CUBE in DMZ, H323 calls to CUBE, Ports need to be opened?

Aug 31st, 2009
I am putting in a CUBE in a DMZ that will have a public address that will NAT to its internal address.

First off, what scenario is the CUBE really used for? Does it make sense to have an outside IP Video Station register to the CUBE using the public IP and then make calls to internal video endpoints?

If so, does H323 work well with this?

And lastly, what do I need to do on the firewall besides mapping the public IP to the private IP? Do I need to open ports or add certain commands?

Nicholas Matthews Mon, 08/31/2009 - 13:04

You'll need TCP 1720 for H225 negotiation. You will also need random ports between 25000-50000 on both sides as H245 is negotiated dynamically between two random ports. If you're using SIP, TCP/UDP 5060 would be opened up.

Having the CUBE can help centralize your dial plan, as well as add security since it will be the border element between your internal devices and the external IP network.

For what you're doing, H323 would be the best option, yes.


Bryan Geoghan Mon, 08/31/2009 - 13:08

Yes, but isn't there some feature to the CUBE or Cisco ASA that automatically opens the ports when needed and then closes them? Maybe it's those random ports? If so, what needs to be configured on the ASA for that?

Would that just leave TCP 1720 needing to be opened to the CUBE?

Nicholas Matthews Mon, 08/31/2009 - 14:33

Yes, H323 inspection should take care of the H245 ports automatically. It's worth noting, however.

If it's just H323, TCP port 1720 is what you're looking at.
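
An ASA configuration matching the answers above, added here as an example and not part of the original thread. It assumes pre-8.3 ASA syntax, interfaces named `outside` and `dmz`, an ACL named `outside_in`, and placeholder addresses 203.0.113.10 (public) and 192.168.10.10 (CUBE in the DMZ).

```cisco
! Assumptions (not from the thread): pre-8.3 ASA syntax, interface names
! "outside" and "dmz", ACL name "outside_in".
! 203.0.113.10  = placeholder public address
! 192.168.10.10 = placeholder CUBE address in the DMZ

! One-to-one static NAT: public address -> CUBE
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Permit only H.225 call signaling (TCP 1720, keyword "h323") to the CUBE
access-list outside_in extended permit tcp any host 203.0.113.10 eq h323
access-group outside_in in interface outside

! H.323 inspection: the ASA follows the H.225 exchange, opens the H.245
! port negotiated for each call, and closes it when the call ends
policy-map global_policy
 class inspection_default
  inspect h323 h225
service-policy global_policy global

! Without inspection, the whole negotiated range would have to stay open
! permanently (shown commented out for comparison):
! access-list outside_in extended permit tcp any host 203.0.113.10 range 25000 50000
```

With inspection enabled, the only inbound rule that remains static is TCP 1720, which keeps the exposed surface of the DMZ host to a single signaling port.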


