New Member

PixFirewall Problems.

Hi. In my office I have a Pix Firewall 525. That equipment had the 6.3 software version and it was updated to 7.2(4), and now I have a problem: when I try to do a videoconference with a Polycom camera, it is not possible to connect. I've checked the protocols and I see that with this version the PixFirewall doesn't handle the "fixup" command for the h323 protocol. This was changed to an MPF command, because when I typed "fixup protocol h323" on the Pix I received the answer "INFO: converting 'fixup protocol h323' to MPF commands". Can somebody tell me how to activate this service again? I think that this is the reason I can't use the videoconference system. Thanks a lot.

4 REPLIES
New Member

Re: PixFirewall Problems.

Check the last part of your config. You should have several entries under a heading titled "policy-map global_policy" that looks something like this:

    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect pptp
      inspect snmp
    service-policy global_policy global

If the 'inspect h323' line is not in there, that is where you would add it instead of doing a 'fixup'.

HTH,

Paul
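
The check described in the reply above can be scripted against a saved running-config. The following is an added example, not part of the original thread: it reports which `inspect` lines for a protocol sit in a policy-map that is actually applied with `service-policy`, and it parses by keyword so a config pasted without indentation still works. The function names and the sample config are assumptions made for illustration.

```python
# Constructed sample modelled on this thread's configs; "unused_policy" is hypothetical.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
policy-map unused_policy
 class inspection_default
  inspect rtsp
service-policy global_policy global
"""

def parse_mpf(config):
    """Return ({policy_map: {class: [inspect args]}}, {policy_map: [bindings]})."""
    policies, bindings = {}, {}
    pmap = cls = None
    for line in config.splitlines():
        words = line.split()  # keyword-driven: pasted configs often lose indentation
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "policy-map":
            # "policy-map type inspect ..." holds protocol parameters, not traffic classes
            pmap, cls = (words[1] if len(words) == 2 else None), None
            if pmap:
                policies.setdefault(pmap, {})
        elif words[0] == "service-policy" and len(words) >= 3:
            bindings.setdefault(words[1], []).append(" ".join(words[2:]))
            pmap = cls = None
        elif pmap and words[0] == "class" and len(words) == 2:
            cls = words[1]
            policies[pmap].setdefault(cls, [])
        elif pmap and cls and words[0] == "inspect" and len(words) > 1:
            policies[pmap][cls].append(" ".join(words[1:]))
    return policies, bindings

def active_inspections(config, protocol):
    """Return (policy_map, class, inspect args, binding) for each applied inspect of protocol."""
    policies, bindings = parse_mpf(config)
    return [(pmap, cls, args, where)
            for pmap, classes in policies.items()
            for where in bindings.get(pmap, [])  # never applied => inspects nothing
            for cls, inspects in classes.items()
            for args in inspects if args.split()[0] == protocol]

if __name__ == "__main__":
    print(active_inspections(SAMPLE_CONFIG, "h323"))
```

An empty result for `h323` means either the `inspect` line is missing or its policy-map is not bound by any `service-policy` command.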

New Member

Re: PixFirewall Problems.

Hi Paul, I appreciate your help, but that was the first instruction I checked, and that instruction is OK. I don't know if all the protocols that you mention are necessary, because my Pix only has the following:

    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect ptp
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect dns preset_dns_map

Thanks a lot.

Bronze

Re: PixFirewall Problems.

I once set up Polycom and I had to add the following:

1. Create an object group for the ports used by Polycom

    object-group service VIDEO tcp-udp
     port-object range 3230 3235
     port-object eq 1720
     port-object eq 3603
     port-object eq 389
     port-object range 1718 1719
     port-object range 3235 3258

2. Create an ACL to allow video traffic

    access-list from-Internet-In extended permit object-group TCP_UDP any host 208.x.x.x object-group VIDEO

Hope this helps.

New Member

Re: PixFirewall Problems.

I gotta ask, what does the PIX say? You either have an ACL drop or a policy drop. The PIX will log both.

Have you run packet tracer?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426
