asked on
Deny TCP outbound connection Polycom and Cisco ASA 5540
Hi,
I am encountering a problem to successfully setup my Polycom HDX 8000 behind Cisco 5540 ASA Firewall.
I am not able to a response the far site after answering the call ( like no video and audio) and the far site keep seeing " Connecting to 1.1.1.1 when I answered the call
I have recorded the logs on ASA saying
Deny TCP outbound connection and Flags AcK on interface outside
I have allow full access from inside and outside for Polycom
Here is the config
Internal IP 10.1.1.247
External IP: 1.1.1.1 ( Fictious IP)
nat (inside) 10 10.1.1.247 255.255.255.255
static (inside,Outside) 1.1.1.1 10.1.1.247 netmask 255.255.255.255
access-list Outside_access_in line 41 extended permit ip 0.0.0.0 0.0.0.0 host 1.1.1.1
access-list inside_access_in line 64 extended permit ip host 10.1.1.247 0.0.0.0 0.0.0.0
I have disabled inspection for H323 protocols
Please can someone help me.
Thanks
I am encountering a problem to successfully setup my Polycom HDX 8000 behind Cisco 5540 ASA Firewall.
I am not able to a response the far site after answering the call ( like no video and audio) and the far site keep seeing " Connecting to 1.1.1.1 when I answered the call
I have recorded the logs on ASA saying
Deny TCP outbound connection and Flags AcK on interface outside
I have allow full access from inside and outside for Polycom
Here is the config
Internal IP 10.1.1.247
External IP: 1.1.1.1 ( Fictious IP)
nat (inside) 10 10.1.1.247 255.255.255.255
static (inside,Outside) 1.1.1.1 10.1.1.247 netmask 255.255.255.255
access-list Outside_access_in line 41 extended permit ip 0.0.0.0 0.0.0.0 host 1.1.1.1
access-list inside_access_in line 64 extended permit ip host 10.1.1.247 0.0.0.0 0.0.0.0
I have disabled inspection for H323 protocols
Please can someone help me.
Thanks
CiscoConferencing SoftwareHardware FirewallsNetworkingNetwork Security
Last Comment
Techrunner
ASKER
So far I managed to the resolve the connection problem by unchecking the option on Polycom device " NAT is h.323 compatible"
I get connected but far site cannot see me and hear me.
But I can see them and hear them.
Can someone help me to fix this.
I get connected but far site cannot see me and hear me.
But I can see them and hear them.
Can someone help me to fix this.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for the reply.
I am running ASA version 8.0(4). I believe something is wrong with the NAT configuration I am not getting what
I enabled now H323 inspection and also enabled NAT is h323 compatible option on polycom device.
When call is made and established I have collected some ASDM logs for your review.
Thanks.
logs.txt
I am running ASA version 8.0(4). I believe something is wrong with the NAT configuration I am not getting what
I enabled now H323 inspection and also enabled NAT is h323 compatible option on polycom device.
When call is made and established I have collected some ASDM logs for your review.
Thanks.
logs.txt
ASKER
Any suggestion ?
I have also tried to open all the ports on ASA but nothing happened.
I didn't understand by that
"You now need to use the REAL IP in the access lost, not the public NAT IP. I would permit IP from any to 10.1.1.247 on the Outside and see if that helps"
Thanks
I have also tried to open all the ports on ASA but nothing happened.
I didn't understand by that
"You now need to use the REAL IP in the access lost, not the public NAT IP. I would permit IP from any to 10.1.1.247 on the Outside and see if that helps"
Thanks
I mean that your access list is wrong, because when the ASA evaluates the access list on the outside interface, it evaluates AFTER NAT, so you need to put the private IP address of your Polycom in the access list, not the public IP address of your Polycom. Cisco says that this is less confusing and leads to fewer mistakes in the access when your devices change IP addresses.
nat (inside) 10 10.1.1.247 255.255.255.255
static (inside,Outside) 1.1.1.1 10.1.1.247 netmask 255.255.255.255
access-list Outside_access_in line 41 extended permit ip 0.0.0.0 0.0.0.0 host 10.1.1.247
access-list inside_access_in line 64 extended permit ip host 10.1.1.247 0.0.0.0 0.0.0.0
nat (inside) 10 10.1.1.247 255.255.255.255
static (inside,Outside) 1.1.1.1 10.1.1.247 netmask 255.255.255.255
access-list Outside_access_in line 41 extended permit ip 0.0.0.0 0.0.0.0 host 10.1.1.247
access-list inside_access_in line 64 extended permit ip host 10.1.1.247 0.0.0.0 0.0.0.0
ASKER
Hi,
I have tried above access-list, it's not completely not working.
Thanks.
I have tried above access-list, it's not completely not working.
Thanks.
ASKER
Hi,
I have taken a log from ASA denying a connection after the call was established.
Any suggestions?
Thanks for your support
ASA-logs.txt
I have taken a log from ASA denying a connection after the call was established.
Any suggestions?
Thanks for your support
ASA-logs.txt
ASKER
I have found a very interesting thing
I assigned public ip address to the LAN interface of my laptop and placed a call to polycom. It was successfully Both way I can see and hear
But when I assigned dhcp private ip to the laptop and placed a call. Then polycom is not able to send audio and video.
Polycom see a private ip address while recieving a call
What is mean by that Can anyone pleas help me. ?
I assigned public ip address to the LAN interface of my laptop and placed a call to polycom. It was successfully Both way I can see and hear
But when I assigned dhcp private ip to the laptop and placed a call. Then polycom is not able to send audio and video.
Polycom see a private ip address while recieving a call
What is mean by that Can anyone pleas help me. ?
ASKER
Please help.
Could we see a bit more of your config (sanitized)? Perhaps there is another ACE blocking something but it's hard to tell right now.
ASKER
Ok, looking at:
global (Outside) 10 interface
global (inside) 10 interface
nat (inside) 10 HDX8000-Internal 255.255.255.255
static (inside,Outside) 11.22.33.44 HDX8000-Internal netmask 255.255.255.255
That's a bit of a mess. Any particular reason you set this up like that or were you just trying out?
If it's the last I first would try the following:
no global (inside) 10 interface
no nat (inside) 10 HDX8000-Internal 255.255.255.255
nat (inside) 10 10.1.2.0 255.255.255.0
no access-group inside_access_in in interface inside
clear xlate
And see what happens.
The nat (inside) 10 10.1.2.0 255.255.255.0 is added so the rest of your network will also have internet access (not NATted=no access). Of course if you need that (?)
global (Outside) 10 interface
global (inside) 10 interface
nat (inside) 10 HDX8000-Internal 255.255.255.255
static (inside,Outside) 11.22.33.44 HDX8000-Internal netmask 255.255.255.255
That's a bit of a mess. Any particular reason you set this up like that or were you just trying out?
If it's the last I first would try the following:
no global (inside) 10 interface
no nat (inside) 10 HDX8000-Internal 255.255.255.255
nat (inside) 10 10.1.2.0 255.255.255.0
no access-group inside_access_in in interface inside
clear xlate
And see what happens.
The nat (inside) 10 10.1.2.0 255.255.255.0 is added so the rest of your network will also have internet access (not NATted=no access). Of course if you need that (?)
ASKER
Thanks for the reply.
I have sent you the edit configuration.
In my LAN I have different VLAN's. Subnet 10.1.2.0 is one of them.
global (Outside) 10 interface
This is my outside global NAT
nat (inside) 10 HDX8000-Internal 255.255.255.255
This is NAT to allow HDX device from inside to outside.
static (inside,Outside) 11.22.33.44 HDX8000-Internal netmask 255.255.255.255
This is the static to allow from outside to inside
MY HDX device is in vlan subnet 10.1.1.X.
I have sent you the edit configuration.
In my LAN I have different VLAN's. Subnet 10.1.2.0 is one of them.
global (Outside) 10 interface
This is my outside global NAT
nat (inside) 10 HDX8000-Internal 255.255.255.255
This is NAT to allow HDX device from inside to outside.
static (inside,Outside) 11.22.33.44 HDX8000-Internal netmask 255.255.255.255
This is the static to allow from outside to inside
MY HDX device is in vlan subnet 10.1.1.X.
Ok,
In that case you can leave those. Then try:
no global (inside) 10 interface
no access-group inside_access_in in interface inside (for now)
clear xlate
In that case you can leave those. Then try:
no global (inside) 10 interface
no access-group inside_access_in in interface inside (for now)
clear xlate
ASKER
Hi,
I cannot remove
access-group inside_access_in in interface inside
Becoz I have lot of access-lists applied to this.
no global (inside) 10 interface
And I am not sure what this command will make change
Thanks.
Samir
I cannot remove
access-group inside_access_in in interface inside
Becoz I have lot of access-lists applied to this.
no global (inside) 10 interface
And I am not sure what this command will make change
Thanks.
Samir
Oh? So there's more than just:
access-list inside_access_in remark Polycom HDX8000 Internal to External
access-list inside_access_in extended permit ip host HDX8000-Internal any
?
Ok.
The nat and global command work together. With the nat command you specify what address(es) you NAT from and with global you specify what address(es) to NAT to.
Normally that would be:
global (Outside) 10 interface
nat (inside) 10 HDX8000-Internal 255.255.255.255
Now imagine what happens when you add:
global (inside) 10 interface
My gues is that's messing things up.
access-list inside_access_in remark Polycom HDX8000 Internal to External
access-list inside_access_in extended permit ip host HDX8000-Internal any
?
Ok.
The nat and global command work together. With the nat command you specify what address(es) you NAT from and with global you specify what address(es) to NAT to.
Normally that would be:
global (Outside) 10 interface
nat (inside) 10 HDX8000-Internal 255.255.255.255
Now imagine what happens when you add:
global (inside) 10 interface
My gues is that's messing things up.
ASKER
ok I would do that but before I will just inform you that
I have publice remote access server in my inside network and some public webserver in my dmz network.
And the users in my inside network are accessing those servers in the inside network and dmz network using Public IP's Will these change affect anything.
Thanks.
I have publice remote access server in my inside network and some public webserver in my dmz network.
And the users in my inside network are accessing those servers in the inside network and dmz network using Public IP's Will these change affect anything.
Thanks.
ASKER
Also it very risky for me to apply these change in my live environment.
As far as I can see removing the global shouldn't heave a big impact for that matter. But it looks like you didn't post the entire config (did you), so I can't be 100% sure.
Of course you need to be carefull when making changes in a live environment. I can't assess that risk for you because you know the situation and I don't. Normally it would be best to do that during off hours (if any) so you can rollback without users noticing anything.
Of course you need to be carefull when making changes in a live environment. I can't assess that risk for you because you know the situation and I don't. Normally it would be best to do that during off hours (if any) so you can rollback without users noticing anything.
ASKER
Hi,
I have applied the alternative way.
I moved the polycom device to the DMZ zone.
Here is the config
global (Outside) 10 interface
nat ( dmz) 10 192.168.4.5 255,255,255,255
static (dmz,Outside) 11.22.33.44 192.168.4.5 netmask 255.255.255.255
access-list Outside_access_in line 29 extended permit ip any host 11.22.33.44
access-list TMG-Proxy_access_in_1 line 3 extended permit ip host 192.168.4.5 any
Now there is no command for
global ( dmz) 10 interface
I have noted a good signal
I tried to make a call it was successful. Polycom see a far site number as public ip.
Perhaps, I tried to make call from another ISP provide internet line. It was unsuccesful. Polycom see far site number as private ip.
Something strange.
Any suggestions ?
Thanks
I have applied the alternative way.
I moved the polycom device to the DMZ zone.
Here is the config
global (Outside) 10 interface
nat ( dmz) 10 192.168.4.5 255,255,255,255
static (dmz,Outside) 11.22.33.44 192.168.4.5 netmask 255.255.255.255
access-list Outside_access_in line 29 extended permit ip any host 11.22.33.44
access-list TMG-Proxy_access_in_1 line 3 extended permit ip host 192.168.4.5 any
Now there is no command for
global ( dmz) 10 interface
I have noted a good signal
I tried to make a call it was successful. Polycom see a far site number as public ip.
Perhaps, I tried to make call from another ISP provide internet line. It was unsuccesful. Polycom see far site number as private ip.
Something strange.
Any suggestions ?
Thanks
By this:
Perhaps, I tried to make call from another ISP provide internet line. It was unsuccesful. Polycom see far site number as private ip.
You mean the situation as it was before?
That could be caused by that global (inside) 10 interface command.
Perhaps, I tried to make call from another ISP provide internet line. It was unsuccesful. Polycom see far site number as private ip.
You mean the situation as it was before?
That could be caused by that global (inside) 10 interface command.
ASKER
I am amazed how it can be caused by this global (inside) 10 interface command.
Now there are no relations with inside network.
I have tried to make call from completely two different ISP's not connected to my network..
Thanks I appreciate your help.
Samir
Now there are no relations with inside network.
I have tried to make call from completely two different ISP's not connected to my network..
Thanks I appreciate your help.
Samir
Sometimes little things can have great impact ;)
I take it everything is working now?
I take it everything is working now?
ASKER
Why its not working ISP1 and working with ISP2 ???
It seems that there are no issues with ASA config. I am scratching my head how to solve the problem successfully.
Samir
It seems that there are no issues with ASA config. I am scratching my head how to solve the problem successfully.
Samir
ASKER
Is it something related with ASA version. Currently I have version 8.2. What if upgrade to 8.3 ???
Looks like we're getting lost in translation here.
So you tried to connect from a remote location using ISP1 and it didn't work. Then you tried from another location using another ISP (ISP2) and it did work.
Furthermore, your ASA and polycom are using yet antoher ISP (3)
Am I right so far?
Then it would seem that either:
-the router/firewall configuration at the ISP side is not correct, or
-the ISP might be blocking certain services.
So you tried to connect from a remote location using ISP1 and it didn't work. Then you tried from another location using another ISP (ISP2) and it did work.
Furthermore, your ASA and polycom are using yet antoher ISP (3)
Am I right so far?
Then it would seem that either:
-the router/firewall configuration at the ISP side is not correct, or
-the ISP might be blocking certain services.
ASKER
Let's make it easy
Location A, B and C
Location A - ( Our DataCenter) ( ISP3)
Location B - ( My home) ( ISP1)
Location C - ( My Freeing Home) (ISP2)
They are located in same city. Location B and Location C have Cisco 857 ADSL routers
Its working fine from Location C and but not from Location B
Thanks.
Location A, B and C
Location A - ( Our DataCenter) ( ISP3)
Location B - ( My home) ( ISP1)
Location C - ( My Freeing Home) (ISP2)
They are located in same city. Location B and Location C have Cisco 857 ADSL routers
Its working fine from Location C and but not from Location B
Thanks.
Ok, that's clear :)
Did you compare the configuration of the routers to see if there are any differences that might cause this issue?
Did you compare the configuration of the routers to see if there are any differences that might cause this issue?
ASKER
I will contact my 3rd friend who has same provider but using Wireless Wimax not cisco router. I'll get back to you soon.
Thanks.
Samir
Thanks.
Samir
I'll be here (probably ;)
ASKER
Hi,
Its working.
I have moved my polycom device to inside network from DMZ---also its working.
But I would like to let you know this miracle took place after I upgrade my ASA from 8.0 to 8.2 !!!!
Its working.
I have moved my polycom device to inside network from DMZ---also its working.
But I would like to let you know this miracle took place after I upgrade my ASA from 8.0 to 8.2 !!!!
I know its not correct to say but I am in urgent need help of that.
Thanks