I have several H.323 Polycom boxes and I am trying to get them working behind the firewall. I've a PIX 525 that runs Version 5.3(1)200, and I am using static NAT translation. I can establish a call with the remote site; however, it times out in 40 min. or so.
Debug log does not report anything unusual. Connection is just terminated. If I move H.323 outside of the firewall it works great.
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
First of all, I am not quite sure what type of H.323 device the Polycom box is, but my guess is probably a gateway/H.323 client device. Either way, as far as the H.323 signaling goes, the dynamism in port assignment and H.245 negotiations is what makes most firewalls fail miserably when it comes to real-time traffic such as voice. Using an ordinary firewall, you can probably get most of the static signaling through by defining the well-known ports for them (H.225 RAS, and most Q.931 stuff), but when you get down to media negotiation (H.245) there is no way of predicting what port # the parties will be using, since it is random (dynamic). I haven't worked with PIX FW extensively and I can only guess that it also falls in the category of the other firewalls I have tested and noticed the problem with. Very few companies are working on developing a real-time traffic firewall that can dynamically open pinholes for voice traffic on a per-call basis, providing for the best security in the industry. I can lead you to one specifically that I test day-in day-out if you are interested.
My guess on what you will try to do next is to check with the Polycom vendor to see what ports to open on your PIX FW, but I can tell you this for sure: by the time you are done opening all the ports (port ranges, to be more specific), you will realize that your firewall has no real purpose, really. That is the catch. The technology is moving; you might want to tag along.
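The static signaling ports versus per-call media pinholes discussed above, sketched as an added PIX configuration fragment that is not from this thread or from Cisco; the addresses are placeholders, and the command syntax is assumed from the PIX 5.x/6.x command set and should be checked against the 5.3(1) command reference:

```cisco
! Assumed PIX 5.x/6.x syntax; 192.0.2.10 (outside) and 10.1.1.10 (inside) are placeholders
! One-to-one static translation so the Polycom unit keeps a fixed outside address
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
! Permit only the well-known H.225 call-signaling port (TCP 1720) inbound to that host
conduit permit tcp host 192.0.2.10 eq 1720 any
! H.323 fixup: inspect H.225/H.245 so the negotiated, dynamic media ports are opened
! per call instead of being permitted as static port ranges
fixup protocol h323 1720
! Idle timer for H.323 connections (assumed default 0:05:00); check this when idle calls drop
timeout h323 0:05:00
! Checks to run while a call is up:
!   show conn     - the signaling connection and the per-call media pinholes should be listed
!   show xlate    - the static translation for 10.1.1.10 should be present
!   show timeout  - confirm the conn and h323 idle values actually in effect
```

Comparing `show conn` output before and after the call drops, against the timers in `show timeout`, is the quickest way to tell an idle-timer teardown from a signaling failure.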
As the other respondent to your message indicated, NAT and H.323 generally don't mix well. However, Ridgeway have developed solutions specifically to enable the deployment of multiple H.323 end-points behind NAT routers and firewalls (whether H.323 enabled or not).