Re: H.323 ALG in Cisco 2600

 
 
Colin
      07-15-2003
I had the same problem. I could initiate a call from the inside
network and it would work fine. When I tried it from the outside
network, it would just time out. So I fired up "debug ip nat h323" and
I saw nothing. I was using dynamic NAT, so I set up static NAT and it
worked:

ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 192.168.1.10 172.18.124.5

Where 192.168.1.10 is the inside address and 172.18.124.5 is the outside
address.
I had tried to use NAT overload and that did not work.

Blake Sount wrote:
> Hi all,
>
> I have a Cisco 2611XM with an IOS version of 12.2(T5 and I have a
> problem with H.323 communication with NAT.
>
> The environment is the following: I have a PC with Netmeeting or
> Openphone and a private IP@ is assigned. Imagine that I want to
> establish a call with a user beyond the router that is performing
> dynamic NAPT.
>
> The call is established correctly but the RTP information is only
> received in one direction. So far, this is the normal anomaly of a
> router which is not performing H323 ALG.
>
> I have even tried to set a static NAT but it doesn't work at all. But
> surprisingly when I activate the "debug ip nat h323" command, no trace
> is displayed at all when a call is established!!
>
> My question is:
>
> Does a Cisco router (in particular the one mentioned above) have the
> H.323 ALG activated and/or installed by default?
>
> Should I execute some command to activate it?
>
> Does anybody have the same problem?
>
> That's all,
>
> Thank you very much. Please, try to answer ASAP because this issue
> must be solved urgently.
>
> Blake

 
Blake Sount
      07-15-2003
Thanks for your answer Colin,

But what I want to do is to establish a call from the inside network
(from the PC with the private IP@) towards the Internet but not from
the outside network towards the inside network. Also, I have inserted
the same line for the static NAT and it didn't work at all.

According to what you have told me, you could make calls from the
inside networks using the NAT and performing H.323 ALG without
problems, couldn't you? Did you see any trace in that kind of calls
from the very beginning?

Was your router model and IOS version the same as mine?

Thank you very much.

Colin
      07-15-2003
Hi

Before I put a static NAT in the config, I could only make calls from
the inside. I got calls to work both ways after putting the static NAT
in. When I was using a dynamic NAT w/ IP OverLoad, I could only make
calls from the inside.

I'm running IOS Version 12.3(1a) (c2600-ik9o3s3-mz.123-1a) on a 2620.

Here is my working config (except when I'm logged in via VPN, IPSec is
not working both ways - I can only make calls from the outside network
- I think I have to set up the VPN in Tunnel Mode but I'm kinda lost -
any pointers anyone??):

----------------------------------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2620A
!
enable secret 5 $1$7WI8$a0QQZaJi8qm8H8D3ldFqa/
!
username remote password 7 030752180500
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
!
ip inspect name netmeeting h323
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key <xxxxxx>
 domain nada.com
 pool ippool
 acl 102
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface FastEthernet0/0
 description OutSide-Interface
 ip address 172.18.124.158 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map clientmap
!
interface Serial0/0
 description Inside-Interface
 ip address 14.38.50.51 255.255.255.0
 ip nat inside
 clockrate 64000
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
ip local pool ippool 10.5.80.10 10.5.80.20
ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 192.168.1.10 172.18.124.5
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 14.38.50.52
!
ip access-list extended console
ip access-list extended default-domain
ip access-list extended protocol
ip access-list extended service
ip access-list extended tunnel-password
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any 10.5.80.0 0.0.0.255
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 password 7 1511021F0725
!
end



Have fun...

Colin



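Added example, not part of the thread or of Colin's post: a small Python audit of an IOS running-config like the one above. It labels each `ip nat inside source` rule as static, dynamic or overload (the three cases the thread compares), reports an `ip inspect` rule that is defined but bound to no interface, and flags type 7 password lines and the cleartext HTTP server. The sample is abridged from the posted config with password strings replaced by placeholders; the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the config posted above, passwords replaced.
SAMPLE_CONFIG = """\
username remote password 7 <TYPE7-PLACEHOLDER>
ip inspect name netmeeting h323
interface FastEthernet0/0
 ip nat outside
interface Serial0/0
 ip nat inside
ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 192.168.1.10 172.18.124.5
ip http server
no ip http secure-server
line vty 0 4
 password 7 <TYPE7-PLACEHOLDER>
"""

def classify_nat(line):
    """Return 'static', 'overload', 'dynamic', or None for one config line."""
    m = re.match(r"ip nat inside source (static|list|route-map)\b(.*)", line.strip())
    if not m:
        return None
    if m.group(1) == "static":
        return "static"
    return "overload" if re.search(r"\boverload\b", m.group(2)) else "dynamic"

def audit(config):
    """Return (nat_rules, findings) for an IOS running-config string."""
    lines = [l.strip() for l in config.splitlines()]
    text = "\n".join(lines)
    nat_rules = [(classify_nat(l), l) for l in lines if classify_nat(l)]
    findings = []
    # A CBAC rule only inspects traffic once an interface carries
    # "ip inspect NAME in" or "ip inspect NAME out".
    defined = set(re.findall(r"^ip inspect name (\S+) ", text, re.M))
    applied = set(re.findall(r"^ip inspect (\S+) (?:in|out)$", text, re.M))
    for name in sorted(defined - applied):
        findings.append(f"inspect rule '{name}' is defined but applied to no interface")
    # Type 7 is reversible obfuscation, not a hash.
    n7 = len(re.findall(r"\bpassword 7 \S", text))
    if n7:
        findings.append(f"{n7} type 7 password line(s): treat as cleartext")
    if "ip http server" in lines:
        findings.append("cleartext HTTP management server is enabled")
    return nat_rules, findings

if __name__ == "__main__":
    rules, findings = audit(SAMPLE_CONFIG)
    for kind, line in rules:
        print(f"{kind:8} {line}")
    for finding in findings:
        print("finding:", finding)
```

Run against the sample, it lists one dynamic and one static rule and reports the unbound `netmeeting` inspection rule, which is how the posted config stands: no interface in it carries an `ip inspect netmeeting` line.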
 
Colin
      07-20-2003
I finally figured out that the Cisco 3.x client does not support H.323
(Netmeeting). Here is a MS TechNet article, although kind of old:

http://support.microsoft.com/default...b;en-us;324682

What I noticed is that Netmeeting listens on the local IP address and
not the IP assigned to the VPN session. The fix is to install the
Cisco VPN 4.0.2 client.


Colin

