NAT Issue

Hello All Experts,

We have a Cisco 877W router. I plugged a Polycom video conferencing unit into the Cisco and gave it the static IP 10.10.10.2. I am able to access this unit in a browser at http://10.10.10.2. We have the public IP address 203.X.X.X; as soon as someone dials that IP using their VC unit, it should reach our internal IP address 10.10.10.2. Also, should we be able to get to it when we type 203.X.X.X from outside the office? I think the issue is in NAT, but I can't understand it.

Can anyone help me ?

Regards
comteam#sh run
Building configuration...

Current configuration : 7986 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname comteam
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-814900924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-814900924
 revocation-check none
 rsakeypair TP-self-signed-814900924
!
!
crypto pki certificate chain TP-self-signed-814900924
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid comteam
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXXXXX
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.2
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
   lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 203.0.178.191
ip name-server 203.215.29.191
!
!
!
username XXXXXXXXX privilege 15 password XXXXXXXXX
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all Streaming-Video
 match access-group 103
class-map match-all video-conf
 match access-group 102
class-map match-all Video-Conf
 match access-group 102
!
!
policy-map qos-policy
 class video-conf
  bandwidth 512
 class class-default
  fair-queue
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 ATM0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static tcp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static tcp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static udp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static udp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static udp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static tcp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static tcp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static tcp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static tcp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static tcp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static tcp 10.10.10.2 3235 interface Dialer0 3235
ip nat inside source static udp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static udp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static udp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static udp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static udp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static udp 10.10.10.2 3235 interface Dialer0 3235
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
!
!
control-plane
!
bridge 1 route ip

!
line con 0
 password 7 011009094B1E120A33584B08145346445A
 login local
 no modem enable
line aux 0
 password 7 011009094B1E120A33584B08145346445A
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 011009094B1E120A33584B08145346445A
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

vikrantambhore Asked:
lost_enigma (VP of IT infrastructure) Commented:
NAT is configured the correct way, but those are not all the ports necessary for H.323.
You can't connect to your device from the external network? What about port 80?
BTW, it is not secure to open port 80 to the external network.

Read more from the manufacturer about your device.

Here is a short summary of the ports necessary for H.323.
H.323 Ports:
• 80 - Static TCP - HTTP Interface (optional) web access
• 389 - Static TCP - ILS Registration (LDAP)
• 1503 - Static TCP - T.120
• 1718 - Static UDP - Gatekeeper discovery (Must be bidirectional)
• 1719 - Static UDP - Gatekeeper RAS (Must be bidirectional)
• 1720 - Static TCP - H.323 call setup (Must be bidirectional)
• 1731 - Static TCP - Audio Call Control (Must be bidirectional)
• 1024-65535 Dynamic TCP H245
• 1024-65535 Dynamic UDP - RTP (Video data)
• 1024-65535 Dynamic UDP - RTP (Audio data)
• 1024-65535 Dynamic UDP RTCP (Control Information)
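
An added example, not part of the comment above or of the original thread: a short Python audit that parses `ip nat inside source static` lines and compares them with the static ports in the H.323 list above. The function names and the sample text (a constructed subset of the NAT lines posted in the question) are assumptions made for illustration; the dynamic 1024-65535 ranges are not checked.

```python
import re

# Static H.323 ports from the list above: (protocol, port) -> purpose.
REQUIRED = {
    ("tcp", 389): "ILS registration (LDAP)",
    ("tcp", 1503): "T.120",
    ("udp", 1718): "Gatekeeper discovery",
    ("udp", 1719): "Gatekeeper RAS",
    ("tcp", 1720): "H.323 call setup",
    ("tcp", 1731): "Audio call control",
}
# The optional web interface: exposing it should be a deliberate decision.
MANAGEMENT = {("tcp", 80)}

STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
)

def parse_static_nat(config):
    """Return (proto, inside_ip, inside_port, interface, outside_port) tuples."""
    rules = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line)
        if m:
            proto, ip, in_port, iface, out_port = m.groups()
            rules.append((proto, ip, int(in_port), iface, int(out_port)))
    return rules

def audit(config, host):
    """Compare the static forwards for one inside host with the port list."""
    rules = [r for r in parse_static_nat(config) if r[1] == host]
    forwarded = {(r[0], r[2]) for r in rules}
    return {
        "missing": sorted(k for k in REQUIRED if k not in forwarded),
        "management_exposed": sorted(MANAGEMENT & forwarded),
        "remapped": sorted((r[0], r[2], r[4]) for r in rules if r[2] != r[4]),
    }

# Constructed sample: a subset of the static NAT lines posted in the question.
SAMPLE = """\
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static tcp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static tcp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static udp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static tcp 10.10.10.2 3230 interface Dialer0 3230
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "10.10.10.2").items():
        print(key, value)
```
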

vikrantambhore (Author) Commented:
Hello,

My customer said he requires it; he wants to access the VC through the static IP.

I don't know why.
vikrantambhore (Author) Commented:
Is anyone there to help me? We need to access the Polycom from outside.
lost_enigma (VP of IT infrastructure) Commented:
Wait, NAT looks correct.
What is the question?
I gave you the full specification of the other ports. Some of them are not opened at your firewall/NAT.
Did you make NAT rules for the other ports necessary for H.323?
vikrantambhore (Author) Commented:
I know, dear, NAT looks correct, so why am I unable to access the Polycom from outside?
I am using the fixed ports below for video and audio on the Polycom; all ports are working fine except port 80.

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static tcp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static tcp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static udp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static udp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static udp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static tcp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static tcp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static tcp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static tcp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static tcp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static tcp 10.10.10.2 3235 interface Dialer0 3235
ip nat inside source static udp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static udp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static udp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static udp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static udp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static udp 10.10.10.2 3235 interface Dialer0 3235
lost_enigma (VP of IT infrastructure) Commented:
So, "can't access": you mean by web only?

Are calls being made correctly?

I think the easiest way is to try to view the NAT translations or to debug the NAT rules (to see if it is working).

Try to change the web publishing rule like this:
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80 extendable

If that does not help, I think you should check your device settings, I mean the Polycom. Possibly some web restrictions or misconfiguration are there.
vikrantambhore (Author) Commented:
Hi bro,

I can access this unit perfectly on the LAN at http://10.10.10.2
I can make calls correctly
I need to access this unit from outside
ArneLovius Commented:

Unlike, say, HTTP traffic, where the address is only in the packet header, with H.323 it is also in the payload, and so the router needs to be able to rewrite the addresses in the payload.

This can be done in IOS, but the IOS level and feature set are critical.

In no particular order...

https://supportforums.cisco.com/thread/209723
http://knowledgebase.polycom.com/kb/search.do?cmd=displayKC&docType=kc&externalId=10171&sliceId=SAL_PUBLIC_1_2&dialogID=6358598&stateId=0%200%206350123
https://cisco-support.hosted.jivesoftware.com/thread/206743
ArneLovius Commented:
Just requesting a delete without any reason?
vikrantambhore (Author) Commented:
The issue has been solved at my own level?

Thanks for giving time to help.
ArneLovius Commented:
If you post the solution it would be appreciated.
vikrantambhore (Author) Commented:
No prob,

The issue has been fixed only by ip nat source static tcp 10.10.10.2 80 interface Dialer 0 8080

Anyway, thanks for your help, ArneLovius. Sorry, I can't accept your solution in this comment.
ArneLovius Commented:
Your "solution" is not valid
vikrantambhore (Author) Commented:
Can you explain why it's not valid? My issue has been solved by entering the above command; now I'm able to access the VC unit at http://203.X.X.X:8080 from outside.

I know my issue is fixed, so please, you can't say your "solution" is not valid.
Anyway, I posted my solution at your request.
ArneLovius Commented:
It doesn't answer the original question, it only answers a later additional question...
vikrantambhore (Author) Commented:
Please read carefully the end of my original question (should we be able to get to that when we type 203.X.X.X, from out of office). I mean I was unable to access the VC unit from outside even after opening port 80 on the Cisco. Now I am able to. That's all.

If I was wrong while posting the question, then sorry for that.
lost_enigma (VP of IT infrastructure) Commented:
Wait, did I tell you to check the configuration settings of your device?

@@@If that does not help, I think you should check your device settings, I mean the Polycom. Possibly some web restrictions or misconfiguration are there.@@@
vikrantambhore (Author) Commented:
Hi lost_enigma,

I need to know,
Can you please suggest how to open the above-mentioned port bidirectionally?


Regards

Vikrant