Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks An IP/VC Application Note Jonathan Roberts Network Consultant Engineer Enterprise Voice, Video Business Unit September 24, 2001 EDCS-154011 Copyright © 2001 Cisco Systems, Inc.
Table of contents Table of contents............................................................................................................................. 2 Introduction...................................................................................................................................... 3 Issues with Firewalls and H.323...................................................................................................... 4 What is the Cisco Secure PIX Firewall? .........................
Introduction This paper explains how to set up the Cisco Secure PIX firewall for use in Cisco IP/VC H.323 deployments. The configuration that will be shown below will be a two-interface PIX 515 running version 6.01 and utilizing NAT. The goals of this paper are: 1. Describe the issues with firewalls and H.323 2. Describe how to set up the firewall to allow H.323 video traffic to pass 3. Describe how to allow a terminal outside the firewall to register with a GK on the inside of the firewall. 4.
Issues with Firewalls and H.323 What makes H.323 so cumbersome to run through a firewall is its use of multiple data ports for a single call. For an H.323 call to take place it must first open an H.225 connection on TCP port 1720, using Q.931 signaling. After this has taken place, the H.245 management session is established. While this can take place on a separate channel from the H.225 setup it can also be done using H.245 tunneling, which takes the H.245 messages and embeds them in the Q.
What is NAT? Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT can operate on the PIX or a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into globally unique addresses before packets are forwarded onto another network.
How to configure the Cisco Secure PIX Firewall to allow H.323 traffic For this configuration we will assume the following, which is depicted in figure 1: • The Firewall is a PIX 515 with two interfaces. • A Gatekeeper with an internal IP address of 10.1.1.10 and an external IP address of 209.165.201.10. • An H.323 terminal with an internal IP address of 10.1.1.20 and an external IP address of 209.165.201.20. • A Cisco IP/VC 3510 MCU with an internal IP address of 10.1.1.30 and an external IP address of 209.
Table 1: Two Interface PIX with NAT Configuration Configuration Description nameif ethernet0 outside security0 PIX Firewall provides nameif and interface command statements for the interfaces in the default configuration. Change the default auto option in the interface command to the specific line speed for the interface card. nameif ethernet1 inside security100 interface ethernet0 10baset interface ethernet1 10baset Fixup protocol h323 1720 ip address outside 209.165.201.5 255.255.255.
Breaking down the PIX configuration Fixup protocol Command The first thing that we will look at in the PIX configuration is the H.323 Fixup Protocol. The H.323 fixup on PIX enables users to allow H.323 traffic to pass though the PIX. The two major functions of the fixup are to: 1. NAT the necessary embedded IPv4 addresses in the H.225 and H.245 signaling channels. Since H.323 messages are encoded in PER encoding format, PIX uses an ASN.1 decoder to decode the H.323 messages. 2.
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq] In the configuration from Table XX, the static command is implemented in this manner: static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0 static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0 static (inside,outside) 209.165.201.20 10.1.1.30 netmask 255.255.255.255 0 0 For each H.
IP/VC 3510 MCU with the IP address of 209.165.201.30, port 2720 will need to be opened. Use the following guidelines for specifying a source, local, or destination address: -Use a 32-bit quantity in four-part, dotted-decimal format. -Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec. -Use host address as an abbreviation for a mask of 255.255.255.255.
deny option in an access-list command statement, PIX Firewall discards the packet and generates the following syslog message: %PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID Always use the access-list command with the access-group command. Typical Ports used for H.
