Pix - Policy NAT and H.323 protocol fixup

H.323 net (10.0.0.?) --(in)PIX(out)-- netw A and W

Hi Experts.

In the scenario drawn above, I need the H.323 network on the inside to appear as two different networks on the outside, fixing up the H.323 protocol.

In other words, I need the H.323 network (10.0.0.?) to appear:

- as network a.b.c.? to network A.B.C.D, and

- as network w.x.y.? to network W.X.Y.Z

I'm going to implement the following Pix configuration (PixOS 6.3):

!
!statements 1
static (inside, outside) a.b.c.d1 access-list GK-TO-NET-A
static (inside, outside) a.b.c.d2 access-list GW-TO-NET-A
access-list GK-TO-NET-A permit ip host 10.0.0.1 A.B.C.D <mask1>
access-list GW-TO-NET-A permit ip host 10.0.0.2 A.B.C.D <mask1>
!
!statements 2
static (inside, outside) w.x.y.z1 access-list GK-TO-NET-W
static (inside, outside) w.x.y.z2 access-list GW-TO-NET-W
access-list GK-TO-NET-W permit ip host 10.0.0.1 W.X.Y.Z <mask2>
access-list GW-TO-NET-W permit ip host 10.0.0.2 W.X.Y.Z <mask2>
!
fixup protocol h323 h225
fixup protocol h323 ras
!

As far as I understand, the Policy NAT feature will translate traffic destined for the A.B.C.D network from 10.0.0.1 as a.b.c.d1, and traffic destined for the W.X.Y.Z network from host 10.0.0.1 as w.x.y.z1.

In a notation:

[SA=10.0.0.1; DA=A.B.C.?] (in) >>>>> (out)[SA=a.b.c.d1; DA=A.B.C.?]

[SA=10.0.0.2; DA=A.B.C.?] (in) >>>>> (out) [SA=a.b.c.d2; DA=A.B.C.?]

[SA=10.0.0.1; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z1; DA=W.X.Y.?]

[SA=10.0.0.2; DA=W.X.Y.?] (in) >>>>> (out) [SA=w.x.y.z2; DA=W.X.Y.?]

Now, I have 3 questions for you:

Q1.

Did I understand the Policy NAT feature correctly?

Q2.

If answer to Q1 is yes, does the reverse hold *for connections initiated from the outside*, that is:

[SA=A.B.C.?; DA=a.b.c.d1] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.1]

[SA=A.B.C.?; DA=a.b.c.d2] (out) >>>>> (in) [SA=A.B.C.?; DA=10.0.0.2]

[SA=W.X.Y.?; DA=w.x.y.z1] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]

[SA=A.B.C.?; DA=w.x.y.z2] (out) >>>>> (in) [SA=W.X.Y.?; DA=10.0.0.1]

Q3.

If 10.0.0.1 (H.323 Gatekeeper) returns IP address 10.0.0.2 (H.323 Gateway) in an LCF RAS message when queried with an LRQ, will the Pix apply statements 1 and statements 2 *on the same packet* and transform the LCF message as follows:

LRQ: [SA=A.B.C.?; DA=a.b.c.d1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=A.B.C.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)

LCF: [SA=10.0.0.1; DA=A.B.C.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=a.b.c.d1; DA=A.B.C.?](H.323 LCF: for 1234, use GW a.b.c.d2)

LRQ: [SA=W.X.Y.?; DA=w.x.y.z1](H.323 LRQ: looking for number=1234) (outside) >>>>> (inside) [SA=W.X.Y.?; DA=10.0.0.1](H.323 LRQ: looking for number=1234)

LCF: [SA=10.0.0.1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW 10.0.0.2) (inside) >>>>> (outside) [SA=w.x.y.z1; DA=W.X.Y.?](H.323 LCF: for 1234, use GW w.x.y.z2)

Thank you!

michele
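The translation behaviour the post expects in Q1 through Q3, written out as a small model (an added example, not the original post's configuration or PIX's own code): the outer source address is chosen by (inside host, destination network), the inbound direction is only reversed for the peer network the static was defined for, and the gateway address embedded in the LCF is rewritten with the same destination-keyed lookup. RFC 5737 documentation ranges are constructed placeholders for the post's a.b.c.?, w.x.y.?, A.B.C.D and W.X.Y.Z.

```python
import ipaddress

# Constructed placeholders for the post's A.B.C.D <mask1> and W.X.Y.Z <mask2>
NET_A = ipaddress.ip_network("198.51.100.0/24")
NET_W = ipaddress.ip_network("203.0.113.0/24")

# One entry per "static ... access-list" line: (inside host, peer network, mapped address)
POLICY_STATICS = [
    ("10.0.0.1", NET_A, "192.0.2.1"),    # a.b.c.d1 via GK-TO-NET-A
    ("10.0.0.2", NET_A, "192.0.2.2"),    # a.b.c.d2 via GW-TO-NET-A
    ("10.0.0.1", NET_W, "192.0.2.129"),  # w.x.y.z1 via GK-TO-NET-W
    ("10.0.0.2", NET_W, "192.0.2.130"),  # w.x.y.z2 via GW-TO-NET-W
]


def outbound_xlate(src, dst):
    """Inside -> outside: mapped address selected by source host and destination network."""
    d = ipaddress.ip_address(dst)
    for inside, net, mapped in POLICY_STATICS:
        if inside == src and d in net:
            return mapped
    return None  # no policy static matches; some other NAT rule would have to apply


def inbound_untranslate(src, dst):
    """Outside -> inside: reverse a static only when the outside peer is in its network."""
    s = ipaddress.ip_address(src)
    for inside, net, mapped in POLICY_STATICS:
        if mapped == dst and s in net:
            return inside
    return None


def translate_lcf(src, dst, lcf):
    """Translate an inside->outside LCF: outer source plus the embedded gateway address.

    Both lookups are keyed on the same destination, which is the behaviour the post
    asks about in Q3. If the embedded address has no translation toward this peer the
    fixup has nothing valid to write, so the message is reported as untranslatable
    rather than leaking the inside address.
    """
    outer = outbound_xlate(src, dst)
    embedded = outbound_xlate(lcf["gw"], dst)
    if outer is None or embedded is None:
        return None
    return {"src": outer, "dst": dst, "payload": {"number": lcf["number"], "gw": embedded}}


if __name__ == "__main__":
    lcf = {"number": "1234", "gw": "10.0.0.2"}  # constructed LCF: "for 1234, use GW 10.0.0.2"
    print(translate_lcf("10.0.0.1", "198.51.100.7", lcf))
    print(translate_lcf("10.0.0.1", "203.0.113.9", lcf))
```

This only models the expectation; whether the PIX 6.3 H.323 fixup really keys the embedded-address rewrite on the packet's destination has to be confirmed on the device, for example by capturing the LCF on the outside interface and checking that the gateway address in the RAS payload matches the mapped address for that peer.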


Re: Pix - Policy NAT and H.323 protocol fixup

Please give me an update on this; I would like to implement the same.

Thanks.
