Cisco Support Community
New Member

Setup PIX for Video Conferencing

PIX 515

6.2(2)

Need help opening ports for video conf equip.

Here are the instructions provided with the video equip with my comments indicated by ***:

1. On the Firewall, open up: TCP ports 1720, 3230-3231; UDP ports 3230-3235

***TCP port 1720 is already open for H.323. Not sure how to open other ports.***

2. Set up a static NAT address on your NAT tables corresponding to the internal IP address of the ViewStation. This must be a static one-to-one NAT.

***Looked at Translation Table in PDM. Can set up PAT. Wouldn't this require obtaining a new outside address? Since we want to communicate between offices, can we use our VPN?***

3. On the ViewStation, go to System Info>Admin Setup>LAN/H.323>H.323>QoS and turn on "Use Fixed Ports" and "System is Behind a NAT".

***OK, this is easy, but what if we use the VPN?***

4. Under the "NAT Outside (WAN) Address" type in the public NAT address that was assigned in the NAT table.

***VPN?***

Thanks!

1 REPLY
New Member

Re: Setup PIX for Video Conferencing

I'm assuming, because you mentioned ViewStation, that you have a Polycom product. Which firmware rev are you running on the ViewStation? I ran into an issue in April 2003 where the latest Polycom release (5.0 for FX, 7.2.4 for SP) did not support H323 through NAT. Check with Polycom; they may have a patch available by now. However, we've had to run the previous firmware level (5.0 FX, 7.2 SP).

Also, if you are using a Polycom FX (Multisite), you may need to open more ports. We have the following setup on our PIX with a Polycom ViewStation FX:

access-list 101 permit udp any host 12.xx.xx.xx range 3230 3247

access-list 101 permit tcp any host 12.xx.xx.xx range 3230 3235

access-list 101 permit tcp any host 12.xx.xx.xx eq 1731

access-list 101 permit tcp any host 12.xx.xx.xx range 3220 3225

access-list 101 permit tcp any host 12.xx.xx.xx eq 1503

access-list 101 permit udp any host 12.xx.xx.xx eq 1718

access-list 101 permit udp any host 12.xx.xx.xx eq 1719

...and yes, 12.xx.xx.xx has to be a valid internet address set up as a static translation.

The most secure is to DMZ and VPN your Polycom; however, we haven't gone to that extent due to time issues. If I had a job where I didn't have to also deal with user issues I would do it.
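
An added example, not part of either post: a short Python check that compares the ports a PIX access-list opens against the ports step 1 of the vendor instructions requires, so missing or extra openings stand out before the ACL is applied. The ACL text is the reply's lines as posted; the function names and the supported line subset (`permit tcp|udp any host X eq|range`) are assumptions of this example.

```python
import re

# Ports required by step 1 of the vendor instructions quoted in the question.
REQUIRED = {"tcp": [(1720, 1720), (3230, 3231)], "udp": [(3230, 3235)]}

# The reply's access-list lines as posted (public address masked by the poster).
ACL = """\
access-list 101 permit udp any host 12.xx.xx.xx range 3230 3247
access-list 101 permit tcp any host 12.xx.xx.xx range 3230 3235
access-list 101 permit tcp any host 12.xx.xx.xx eq 1731
access-list 101 permit tcp any host 12.xx.xx.xx range 3220 3225
access-list 101 permit tcp any host 12.xx.xx.xx eq 1503
access-list 101 permit udp any host 12.xx.xx.xx eq 1718
access-list 101 permit udp any host 12.xx.xx.xx eq 1719
"""

# Supported subset (assumption of this example): permit tcp|udp any host X eq|range.
LINE = re.compile(
    r"access-list\s+\S+\s+permit\s+(tcp|udp)\s+any\s+host\s+\S+\s+"
    r"(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))")

def parse_acl(text):
    """Return {proto: set of destination ports} opened by the ACL text."""
    opened = {"tcp": set(), "udp": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.fullmatch(line)
        if not m:
            # Refuse to guess at lines outside the supported subset (deny, objects, ...).
            raise ValueError(f"unsupported ACL line: {line!r}")
        proto, eq, lo, hi = m.groups()
        lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
        if lo > hi:
            raise ValueError(f"inverted port range: {line!r}")
        opened[proto].update(range(lo, hi + 1))
    return opened

def audit(acl_text, required=REQUIRED):
    """Return (missing, extra): required ports not opened, and opened ports not required."""
    opened = parse_acl(acl_text)
    missing, extra = {}, {}
    for proto in opened:
        need = {p for lo, hi in required.get(proto, []) for p in range(lo, hi + 1)}
        missing[proto] = sorted(need - opened[proto])
        extra[proto] = sorted(opened[proto] - need)
    return missing, extra

if __name__ == "__main__":
    print(audit(ACL))
```

On the reply's lines it reports TCP 1720 as not covered (the question says that port is already open elsewhere) and lists the additional ports the reply opens for the FX (Multisite) unit.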
