H323 over Zone Based Fire Wall

Hi

I am facing an issue with a video conference connection over an SR520 with zone-based firewall.

I can call out from inside to outside but cannot receive calls from outside.

Below shows what I have done for this... am I missing anything?

I'd appreciate it if someone can help me. Any advice will be helpful! Thanks much!

What I have done is:

1) add NAT translation

ip nat inside source static 172.16.92.15 xxx.xxx.xxx.xxx

2) create an access-list with the following ports to allow the traffic.

ip access-list extended TANDBERG
 permit tcp any any eq 389
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 1720
 permit tcp any any gt 1023
 permit udp any any gt 1023

3) create a class-map with the following protocols, with "access-group name TANDBERG" from above.

class-map type inspect match-any SDM-Voice-permit
 match protocol sip
 match protocol h323
 match protocol icmp
 match protocol telnet
 match protocol ssh
 match protocol skinny
 match protocol h225ras
 match protocol h323-annexe
 match protocol h323-nxg
 match access-group name TANDBERG

4) added the class-map to the policy-map as below, which is for inside > outside.

policy-map type inspect sdm-inspect
 class type inspect SDM-Voice-permit           <<<<<<<<<<<<<<<<<<
  inspect
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect z1-z2-pmap
 class type inspect sdm-invalid-src
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect All-Traffic
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect SDM-inspect-staticnat-in
  inspect
 class type inspect L2L_VPN_10.188.18.0_23
  inspect
 class class-default
  drop
zone security out-zone
zone security in-zone
zone security pptp
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
zone-pair security pptp-out source pptp destination out-zone
 service-policy type inspect sdm-inspect
!

5) also added for outside > inside

policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit                  <<<<<<<<<<<<<<<<<
  inspect
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect SDM-inspect-staticnat-in
  inspect
 class type inspect L2L_VPN_10.188.18.0_23
  inspect
 class class-default
  drop

zone security out-zone
zone security in-zone
zone security pptp
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone                <<<<<<<<<<<<<<<<<<<
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone              <<<<<<<<<<<<<<<<<<
 service-policy type inspect sdm-inspect
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
zone-pair security pptp-out source pptp destination out-zone
 service-policy type inspect sdm-inspect
!
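Added example, not from the original post and not Cisco code: a small Python resolver for the zone-based firewall policy chain the post walks through (zone-pair -> service-policy -> policy-map classes -> class-map matches). Given pasted IOS config text it reports, per direction, which protocols reach an "inspect" action and what happens to traffic that matches no class (ZBFW drops inter-zone traffic that has no zone-pair policy, and a class-default with no explicit action also drops). The SAMPLE_CONFIG below is a constructed excerpt of the post's own config, trimmed to the parts the resolver needs; the function names are this example's own.

```python
import re

# Constructed sample: an excerpt of the ZBFW portion of the config in the post,
# not a complete device configuration.
SAMPLE_CONFIG = """
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
 match protocol h323
 match protocol h225ras
 match access-group name TANDBERG
policy-map type inspect sdm-inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  drop
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""

CM_RE = re.compile(r"^class-map type inspect (match-any|match-all) (\S+)$")
PM_RE = re.compile(r"^policy-map type inspect (\S+)$")
ZP_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
ACTIONS = ("inspect", "pass", "drop")


def parse_zbfw(text):
    """Collect class-maps, policy-maps and zone-pairs from IOS config text.
    Indentation is ignored, so a flat paste (as in forum posts) parses the same."""
    model = {"class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    ctx = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := CM_RE.match(line):
            cur = {"mode": m.group(1), "protocols": [], "acls": []}
            model["class_maps"][m.group(2)] = cur
            ctx = "cm"
        elif m := PM_RE.match(line):
            cur = []                      # ordered list of {class, action}
            model["policy_maps"][m.group(1)] = cur
            ctx = "pm"
        elif m := ZP_RE.match(line):
            cur = {"name": m.group(1), "policy": None}
            model["zone_pairs"][(m.group(2), m.group(3))] = cur
            ctx = "zp"
        elif line.startswith("zone security "):
            ctx = cur = None              # zone definitions carry nothing we need
        elif ctx == "cm" and line.startswith("match protocol "):
            cur["protocols"].append(line.split()[2])
        elif ctx == "cm" and line.startswith("match access-group name "):
            cur["acls"].append(line.split()[3])
        elif ctx == "pm" and line.startswith("class type inspect "):
            cur.append({"class": line.split()[3], "action": None})
        elif ctx == "pm" and line == "class class-default":
            cur.append({"class": "class-default", "action": None})
        elif ctx == "pm" and cur and line.split()[0] in ACTIONS:
            cur[-1]["action"] = line.split()[0]   # "inspect <pmap>" still counts as inspect
        elif ctx == "zp" and line.startswith("service-policy type inspect "):
            cur["policy"] = line.split()[3]
    return model


def classes_for(model, src, dst):
    """Ordered (class, action, protocols, acls) rows that apply to src -> dst."""
    zp = model["zone_pairs"].get((src, dst))
    if zp is None or zp["policy"] is None:
        return []
    rows = []
    for entry in model["policy_maps"].get(zp["policy"], []):
        cm = model["class_maps"].get(entry["class"], {"protocols": [], "acls": []})
        rows.append((entry["class"], entry["action"], list(cm["protocols"]), list(cm["acls"])))
    return rows


def inspected_protocols(model, src, dst):
    """Protocols matched by some class whose action is 'inspect' for src -> dst."""
    return {p for _, action, protos, _ in classes_for(model, src, dst)
            if action == "inspect" for p in protos}


def default_action(model, src, dst):
    """Fate of src -> dst traffic matching no class: no zone-pair policy means
    ZBFW drops inter-zone traffic, and class-default without an action drops."""
    for name, action, _, _ in classes_for(model, src, dst):
        if name == "class-default":
            return action or "drop"
    return "drop"


if __name__ == "__main__":
    model = parse_zbfw(SAMPLE_CONFIG)
    for src, dst in (("out-zone", "in-zone"), ("in-zone", "out-zone"), ("pptp", "in-zone")):
        print(f"{src} -> {dst}: inspect={sorted(inspected_protocols(model, src, dst))}"
              f" default={default_action(model, src, dst)}")
```

Run it against a `show running-config` paste to confirm that the out-zone to in-zone direction actually reaches an inspect action for h323 and h225ras and that class-default there is the only thing dropping; the device-side counterpart is `show policy-map type inspect zone-pair`, which shows per-class hit counters so a missed class (for example a call setup that lands in class-default) is visible directly.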
