
Opening ports for Video conferencing

mukalazisnr
Level 1

Hello good people,

We have just acquired a Cisco Profile 42 video conferencing equipment and I am required to open ports for SIP and H232. Any pointers on hw that can be acquired? I have a Cisco ASA 5510. Someone told me to open port 16384, but I need pointers on how to do it because I already set an access list to any.

The config:

Internet -> ASA 5510 -> Switch -> Profile 42 and other devices

Any help will be appreciated.


mirober2
Cisco Employee

Hi George,

Are you trying to open ports for inbound or outbound calls? Is the ASA using NAT or PAT for the video equipment on the inside when it goes out to the Internet?

-Mike

Thank you Mike,

I need to open both inbound and outbound calls. I need to be able to call and also receive, so I think at some point I need to forward traffic to the VC equipment from the firewall, like I directed SMTP to the mail server.

Thanks

On Thu, Nov 10, 2011 at 5:39 PM, mirober2 <

I think NAT would be better, as I already see some NAT commands in the config.

Hi George,

In that case, you'll need to permit at least the signaling ports through your interface ACLs. For example, SIP uses port 5060 for signaling by default:

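! <video-endpoint-address> is a placeholder for the address of the video unit
access-list outside_in permit udp any host <video-endpoint-address> eq 5060
access-group outside_in in interface outside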

An ACL on the inside interface is not required unless you already have one configured there (all traffic is permitted to the outside by default).

You can use the ASA's inspection engines to dynamically open the other ports required for the call on a per-session basis. This way, you only need to open the signaling ports and the inspection will automatically take care of the media ports:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global

You can read more about the voice inspections here:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_voicevideo.html

If the ASA is configured for NAT, these inspections are absolutely required. This will allow the ASA to also perform NAT on any embedded IP addresses in the voice payload.

Hope that helps.

-Mike
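
Added example, not part of the thread: a small Python check that reads an ASA running-config and reports whether the setup described in the reply above is in place (SIP signaling permitted on the ACL bound to the outside interface, `inspect sip` in an applied policy-map) and whether a blanket `permit ip any any` is still bound there. The function name, the sample config and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread). 192.0.2.10 is a
# documentation address standing in for the video endpoint.
SAMPLE_CONFIG = """\
access-list outside_in extended permit ip any any
access-list outside_in extended permit udp any host 192.0.2.10 eq 5060
access-group outside_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
service-policy global_policy global
"""

def audit_voice_policy(config, outside_if="outside"):
    """Return findings about the outside ACL and SIP inspection in `config`."""
    findings = []
    # ACLs bound inbound on the outside interface by access-group.
    bound = set(re.findall(
        rf"^access-group (\S+) in interface {re.escape(outside_if)}\s*$", config, re.M))
    if not bound:
        findings.append("no inbound ACL bound to the outside interface")
    sip_permitted = False
    for name, proto, rest in re.findall(
            r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$", config, re.M):
        if name not in bound:
            continue
        if proto == "ip" and rest.split() == ["any", "any"]:
            findings.append(f"{name}: 'permit ip any any' admits all inbound traffic")
        if proto in ("udp", "tcp") and re.search(r"eq (5060|sip)\s*$", rest):
            sip_permitted = True
    if bound and not sip_permitted:
        findings.append("SIP signaling (port 5060) not explicitly permitted inbound")
    # Record inspect statements per policy-map, then look only at applied maps.
    inspects, current = {}, None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            current = line.split()[1]
        elif current and line.strip().startswith("inspect "):
            inspects.setdefault(current, set()).add(line.split()[1])
        elif line and not line.startswith(" "):
            current = None
    applied = {l.split()[1] for l in config.splitlines() if l.startswith("service-policy ")}
    if not any("sip" in inspects.get(p, ()) for p in applied):
        findings.append("'inspect sip' is not in any applied policy-map")
    return findings
```

Run against the constructed sample, it reports the blanket permit and the missing SIP inspection; an empty list means both conditions from the reply are met.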

Let me try that, then I will let you know.

Thank you so much

On Thu, Nov 10, 2011 at 6:09 PM, mirober2 <
