
Unable to telnet on udp 1719

Latchum Naidu
VIP Alumni

I have a Cisco 1841 router connected to the Internet.

We use NAT for Internet access for the LAN behind it.

We are trying to reach a video conferencing server on the Internet from the LAN behind the 1841, but the test fails.

We are unable to telnet on 1719.

But when I connect the same PC to the Internet using another DSL line it goes through fine.

I don't have any access list on the 1841 blocking any ports. I am able to telnet to that public IP on another port (e.g. 2777).

Kindly suggest.


Hi,

Telnet to UDP ports is not possible; you can telnet only to TCP ports.

Regards

Karuppu

Aaron Harrison
VIP Alumni

Hi

Telnet is TCP based, so you can't use it to test a UDP port.

You'll probably find that the server is listening on both TCP and UDP, that's why you get a response...

Perhaps post your config...

Regards

Aaron


Hi Aaron / Karuppu,

We have been provided test.exe by the video conference managing people. When I ran it in my LAN it failed, saying some ports are blocked, but as far as I know there are no ports blocked.

Please find below the Internet router config for that LAN and please advise:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.03.18 11:53:40 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...

Current configuration : 9938 bytes
!
! Last configuration change at 17:58:29 utc Wed Mar 17 2010 by vek
! NVRAM config last updated at 13:42:26 utc Wed Feb 17 2010 by nai
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-11.T.bin
boot-end-marker
!
logging buffered 4096

!
aaa new-model
!
!
aaa authentication banner ^C

^C
aaa authentication fail-message ^C
The Combination entered is not vaild ,this attempt has being logged
^C
aaa authentication login default group radius local
!
!
aaa session-id common
clock timezone utc 2
ip cef
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect max-incomplete low 400
ip inspect max-incomplete high 500
ip inspect one-minute low 400
ip inspect one-minute high 500
ip inspect dns-timeout 10
ip inspect tcp synwait-time 10
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
key chain xxxxxxx
key 1 xxxxxxx

!
crypto pki trustpoint TP-self-signed-472252719
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-472252719
revocation-check none
rsakeypair TP-self-signed-472252719
!
!
crypto pki certificate chain TP-self-signed-472252719
certificate self-signed 01
  quit
!
!

archive
log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 4
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 13
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 14
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
hash md5
authentication pre-share
!
crypto isakmp policy 16
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address xxxxxxxxxx no-xauth
!
!
crypto ipsec transform-set dmvpn-trans esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile xxxxxxxx

set security-association lifetime seconds 120
set transform-set strong
!
crypto ipsec profile dmvpn-profile
set transform-set xxxxxx
!
!
!
!
!
interface Tunnel0
bandwidth 2048
ip address 192.xxx.xxx.xx 255.xxx.xxx.0
no ip redirects
ip mtu 1416
ip nbar protocol-discovery
ip nhrp authentication xxxxxx
ip nhrp map multicast dynamic
ip nhrp map xxxxxxxxxxxxx.1 xxxxxxxxxxxxx
ip nhrp map multicast xxxxxxxxxxxxx
ip nhrp map xxxxxxxxxxxxx.2 xxxxxxxxxxxxx
ip nhrp map multicast xxxxxxxxxxxxx
ip nhrp network-id 1
ip nhrp nhs xxxxxxxxxxxxx.1
ip nhrp nhs xxxxxxxxxxxxx.2
ip nhrp cache non-authoritative
ip route-cache flow
ip ospf authentication message-digest
ip ospf message-digest-key 1 xxxxxxx
ip ospf network broadcast
ip ospf priority 0
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key xxxxxx
tunnel protection ipsec profile dmvpn-profile
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address xxxxxxxxx 255.xxx.xxx.xxx
ip access-group vconf in
ip access-group vconf out
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.xx.x.xxx 255.xxx.0.0
ip nbar protocol-discovery
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 xxxxxx
ip ospf priority 0
ip ospf 1 area 0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
!
ip route 0.0.0.0 0.0.0.0 195.xx.x.xx
!
ip flow-export source FastEthernet0/0
ip flow-export version 5 origin-as bgp-nexthop
ip flow-export destination 10.xxx.x.xx 9996
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list standard SNMP_ACCESS
permit 10.xxx.x.xxx
permit 10.xxx.x.xx
permit 10.xxx.x.xx
permit 10.xx.x.xx 0.0.0.7
!
ip access-list extended NONAT
permit udp any any eq 1701
deny   ip 10.xx.0.0 0.0.255.255 10.xx.0.0 0.0.255.255
deny   ip 10.xx.0.0 0.0.255.255 10.xxx.0.0 0.0.255.255
deny   ip 10.xx.0.0 0.0.255.255 192.xxx.xxx.0 0.0.0.255
permit ip 10.xx.0.0 0.0.255.255 any
!
ip radius source-interface Tunnel0
logging 10.xxx.x.xx
logging 10.xxx.x.xx
logging 10.xxx.x.xx
access-list 23 permit 10.xx.1.1
access-list 23 permit 10.xxx.x.0 0.0.0.255
access-list 23 permit 10.xx.x.0 0.0.255.255
access-list 23 permit 192.xxx.xxx.0 0.0.0.255
access-list 23 permit 10.xx.x.0 0.0.0.255
snmp-server community xxx RO
snmp-server community xxxxxxxxx RO
!
!
!
route-map nonat permit 10
match ip address NONAT
!
!
!
radius-server host 192.xxx.xxx.xx auth-port 1812 acct-port 1813 key xxx
radius-server host 192.xxx.xxx.xx auth-port 1812 acct-port 1813 key xxxx
radius-server host 10.xxx.x.xx auth-port 1812 acct-port 1813 key xxxxx
!
control-plane
!
!
banner login ^C

^C
alias exec x sh ip int bri
!
line con 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
access-class 23 in
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179867
ntp server 10.xxx.x.x
ntp server 10.xxx.x.xx
end

Router# q

Thanks & Regards,

Naidu.

Hi,

If you are facing this problem in the LAN itself, then there might be a problem with your desktops/servers.

Because there might be desktop firewalls or built-in firewalls in your antivirus that will block those ports. Also check the videoconference application.

Regards

Karuppu

Hi,

You can use hping to test connectivity to UDP ports. This can be found at www.hping.org.

Are you sure that port udp 1719 is the only port required for the application?
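
An added example, not part of the original thread: a small prober that shows why a telnet test says nothing about UDP 1719 and what a UDP check can and cannot tell you. The function names and the generic payload are assumptions of this sketch; a gatekeeper may silently ignore a datagram that is not a valid RAS message, so "no-reply" on UDP is inconclusive rather than proof of blocking.

```python
import socket

# Ports from the list posted in this thread (TCP + UDP entries probed twice).
PORTS = [("udp", 1719), ("tcp", 1720), ("tcp", 2776), ("udp", 2776),
         ("tcp", 2777), ("udp", 2777), ("tcp", 5060), ("udp", 5060)]

def probe_udp(host, port, payload=b"probe", timeout=2.0):
    """Send one datagram and classify the outcome.

    "reply"    - some datagram came back
    "closed"   - the OS reported ICMP port unreachable (ECONNREFUSED)
    "no-reply" - timeout: filtered, lost, or the service ignored the payload
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-reply"

def probe_tcp(host, port, timeout=2.0):
    """What telnet actually exercises: a TCP three-way handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable network, and similar
        return "no-reply"

def check_ports(host, ports=PORTS, timeout=2.0):
    """Probe every (proto, port) pair and return {(proto, port): result}."""
    probes = {"udp": probe_udp, "tcp": probe_tcp}
    return {(proto, port): probes[proto](host, port, timeout=timeout)
            for proto, port in ports}

if __name__ == "__main__":
    import sys
    # Pass the conferencing server's address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for (proto, port), result in check_ports(host).items():
        print(proto, port, result)
```

Running it from the LAN behind the router and again from the working DSL line gives a per-port comparison of the two paths.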

Naidu

It might be very helpful to know what is in the test.exe that was provided to you by the Video Conferencing people.

Since you are doing address translation with overload (PAT) any connection initiated by a PC on your LAN will go through and will create a translation entry in the router translate table. This will permit any response from the remote device to come through your router. But it will not permit any packets for a session initiated by the remote. So if test.exe sends packets to the remote (where the Video Conference is) and if the remote then attempts to initiate a session to your PC, then this traffic will not be permitted and it will look to the Video Conference like you are blocking ports.

HTH

Rick


Hi Rick,

Thanks for your response.

I can give you details about the test.exe tomorrow.

But the same (test.exe) is working fine from the other sites where the same config (attached in my first post) is used.

What needs to be done to permit any packets for a session initiated by the remote? As you said, is it necessary to change any config on the router?

Regards,

Naidu.

Naidu

When you are performing address translation on the router and a remote host attempts to send traffic to an inside host there must be an entry in the router address translation table for the inside host. When you are doing Interface overload (PAT) translation, as you are doing, the entry in the translate table is automatically created when the session is initiated from the inside host. But there is no translation entry when the session is initiated from the outside host. If you want traffic to be initiated from a remote host then you would need to do static translation so that there is always a translation entry for the inside host.

As I look again at this thread I have a couple of questions:

- you state that you are not filtering any ports. But I see that your outside interface has both an inbound access list and an outbound access list. But you do not include either access list in the config that you posted. Can you clarify these access lists:

interface FastEthernet0/0
ip access-group vconf in
ip access-group vconf out

- the title of the thread specifies UDP 1719. But the access list for NONAT specifies UDP 1701 and there is no mention of 1719. Can you clarify what is going on with the UDP ports?

As others have pointed out telnet is TCP based and you can not telnet to a UDP port. Perhaps better detail in explaining how you are testing will help to clarify this.

HTH

Rick
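
An added example, not part of the original thread: a simplified model of the translation table behaviour described in the post above, showing a reply to an inside-initiated session being translated, an outside-initiated session being dropped, and a static entry changing that. The class, the addresses and the port numbers are constructed for illustration, and the static entry here is a per-port mapping rather than a full one-to-one translation.

```python
from dataclasses import dataclass, field

@dataclass
class PatRouter:
    """Toy model of interface-overload NAT (PAT); not real IOS behaviour in detail."""
    next_port: int = 1024
    # Dynamic entries exist only after an inside host sends first.
    dynamic: dict = field(default_factory=dict)  # (proto, outside_port, remote) -> inside
    # Static entries are configured by the administrator and always present.
    static: dict = field(default_factory=dict)   # (proto, outside_port) -> inside

    def outbound(self, proto, inside, remote):
        """Inside host initiates: create (or reuse) a dynamic translation."""
        for (p, oport, r), ins in self.dynamic.items():
            if (p, r, ins) == (proto, remote, inside):
                return oport
        oport = self.next_port
        self.next_port += 1
        self.dynamic[(proto, oport, remote)] = inside
        return oport

    def add_static(self, proto, inside, outside_port):
        self.static[(proto, outside_port)] = inside

    def inbound(self, proto, remote, outside_port):
        """Packet arrives outside: return the inside (ip, port) or None if dropped."""
        hit = self.dynamic.get((proto, outside_port, remote))
        return hit if hit else self.static.get((proto, outside_port))

def walkthrough():
    """Constructed scenario: PC 10.0.0.10 behind PAT, remote server 203.0.113.5."""
    r = PatRouter()
    pc, gk = ("10.0.0.10", 40000), ("203.0.113.5", 1719)
    oport = r.outbound("udp", pc, gk)             # PC sends to UDP 1719
    reply = r.inbound("udp", gk, oport)           # answer to that session
    media = ("203.0.113.5", 50000)
    unsolicited = r.inbound("udp", media, 50000)  # remote opens a new session
    r.add_static("udp", ("10.0.0.10", 50000), 50000)
    after_static = r.inbound("udp", media, 50000)
    return reply, unsolicited, after_static

if __name__ == "__main__":
    print(walkthrough())
```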

Hi Rick,

Actually the access lists "ip access-group vconf in & ip access-group vconf out" were just added in the testing phase, but there are no rules in that group and we have already removed those groups under interface Fa0/0.

Regarding the port ("But the access list for NONAT specifies UDP 1701 and there is no mention of 1719"): it has been there for a long time.

Below is the port list to be opened for the video conferencing testing file.


Port list:
Gatekeeper RAS      1719            UDP
Q.225               1720            TCP
H.323: Call setup   2776            TCP + UDP
H.245               2777            TCP
RTCP Media          2777            UDP
SIP                 5060            TCP + UDP
SIP (TLS)           5061            TCP + UDP
Media               50000 - 52399   UDP

And regarding the TEST.exe (test for video conferencing check): please find the attached exe file.

Video conferencing is managed by TANDBERG, a third-party company, and we have been provided this exe file to check whether it is working or not (however it should work).

The same exe testing file is working from another location where the configuration is the same (please find attached the config file of the site in which the test exe is working fine).

Regards,

Naidu.

Hi Rick and All,

We found out that the problem is with IOS version 12.4 (13) on the router where the video conf exe file is not working.

The IOS version of the router through which it is working successfully is 12.4 (19).

So we upgraded to that IOS (12.4 (19)) and it is working fine.

Anyway, thanks for all your support.

Thanks & Regards,

Naidu.
