Integrating Cisco Secure PIX Firewall and IP/VC 
Videoconferencing Networks 
An IP/VC Application Note 
 
 
 
 
Jonathan Roberts 
Network Consultant Engineer 
 
Enterprise Voice, Video Business Unit 
September 24, 2001 
EDCS-154011
Copyright © 2001 Cisco Systems, Inc.  Page 1 of 11
                    
Table of contents

Table of contents ........ 2
Introduction ........ 3
Issues with Firewalls and H.323 ........ 4
What is the Cisco Secure PIX Firewall? ........
                    
Introduction

This paper explains how to set up the Cisco Secure PIX Firewall for use in Cisco IP/VC H.323 deployments. The configuration shown below is a two-interface PIX 515 running version 6.01 and using NAT. The goals of this paper are:

1. Describe the issues with firewalls and H.323.
2. Describe how to set up the firewall to allow H.323 video traffic to pass.
3. Describe how to allow a terminal outside the firewall to register with a GK on the inside of the firewa
                    
Issues with Firewalls and H.323

What makes H.323 so cumbersome to run through a firewall is its use of multiple ports for a single call. For an H.323 call to take place, the caller must first open an H.225 connection on TCP port 1720, which carries the Q.931 call-signaling messages. After this has taken place, the H.245 control session is established. While this can take place on a separate, dynamically negotiated TCP channel from the H.225 setup, it can also be done using H.245 tunneling, which takes the H.245 messages and embeds them in
                    
What is NAT?

Network Address Translation (NAT) is designed for IP address simplification and conservation: it lets private IP internetworks that use unregistered (not globally unique) addresses connect to the Internet. NAT can run on the PIX or on a router, usually at the point where two networks join, and translates the private addresses of the internal network into globally unique addresses before packets are forwarded onto the other network. As part of this functionality, NAT
                    
How to configure the Cisco Secure PIX Firewall to allow H.323 traffic

For this configuration we will assume the following, which is depicted in figure 1:

• The firewall is a PIX 515 with two interfaces.
• A Gatekeeper with an internal IP address of 10.1.1.10 and an external IP address of 209.165.201.10.
• An H.323 terminal with an internal IP address of 10.1.1.20 and an external IP address of 209.165.201.20.
• A Cisco IP/VC 3510 MCU with an internal IP address of 10.1.1.30 and an e
                    
Table 1: Two Interface PIX with NAT Configuration

Configuration                          Description
-------------------------------------  ----------------------------------------------------------------
nameif ethernet0 outside security0     PIX Firewall provides nameif and interface command statements
nameif ethernet1 inside security100    for the interfaces in the default configuration. Change the
interface ethernet0 10baset            default auto option in the interface command to the specific
interface ethernet1 10baset            line speed for the interface card.
fixup protocol h323 1720               The fixup protocol commands let you view, c
                    
Breaking down the PIX configuration

Fixup protocol Command

The first thing we will look at in the PIX configuration is the H.323 fixup protocol. The H.323 fixup on the PIX is what allows H.323 traffic to pass through the PIX.

The two major functions of the fixup are to:

1. NAT the necessary embedded IPv4 addresses in the H.225 and H.245 signaling channels. Since H.323 messages are encoded in the PER encoding format, the PIX uses an ASN.1 decoder to decode the H.323 messages.
                    
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

In the configuration from Table 1, the static command is implemented in this manner:

static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255 0 0

Each static is a one-to-one translation, so every inside host needs its own global address (the MCU's is 209.165.201.30, as in figure 1). For each H.323 terminal, MCU and Gateway on th
                    
IP/VC 3510 MCU with the IP address of 209.165.201.30, port 2720 will need to be opened.

Use the following guidelines for specifying a source, local, or destination address:

- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.
- Use the keyword host before an address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for spe
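The static and access-list statements above, generated from an endpoint inventory and sanity-checked before they are pasted into the PIX. This is an added example in Python and is not part of the original note or any Cisco tooling. It takes the three endpoints and their global addresses from figure 1; the access-list name acl_out, the outside subnet 209.165.201.0/24, the assumption that the MCU's port 2720 is TCP, and the use of UDP 1719 (the standard H.225 RAS port, needed for an outside terminal to register with the inside gatekeeper) are assumptions made here, not taken from the page. The check that matters most in practice is the one for a global address assigned to two inside hosts: a static is a one-to-one translation, so a reused global address cannot map back to both hosts.

```python
"""Generate and sanity-check PIX 6.x static and access-list statements for
a set of H.323 endpoints. Added example; not Cisco's code."""
import ipaddress

# Constructed inventory taken from the note's figure 1 topology:
# (inside address, global address, role).
ENDPOINTS = [
    ("10.1.1.10", "209.165.201.10", "gatekeeper"),
    ("10.1.1.20", "209.165.201.20", "terminal"),
    ("10.1.1.30", "209.165.201.30", "mcu"),
]

# Ports that must be reachable from outside, per role.
# TCP 1720: H.225 call signaling, which the note opens for every device.
# TCP 2720: the extra port the note says the IP/VC 3510 MCU needs (TCP assumed here).
# UDP 1719: standard H.225 RAS port so an outside terminal can register with
#           the inside gatekeeper (well-known H.323 port, not from the note's table).
ROLE_PORTS = {
    "gatekeeper": [("tcp", 1720), ("udp", 1719)],
    "terminal": [("tcp", 1720)],
    "mcu": [("tcp", 1720), ("tcp", 2720)],
}


def validate(endpoints, outside_net="209.165.201.0/24"):
    """Reject mistakes the PIX will refuse or silently mistranslate: a global
    address reused for two hosts, a local address mapped twice, a global
    address outside the outside interface's subnet, or an unknown role."""
    net = ipaddress.ip_network(outside_net)
    seen_global, seen_local = set(), set()
    for local, glob, role in endpoints:
        if role not in ROLE_PORTS:
            raise ValueError(f"unknown role {role!r} for {local}")
        if ipaddress.ip_address(glob) not in net:
            raise ValueError(f"{glob} ({role}) is not inside {outside_net}")
        if glob in seen_global:
            raise ValueError(f"global address {glob} assigned to two hosts")
        if local in seen_local:
            raise ValueError(f"local address {local} translated twice")
        seen_global.add(glob)
        seen_local.add(local)


def is_valid(endpoints):
    """True when validate() accepts the inventory."""
    try:
        validate(endpoints)
        return True
    except ValueError:
        return False


def static_lines(endpoints):
    """One-to-one static per endpoint: /32 netmask, no connection limits."""
    validate(endpoints)
    return [
        f"static (inside,outside) {glob} {local} netmask 255.255.255.255 0 0"
        for local, glob, _ in endpoints
    ]


def acl_lines(endpoints, acl="acl_out"):
    """Permit only the ports each role needs, addressed to the global address,
    then bind the list inbound on the outside interface."""
    validate(endpoints)
    lines = []
    for _, glob, role in endpoints:
        for proto, port in ROLE_PORTS[role]:
            lines.append(f"access-list {acl} permit {proto} any host {glob} eq {port}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def pix_snippet(endpoints):
    """The fixup, statics and access-list as one pasteable block."""
    return "\n".join(["fixup protocol h323 1720", *static_lines(endpoints), *acl_lines(endpoints)])


if __name__ == "__main__":
    print(pix_snippet(ENDPOINTS))
    # A static that reuses the terminal's global address for the MCU is rejected.
    bad = ENDPOINTS[:2] + [("10.1.1.30", "209.165.201.20", "mcu")]
    print("duplicate global accepted:", is_valid(bad))
```

Note that the generated access-list permits from any source; if the set of outside terminals is known, replace any with their addresses so the inbound permits are as narrow as the static translations.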
                    
deny option in an access-list command statement, the PIX Firewall discards the packet and generates the following syslog message:

%PIX-4-106019: IP packet from source_addr to destination_addr, protocol protocol received from interface interface_name deny by access-group acl_ID

Always use the access-list command together with the access-group command.

Typical Ports used for H.323 traffic

Port   Protocol   Description              Terminal   MCU   Gateway   Gatekeeper
1300   TCP        H.235 secure signaling   X          X     X
1503   TCP        T
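Detection logic over the %PIX-4-106019 message above: once the access-list is bound inbound on the outside interface, these messages are the quickest way to see which H.323 endpoint is still being denied and for which protocol. This is an added example in Python, not part of the note. The endpoint addresses come from figure 1; the sample syslog lines are constructed, including the outside terminal address 192.0.2.50, the 302001 connection line and the acl_out/acl_in names, and the handling of the protocol field as either a number or a name is an assumption, since the page shows only the placeholder. The 106019 message carries no port, so the protocol is the finest grain this log gives you.

```python
"""Find H.323 traffic the PIX is dropping, from %PIX-4-106019 syslog lines.
Added example; not Cisco's code."""
import re
from collections import Counter

# Global (outside) addresses of the H.323 devices in the note's figure 1.
H323_ENDPOINTS = {
    "209.165.201.10": "gatekeeper",
    "209.165.201.20": "terminal",
    "209.165.201.30": "mcu",
}

# Field layout of the 106019 message exactly as the note prints it.
LOG_RE = re.compile(
    r"%PIX-4-106019: IP packet from (?P<src>\S+) to (?P<dst>\S+), "
    r"protocol (?P<proto>\S+) received from interface (?P<iface>\S+) "
    r"deny by access-group (?P<acl>\S+)"
)
# Assumption: the protocol field may be a name or an IP protocol number.
PROTO = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}


def parse_106019(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO.get(rec["proto"].lower(), rec["proto"].lower())
    return rec


def denied_h323(lines, outside_if="outside"):
    """Count denied packets that arrived on the outside interface addressed to
    an H.323 endpoint, keyed by (role, global address, protocol). A non-zero
    count means the inbound access-list has no permit for that protocol to
    that endpoint. Denies on other interfaces and to other hosts are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_106019(line)
        if rec is None or rec["iface"] != outside_if:
            continue
        role = H323_ENDPOINTS.get(rec["dst"])
        if role is None:
            continue
        counts[(role, rec["dst"], rec["proto"])] += 1
    return counts


def report(counts):
    """One line per (role, address, protocol) still being denied."""
    return [
        f"{role} {dst}: {n} {proto} packet(s) denied inbound on outside; "
        f"check the access-list for a permit {proto} any host {dst} entry"
        for (role, dst, proto), n in sorted(counts.items())
    ]


# Constructed sample log: an outside terminal at 192.0.2.50 retries RAS
# registration (UDP) to the gatekeeper and then tries to call the MCU (TCP).
# The 302001 line and the inside-interface deny are there to be skipped.
SAMPLE_LOG = [
    "Sep 24 2001 10:01:02 pix %PIX-4-106019: IP packet from 192.0.2.50 to 209.165.201.10, protocol 17 received from interface outside deny by access-group acl_out",
    "Sep 24 2001 10:01:04 pix %PIX-4-106019: IP packet from 192.0.2.50 to 209.165.201.10, protocol udp received from interface outside deny by access-group acl_out",
    "Sep 24 2001 10:01:09 pix %PIX-4-106019: IP packet from 192.0.2.50 to 209.165.201.30, protocol 6 received from interface outside deny by access-group acl_out",
    "Sep 24 2001 10:01:10 pix %PIX-4-106019: IP packet from 192.0.2.77 to 209.165.201.99, protocol 6 received from interface outside deny by access-group acl_out",
    "Sep 24 2001 10:01:11 pix %PIX-6-302001: Built inbound TCP connection 12 for faddr 192.0.2.50/4021 gaddr 209.165.201.20/1720 laddr 10.1.1.20/1720",
    "Sep 24 2001 10:01:12 pix %PIX-4-106019: IP packet from 10.1.1.20 to 192.0.2.50, protocol 6 received from interface inside deny by access-group acl_in",
]

if __name__ == "__main__":
    for line in report(denied_h323(SAMPLE_LOG)):
        print(line)
```

Feed it the output of a syslog server the PIX logs to (one line per message); the two findings on the sample are UDP to the gatekeeper, which is the RAS registration from the outside terminal, and TCP to the MCU.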