Author H323 through a Pix
drizzits

2002-04-12, 10:56 am

Hey everyone,


I have a question. Anyone ever set up their PIX to do H.323 video conferencing without having to poke holes through it? We are looking to let ourselves connect to anyone on the net. This creates the problem; if it was just between offices then it would be easy, just create a VPN. We want it to be able to accept inbound sessions.

Thanks
Drizzits
chodan

2002-04-12, 9:38 pm

I wouldn't think there would be a way without VPN.
Otherwise you would need to create static NAT mappings and allow specific ports incoming access through the firewall.
If you have enough address space you could place your video conference machine on your DMZ; yes, it would be more vulnerable, but your LAN would be more secure.
darthfeces

2002-04-12, 9:58 pm

fixup protocol h323 1720
drizzits

2002-04-14, 10:38 pm

The problem is not really outgoing, it's incoming. Darthfeces, from what I understand, if you use fixup h323 that will only help with outgoing H.323; it still won't accept incoming. That's what I was told. I will be trying it tomorrow; I will let you know if it works.

Drizzits
chodan

2002-04-15, 6:50 am

That's why I suggested a static NAT mapping.
So your incoming H.323 will know what address to attach to.
Not to mention fixup protocol h323 1720 is on by default.
chodan

2002-04-15, 7:09 am

access-list 101 permit tcp host any any eq h323


access-group 101 in interface outside

does this sound right to you all?
darthfeces

2002-04-15, 1:54 pm

Yes,
I didn't read through the question ... my bad
catfisch

2002-04-16, 11:44 pm

The way I did this is.. I took a 224 mask network address I owned and busted it up to.. two 240's. Put one as my DMZ and assigned 192.168's to my networks behind the firewall. Then I set up DNAT entries into selected fakes:ports inside my network.. and mapped them to one of my IPs in my other 240.. this works out really well.. it gives me tight control and it's totally transparent to the users..
-Catfisch
chodan

2002-04-17, 6:56 am

quote:
Originally posted by catfisch
The way I did this is.. I took a 224 mask network address I owned and busted it up to.. two 240's. Put one as my DMZ and assigned 192.168's to my networks behind the firewall. Then I set up DNAT entries into selected fakes:ports inside my network.. and mapped them to one of my IPs in my other 240.. this works out really well.. it gives me tight control and it's totally transparent to the users..
-Catfisch


Sweet
an elegant solution.
catfisch

2002-04-20, 5:00 pm

Thanks.. chodan.. and it's free! -Catfisch
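
Added example (not part of the thread and not any poster's configuration): a Python check that audits a PIX 6.x-style configuration for the inbound H.323 setup discussed above, a static mapping plus an access-list entry scoped to the mapped address rather than to `any`. The sample config, its documentation-range addresses and the helper name `audit_h323` are constructed for illustration.

```python
import re

# Constructed PIX 6.x-style sample; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
fixup protocol h323 1720
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 203.0.113.10 eq h323
access-list 101 permit tcp any any eq h323
access-list 101 permit tcp any host 203.0.113.99 eq h323
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit tcp (any|host \S+) (any|host \S+) eq (h323|1720)\b")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside\b")


def audit_h323(config):
    """Return (status, line) findings for inbound H.323 rules (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Global (outside) addresses that have a static translation to an inner host.
    statics = {m.group(3) for m in map(STATIC_RE.match, lines) if m}
    # Only ACLs actually bound inbound on the outside interface matter here.
    applied = {m.group(1) for m in map(GROUP_RE.match, lines) if m}
    findings = []
    if not any(l.startswith("fixup protocol h323") for l in lines):
        findings.append(("no-fixup", "fixup protocol h323 not present"))
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(1) not in applied:
            continue
        dst = m.group(3)
        if dst == "any":
            findings.append(("too-broad", line))   # TCP 1720 open to every translated host
        elif dst.split()[1] not in statics:
            findings.append(("no-static", line))   # no static maps that address to a host
        else:
            findings.append(("scoped", line))      # one mapped host, one port
    return findings


if __name__ == "__main__":
    for status, line in audit_h323(SAMPLE_CONFIG):
        print(f"{status:10} {line}")
```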