I have a customer testing Polycom video conferencing over the Internet through their PIX 506. They have a single public IP address so all outbound traffic is PAT. When they initiate the connection the recipient sees their video feed but they see none. The only denys I can see in the syslog are:
106012: Deny IP from x.x.x.x to y.y.y.y, IP options: "0x14"
The following fixups are active:
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
The local subnet has and access-list allowing all IP traffic to pass outbound and just for testing we allowed the address we're trying to communicate with all IP access inbound.
I see messages in the syslog that the PIX recognizes h323 conversations.
Is there anything else I should be looking for or am I trying to get an unsupported protocol to work here? Is the deny IP options message relevant, can it be worked around?
The deny IP did show the same addresses that were testing the video. I assumed the IP options in question were QoS as video is known to insert in packets. I will check the Polycom client to see if this can be turned off.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...