
CUBE in DMZ, H323 calls to CUBE, Ports need to be opened?

Bryan Geoghan
Level 1

Hi,

I am putting in a CUBE in a DMZ that will have a public address that will NAT to its internal address.

First off, what scenario is the CUBE really used for? Does it make sense to have an outside IP Video Station register to the CUBE using the public IP and then make calls to internal video endpoints?

If so, does H323 work well with this?

And lastly, what do I need to do on the firewall besides mapping the public IP to the private IP? Do I need to open ports or add certain commands?

Thanks

4 Replies

You'll need TCP 1720 for H225 negotiation. You will also need random ports between 25000-50000 on both sides as H245 is negotiated dynamically between two random ports. If you're using SIP, TCP/UDP 5060 would be opened up.

Having the CUBE can help centralize your dial plan, as well as add security since it will be the border element between your internal devices and the external IP network.

For what you're doing, H323 would be the best option, yes.

-nick

Yes, but isn't there some feature of the CUBE or Cisco ASA that automatically opens the ports when needed and then closes them? Maybe it's those random ports? If so, what needs to be configured on the ASA for that?

Would that just leave TCP 1720 needing to be opened to the CUBE?

Yes, H323 inspection should take care of the H245 ports automatically. It's worth noting, however.

If it's just H323, TCP port 1720 is what you're looking at.

-nick

Attached is a sample config for an ASA that is providing NAT/firewall for a CUBE and Gatekeeper router. This might be what you are looking for.
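The advice in the replies above, written out as an ASA configuration sketch. This is an example added here, not the attachment mentioned in the last reply and not a Cisco-supplied config. It assumes ASA 8.3 or later (object NAT), interface names `dmz` and `outside`, an ACL named `OUTSIDE-IN`, and constructed addresses (203.0.113.10 public, 192.168.50.10 for the CUBE).

```cisco
! Constructed example values; replace with your own addressing.
! Static NAT: public 203.0.113.10 <-> CUBE at 192.168.50.10 in the DMZ.
object network CUBE-DMZ
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
! Weak variant (shown commented out for comparison): permanently opening
! the whole dynamic range so H.245 can land on any negotiated port.
! access-list OUTSIDE-IN extended permit tcp any object CUBE-DMZ range 25000 50000
!
! Tighter variant: only H.225 call signaling (TCP 1720) is permitted
! statically. With object NAT the ACL references the real (DMZ) address.
access-list OUTSIDE-IN extended permit tcp any object CUBE-DMZ eq 1720
access-group OUTSIDE-IN in interface outside
!
! H.323 inspection follows the H.225 exchange and opens the negotiated
! H.245 port for the life of the call, then closes it again.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
service-policy global_policy global
```

`show service-policy` lists the `inspect h323` entries with packet counters, which confirms that call signaling is actually passing through the inspection engine rather than a static permit.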
