Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

H.323 Behind NAT


I have an ATA 186 behind NAT (C 1720). What ports do I have to statically

open so I could "talk" to the gate-keeper on the other side of the NAT ?

I'm using H.323 not SIP.

Is this possible at all ?



New Member

Re: H.323 Behind NAT

Take a look at the following documents (search the CCO for the titles):

- NAT support of H.323 RAS

- NAT - Support of H.323 v2 Call Signalling (Fast Connect)

New Member

Re: H.323 Behind NAT

OK, i read those document but haven't found the answer.

I have IOS 12.2(4)T3, but I suppose that I should do some configuration to enable this features ? The documents you directed me to has no examples nor command reference :


Configuration Tasks


Configuration Examples


Command Reference



The way I see it, router should be content sensitive and when it detects call setup process over NAT it should "dinamiclly" staticaly map coresponding addresses and UDP ports. The problem with h.323 and RTP is that UDP/RTP ports are not "fixed" and could take any value form 1024 to 65535. The side on the public address space can hear me (there is a rtp traffic going) but the side in the private address space can't.

more ideas ?

New Member

Re: H.323 Behind NAT

The public can hear you because they have a public IP address. But as you have a private address, the public side can't reply. In fact, your pacts get public addresses when they are NAT'ed; but it seems that NAT is not working on the H.323 layer, so the IP addresses inside the H.323 layer remain private, which means that the public side will never be able to reply.

I haven't worked with NAT x H.323 on the pratical side; I have read just some theory on it. But the IOS router with NAT supports H.323 from a specific version on. I'm not from which version, but the later versions do that. I'm almost sure that, in the H.323 layer, it's not necessary to convert the RTP ports; just the IP addresses.

New Member

Re: H.323 Behind NAT

Try permitting the folowing H.323 TCP ports on the PIX:

tcp any any eq 1720

tcp any eq 1720 any.

But you have to keep one thing in mind. If you're using dynamic NAT, than you are going to have a problem because of that very issue that you've mentioned, RTP ports are not fixed. Unless you open the entire RTP port range 16384 to 32767.

Good luck.