2339
ip nat inside source static udp 10.0.7.100 2340 interface Dialer0 2340
ip nat inside source static udp 10.0.7.100 2341 interface Dialer0 2341
ip nat inside source static udp 10.0.7.100 2342 interface Dialer0 2342
ip nat inside source static udp 10.0.7.100 2343 interface Dialer0 2343
ip nat inside source static udp 10.0.7.100 2344 interface Dialer0 2344
ip nat inside source static udp 10.0.7.100 2345 interface Dialer0 2345
ip nat inside source static udp 10.0.7.100 2346 interface Dialer0 2346
ip nat inside source static udp 10.0.7.100 2347 interface Dialer0 2347
ip nat inside source static udp 10.0.7.100 2348 interface Dialer0 2348
ip nat inside source static udp 10.0.7.100 2349 interface Dialer0 2349
ip nat inside source static udp 10.0.7.100 2350 interface Dialer0 2350
ip nat inside source static udp 10.0.7.100 2351 interface Dialer0 2351
ip nat inside source static udp 10.0.7.100 2352 interface Dialer0 2352
ip nat inside source static udp 10.0.7.100 2353 interface Dialer0 2353
ip nat inside source static udp 10.0.7.100 2354 interface Dialer0 2354
ip nat inside source static udp 10.0.7.100 2355 interface Dialer0 2355
ip nat inside source static udp 10.0.7.100 2356 interface Dialer0 2356
ip nat inside source static udp 10.0.7.100 2357 interface Dialer0 2357
ip nat inside source static udp 10.0.7.100 2358 interface Dialer0 2358
ip nat inside source static udp 10.0.7.100 2359 interface Dialer0 2359
ip nat inside source static udp 10.0.7.100 2360 interface Dialer0 2360
ip nat inside source static udp 10.0.7.100 2361 interface Dialer0 2361
ip nat inside source static udp 10.0.7.100 2362 interface Dialer0 2362
ip nat inside source static udp 10.0.7.100 2363 interface Dialer0 2363
ip nat inside source static udp 10.0.7.100 2364 interface Dialer0 2364
ip nat inside source static udp 10.0.7.100 2365 interface Dialer0 2365
ip nat inside source static udp 10.0.7.100 2366 interface Dialer0 2366
ip nat inside source static udp 10.0.7.100 2367 interface Dialer0 2367
ip nat inside source static udp 10.0.7.100 2368 interface Dialer0 2368
ip nat inside source static udp 10.0.7.100 2369 interface Dialer0 2369
ip nat inside source static udp 10.0.7.100 2370 interface Dialer0 2370
ip nat inside source static udp 10.0.7.100 2371 interface Dialer0 2371
ip nat inside source static udp 10.0.7.100 2372 interface Dialer0 2372
ip nat inside source static udp 10.0.7.100 2373 interface Dialer0 2373
ip nat inside source static udp 10.0.7.100 2374 interface Dialer0 2374
ip nat inside source static udp 10.0.7.100 2375 interface Dialer0 2375
ip nat inside source static udp 10.0.7.100 2376 interface Dialer0 2376
ip nat inside source static udp 10.0.7.100 2377 interface Dialer0 2377
ip nat inside source static udp 10.0.7.100 2378 interface Dialer0 2378
ip nat inside source static udp 10.0.7.100 2379 interface Dialer0 2379
ip nat inside source static udp 10.0.7.100 2380 interface Dialer0 2380
ip nat inside source static udp 10.0.7.100 2381 interface Dialer0 2381
ip nat inside source static udp 10.0.7.100 2382 interface Dialer0 2382
ip nat inside source static udp 10.0.7.100 2383 interface Dialer0 2383
ip nat inside source static udp 10.0.7.100 2384 interface Dialer0 2384
ip nat inside source static udp 10.0.7.100 2385 interface Dialer0 2385
ip nat inside source static udp 10.0.7.100 2386 interface Dialer0 2386
ip nat inside source static udp 10.0.7.100 2387 interface Dialer0 2387
ip nat inside source static udp 10.0.7.100 2388 interface Dialer0 2388
ip nat inside source static udp 10.0.7.100 2389 interface Dialer0 2389
ip nat inside source static udp 10.0.7.100 2390 interface Dialer0 2390
ip nat inside source static udp 10.0.7.100 2391 interface Dialer0 2391
ip nat inside source static udp 10.0.7.100 2392 interface Dialer0 2392
ip nat inside source static udp 10.0.7.100 2393 interface Dialer0 2393
ip nat inside source static udp 10.0.7.100 2394 interface Dialer0 2394
ip nat inside source static udp 10.0.7.100 2395 interface Dialer0 2395
ip nat inside source static udp 10.0.7.100 2396 interface Dialer0 2396
ip nat inside source static udp 10.0.7.100 2397 interface Dialer0 2397
ip nat inside source static udp 10.0.7.100 2398 interface Dialer0 2398
ip nat inside source static udp 10.0.7.100 2399 interface Dialer0 2399
ip nat inside source static udp 10.0.7.100 2400 interface Dialer0 2400
ip nat inside source static udp 10.0.7.100 2401 interface Dialer0 2401
ip nat inside source static udp 10.0.7.100 2402 interface Dialer0 2402
ip nat inside source static udp 10.0.7.100 2403 interface Dialer0 2403
ip nat inside source static udp 10.0.7.100 2404 interface Dialer0 2404
ip nat inside source static udp 10.0.7.100 2405 interface Dialer0 2405
ip nat inside source static udp 10.0.7.100 2406 interface Dialer0 2406
ip nat inside source static udp 10.0.7.100 2407 interface Dialer0 2407
ip nat inside source static udp 10.0.7.100 2408 interface Dialer0 2408
ip nat inside source static udp 10.0.7.100 2409 interface Dialer0 2409
ip nat inside source static udp 10.0.7.100 2410 interface Dialer0 2410
ip nat inside source static udp 10.0.7.100 2411 interface Dialer0 2411
ip nat inside source static udp 10.0.7.100 2412 interface Dialer0 2412
ip nat inside source static udp 10.0.7.100 2413 interface Dialer0 2413
ip nat inside source static udp 10.0.7.100 2414 interface Dialer0 2414
ip nat inside source static udp 10.0.7.100 2415 interface Dialer0 2415
ip nat inside source static udp 10.0.7.100 2416 interface Dialer0 2416
ip nat inside source static udp 10.0.7.100 2417 interface Dialer0 2417
ip nat inside source static udp 10.0.7.100 2418 interface Dialer0 2418
ip nat inside source static udp 10.0.7.100 2419 interface Dialer0 2419
ip nat inside source static udp 10.0.7.100 2420 interface Dialer0 2420
ip nat inside source static udp 10.0.7.100 2421 interface Dialer0 2421
ip nat inside source static udp 10.0.7.100 2422 interface Dialer0 2422
ip nat inside source static udp 10.0.7.100 2423 interface Dialer0 2423
ip nat inside source static udp 10.0.7.100 2424 interface Dialer0 2424
ip nat inside source static udp 10.0.7.100 2425 interface Dialer0 2425
ip nat inside source static udp 10.0.7.100 2426 interface Dialer0 2426
ip nat inside source static udp 10.0.7.100 2427 interface Dialer0 2427
ip nat inside source static udp 10.0.7.100 2428 interface Dialer0 2428
ip nat inside source static udp 10.0.7.100 2429 interface Dialer0 2429
ip nat inside source static udp 10.0.7.100 2430 interface Dialer0 2430
ip nat inside source static udp 10.0.7.100 2431 interface Dialer0 2431
ip nat inside source static udp 10.0.7.100 2432 interface Dialer0 2432
ip nat inside source static udp 10.0.7.100 2433 interface Dialer0 2433
ip nat inside source static udp 10.0.7.100 2434 interface Dialer0 2434
ip nat inside source static udp 10.0.7.100 2435 interface Dialer0 2435
ip nat inside source static udp 10.0.7.100 2436 interface Dialer0 2436
ip nat inside source static udp 10.0.7.100 2437 interface Dialer0 2437
ip nat inside source static udp 10.0.7.100 2438 interface Dialer0 2438
ip nat inside source static udp 10.0.7.100 2439 interface Dialer0 2439
ip nat inside source static udp 10.0.7.100 2440 interface Dialer0 2440
ip nat inside source static udp 10.0.7.100 2441 interface Dialer0 2441
ip nat inside source static udp 10.0.7.100 2442 interface Dialer0 2442
ip nat inside source static udp 10.0.7.100 2443 interface Dialer0 2443
ip nat inside source static udp 10.0.7.100 2444 interface Dialer0 2444
ip nat inside source static udp 10.0.7.100 2445 interface Dialer0 2445
ip nat inside source static udp 10.0.7.100 2446 interface Dialer0 2446
ip nat inside source static udp 10.0.7.100 2447 interface Dialer0 2447
ip nat inside source static udp 10.0.7.100 2448 interface Dialer0 2448
ip nat inside source static udp 10.0.7.100 2449 interface Dialer0 2449
ip nat inside source static udp 10.0.7.100 2450 interface Dialer0 2450
ip nat inside source static udp 10.0.7.100 2451 interface Dialer0 2451
ip nat inside source static udp 10.0.7.100 2452 interface Dialer0 2452
ip nat inside source static udp 10.0.7.100 2453 interface Dialer0 2453
ip nat inside source static udp 10.0.7.100 2454 interface Dialer0 2454
ip nat inside source static udp 10.0.7.100 2455 interface Dialer0 2455
ip nat inside source static udp 10.0.7.100 2456 interface Dialer0 2456
ip nat inside source static udp 10.0.7.100 2457 interface Dialer0 2457
ip nat inside source static udp 10.0.7.100 2458 interface Dialer0 2458
ip nat inside source static udp 10.0.7.100 2459 interface Dialer0 2459
ip nat inside source static udp 10.0.7.100 2460 interface Dialer0 2460
ip nat inside source static udp 10.0.7.100 2461 interface Dialer0 2461
ip nat inside source static udp 10.0.7.100 2462 interface Dialer0 2462
ip nat inside source static udp 10.0.7.100 2463 interface Dialer0 2463
ip nat inside source static udp 10.0.7.100 2464 interface Dialer0 2464
ip nat inside source static udp 10.0.7.100 2465 interface Dialer0 2465
ip nat inside source static udp 10.0.7.100 2466 interface Dialer0 2466
ip nat inside source static udp 10.0.7.100 2467 interface Dialer0 2467
ip nat inside source static udp 10.0.7.100 2468 interface Dialer0 2468
ip nat inside source static udp 10.0.7.100 2469 interface Dialer0 2469
ip nat inside source static udp 10.0.7.100 2470 interface Dialer0 2470
ip nat inside source static udp 10.0.7.100 2471 interface Dialer0 2471
ip nat inside source static udp 10.0.7.100 2472 interface Dialer0 2472
ip nat inside source static udp 10.0.7.100 2473 interface Dialer0 2473
ip nat inside source static udp 10.0.7.100 2474 interface Dialer0 2474
ip nat inside source static udp 10.0.7.100 2475 interface Dialer0 2475
ip nat inside source static udp 10.0.7.100 2476 interface Dialer0 2476
ip nat inside source static udp 10.0.7.100 2477 interface Dialer0 2477
ip nat inside source static udp 10.0.7.100 2478 interface Dialer0 2478
ip nat inside source static udp 10.0.7.100 2479 interface Dialer0 2479
ip nat inside source static udp 10.0.7.100 2480 interface Dialer0 2480
ip nat inside source static udp 10.0.7.100 2481 interface Dialer0 2481
ip nat inside source static udp 10.0.7.100 2482 interface Dialer0 2482
ip nat inside source static udp 10.0.7.100 2483 interface Dialer0 2483
ip nat inside source static udp 10.0.7.100 2484 interface Dialer0 2484
ip nat inside source static udp 10.0.7.100 2485 interface Dialer0 2485


! Polycom Static Ports
ip nat inside source static tcp 10.0.7.100 3230 interface Dialer0 3230
ip nat inside source static tcp 10.0.7.100 3231 interface Dialer0 3231
ip nat inside source static tcp 10.0.7.100 3232 interface Dialer0 3232
ip nat inside source static tcp 10.0.7.100 3233 interface Dialer0 3233
ip nat inside source static tcp 10.0.7.100 3234 interface Dialer0 3234
ip nat inside source static tcp 10.0.7.100 3235 interface Dialer0 3235
ip nat inside source static tcp 10.0.7.100 3236 interface Dialer0 3236
ip nat inside source static tcp 10.0.7.100 3237 interface Dialer0 3237
ip nat inside source static tcp 10.0.7.100 3238 interface Dialer0 3238
ip nat inside source static tcp 10.0.7.100 3239 interface Dialer0 3239
ip nat inside source static tcp 10.0.7.100 3240 interface Dialer0 3240
ip nat inside source static tcp 10.0.7.100 3241 interface Dialer0 3241
ip nat inside source static tcp 10.0.7.100 3242 interface Dialer0 3242
ip nat inside source static tcp 10.0.7.100 3243 interface Dialer0 3243
ip nat inside source static udp 10.0.7.100 3230 interface Dialer0 3230
ip nat inside source static udp 10.0.7.100 3231 interface Dialer0 3231
ip nat inside source static udp 10.0.7.100 3232 interface Dialer0 3232
ip nat inside source static udp 10.0.7.100 3233 interface Dialer0 3233
ip nat inside source static udp 10.0.7.100 3234 interface Dialer0 3234
ip nat inside source static udp 10.0.7.100 3235 interface Dialer0 3235
ip nat inside source static udp 10.0.7.100 3236 interface Dialer0 3236
ip nat inside source static udp 10.0.7.100 3237 interface Dialer0 3237
ip nat inside source static udp 10.0.7.100 3238 interface Dialer0 3238
ip nat inside source static udp 10.0.7.100 3239 interface Dialer0 3239
ip nat inside source static udp 10.0.7.100 3240 interface Dialer0 3240
ip nat inside source static udp 10.0.7.100 3241 interface Dialer0 3241
ip nat inside source static udp 10.0.7.100 3242 interface Dialer0 3242
ip nat inside source static udp 10.0.7.100 3243 interface Dialer0 3243
ip nat inside source static udp 10.0.7.100 3244 interface Dialer0 3244
ip nat inside source static udp 10.0.7.100 3245 interface Dialer0 3245
ip nat inside source static udp 10.0.7.100 3246 interface Dialer0 3246
ip nat inside source static udp 10.0.7.100 3247 interface Dialer0 3247
ip nat inside source static udp 10.0.7.100 3248 interface Dialer0 3248
ip nat inside source static udp 10.0.7.100 3249 interface Dialer0 3249
ip nat inside source static udp 10.0.7.100 3250 interface Dialer0 3250
ip nat inside source static udp 10.0.7.100 3251 interface Dialer0 3251
ip nat inside source static udp 10.0.7.100 3252 interface Dialer0 3252
ip nat inside source static udp 10.0.7.100 3253 interface Dialer0 3253
ip nat inside source static udp 10.0.7.100 3254 interface Dialer0 3254
ip nat inside source static udp 10.0.7.100 3255 interface Dialer0 3255
ip nat inside source static udp 10.0.7.100 3256 interface Dialer0 3256
ip nat inside source static udp 10.0.7.100 3257 interface Dialer0 3257
ip nat inside source static udp 10.0.7.100 3258 interface Dialer0 3258
ip nat inside source static udp 10.0.7.100 3259 interface Dialer0 3259
ip nat inside source static udp 10.0.7.100 3260 interface Dialer0 3260
ip nat inside source static udp 10.0.7.100 3261 interface Dialer0 3261
ip nat inside source static udp 10.0.7.100 3262 interface Dialer0 3262
ip nat inside source static udp 10.0.7.100 3263 interface Dialer0 3263
ip nat inside source static udp 10.0.7.100 3264 interface Dialer0 3264
ip nat inside source static udp 10.0.7.100 3265 interface Dialer0 3265
ip nat inside source static udp 10.0.7.100 3266 interface Dialer0 3266
ip nat inside source static udp 10.0.7.100 3267 interface Dialer0 3267
ip nat inside source static udp 10.0.7.100 3268 interface Dialer0 3268
ip nat inside source static udp 10.0.7.100 3269 interface Dialer0 3269
ip nat inside source static udp 10.0.7.100 3270 interface Dialer0 3270
ip nat inside source static udp 10.0.7.100 3271 interface Dialer0 3271
ip nat inside source static udp 10.0.7.100 3272 interface Dialer0 3272
ip nat inside source static udp 10.0.7.100 3273 interface Dialer0 3273
ip nat inside source static udp 10.0.7.100 3274 interface Dialer0 3274
ip nat inside source static udp 10.0.7.100 3275 interface Dialer0 3275
ip nat inside source static udp 10.0.7.100 3276 interface Dialer0 3276
ip nat inside source static udp 10.0.7.100 3277 interface Dialer0 3277
ip nat inside source static udp 10.0.7.100 3278 interface Dialer0 3278
ip nat inside source static udp 10.0.7.100 3279 interface Dialer0 3279
ip nat inside source static udp 10.0.7.100 3280 interface Dialer0 3280
ip nat inside source static udp 10.0.7.100 3281 interface Dialer0 3281
ip nat inside source static udp 10.0.7.100 3282 interface Dialer0 3282
ip nat inside source static udp 10.0.7.100 3283 interface Dialer0 3283
ip nat inside source static udp 10.0.7.100 3284 interface Dialer0 3284
ip nat inside source static udp 10.0.7.100 3285 interface Dialer0 3285



! H323 Generic Ports
access-list 101 permit udp any any eq 1719
access-list 101 permit tcp any any eq 1720

! Management Ports
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 57
access-list 101 permit udp any any eq 161
access-list 101 permit udp any any eq 162
access-list 101 permit tcp any any eq 21
access-list 101 permit udp any any eq 20

! Tandberg Static Ports
access-list 101 permit tcp any any eq 5555
access-list 101 permit tcp any any eq 5556
access-list 101 permit tcp any any eq 5557
access-list 101 permit tcp any any eq 5558
access-list 101 permit tcp any any eq 5559
access-list 101 permit tcp any any eq 5560
access-list 101 permit tcp any any eq 5561
access-list 101 permit tcp any any eq 5562
access-list 101 permit tcp any any eq 5563
access-list 101 permit tcp any any eq 5564
access-list 101 permit tcp any any eq 5565
access-list 101 permit tcp any any eq 5566
access-list 101 permit tcp any any eq 5567
access-list 101 permit tcp any any eq 5568
access-list 101 permit tcp any any eq 5569
access-list 101 permit tcp any any eq 5570
access-list 101 permit tcp any any eq 5571
access-list 101 permit tcp any any eq 5572
access-list 101 permit tcp any any eq 5573
access-list 101 permit tcp any any eq 5574
access-list 101 permit udp any any eq 2326
access-list 101 permit udp any any eq 2327
access-list 101 permit udp any any eq 2328
access-list 101 permit udp any any eq 2329
access-list 101 permit udp any any eq 2330
access-list 101 permit udp any any eq 2331
access-list 101 permit udp any any eq 2332
access-list 101 permit udp any any eq 2333
access-list 101 permit udp any any eq 2334
access-list 101 permit udp any any eq 2335
access-list 101 permit udp any any eq 2336
access-list 101 permit udp any any eq 2337
access-list 101 permit udp any any eq 2338
access-list 101 permit udp any any eq 2339
access-list 101 permit udp any any eq 2340
access-list 101 permit udp any any eq 2341
access-list 101 permit udp any any eq 2342
access-list 101 permit udp any any eq 2343
access-list 101 permit udp any any eq 2344
access-list 101 permit udp any any eq 2345
access-list 101 permit udp any any eq 2346
access-list 101 permit udp any any eq 2347
access-list 101 permit udp any any eq 2348
access-list 101 permit udp any any eq 2349
access-list 101 permit udp any any eq 2350
access-list 101 permit udp any any eq 2351
access-list 101 permit udp any any eq 2352
access-list 101 permit udp any any eq 2353
access-list 101 permit udp any any eq 2354
access-list 101 permit udp any any eq 2355
access-list 101 permit udp any any eq 2356
access-list 101 permit udp any any eq 2357
access-list 101 permit udp any any eq 2358
access-list 101 permit udp any any eq 2359
access-list 101 permit udp any any eq 2360
access-list 101 permit udp any any eq 2361
access-list 101 permit udp any any eq 2362
access-list 101 permit udp any any eq 2363
access-list 101 permit udp any any eq 2364
access-list 101 permit udp any any eq 2365
access-list 101 permit udp any any eq 2366
access-list 101 permit udp any any eq 2367
access-list 101 permit udp any any eq 2368
access-list 101 permit udp any any eq 2369
access-list 101 permit udp any any eq 2370
access-list 101 permit udp any any eq 2371
access-list 101 permit udp any any eq 2372
access-list 101 permit udp any any eq 2373
access-list 101 permit udp any any eq 2374
access-list 101 permit udp any any eq 2375
access-list 101 permit udp any any eq 2376
access-list 101 permit udp any any eq 2377
access-list 101 permit udp any any eq 2378
access-list 101 permit udp any any eq 2379
access-list 101 permit udp any any eq 2380
access-list 101 permit udp any any eq 2381
access-list 101 permit udp any any eq 2382
access-list 101 permit udp any any eq 2383
access-list 101 permit udp any any eq 2384
access-list 101 permit udp any any eq 2385
access-list 101 permit udp any any eq 2386
access-list 101 permit udp any any eq 2387
access-list 101 permit udp any any eq 2388
access-list 101 permit udp any any eq 2389
access-list 101 permit udp any any eq 2390
access-list 101 permit udp any any eq 2391
access-list 101 permit udp any any eq 2392
access-list 101 permit udp any any eq 2393
access-list 101 permit udp any any eq 2394
access-list 101 permit udp any any eq 2395
access-list 101 permit udp any any eq 2396
access-list 101 permit udp any any eq 2397
access-list 101 permit udp any any eq 2398
access-list 101 permit udp any any eq 2399
access-list 101 permit udp any any eq 2400
access-list 101 permit udp any any eq 2401
access-list 101 permit udp any any eq 2402
access-list 101 permit udp any any eq 2403
access-list 101 permit udp any any eq 2404
access-list 101 permit udp any any eq 2405
access-list 101 permit udp any any eq 2406
access-list 101 permit udp any any eq 2407
access-list 101 permit udp any any eq 2408
access-list 101 permit udp any any eq 2409
access-list 101 permit udp any any eq 2410
access-list 101 permit udp any any eq 2411
access-list 101 permit udp any any eq 2412
access-list 101 permit udp any any eq 2413
access-list 101 permit udp any any eq 2414
access-list 101 permit udp any any eq 2415
access-list 101 permit udp any any eq 2416
access-list 101 permit udp any any eq 2417
access-list 101 permit udp any any eq 2418
access-list 101 permit udp any any eq 2419
access-list 101 permit udp any any eq 2420
access-list 101 permit udp any any eq 2421
access-list 101 permit udp any any eq 2422
access-list 101 permit udp any any eq 2423
access-list 101 permit udp any any eq 2424
access-list 101 permit udp any any eq 2425
access-list 101 permit udp any any eq 2426
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit udp any any eq 2429
access-list 101 permit udp any any eq 2430
access-list 101 permit udp any any eq 2431
access-list 101 permit udp any any eq 2432
access-list 101 permit udp any any eq 2433
access-list 101 permit udp any any eq 2434
access-list 101 permit udp any any eq 2435
access-list 101 permit udp any any eq 2436
access-list 101 permit udp any any eq 2437
access-list 101 permit udp any any eq 2438
access-list 101 permit udp any any eq 2439
access-list 101 permit udp any any eq 2440
access-list 101 permit udp any any eq 2441
access-list 101 permit udp any any eq 2442
access-list 101 permit udp any any eq 2443
access-list 101 permit udp any any eq 2444
access-list 101 permit udp any any eq 2445
access-list 101 permit udp any any eq 2446
access-list 101 permit udp any any eq 2447
access-list 101 permit udp any any eq 2448
access-list 101 permit udp any any eq 2449
access-list 101 permit udp any any eq 2450
access-list 101 permit udp any any eq 2451
access-list 101 permit udp any any eq 2452
access-list 101 permit udp any any eq 2453
access-list 101 permit udp any any eq 2454
access-list 101 permit udp any any eq 2455
access-list 101 permit udp any any eq 2456
access-list 101 permit udp any any eq 2457
access-list 101 permit udp any any eq 2458
access-list 101 permit udp any any eq 2459
access-list 101 permit udp any any eq 2460
access-list 101 permit udp any any eq 2461
access-list 101 permit udp any any eq 2462
access-list 101 permit udp any any eq 2463
access-list 101 permit udp any any eq 2464
access-list 101 permit udp any any eq 2465
access-list 101 permit udp any any eq 2466
access-list 101 permit udp any any eq 2467
access-list 101 permit udp any any eq 2468
access-list 101 permit udp any any eq 2469
access-list 101 permit udp any any eq 2470
access-list 101 permit udp any any eq 2471
access-list 101 permit udp any any eq 2472
access-list 101 permit udp any any eq 2473
access-list 101 permit udp any any eq 2474
access-list 101 permit udp any any eq 2475
access-list 101 permit udp any any eq 2476
access-list 101 permit udp any any eq 2477
access-list 101 permit udp any any eq 2478
access-list 101 permit udp any any eq 2479
access-list 101 permit udp any any eq 2480
access-list 101 permit udp any any eq 2481
access-list 101 permit udp any any eq 2482
access-list 101 permit udp any any eq 2483
access-list 101 permit udp any any eq 2484
access-list 101 permit udp any any eq 2485

\\ Polycom Static Ports
access-list 101 permit tcp any any eq 3230
access-list 101 permit tcp any any eq 3231
access-list 101 permit tcp any any eq 3232
access-list 101 permit tcp any any eq 3233
access-list 101 permit tcp any any eq 3234
access-list 101 permit tcp any any eq 3235
access-list 101 permit tcp any any eq 3236
access-list 101 permit tcp any any eq 3237
access-list 101 permit tcp any any eq 3238
access-list 101 permit tcp any any eq 3239
access-list 101 permit tcp any any eq 3240
access-list 101 permit tcp any any eq 3241
access-list 101 permit tcp any any eq 3242
access-list 101 permit tcp any any eq 3243
access-list 101 permit udp any any eq 3230
access-list 101 permit udp any any eq 3231
access-list 101 permit udp any any eq 3232
access-list 101 permit udp any any eq 3233
access-list 101 permit udp any any eq 3234
access-list 101 permit udp any any eq 3235
access-list 101 permit udp any any eq 3236
access-list 101 permit udp any any eq 3237
access-list 101 permit udp any any eq 3238
access-list 101 permit udp any any eq 3239
access-list 101 permit udp any any eq 3240
access-list 101 permit udp any any eq 3241
access-list 101 permit udp any any eq 3242
access-list 101 permit udp any any eq 3243
access-list 101 permit udp any any eq 3244
access-list 101 permit udp any any eq 3245
access-list 101 permit udp any any eq 3246
access-list 101 permit udp any any eq 3247
access-list 101 permit udp any any eq 3248
access-list 101 permit udp any any eq 3249
access-list 101 permit udp any any eq 3250
access-list 101 permit udp any any eq 3251
access-list 101 permit udp any any eq 3252
access-list 101 permit udp any any eq 3253
access-list 101 permit udp any any eq 3254
access-list 101 permit udp any any eq 3255
access-list 101 permit udp any any eq 3256
access-list 101 permit udp any any eq 3257
access-list 101 permit udp any any eq 3258
access-list 101 permit udp any any eq 3259
access-list 101 permit udp any any eq 3260
access-list 101 permit udp any any eq 3261
access-list 101 permit udp any any eq 3262
access-list 101 permit udp any any eq 3263
access-list 101 permit udp any any eq 3264
access-list 101 permit udp any any eq 3265
access-list 101 permit udp any any eq 3266
access-list 101 permit udp any any eq 3267
access-list 101 permit udp any any eq 3268
access-list 101 permit udp any any eq 3269
access-list 101 permit udp any any eq 3270
access-list 101 permit udp any any eq 3271
access-list 101 permit udp any any eq 3272
access-list 101 permit udp any any eq 3273
access-list 101 permit udp any any eq 3274
access-list 101 permit udp any any eq 3275
access-list 101 permit udp any any eq 3276
access-list 101 permit udp any any eq 3277
access-list 101 permit udp any any eq 3278
access-list 101 permit udp any any eq 3279
access-list 101 permit udp any any eq 3280
access-list 101 permit udp any any eq 3281
access-list 101 permit udp any any eq 3282
access-list 101 permit udp any any eq 3283
access-list 101 permit udp any any eq 3284
access-list 101 permit udp any any eq 3285
First off, you can use ranges with ACLs.
so..
access-list 101 permit tcp any any eq xxxx - yyyy
Second, do you have your VC devices configured to only use these ports? My Polycom systems have to be set, else they will pick a random port between 1024 and 65535.
Third, try adding the lines below to your inspect rule.
Last, I'm assuming you only have one public IP, correct?
 

ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 h323callsigalt
ip inspect name DEFAULT100 h323gatestat


It does not allow me to use ACL ranges? I did try before and I have checked again, but I get the following:

router(config)#access-list 101 permit tcp any any eq 5555 - 5574
                                                                                              ^
% Invalid input detected at '^' marker.
router(config)#access-list 101 permit tcp any any eq 5555?
<0-65535>
router(config)#access-list 101 permit tcp any any eq 5555-?
% Unrecognized command
router(config)#access-list 101 permit tcp any any eq 5555-5574
                                                              ^
% Invalid input detected at '^' marker.

sh ver

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 29-Nov-06 00:43 by kellythw
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
router uptime is 23 hours, 49 minutes
System returned to ROM by reload
System restarted at 15:42:15 PCTime Wed Apr 22 2009
System image file is "flash:c870-advsecurityk9-mz.124-4.T7.bin"
Last reload reason: Reload Command

Any ideas on that one? Should I be able to use ACL ranges? (It would help if I could!!) :)

Secondly, yes, both the Tandberg & Polycom endpoints are fixed to use static ports (not dynamic ports as standard); the statically defined ports are those I have created the NAT & ACL rules for above.

I have added the additional ip inspect commands, but that doesn't appear to have made any difference? Also, as I understand it, Cisco only supports H323 v4, whereas the equipment (Tandberg & Polycom) is using H323 v6, and so some features of H323 do not work when using packet inspection on Cisco firewalls & routers. What I am trying to do is to totally disable any inspection of the packets and simply NAT the ports without any inspection. I think the problem is that even though I specify no ip inspect h323 etc. the Cisco still tries to inspect any NAT statements? There is an extendable no-payload command that you can issue to static NATs with an IP address, but not to interfaces? So I'm at a bit of a loss.

Any further suggestions are very much appreciated....
SOLUTION
HSBSupport
I agree with what you are saying, and this has also confused me (hence my post here!) lol

The only thing I could think of is that on the way out the packets are not inspected, but when packets are coming in they are being inspected by the Cisco.

As a test I did a telnet to port 1720 (h323 control port) from an outside device to the H323 device. It appeared to connect. So I switched the inside H323 device off and expected the same test to result in a time-out, however it still connected to something? I can only assume the CISCO Router picked it up?

I am quite sure if I disabled all inspection on the CISCO Router it would work fine, but how can I do this?
ASKER CERTIFIED SOLUTION
No solution found to this problem. I believe it is a limitation of the Cisco router.
I realize this is a 3+ year old post, but I had a similar issue.  I finally found it after a few hours of debugging.

Remove ip nat service h225, which is enabled by default.  Works like a charm now!

I didn't need all the ACL tweaks either.

Hopefully, this will help someone along the way!
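As an added example (not code from any poster on this thread), here is a small Python audit that does two things the thread discusses: it collapses runs of single-port `eq` entries like the ACL 101 block above into IOS `range lo hi` entries, and it reports whether the H.225 NAT ALG is still active, relying on the IOS behaviour noted in the last reply that `ip nat service h225` is on by default and defaults are not shown in the running config. The sample config lines are constructed for the example.

```python
import re
from itertools import groupby

# Constructed sample in the style of the config posted above (not the full config).
SAMPLE_CONFIG = """\
ip inspect name DEFAULT100 h323
access-list 101 permit udp any any eq 2326
access-list 101 permit udp any any eq 2327
access-list 101 permit udp any any eq 2328
access-list 101 permit tcp any any eq 3230
access-list 101 permit tcp any any eq 3231
access-list 101 permit tcp any any eq 3233
access-list 101 permit udp any any eq 3230
"""

# One single-port numbered-ACL entry: acl, action, proto, src, dst, port
ACL_EQ = re.compile(
    r"^access-list (\d+) (permit|deny) (tcp|udp) (\S+) (\S+) eq (\d+)$")

def collapse_acl_ports(config):
    """Merge 'eq <port>' entries sharing acl/action/proto/src/dst into IOS
    'range <lo> <hi>' entries, one per run of consecutive ports. Assumes no
    conflicting permit/deny on the same port, so regrouping is safe."""
    groups, order = {}, []          # prefix -> ports, first-seen prefix order
    for line in config.splitlines():
        m = ACL_EQ.match(line.strip())
        if not m:
            continue
        key = m.groups()[:5]
        if key not in groups:
            groups[key] = set()
            order.append(key)
        groups[key].add(int(m.group(6)))
    out = []
    for key in order:
        ports = sorted(groups[key])
        # port minus its index is constant across a run of consecutive ports
        for _, run in groupby(enumerate(ports), key=lambda ip: ip[1] - ip[0]):
            run = [p for _, p in run]
            spec = f"eq {run[0]}" if len(run) == 1 else f"range {run[0]} {run[-1]}"
            out.append(" ".join(["access-list", *key, spec]))
    return out

def h225_alg_enabled(config):
    """IOS enables the H.225 NAT ALG by default and omits defaults from the
    running config, so it is active unless the explicit 'no' form is present."""
    return not any(l.strip() == "no ip nat service h225"
                   for l in config.splitlines())
```

Running `collapse_acl_ports` over the full ACL 101 block above would reduce the per-port UDP entries to a handful of `range` lines, and `h225_alg_enabled` returning True on a config with H.323 NAT trouble points at the fix the last reply describes.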