Cisco Pix Firewall
Version 6.3(3):
Wisconsin VCS Videoconferencing Services have successfully placed inbound and outbound calls using Polycom ViewStations through Cisco PIX firewalls running Version 6.3(3) by setting up an "access list" in the firewall. Using the information below, you do not need to open several broad port ranges that let everything through, so security behind your firewall is maintained.
Using 6.3(3) also eliminates having to create a temporary or permanent punch-through of your firewall based on IP subnets every time you want to receive a video call from a new site. In the past, that method was sometimes easier to use on older software versions.
Note that at the bottom of the page there are additional links for setting up your Polycom codec to work with 6.3(3). Polycom and Cisco have collaborated to make this work better than ever before.
 
Global Pix 6.3(3) firewall settings for all of your codecs:
**Note: Always make a backup copy of the PIX configuration before attempting any changes**
  1. Make sure you are not running NAT outside of the PIX. All NAT must be configured on the PIX.
  2. Open the following ports bidirectionally:
    • 21 FTP (allows upgrade of endpoint software)
    • 23 Telnet (allows ICS and WiscNet support person to connect to endpoint)
    • 80 WWW (allows ICS and WiscNet to connect to Polycom web server to remotely manage the endpoint & help troubleshoot)
    • 1718 and 1719 UDP and TCP
    • 1731 TCP bidirectional (audio call control)
    • 3230 - 3247 UDP bidirectional (audio & video)
    • 3230 - 3235 TCP bidirectional (H.245 call control: aka RTCP)
  3. Change the h323 "timeout" value, or your calls will disconnect after five minutes. We suggest 10 hours to cover day-long meetings including a lunch break.
    • Change this line from:
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:30:00
    • to: (suggestion: copy this line and paste into your configuration)
      timeout h323 10:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:30:00
  4. Increase the h225 timeout values to at least 10 hours.
    • Change this line from:
      timeout conn 1:00:00 half-closed 0:30:00 udp 0:30:00 rpc 0:10:00 h225 1:00:00
    • to: (suggestion: copy this line and paste into your configuration)
      timeout conn 1:00:00 half-closed 0:30:00 udp 0:30:00 rpc 0:10:00 h225 10:00:00
 
Individual Pix 6.3(3) firewall settings for each of your codecs:
Repeat these steps for each codec.
**Note: Always make a backup copy of the PIX configuration before attempting any changes**
  1. Create a static route through the firewall (inside to outside IP address).
    • Example:
      static (inside, outside) 192.150.50.0 10.11.08.50 netmask 255.255.255.255 0 0
    • Note: substitute the routable IP address used in this example (192.150.50.0) and the private or NAT IP (10.11.08.50) with your IPs.
  2. Copy the access list below into your PIX configuration.
    • Polycom is migrating their RAS registration from TCP ports 1718 and 1719 to UDP 1718 and 1719 - we account for both at the current time
    • Cisco's "H323 fixup protocols" are now recommended.
    • Add your static outside IP address in place of the example address 192.150.50.0

      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      access-list INTERNET permit tcp any host 192.150.50.0 eq www
      access-list INTERNET permit tcp host 192.150.50.0 any eq www
      access-list INTERNET permit udp host 192.150.50.0 any eq 80
      access-list INTERNET permit tcp any host 192.150.50.0 eq telnet
      access-list INTERNET permit udp any host 192.150.50.0 eq 1718
      access-list INTERNET permit udp host 192.150.50.0 any eq 1718
      access-list INTERNET permit udp any host 192.150.50.0 eq 1719
      access-list INTERNET permit udp host 192.150.50.0 any eq 1719
      access-list INTERNET permit tcp any host 192.150.50.0 eq h323
      access-list INTERNET permit tcp host 192.150.50.0 any eq h323
      access-list INTERNET permit tcp any host 192.150.50.0 eq 1731
      access-list INTERNET permit tcp host 192.150.50.0 any eq 1731
      access-list INTERNET permit tcp any host 192.150.50.0 range 3230 3235
      access-list INTERNET permit tcp host 192.150.50.0 any range 3230 3235
      access-list INTERNET permit udp any host 192.150.50.0 range 3230 3247
      access-list INTERNET permit udp host 192.150.50.0 any range 3230 3247
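As an added example (not from this page or from Wisconsin VCS), the Python below generates the static and access-list entries above for each codec from the page's port table, and then audits an access-list for entries that go beyond that set (an any-to-any permit, or a port or range outside the documented H.323 ports). The codec addresses used in the check are constructed.

```python
import re

# (proto, port spec, inbound rule?, outbound rule?) exactly as the page's
# per-codec access-list opens them for one Polycom endpoint.
RULES = [
    ("tcp", "eq www", True, True), ("udp", "eq 80", False, True),
    ("tcp", "eq telnet", True, False), ("udp", "eq 1718", True, True),
    ("udp", "eq 1719", True, True), ("tcp", "eq h323", True, True),
    ("tcp", "eq 1731", True, True), ("tcp", "range 3230 3235", True, True),
    ("udp", "range 3230 3247", True, True),
]

# Per-protocol port set the page documents (names as PIX prints them).
ALLOWED_PORTS = {
    "tcp": {"www", "telnet", "h323", "1731"} | {str(p) for p in range(3230, 3236)},
    "udp": {"80", "1718", "1719"} | {str(p) for p in range(3230, 3248)},
}

def codec_block(pub, priv, acl="INTERNET"):
    """Emit the static plus the page's access-list entries for one codec."""
    lines = [f"static (inside, outside) {pub} {priv} netmask 255.255.255.255 0 0"]
    for proto, port, inbound, outbound in RULES:
        if inbound:
            lines.append(f"access-list {acl} permit {proto} any host {pub} {port}")
        if outbound:
            lines.append(f"access-list {acl} permit {proto} host {pub} any {port}")
    return lines

ACL_RE = re.compile(
    r"access-list \S+ permit (tcp|udp) (any|host \S+) (any|host \S+) "
    r"(?:eq (\S+)|range (\d+) (\d+))$")

def audit_acl(lines):
    """Return findings for permit entries wider than the page's set: an
    any-to-any rule, or a port/range outside the documented H.323 ports."""
    findings = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # not a tcp/udp permit entry; ignore
        proto, src, dst, port, lo, hi = m.groups()
        if src == "any" and dst == "any":
            findings.append(f"any-to-any rule: {line.strip()}")
        ports = {port} if port else {str(p) for p in range(int(lo), int(hi) + 1)}
        extra = ports - ALLOWED_PORTS[proto]
        if extra:
            findings.append(f"undocumented {proto} port(s) {sorted(extra)}: {line.strip()}")
    return findings

if __name__ == "__main__":
    block = codec_block("192.150.50.0", "10.11.8.50")  # constructed addresses
    print("\n".join(block))
    print(audit_acl(block) or "access-list matches the documented port set")
```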
Codec settings to work with the PIX 6.3(3) version of firewall:
See: How to set up your Polycom codec
 
Excerpts of the material on this page have been graciously contributed by Wisconsin VCS Videoconference Services
For comments regarding this site, please email Debby Thompson at debbyt@ncesd.org