Copyright © 2001 Cisco Systems, Inc. Page 1 of 11
Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks
An IP/VC Application Note
Jonathan Roberts
Network Consultant Engineer
Enterprise Voice, Video Business Unit
September 24, 2001
EDCS-154011
Table of contents
Table of contents (p. 2)
Introduction (p. 3)
Issues with Firewalls and H.323 (p. 4)
What is the Cisco Secure PIX Firewall? (p. 4)
What is NAT? (p. 5)
Implementing NAT for use with in-bound H.323 traffic (p. 5)
How to configure the Cisco Secure PIX Firewall to allow H.323 traffic (p. 6)
Breaking down the PIX configuration (p. 8)
Fixup protocol command (p. 8)
Static command (p. 8)
Access-list command (p. 9)
Access-group command (p. 10)
Typical Ports used for H.323 traffic (p. 11)
Helpful Links (p. 11)
Introduction
This paper explains how to set up the Cisco Secure PIX firewall for use in Cisco IP/VC
H.323 deployments. The configuration shown below is for a two-interface
PIX 515 running version 6.01 and using NAT. The goals of this paper are:
1. Describe the issues with firewalls and H.323
2. Describe how to set up the firewall to allow H.323 video traffic to pass
3. Describe how to allow a terminal outside the firewall to register with a gatekeeper (GK) on the
inside of the firewall.
4. Describe how to allow a terminal outside the firewall to communicate with a
terminal on the inside of the firewall.
Where appropriate, this paper refers to existing procedures in the following Cisco user
guides:
Cisco IP/VC Videoconferencing Design Guide
Managing Cisco Network Security
This guide assumes the user has basic PIX knowledge. For detailed PIX configuration
steps, see the online documentation below:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
Use the following link to download PIX code:
http://www.cisco.com/kobayashi/sw-center/internet/pix.shtml
Note: For those who are new to the Cisco IP/VC videoconferencing product family and
the Cisco Secure PIX Firewall, it is highly recommended that you first review the user
guides referenced above, as this paper is designed to enhance your understanding of the
products beyond that of the new user.
Issues with Firewalls and H.323
What makes H.323 so cumbersome to run through a firewall is its use of multiple data
ports for a single call. For an H.323 call to take place it must first open an H.225
connection on TCP port 1720, using Q.931 signaling. After this has taken place, the
H.245 management session is established. While this can take place on a separate
channel from the H.225 setup, it can also be done using H.245 tunneling, which takes the
H.245 messages and embeds them in the Q.931 messages in the previously established
H.225 channel.
At this point the H.245 session opens dynamically assigned ports for the UDP-based
RTP/RTCP video and audio data streams. These ports can range from 1024 to 65535.
Since these ports are not known in advance, and since it would defeat the purpose of a
firewall to open all these ports, a firewall must be able to "snoop" the H.323 signaling
stream in order to open only the additional ports needed for the call, and only for the
duration of the call. This is also known as stateful inspection.
An additional problem encountered with most firewalls is the use of NAT (see “What is
NAT” below for more information). Within H.323, the H.225 and H.245 signaling
channels make heavy use of the embedded IP address. An example could be the
following: A terminal has a private address of 10.1.1.125, which gets translated to
206.165.202.125 when it tries to place a call to an H.323 terminal with an IP address of
206.165.201.78 on the outside network. The terminal on the outside will still receive the
private address within the H.225 signaling stream. Since this is a non-routable address,
an attempt to make a connection back will fail. One way to get around this problem is to
use an H.323-aware NAT firewall, which can rewrite the addresses in the signaling
payload.
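The two behaviours just described, opening media pinholes only for the ports announced in the signaling channel and rewriting the private address embedded in that signaling, can be modelled in a few dozen lines. The following is an added illustration written for this note, not PIX code and not Cisco's own implementation. It uses the addresses from the example above (10.1.1.125 translated to 206.165.202.125, outside terminal 206.165.201.78) and represents signaling messages as plain dictionaries rather than real H.225/H.245 ASN.1 encodings; the message field names, the port numbers 49170/49171 and the call identifier are constructed for the example.

```python
"""Toy model of H.323-aware stateful inspection with NAT address rewriting.

Constructed example: messages are dicts carrying only the fields a firewall
needs, not real H.225/H.245 PER-encoded PDUs.
"""
from dataclasses import dataclass, field

H225_PORT = 1720                    # Q.931 call-signaling channel (TCP)
MEDIA_PORTS = range(1024, 65536)    # RTP/RTCP port range given in the text


@dataclass(frozen=True)
class Flow:
    """One packet's 4-tuple as seen on the outside interface."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class H323Inspector:
    # Static NAT table, inside address -> outside address (constructed).
    static_nat: dict
    # Dynamically opened pinholes: (proto, peer_ip, public_ip, port).
    pinholes: set = field(default_factory=set)
    # Pinholes grouped per call so they can be torn down together.
    calls: dict = field(default_factory=dict)

    def allowed(self, flow: Flow) -> bool:
        """Baseline policy plus whatever the signaling channel has opened.

        Inbound TCP/1720 is permitted only to hosts with a static translation;
        UDP is permitted only through a pinhole tied to the call's peer.
        """
        if flow.proto == "tcp" and flow.dst_port == H225_PORT:
            return flow.dst_ip in self.static_nat.values()
        key = (flow.proto, flow.src_ip, flow.dst_ip, flow.dst_port)
        return key in self.pinholes

    def inspect_outbound(self, call_id: str, peer_ip: str, msg: dict) -> dict:
        """Snoop a signaling message sent by an inside terminal.

        Returns the message as the outside peer will see it, with the private
        media address replaced by its static translation. Media ports announced
        in an OpenLogicalChannel are opened for the call's peer only; a
        ReleaseComplete closes everything the call opened.
        """
        out = dict(msg)
        if msg["type"] == "H245_OpenLogicalChannel":
            inside_ip = msg["media_ip"]
            public_ip = self.static_nat.get(inside_ip)
            if public_ip is None:
                raise ValueError(f"no static translation for {inside_ip}")
            for port in (msg["rtp_port"], msg["rtcp_port"]):
                if port not in MEDIA_PORTS:
                    raise ValueError(f"port {port} outside the media range")
                hole = ("udp", peer_ip, public_ip, port)
                self.pinholes.add(hole)
                self.calls.setdefault(call_id, set()).add(hole)
            out["media_ip"] = public_ip   # rewrite the embedded private address
        elif msg["type"] == "H225_ReleaseComplete":
            for hole in self.calls.pop(call_id, set()):
                self.pinholes.discard(hole)
        return out


def demo() -> dict:
    """Walk through the scenario from the text and collect the policy decisions."""
    fw = H323Inspector(static_nat={"10.1.1.125": "206.165.202.125"})
    public, peer = "206.165.202.125", "206.165.201.78"
    r = {}
    r["setup_allowed"] = fw.allowed(Flow("tcp", peer, public, H225_PORT))
    r["media_before_call"] = fw.allowed(Flow("udp", peer, public, 49170))
    olc = {"type": "H245_OpenLogicalChannel", "media_ip": "10.1.1.125",
           "rtp_port": 49170, "rtcp_port": 49171}        # constructed ports
    rewritten = fw.inspect_outbound("call-1", peer, olc)
    r["rewritten_ip"] = rewritten["media_ip"]
    r["rtp_during_call"] = fw.allowed(Flow("udp", peer, public, 49170))
    r["rtcp_during_call"] = fw.allowed(Flow("udp", peer, public, 49171))
    r["unannounced_port"] = fw.allowed(Flow("udp", peer, public, 49172))
    r["other_source"] = fw.allowed(Flow("udp", "198.51.100.9", public, 49170))
    fw.inspect_outbound("call-1", peer, {"type": "H225_ReleaseComplete"})
    r["media_after_call"] = fw.allowed(Flow("udp", peer, public, 49170))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of tying each pinhole to the call's peer address as well as the announced port is that a stateful inspector should open the narrowest hole the call requires; an inspector that keyed pinholes on destination port alone would leave those UDP ports reachable from any outside host for the life of the call.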
What is the Cisco Secure PIX Firewall?
Formerly known as the PIX Firewall, the Cisco Secure PIX Firewall series is the highest-performance, enterprise-class firewall product line within the Cisco firewall family. The
integrated hardware/software PIX Firewall series delivers high security without
impacting network performance, scaling to meet the entire range of customer
requirements.