New Member

Private IP address VC directly to public IP address

Hi

I am a little confused as to why a specific call I have observed worked for a couple of clients, and am wondering if there have been any developments in the H.323 protocol which allow some form of NAT traversal natively built into the codecs without involving an external gateway function.

The reason I ask is as follows.

I have experienced a call from a client with a codec on a private non-routable IP address to my system, which is on a public IP address. The client did not have any NAT configuration details in the endpoint and was able to call my system directly without issue by calling directly to my public IP address.

Now historically, if I had a system on a private IP address sat behind a NAT, I would expect that the system on the public IP would see the non-routable IP address from the H.225 message and attempt to reply to the private IP address for the RTP media, which would not go through. This didn't appear to happen.

The call that I experienced appeared to complete without issue; media was flowing in both directions.

My endpoint is a Cisco Edge 85 on firmware version F9.x.

The other party's codec is an Edge 85 on firmware version F9.x.

My codec is on a public IP address, completely open for H.323 ports.

The other party's codec is on a private IP address.

Whilst I cannot call the other party, the other party can call me, and I am just wondering how this has worked, taking into account that there is no expected H.323-aware gateway service in the call, either a VCS or an H.323-aware firewall.

From experience, firewalls and other gateways outside of Tandberg, Polycom and Cisco have struggled to keep up with the new H.323 version, which again is why I am baffled as to why the call worked.

I have done a little reading on the new H.323 version and noticed the multiplex logical channel option; however, a call where I have seen this apparently working, again from a LifeSize codec to a Codian 4505 MCU, shows no evidence of this multiplex logical channel, unless it is named differently in the logs to what the ITU document calls the feature.

Any and all responses greatly appreciated. I do like to understand exactly how firewalls impact VC calls.

Think with Portals       

Cisco Employee

Re: Private IP address VC directly to public IP address

From the description, it certainly sounds like ALG on a firewall. A packet capture at both sides of the call would provide much information regarding the call signaling and media path.

Sent from Cisco Technical Support iPhone App
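
The two-sided capture comparison suggested in the reply above, as an added sketch that is not part of the original thread and not Cisco code. It assumes the signalled transport addresses have already been read out of each capture's H.225/H.245 decode; the record layout, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Signaled(NamedTuple):
    field: str    # message field the address was read from
    pkt_src: str  # IP source of the packet as seen at this capture point
    addr: str     # transport address carried inside the H.225/H.245 payload

def is_rfc1918(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in net for net in RFC1918)

def diagnose(caller_side, callee_side):
    """Compare each signalled address as sent with the same field as received."""
    sent = {s.field: s for s in caller_side}
    verdicts = {}
    for rx in callee_side:
        tx = sent.get(rx.field)
        if tx is None:
            verdicts[rx.field] = "not-in-caller-capture"
        elif rx.addr != tx.addr:
            # Payload changed in transit: an ALG or other H.323-aware device rewrote it.
            verdicts[rx.field] = "payload-rewritten"
        elif is_rfc1918(rx.addr) and rx.pkt_src != rx.addr:
            # Plain NAT: IP header translated, private address left in the payload,
            # so media sent to that address from the public side cannot be routed.
            verdicts[rx.field] = "private-address-leaked"
        else:
            verdicts[rx.field] = "unchanged"
    return verdicts

def alg_in_path(verdicts) -> bool:
    return any(v == "payload-rewritten" for v in verdicts.values())

# Constructed sample records (RFC 1918 and documentation addresses only).
F1, F2 = "H.225 Setup sourceCallSignalAddress", "H.245 OpenLogicalChannelAck mediaChannel"
CALLER = [Signaled(F1, "192.168.1.20", "192.168.1.20"),
          Signaled(F2, "192.168.1.20", "192.168.1.20")]
CALLEE_WITH_ALG = [Signaled(F1, "203.0.113.10", "203.0.113.10"),
                   Signaled(F2, "203.0.113.10", "203.0.113.10")]
CALLEE_PLAIN_NAT = [Signaled(F1, "203.0.113.10", "192.168.1.20"),
                    Signaled(F2, "203.0.113.10", "192.168.1.20")]

if __name__ == "__main__":
    for name, rx in (("with ALG", CALLEE_WITH_ALG), ("plain NAT", CALLEE_PLAIN_NAT)):
        v = diagnose(CALLER, rx)
        print(name, v, "ALG in path:", alg_in_path(v))
```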

New Member

Re: Private IP address VC directly to public IP address

Hi Zachary

Thank you very much for the response, greatly appreciated. I have to say that was my primary suspicion, although I am a little surprised to find an ALG on a firewall that actually works with H.323; from my experience they are very flaky if they work at all. I suppose it depends on the firewall; maybe there have been software improvements recently.

Could you confirm for me if there is any native NAT / firewall traversal function embedded within any of the newer Cisco codecs, talking about MXP series from F9.x upwards (C series, EX, SX, etc.)? (That is, one that doesn't require the intervention of a VCS or other H.460 / Assent ALG.)

Much appreciated

Cheers

Dave

Think with Portals
Cisco Employee

Re: Private IP address VC directly to public IP address

New Member

Private IP address VC directly to public IP address

Hi Zachary

Thanks for pointing those out to me. I was already aware of those options, which are not configured in the endpoint.

I guess the conclusion I can confidently bring here is as you stated in your first response, there must be an ALG at work.

Hmmm I guess I should take a closer look at the routers in use.

Thank you very much.

Cheers

Dave

Think with Portals