Cisco Support Community

Pix 501 and H323?

I have a PIX 501 and 4 video conference units. I have static NAT set up for them and allow inbound any network with range 1024-65535. Are there any tips or configs to make sure those H.323 packets/frames traverse the firewall as quickly as possible? Should I leave or disable these statements:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

since I have those ports open with the ACL? Should I alter these statements:

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

I was wondering if there was any way to turn off packet inspection for H.323 connections other than checking the ACL. If you need any more info let me know, thanks in advance.


Re: Pix 501 and H323?

You should rather consider upgrading your PIX hardware if you want it to handle large video data flows. Your config for H.323 packets is fine and there is no need to open ports using ACLs unless you face packet drops or disconnectivity.
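Added example, not part of either post: the H.323 fixup inspects the H.225/RAS signalling and opens the negotiated media ports dynamically, so a static 1024-65535 permit next to it is worth flagging in a config review. The Python sketch below does that check over a constructed PIX 6.x config; the ACL name, the 203.0.113.x addresses and the `max_span` threshold are assumptions made for the example.

```python
import re

# Constructed sample in PIX 6.x syntax; addresses and ACL name are made up.
SAMPLE_CONFIG = """\
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
access-list outside_in permit tcp any host 203.0.113.10 eq 1720
access-list outside_in permit tcp any host 203.0.113.10 range 1024 65535
access-list outside_in permit udp any host 203.0.113.11 range 1024 65535
access-list outside_in permit udp any host 203.0.113.12 range 5004 5005
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
"""

FIXUP_RE = re.compile(r"^fixup protocol h323 (h225|ras) (\d+)(?:-(\d+))?$")
ACL_RANGE_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any host (\S+) range (\d+) (\d+)$")

def audit(config, max_span=100):
    """Return (h323_fixups, findings) for a PIX config given as text.

    findings lists 'permit ... any host X range lo hi' entries whose port
    span exceeds max_span (an arbitrary threshold chosen for this example).
    """
    fixups, findings = set(), []
    for raw in config.splitlines():
        line = raw.strip()
        m = FIXUP_RE.match(line)
        if m:
            fixups.add(m.group(1))
            continue
        m = ACL_RANGE_RE.match(line)
        if m:
            acl, proto, host, lo, hi = m.groups()
            if int(hi) - int(lo) + 1 > max_span:
                findings.append((acl, proto, host, int(lo), int(hi)))
    return fixups, findings

def report(config):
    """One human-readable line per over-broad permit."""
    fixups, findings = audit(config)
    note = ("H.323 fixup is on, media pinholes are opened dynamically"
            if "h225" in fixups else "no H.323 fixup found")
    return [f"{acl}: {proto} any -> {host} ports {lo}-{hi} ({note})"
            for acl, proto, host, lo, hi in findings]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```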
