
Opening ports for Video conferencing

Unanswered Question
Nov 8th, 2011

Hello good people,

We have just acquired a Cisco Profile 42 video conferencing equipment and I am required to open ports for SIP and H.323. Any pointers on hw that can be acquired? I have a Cisco ASA 5510. Someone told me to open port 16384, but I need pointers on how to do it because I already set an access list to any.

The config:

Internet -> ASA 5510 -> Switch -> Profile 42 and other devices

Any help will be appreciated.

mirober2 Thu, 11/10/2011 - 06:39
Cisco Employee

Hi George,


Are you trying to open ports for inbound or outbound calls? Is the ASA using NAT or PAT for the video equipment on the inside when it goes out to the Internet?


-Mike

mukalazisnr Thu, 11/10/2011 - 07:01

Thank you Mike,


I need to open both inbound and outbound calls; I need to be able to call and also receive. So I think at some point I need to forward traffic to the VC equipment from the firewall, like I directed SMTP to the mail server.


Thanks



mukalazisnr Thu, 11/10/2011 - 07:03

I think NAT would be better, as I already see some NAT commands in the config.

mirober2 Thu, 11/10/2011 - 07:08
Cisco Employee

Hi George,


In that case, you'll need to permit at least the signaling ports through your interface ACLs. For example, SIP uses port 5060 for signaling by default:


access-list outside_in permit udp any host <video-endpoint-ip> eq 5060
access-group outside_in in interface outside


An ACL on the inside interface is not required unless you already have one configured there (all traffic is permitted to the outside by default).


You can use the ASA's inspection engines to dynamically open the other ports required for the call on a per-session basis. This way, you only need to open the signaling ports and the inspection will automatically take care of the media ports:


class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global


You can read more about the voice inspections here:


http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_voicevideo.html


If the ASA is configured for NAT, these inspections are absolutely required. This will allow the ASA to also perform NAT on any embedded IP addresses in the voice payload.


Hope that helps.


-Mike
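The reply above says SIP inspection rewrites embedded addresses and opens media ports per session. The following added example (not part of the original thread, and a simplified model rather than the ASA's implementation) shows both steps on a constructed INVITE; the addresses and the names `rewrite_embedded` and `media_pinholes` are assumptions made for illustration.

```python
import re

# Constructed sample INVITE from an inside endpoint; addresses are illustrative
# (RFC 1918 inside, RFC 5737 documentation range for the mapped address).
SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\ns=-\r\nc=IN IP4 192.168.1.50\r\n"
       "t=0 0\r\nm=audio 16384 RTP/AVP 0\r\nm=video 16386 RTP/AVP 96\r\n")
INVITE = ("INVITE sip:room@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKconstructed\r\n"
          "Contact: <sip:endpoint@192.168.1.50:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)


def rewrite_embedded(message, real_ip, mapped_ip):
    """Swap the real address for the mapped one in headers and SDP, then fix Content-Length."""
    exact_ip = re.compile(r"(?<![\d.])" + re.escape(real_ip) + r"(?!\d)")
    head, sep, body = exact_ip.sub(mapped_ip, message).partition("\r\n\r\n")
    # The body may have changed size, so the length header must be recomputed.
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body


def media_pinholes(message):
    """Return (media, ip, port) for each SDP m= line: the per-call flows to permit."""
    body = message.partition("\r\n\r\n")[2]
    session_ip, flows = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if flows:  # a c= line after an m= line overrides the session-level address
                flows[-1] = (flows[-1][0], addr, flows[-1][2])
            else:
                session_ip = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            flows.append((media, session_ip, int(port.split("/")[0])))
    return flows


if __name__ == "__main__":
    fixed = rewrite_embedded(INVITE, "192.168.1.50", "203.0.113.10")
    print(fixed)
    print(media_pinholes(fixed))
```

Without the rewrite step, the far end would be told to send media to 192.168.1.50, an address it cannot reach, even though signaling on port 5060 succeeds.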

mukalazisnr Thu, 11/10/2011 - 07:39

Let me try that, then I will let you know.


Thank you so much

