
Cisco ASA 8.2 NAT Question

Status
Not open for further replies.

eks1

IS-IT--Management
Jan 17, 2013
2
US
I can get things done in the ASA if I have examples, but while probably totally obvious, this is stumping me.

I'm trying to get a video conferencing system working and we keep sporadically losing connectivity.

They have asked me to open up ALL TCP/UDP traffic between 192.168.9.15 and 88.88.88.88 (made up IPs).

I know how to open up certain ports, but I'm not clear on how to open up everything. Do I just eliminate the eq 17990 at the end of the access-list command?

access-list inbound extended permit tcp any host 88.88.88.88 eq 17990
static (inside,outside) 88.88.88.88 192.168.9.15 netmask 255.255.255.255

They have also asked that I set the UDP timeout to be longer than 2 minutes. In reading, for security reasons it says not to make this change globally, so is there a way to make the change only for this NAT?

Thanks in advance.

 
If you want to allow ALL TCP & UDP traffic then you need two lines in the inbound ACL - one to allow tcp and one to allow udp:
Code:
access-list inbound extended permit tcp any host 88.88.88.88 
access-list inbound extended permit udp any host 88.88.88.88
What protocol is your VC unit using? If it's H.323 or SIP then the PIX should understand the protocol and dynamically create the pinholes for the protocol to operate without you opening all TCP & UDP ports. In my experience you will probably also need ICMP of some sort as the end stations will need ICMP reachability between themselves - you may need to turn on ICMP inspection as it isn't on by default.

Andy
 
Thanks Andy, that's basically what I was thinking needed to be done. I've made the changes and will test it tonight when I'm off the network.
I believe the video conferencing system is using H.264.
The manufacturer is Vidyo.

Any thoughts on the UDP timeout?
 
H.264 is a video codec. The actual VC protocol will be almost definitely either SIP or H.323. As I say the PIX should be able to handle either without opening huge port (or all...) ranges. You just need to allow the control traffic ports:

SIP - UDP/5060
H.323 - TCP/1720

Assuming the default global inspections are enabled the PIX intelligently inspects the SIP or H.323 conversations and dynamically opens the RTP ports that are negotiated in the call setup.

Typically you will also need to allow ICMP between the endpoints.

Andy
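Pulling the two threads of advice above together (narrow the inbound ACL to the call-control ports and rely on inspection for the RTP pinholes, and lengthen the UDP idle timeout for this endpoint only rather than globally), here is an added ASA 8.2 configuration example. It is not from the thread or from Cisco's or Vidyo's documentation; it reuses the thread's made-up addresses (88.88.88.88 public, 192.168.9.15 inside), its `inbound` ACL and interface names, and assumes the names `vc_flows`, `vc_policy`, the 5-minute value, and the `set connection timeout idle` keyword (the exact keyword and whether the class-map ACL should carry the real or the mapped address vary by 8.2 sub-release, so check both with `?` and `show service-policy` on the running box).

```cisco
! Added example config, not from the thread. Addresses are the thread's made-up values.

! 1. Static NAT exactly as posted in the original question.
static (inside,outside) 88.88.88.88 192.168.9.15 netmask 255.255.255.255

! 2. Inbound ACL: call-control ports plus ICMP instead of "permit tcp/udp any host".
!    H.323 uses TCP/1720, SIP uses UDP/5060 (per the answer above); RTP media
!    ports are opened dynamically by inspection, so they are not listed here.
access-list inbound extended permit tcp any host 88.88.88.88 eq 1720
access-list inbound extended permit udp any host 88.88.88.88 eq 5060
access-list inbound extended permit icmp any host 88.88.88.88 echo
access-list inbound extended permit icmp any host 88.88.88.88 echo-reply
access-group inbound in interface outside

! 3. Confirm the default global policy inspects the signalling protocols
!    (h323 and sip are on by default in 8.2; icmp inspection is not).
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect icmp
service-policy global_policy global

! 4. Longer UDP idle timeout for this endpoint only, via MPF, leaving the
!    global "timeout udp" value untouched. Names and the 0:05:00 value are
!    assumptions; the ACL matches the real (inside) address because the
!    policy is applied on the inside interface (assumption: verify on 8.2).
access-list vc_flows extended permit ip any host 192.168.9.15
access-list vc_flows extended permit ip host 192.168.9.15 any
class-map vc_flows
 match access-list vc_flows
policy-map vc_policy
 class vc_flows
  set connection timeout idle 0:05:00
service-policy vc_policy interface inside

! 5. Checks after the change:
!    show conn address 192.168.9.15      (flows and their timeouts)
!    show service-policy interface inside (class hit counts)
!    show access-list inbound             (ACE hit counts)
```

The security point of the narrowed ACL is that a blanket `permit tcp any host 88.88.88.88` exposes every listening service on the endpoint, whereas with H.323/SIP inspection the only static exposure is the control port and the media pinholes exist only for the duration of a negotiated call. If calls still drop after this change, the ACE and class hit counters from the `show` commands in step 5 tell you whether traffic is being denied or whether it is simply idling past the timeout.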
 