Pix 501 and H323?

Unanswered Question
Oct 8th, 2007
User Badges:

I have a pix 501 and 4 video conference units. I have static nat setup for them and allow inbound any network with range 1024-65535. Are there any tips or configs to make sure those h323 packets/frames traverse the firewall as quickly as possible? Should I leave or disable these statements:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

since I have those ports open with the acl? Should I alter these statements:

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

I was wondering if there was anyway to turn off packet inspection for h323 connections other than the checking the acl. If you need anymore info let me know, thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tstanik Fri, 10/12/2007 - 13:21
User Badges:
  • Bronze, 100 points or more

You should rather consider upgrading your PIX hardware if you want it to handle large video data flows. Your config for h323 packets is fine and there is no need to open ports using acl's unless you face packets drops or dis connectivity.


This Discussion