Cisco Support Community

New Member

Allow video conferencing thru PIX

Hello, I need help with video conferencing.

I have mapped a public IP to an internal IP for our Polycam video cam device. I want to allow a remote branch to initiate video conference calls. The configuration added to my PIX (version 6.2) is:

static (inside,outside) 210.187.x.x 192.168.1.2 netmask 255.255.255.255 0 0

Questions:

(1) Does a static map mean all IP traffic to this device is opened thru the PIX (all ports are opened)?

(2) If yes, will it affect security? Do any access lists need to be applied?

Thanks in advance for any advice.

4 REPLIES
New Member

Re: Allow video conferencing thru PIX

A static only defines the mapping. You need either an access list or a conduit statement to allow traffic that you want in. Conduits are being phased out in favor of access lists, so I would use those.

You also need to use the access-group command to bind the access-list to the interface (PIX access lists only work for inbound traffic to the interface).

New Member

Re: Allow video conferencing thru PIX

I am a bit confused here. What do you mean PIX access lists only work for inbound traffic to the interface? Could I apply access lists for outbound traffic?

If I have a mail relay server in the DMZ zone, do I have to apply any access lists on the DMZ interface for incoming traffic? I have mapped a public IP to the mail relay server in the DMZ (testing only) but external users can't access the server thru POP3 to retrieve emails (POP3 and SMTP being set to the external public IP). Internal users can retrieve mail only using the DMZ subnet address (10.0.0.x) but not the public IP. Why?

Please help since this is going to be the next thing that I must implement. Thanks a lot for your help.

Cisco Employee

Re: Allow video conferencing thru PIX

Hi,

Answers to your questions:

1) All traffic is not opened unless you open it using an access-list.

2) No security threat unless you open all IP access to this host. You would only need to open up ports for H323. If you do so, you also need to have fixup protocol H323. You would also need to consider using newer code, e.g. 6.3.3, since it supports H323 V3 and V4.

Thanks

Nadeem
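
The access-list approach described in the replies above, as an added example that is not part of the original thread. The list name acl_out is hypothetical, the address is the elided one from the question, and lines starting with ! are annotations rather than commands.

```cisco
! Mapping only; by itself this admits no inbound traffic
static (inside,outside) 210.187.x.x 192.168.1.2 netmask 255.255.255.255 0 0

! Too broad: exposes every port and protocol on the video device
! access-list acl_out permit ip any host 210.187.x.x

! Narrower: admit only H.323 call signalling (H.225, TCP 1720)
access-list acl_out permit tcp any host 210.187.x.x eq 1720

! Bind the list to traffic arriving on the outside interface
access-group acl_out in interface outside

! H.323 inspection (6.2 syntax); opens the negotiated H.245 and
! media ports for each call, so they need no static permit entries
fixup protocol h323 1720
```

Only one access list can be bound to an interface at a time, so if the outside interface already has one, add the entry to that list instead of binding a new one. If the remote branch uses known addresses, replacing `any` with those sources narrows the exposure further.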

New Member

Re: Allow video conferencing thru PIX

Fixup protocol for H323 is already there. But remote site users sometimes have a difficult time connecting. I am using PAT for all outgoing traffic. Will it be the reason, since video conference calls might use some UDP ports and those ports might not be available? Thanks.
