Remote H323 handsets behind Cisco ASA 5

[maccabee333]

Hi Guys, I was just going through some old posts and realized I didn't ever post my solution to this.

Basically even though the Cisco was set to be completely open the phones still wouldn't register correctly.

We spent a long time looking at this with Avaya and they came up with this. In NoUser source code add REMOTE_H323=1800 This changes the port being used by the handsets and gets round the Cisco's annoying little sniffers.


Hope this helps someone as much as it did me.

Ian


APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[tlpeter]

Does this actually work?
That would be great!


BAZINGA!

I'm not insane, my mother had me tested!

 

[tlpeter]

I am thinking this would solve problems at the other end too as some providers block a lot of ports lower than a certain number.
I am going to try this for one user on our own system where it does not work.
Do you need a reboot for this?


BAZINGA!

I'm not insane, my mother had me tested!

 

[maccabee333]

it worked for us on 2sites using the same asa with separate ports configured for two separate IPO's

Before adding it in we would just get what looked like a registered phone but without the button programming and dial tone. After perfect working phone

APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[maccabee333]

No I didnt need to reboot the IPO. phone picked it up on registration.

from memory its changing the 1720 to 1800 cant remember exactly what port it changed.

APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[tlpeter]

Star for you as i have had the same on our Cisco 18xx router.
No matter what we tried we could not get it working at all.
But does this changes the 1719 and 1720 ports to 1800?
It this is the case then i assume that i can use any port not in use.


BAZINGA!

I'm not insane, my mother had me tested!

 

[maccabee333]

Thanks.

I will have to check my notes from the original ticket. I'm sure you can use any port free Avaya just decided to use 1800.

APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[maccabee333]

its 1720. This is what avaya sent me

"Hello Ian,

As discussed over the phone, the issue appears to be resolved.

Andrey and I from our labs connected to the system using the IP address that you provided and reproduced the issue that you raised, as this was done in a controlled environment allowed us to collect a packet capture trace. In there we were able to see that the second part of the registration “screen paiting” was not being successful, many ICMP messages of port unreachable. This was introduced by the Cisco.

In order to overcome this, the following entry was added in the No User Source Number:

REMOTE_H323=1800

Afterwards we were able to connect and make calls to each other successfully.

Please try it at your premises and let us know how you get on"

And

"Hello Ian,

The method works by instructing the Phone to use a different signal port other than 1720 and in the (below) case 1800 is used. The Cisco then doesn´t bother anymore.

Regards,"



APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[CarGoSki]

hmmm... new source number code.
definitely star worthy

 

[amriddle01]

Now this is interesting ....and actually worth a star (as oppose to the cheap ones we usually pick up for training end users), wonder if this works on the Drayteks...?



"No problem monkey socks

 

[maccabee333]

Thanks Guys,

@amriddle01 what drayteks are you using? I have it working in our office and on our test bench using 2830's

APSS,ACIS,ACSS

trained on SplicCom but who wants to know that.

follow me on Twitter @TheIanMac

 

[tlpeter]

maccabee333, i just tried this for a colleague who changed internet provider and it works for him too.


BAZINGA!

I'm not insane, my mother had me tested!

 

[maccabee333]

Awesome!!! glad to help. Getting an IPOS does have its up sides some times.

APSS,AIPS,ACIS,ACSS

SpliceCom Advanced Specialist

follow me on Twitter @TheIanMac

 

[keithlcope]

Hey Guys,

I am having trouble getting this to work. I have changed the nouser sourcecode to REMOTE_H323=1800
All of the settings in the network topology tab are set as well.

As of now I have the phone registered, extension logged in, and all buttons appear. I can make and receive calls but have no audio.

The customer has another vendor making all the changes to the firewall and they have made the port forwarding changes and disabled H323 inspection as I have requested. Is there something that I need to have them check in the firewall to allow this to work?

 

[tlpeter]

Keith, did you remove the port forwarding for port 1720?
I had the same problem and i forgot to remove that port.
It seems that the phone is still trying to use port 1720 somehow.
Let me know if that fixes the no speech issue after removing port 1720 out of the routers port forwarding.

BAZINGA!

I'm not insane, my mother had me tested!

 

[keithlcope]

Thanks for the input.
I am still waiting to hear back from the other vendor to have this done.
Once I do I will let you know the results.

 

[punchtool]

Keith I'm having the same issue what did you find? I get dial tone every now and then but not every time.

 

[keithlcope]

Punchtool,
Sorry I took so long to reply. I've been trying to get some info from the tech that configured the router for me. I think what finally worked for us was to manually forward the ports individually instead of the whole range that is set in IPO.
These are the notes that he sent me. Hope they help

To do remote worker, you need to port forward UDP 1719 and 1720 to the IPO. If the inspect H.323 isn’t working, you may need to turn off the ALG for H.323: (We also changed port 1720 to 1800 with the "nouser" sourcecode)

policy-map global_policy
class inspection_default
no inspect h323 h225
no inspect h323 ras

BY doing so, you will also need to port forward to RTP (UDP) range from the internet to the IPO. Use the same range specified in the IPO.

Try with inspection first to avoid having to port forward RTP, but if that doesn’t work, do in manually.