[c-nsp] Question on h.323 video calls through a PIX 525 with NAT

Andy Litzinger Andy.Litzinger at theplatform.com
Wed Jul 15 13:14:21 EDT 2009


I don't think you can have the inspect and fixup in the same config.  I believe the inspection policies replace the fixup commands in the 7.x+ code.

Either one pretty much does the same thing: it's going into the packet and rewriting the IP in the h323 data payload (if necessary).

We had some issues with this behaviour and ended up disabling the h323 inspection and turning on the NAT traversal option of the device and things worked great for us.  YMMV.  Obviously you'll want to make sure you don't have any other h323 device traffic that would be affected by this change.

-andy

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister [SPfister at dps.k12.oh.us]
Sent: Wednesday, July 15, 2009 9:28 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT

I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. We can get incoming calls fine, but not outgoing calls for some reason. My question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the difference between them? The video conferencing unit in question has a NAT traversal option where I can supply an address and mask. I'm wondering if I'm having a NAT traversal problem anyway. Which one would handle the NAT traversal, inspect or fixup? Currently, the PIX config has:

  inspect h323 h225
  inspect h323 ras

Do I need:

 fixup protocol h323 h225 1718-1720
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719

instead of the inspect commands? In addition to them?

Thanks!


Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

