DLSEC
How do I unblock ports on cisco 2801 router?

I'm having a problem with a polycom trying to dial to a remote location(the service center) from our office.

The service center has tried dialing this office through a video bridge many times from there. It rings here, but the Polycom will not pick up. However, when a call is initiated from here to the bridge at the service center, it will connect.
They did a port scan from there to the private IP address, 10.26.1.5, which is NATed in my router (Cisco 2801) to another IP address here (192.168.1.150). The port scan shows only a few ports open: 21, 23, 24, 80, 443, 990, 992, 993, 1720, and 5001.
According to Polycom the following ports need to be open for a successful video conference:
H.323 Ports (IP based video conferencing):
•      80 - Static TCP - HTTP Interface (optional)
•      389 - Static TCP - ILS Registration (LDAP)
•      1503 - Static TCP - T.120
•      1718 - Static UDP - Gatekeeper discovery (Must be bidirectional)
•      1719 - Static UDP - Gatekeeper RAS (Must be bidirectional)
•      1720 - Static TCP - H.323 call setup (Must be bidirectional)
•      1731 - Static TCP - Audio Call Control (Must be bidirectional)
•      1024-65535 Dynamic TCP H245
•      1024-65535 Dynamic UDP - RTP (Video data)
•      1024-65535 Dynamic UDP - RTP (Audio data)
•      1024-65535 Dynamic UDP RTCP (Control Information)
As you can see, that means that just about every port in existence needs to be open. The fact that they are not is probably why the video call does not connect from the bridge. It may be that when this condition exists, the inbound ports are being blocked by a firewall or other device, maybe with an access list in a switch. But this is not the case here. The path is: Internet---cisco---switch---polycom.
In the meantime, a video call can connect if it is initiated from here to the service center. The question is how to open the ports up in the Cisco 2801 router?


Soulja

Post your current acl.
DLSEC (asker)

When I do
#show access-list, I get:
Standard IP access list 99
  10 permit 192.168.1.0, wildcard bits 0.0.0.255 (1484 matches)

I don't know much about this Cisco router. Can you tell me the specific command you want me to use?
Thanks.

Soulja

Do

sh ip access-list
DLSEC (asker)

OK, I did that and got the same thing:
#show access-list
Standard IP access list 99
  10 permit 192.168.1.0, wildcard bits 0.0.0.255 (1484 matches)

Soulja

Okay, just post your entire config. That can't possibly be the only ACL, at least I hope not.
DLSEC (asker)

!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLSEC_2801
!
boot-start-marker
boot-end-marker
!
card type t1 0 2
logging buffered 8192 debugging
enable secret 5
!
no aaa new-model
no network-clock-participate wic 2
no network-clock-participate wic 3
ip cef
!
!
!
!
!
!
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/2/1
 framing esf
 linecode b8zs
!
controller T1 0/3/0
 framing esf
 linecode b8zs
!
controller T1 0/3/1
 framing esf
 linecode b8zs
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/2/0:0
 ip address 10.26.254.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 10.26.254.1
!
ip http server
ip nat pool NATP 10.26.1.10 10.26.1.254 netmask 255.255.255.0
ip nat inside source list 99 pool NATP
ip nat inside source static 192.168.1.216 10.26.1.2
ip nat inside source static 192.168.1.150 10.26.1.5
ip nat inside source static 192.168.1.3 10.26.1.6
ip nat inside source static 192.168.1.2 10.26.1.7
ip nat inside source static 192.168.1.9 10.26.1.8
!
access-list 99 permit 192.168.1.0 0.0.0.255
disable-eadi
!
control-plane
!
!
line con 0
 password 7
 login
line aux 0
line vty 0 4
 password 7
 login
!
scheduler allocate 20000 1000
end


ASKER CERTIFIED SOLUTION
Soulja

This solution is only available to members of Experts Exchange.
DLSEC (asker)

Thanks for your help. Do you think the problem could be at the service center, because it looks like everything is good on this end?
Thanks again.
Soulja

All I am saying is that it is not a port issue on your end, because you don't have any ACLs applied to your interfaces. I don't know what is inside your network. There could be ACLs applied on L3 switches if you have them.
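The point Soulja makes (the only ACL on the box, 99, is referenced by the `ip nat inside source list 99 pool NATP` statement to choose which hosts get dynamic NAT; nothing applies it with `ip access-group`, so the 2801 is not filtering any port) can be checked mechanically rather than by eye. The script below is an added example and is not part of the thread or any Cisco or Polycom tool. It parses an abridged copy of the config posted above (embedded as a constructed sample), reports where each ACL is defined and used, lists the 1:1 static NAT entries (which pass every port, including the dynamic H.245 and RTP ranges, so the static map for 10.26.1.5 is not what limits the scan result), and flags whether any interface carries an access-group at all.

```python
"""Added example: audit a Cisco IOS running-config for whether any ACL is
actually applied to an interface, what references each ACL, and which
1:1 static NAT entries exist. Not from the thread; the embedded config is
an abridged copy of the DLSEC_2801 config posted above."""
import re

# Constructed sample: abridged copy of the config posted in the thread.
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip nat inside
!
interface Serial0/2/0:0
 ip address 10.26.254.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 10.26.254.1
ip nat pool NATP 10.26.1.10 10.26.1.254 netmask 255.255.255.0
ip nat inside source list 99 pool NATP
ip nat inside source static 192.168.1.216 10.26.1.2
ip nat inside source static 192.168.1.150 10.26.1.5
ip nat inside source static 192.168.1.3 10.26.1.6
ip nat inside source static 192.168.1.2 10.26.1.7
ip nat inside source static 192.168.1.9 10.26.1.8
!
access-list 99 permit 192.168.1.0 0.0.0.255
"""


def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces


def acl_usage(config):
    """Per ACL: defined?, interfaces applying it via 'ip access-group',
    and NAT statements that merely reference it (those filter nothing)."""
    usage = {}

    def entry(name):
        return usage.setdefault(name, {"defined": False, "access_group": [], "nat": []})

    # numbered ('access-list 99 ...') and named ('ip access-list extended X') ACLs
    for m in re.finditer(r"^(?:access-list (\S+) |ip access-list \S+ (\S+))", config, re.M):
        entry(m.group(1) or m.group(2))["defined"] = True
    # an ACL only drops packets when an interface applies it in or out
    for iface, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            m = re.match(r"ip access-group (\S+) (in|out)$", cmd)
            if m:
                entry(m.group(1))["access_group"].append(f"{iface} {m.group(2)}")
    for m in re.finditer(r"^ip nat inside source list (\S+) .*$", config, re.M):
        entry(m.group(1))["nat"].append(m.group(0))
    return usage


def static_nat(config):
    """Return {global (outside) IP: local (inside) IP} for 1:1 static NAT.
    The two-token form maps every port; port-specific statics
    ('static tcp <in> <port> <out> <port>') have more tokens and are skipped."""
    pairs = {}
    for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)$", config, re.M):
        pairs[m.group(2)] = m.group(1)
    return pairs


def report(config):
    """Human-readable summary, returned as a list of lines."""
    usage, lines = acl_usage(config), []
    for acl, u in sorted(usage.items()):
        where = ", ".join(u["access_group"]) or "NOT applied to any interface"
        lines.append(f"ACL {acl}: defined={u['defined']}; access-group: {where}; "
                     f"NAT references: {len(u['nat'])}")
    for glob, local in sorted(static_nat(config).items()):
        lines.append(f"static NAT {glob} <-> {local} (all ports)")
    if not any(u["access_group"] for u in usage.values()):
        lines.append("no interface applies an ACL: this router filters no ports")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RUNNING_CONFIG)))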
DLSEC (asker)

Thank you.