cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2645
Views
0
Helpful
5
Replies

VideoConferencing Question

sdvandeslunt
Level 1
Level 1

We trying to do videoconferencing from a Polycom box through the internet to another polycom box. The boxes use H232 and H239 for the video conferencing and the content streaming.

Setup:

At our site we have the internet coming into a DMZ switch that goes into an internet router/firewall. The FW is a Cisco 2811 running AdvIPServices IOS 12.4.22T. I have a one to one NAT setup from the internal address of the polycom to the external address I'd like to give it. I currently have "tcp" and "udp" open for all sources in my firewall config from the internet to the polycom.

The Problem:

People can connect to our unit but cannot see video. I was running an older version of the IOS (12.4.9(t6)) and it was working (except for H.239). They also cannot ping the WAN IP address anymore since the upgrade. The firewall is using inspect class-map and zones. I also cannot ping the WAN side IP from inside. I used to beable to do that before the upgrade.

Any ideas? Anything about the 2811 in FW mode that might alter and/or block H232 or H239 in an abnormal way (like the PIX and h232 fixup)?

Thanks,

-Scott

5 Replies 5

milan.kulik
Level 10
Level 10

Hi,

I also had a problem with Polycom on my Checkpoint FW.

I had to disable protocol inspect for H.232/H.239 to make it running.

How does your inspect class-map look like?

Regarding Pings, is ICMP open the same way as tcp and udp in your FW config?

BR,

Milan

Note, my goal at the moment is to have it work the way it's suppose to so right now I'm just trying to open any and all ports and then I'm going to harden it later.

Note, this config works with version 12.4-9.T6 with all but the H.239 stuff (the H.232 stuff seems to pass through properly). Using the same configuration with 12.4-22T however results in not being able to even ping the outside interface... though it does open some ports as I can get incoming video calls from outside...

---------------------------------------------

class-map type inspect match-any VideoConfInspect

match protocol tcp

match protocol udp

match protocol icmp

match protocol h323

match protocol skinny

match protocol h323callsigalt

match protocol h323gatestat

match protocol http

match protocol https

ip access-list extended VideoConfACL

permit ip any host

class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3

match class-map VideoConfInspect

match access-group name VideoConfACL

------------------------------------------

Hello,

Have you found a solution ?

I have the same issue.

On my 2811 running IOS 12.4(22)T and inspect h323 and inspect rtsp, the router just "see" a regular h323 connection, and don't modify the packets to nat the protocol.

On a ship 1812 running IOS 12.4(15)T, and the same inspects setup, the router is able to do the nat.

Ie: is I do a show ip inspect sessions, I see that it is able to detect all the connections.

On an other hand the 2811 just see one h323 link and udp connections.

The only solution is to activate the polycom NAT, but in this case, I'm not able to reach private device behind my vpn.

Any idea ?

Yup.  Basically activate the NAT on the polycom unit.  Ensure the public address is correct.  The main "silver bullet" is on the cisco device.  Issue the following commands at a (config)# prompt:

no ip nat service H225
no ip nat service ras

If I recall those commands were the ones that really started to allow this to work properly.

-Scott

Hello,

If you don't need to access private address, it works with just activating nat feature on the video device and add inspect h323 and rtsp.

If you need to access both private and public addresses, then I'm stucked with 2811.

The strange thing is that it perfectly works with 1812 ?!

It looks like the 2811 has telephony features that maybe interact with firewall features (it is the unique difference between 28xx and 181x).

I wasn't able to find how to deactivate those features.

Ie: sh gateway on the 2811 replies h323 enabled (by default)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco