Solved

Open ports on a Cisco 2921 for video conferencing unit.

Posted on 2015-02-17
Last Modified: 2015-04-13
I'm having trouble modifying an inherited router to open ports for video conferencing. I need to have an internal local video conferencing unit be able to make calls through a site-to-site VPN tunnel and be able to accept and make calls to/from the outside. With the current setup I am able to make calls through the site-to-site tunnel, and calls to the outside connect but have no video and audio. Nothing makes it in.
The router is currently set up with a mixture of zone-based firewall and ACLs. If there is a part of the configuration I can post to help, let me know. The config is really long and confusing. I have tried setting up a 1-to-1 NAT to make calls in, but this does not help the in-to-out calls and breaks the site-to-site VPN calls. It does partially work because I am able to access the web interface from the external IP I assigned to it. The ports that will need to be opened are below.
Gatekeeper Discovery (RAS): 1718-1719 UDP
Q.931 Call Setup: 1720 TCP
Audio Call Control: 1731 TCP
Video Range: 3230-3253 TCP/UDP
Audio Range: 3230-3253 TCP/UDP
Data/FECC Range: 3230-3253 TCP/UDP
Question by: MMHDU

13 Comments

Expert Comment by: Daniel Sheppard
Do you have a zone-based firewall in place?  Are you using NAT?

Can you give these sections (Sanitize your public IP information):

show running policy-map
show running class-map
show running | sec nat
Author Comment by: MMHDU
Yes, Yes.


Show running policy-map
sho running-config policy-map
Building configuration...

Current configuration : 2302 bytes
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_GRE_PROTOCOLS
  pass
 class class-default
  drop
policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_GRE_PROTOCOLS
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-cls-ccp-inspect-1
  inspect
 class type inspect gre-in
  pass
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect Polycom
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DMVPN_PT
  pass
 class type inspect SDM_VPN_PT
  pass
 class type inspect ccp-cls-ccp-permit-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect gre
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-4
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-3
  inspect
 class type inspect sdm-nat--1
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-2
  inspect
 class type inspect sdm-nat--3
  inspect
 class type inspect sdm-nat--4
  inspect
 class type inspect sdm-nat--5
  inspect
 class type inspect sdm-nat--6
  inspect
 class type inspect sdm-nat--8
  inspect
 class type inspect sdm-nat--9
  inspect
 class type inspect sdm-nat--10
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class class-default
  drop log
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
end
Show Running Class-map
sho running-config class-map
Building configuration...

Current configuration : 6200 bytes
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 116
class-map type inspect match-any VID_CONF
 match protocol tcp - Changed today, have not tested. They were lower in the list, though.
 match protocol udp - Changed today, have not tested.
 match protocol h225ras
 match protocol h323
 match protocol h323-nxg
 match protocol mgcp
 match protocol sip-tls
 match protocol sip
 match protocol skinny
 match protocol h323-annexe
 match protocol https
 match protocol icmp
 match protocol user-BES-TCP-Range
 match protocol user-BES-UDP-Range
class-map type inspect match-any SDM_SSLVPN
 match access-group name SDM_SSLVPN
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 120
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 119
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 124
class-map type inspect match-any PolycomPro
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any TSG
 match protocol https
 match protocol user-TSG-TCP-5504
class-map type inspect match-all sdm-nat--8
 match access-group 111
 match class-map TSG
class-map type inspect match-any EEVPN
 match protocol user-EEV-TCP-14500
class-map type inspect match-all sdm-nat--9
 match access-group 112
 match class-map EEVPN
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 115
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any BES
 match protocol user-BES-TCP-301
 match protocol user-BES-TCP-4054
 match protocol user-BES-TCP-8080
 match protocol user-BES-TCP-8443
 match protocol dns
 match protocol smtp
 match protocol h323
 match protocol ssp
 match protocol user-BES-TCP-Range
 match protocol user-BES-UDP-Range
 match protocol sip
class-map type inspect match-all sdm-nat--4
 match access-group 107
 match class-map BES
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any Vault
 match protocol https
 match protocol http
class-map type inspect match-all sdm-nat--5
 match access-group 108
 match class-map Vault
class-map type inspect match-any FIleShare
 match protocol http
 match protocol https
 match protocol ssh
class-map type inspect match-all sdm-nat--6
 match access-group 109
 match class-map FIleShare
class-map type inspect match-any CM_GRE_PROTOCOLS
 match access-group name GRE
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any OWA
 match protocol http
 match protocol https
 match protocol user-OutAny-TCP
class-map type inspect match-all sdm-nat--1
 match access-group 104
 match class-map OWA
class-map type inspect match-any Min12
 match protocol ftp
 match protocol ftps
 match protocol user-FTP-Auth
class-map type inspect match-all sdm-nat--3
 match access-group 106
 match class-map Min12
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_DMVPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_GRE
 match class-map SDM_ESP
class-map type inspect match-all SDM_DMVPN_PT
 match access-group 121
 match class-map SDM_DMVPN_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any EEPMC
 match protocol http
 match protocol user-EEPC-10021
class-map type inspect match-all sdm-nat--10
 match access-group 113
 match class-map EEPMC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol tcp
 match protocol udp
class-map type inspect match-any 443
 match protocol http
 match protocol https
class-map type inspect match-any Bih
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match class-map 443
 match access-group name adp
class-map type inspect match-all ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all Polycom
 match class-map PolycomPro
 match access-group name AccPolycom
class-map type inspect match-any Email
 match protocol smtp
class-map type inspect match-any gre-in
 match class-map CM_GRE_PROTOCOLS
class-map type inspect match-any NXXX1-SXXXX1-ICMP
 match protocol icmp
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map NXXX1-SXXXX1-ICMP
 match access-group name NXXX1-SXXXX1-ICMP
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match class-map Email
 match access-group name Email
class-map type inspect match-any TMG2
 match protocol pptp
 match protocol http
 match protocol https
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
 match class-map TMG2
 match access-group name tmg
class-map type inspect match-all ccp-invalid-src
 match access-group 103
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
 match class-map VID_CONF
 match access-group name SIP_Vid_Conf
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-4
 match class-map Bih
 match access-group name Vid-GMBH
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-any gre
 match class-map CM_GRE_PROTOCOLS
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
end
Show Running | sec nat
sho running-config | section nat
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
class-map type inspect match-all sdm-nat--8
 match access-group 111
 match class-map TSG
class-map type inspect match-all sdm-nat--9
 match access-group 112
 match class-map EEVPN
class-map type inspect match-all sdm-nat--4
 match access-group 107
 match class-map BES
class-map type inspect match-all sdm-nat--5
 match access-group 108
 match class-map Vault
class-map type inspect match-all sdm-nat--6
 match access-group 109
 match class-map FIleShare
class-map type inspect match-all sdm-nat--1
 match access-group 104
 match class-map OWA
class-map type inspect match-all sdm-nat--3
 match access-group 106
 match class-map Min12
class-map type inspect match-all sdm-nat--10
 match access-group 113
 match class-map EEPMC
 class type inspect sdm-nat--1
  inspect
 class type inspect sdm-nat--3
  inspect
 class type inspect sdm-nat--4
  inspect
 class type inspect sdm-nat--5
  inspect
 class type inspect sdm-nat--6
  inspect
 class type inspect sdm-nat--8
  inspect
 class type inspect sdm-nat--9
  inspect
 class type inspect sdm-nat--10
  inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-gre
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
 service-policy type inspect sdm-permit-gre
 ip nat inside
 ip nat outside
 ip nat inside
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 172.16.10.10 X.X.X.X.3 route-map BiffRAS
ip nat inside source static 172.16.10.5 X.X.X.X.4 route-map Biff3
ip nat inside source static 172.16.30.171 X.X.X.X.5 route-map BES
ip nat inside source static 172.16.10.12 X.X.X.X.6 route-map Biff12
ip nat inside source static 172.16.10.60 X.X.X.X.8 route-map Vault
ip nat inside source static 172.16.10.61 X.X.X.X.9 route-map FileShare
ip nat inside source static 172.16.1.1 X.X.X.X.10 route-map Android-VPN
ip nat inside source static 172.16.10.56 X.X.X.X.11 route-map TSG
ip nat inside source static 172.16.19.14 X.X.X.X.12 route-map EEvpn
ip nat inside source static 172.16.19.25 X.X.X.X.13 route-map pmconnect
Author Comment by: MMHDU
Was any of that helpful? Is there any more info I need to supply?
Expert Comment by: Daniel Sheppard
It looks like someone set this up with SDM/CCP. Are you familiar with CCP? If you are, I would recommend you utilize CCP to configure the port forwards, as anything I can give you will not follow their "format" and be readable by CCP.

If you still need help, I can get something specific to you by the end of the week (sick right now).  But to break it down in general steps, what you need to do is:

For each protocol:
- Create a class map for the NAT (similar to one of the existing ones like sdm-nat--1)
- Create a route map that "matches" that route (do a "show running | sec route-map" to see what they look like)
- Create a class map for the policy firewall
- Attach the class map to the policy firewall using either "inspect" (this creates a flow, you only need one in the Out->In direction) or "allow" (This is single direction, you need one in the out->in and one in the in->out direction)


Before you make any changes, I always recommend backing up your existing running configuration/startup configuration.
Author Comment by: MMHDU
To reduce complexity, would the commands below allow the Polycom unit to make calls to the outside? I assume it's not a good idea to do what I did in PolycomPro; is there a better way to match all of the ports the vendor needs?

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect


policy-map type inspect ccp-inspect
 class type inspect Polycom
  inspect

class-map type inspect match-all Polycom
 match class-map PolycomPro
 match access-group name AccPolycom

class-map type inspect match-any PolycomPro
 match protocol tcp
 match protocol udp
 
ip access-list extended AccPolycom
 permit ip host 172.16.30.171 any
Expert Comment by: Daniel Sheppard
Those commands would actually leave your firewall wide-open.

I am going to get this done today, so stand by.
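An audit script, added here and written by neither participant, that parses class-maps and policy-maps in the form posted in this thread and reports every inspect/pass class that resolves to bare TCP or UDP, distinguishing a match-all class narrowed by an access-group (like Polycom) from an unrestricted match-any class (like PolycomPro). The sample config is constructed from the class-map and policy-map names above, not copied from the real router; both `match class-map` and `match class` spellings are accepted.

```python
import re
# Constructed sample modelled on the thread's class-maps and policy-maps (not the real config).
SAMPLE_CONFIG = """\
class-map type inspect match-any PolycomPro
 match protocol tcp
 match protocol udp
class-map type inspect match-all Polycom
 match class-map PolycomPro
 match access-group name AccPolycom
policy-map type inspect ccp-inspect
 class type inspect Polycom
  inspect
 class type inspect PolycomPro
  inspect
policy-map type inspect ccp-pol-outToIn
 class type inspect Polycom
  pass
"""

# Collect class-maps (mode, protocols, nested classes, ACL flag) and policy-map class/action pairs.
def parse(text):
    cmaps, pmaps, cur = {}, {}, None
    for s in (line.strip() for line in text.splitlines()):
        if m := re.match(r"class-map type inspect (match-all|match-any) (\S+)", s):
            cur = cmaps[m[2]] = {"mode": m[1], "protos": set(), "classes": set(), "acl": False}
        elif m := re.match(r"policy-map type inspect (\S+)", s):
            cur = pmaps[m[1]] = []
        elif m := re.match(r"match protocol (\S+)", s):
            cur["protos"].add(m[1])
        elif m := re.match(r"match class(?:-map)? (\S+)", s):      # accept both spellings
            cur["classes"].add(m[1])
        elif s.startswith("match access-group"):
            cur["acl"] = True
        elif m := re.match(r"class (?:type inspect )?(\S+)", s):
            cur.append([m[1], None])                                # action follows on next line
        elif s in ("inspect", "pass", "drop", "drop log"):
            cur[-1][1] = s
    return cmaps, pmaps

# Bare tcp/udp matches reachable via nested class-maps (union; match-all intersection not modelled).
def bare_transports(name, cmaps, seen=frozenset()):
    if name in seen or name not in cmaps:
        return set()
    found = {p for p in cmaps[name]["protos"] if p in ("tcp", "udp")}
    for child in cmaps[name]["classes"]:
        found |= bare_transports(child, cmaps, seen | {name})
    return found

# Flag inspect/pass classes admitting arbitrary TCP/UDP; a match-all ACL at least narrows them to hosts.
def audit(text):
    cmaps, pmaps = parse(text)
    findings = []
    for pmap, classes in pmaps.items():
        for cls, action in classes:
            if action in ("inspect", "pass") and (bare := bare_transports(cls, cmaps)):
                cm = cmaps[cls]
                scope = "acl-scoped" if cm["mode"] == "match-all" and cm["acl"] else "UNRESTRICTED"
                findings.append((pmap, cls, action, scope, tuple(sorted(bare))))
    return findings
```

Running `audit()` over a `show running-config class-map` plus `show running-config policy-map` capture lists each policy-map/class pair that opens generic TCP/UDP, so the wide-open classes can be reviewed before a new one is added.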
Expert Comment by: Daniel Sheppard
What external IP are you natting this Polycom on?
Expert Comment by: Daniel Sheppard
Never mind, looks like .5

Can you do:

show route-map BES
?


Also, here is half of what you should need:

ip nbar custom gatekeeper destination udp range 1718 1719
ip nbar custom Q931 destination tcp 1720
ip nbar custom ACC destination tcp 1731
ip nbar custom TCP_Polycom destination tcp range 3230 3253
ip nbar custom UDP_Polycom destination udp range 3230 3253

class-map type inspect match-all ZBF-Polycom-Gatekeeper
 match protocol gatekeeper
class-map type inspect match-all ZBF-Polycom-Q931
 match protocol Q931
class-map type inspect match-all ZBF-Polycom-ACC
 match protocol ACC
class-map type inspect match-any ZBF-Polycom-Range
 match protocol TCP_Polycom
 match protocol UDP_Polycom


class-map type inspect match-any ZBF-Polycom
 match class-map ZBF-Polycom-Gatekeeper
 match class-map ZBF-Polycom-Q931
 match class-map ZBF-Polycom-ACC
 match class-map ZBF-Polycom-Range

policy-map type inspect ccp-pol-outToIn
 class type inspect ZBF-Polycom
  pass

policy-map type inspect ccp-inspect
 class type inspect ZBF-Polycom
  pass


It looks like you still need a NAT and I will need the route-map for that.
Author Comment by: MMHDU
route-map BES, permit, sequence 10
  Match clauses:
    ip address (access-lists): BES
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Expert Comment by: Daniel Sheppard
show ip access-list BES
Author Comment by: MMHDU
Extended IP access list BES
    10 deny ip host 172.16.30.171 172.20.0.0 0.0.0.255
    20 deny ip host 172.16.30.171 172.17.0.0 0.0.255.255
    30 deny ip host 172.16.30.171 172.18.0.0 0.0.255.255
    40 permit ip host 172.16.30.171 any
Expert Comment by: Daniel Sheppard
If you change:

ip nat inside source static 172.16.30.171 X.X.X.X.5 route-map BES

For the .5 to whatever your PolyCom is, that should complete the configuration.
Accepted Solution by: Daniel Sheppard (earned 500 total points)
Also, as an aside, if you need to do complex configuration, you can always contact Cisco TAC if you have a valid support contract.  They will basically do all the work for you.