Re: H.323 ALG in Cisco 2600

Discussion in 'Cisco' started by Colin, Jul 15, 2003.

  1. Colin

    Colin Guest

    I had the same problem. I could initiate a call from the inside
    network and it would work fine. When I tried it from the outside
    network, it would just time out. So I fired up "debug ip nat h323" and
    I saw nothing. I was using dynamic NAT, so I set up static NAT and it
    worked.

    ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
    ip nat inside source list 7 pool test
    ip nat inside source static 192.168.1.10 172.18.124.5


    Where 192.168.1.10 is the inside address and 172.18.124.5 is the
    outside address.
    I had tried to use NAT overload and that did not work.








    (Blake Sount) wrote in message news:<>...
    > Hi all,
    >
    > I have a Cisco 2611XM with an IOS version of 12.2(8)T5 and I have a
    > problem with H.323 communication with NAT.
    >
    > The environment is the following: I have a PC with Netmeeting or
    > Openphone and a private IP@ is assigned. Imagine that I want to
    > establish a call with a user beyond the router that is performing
    > dynamic NAPT.
    >
    > The call is established correctly but the RTP information is only
    > received in one direction. So far, this is the normal anomaly of a
    > router which is not performing H323 ALG.
    >
    > I have even tried to set a static NAT but it doesn't work at all. But
    > surprisingly when I activate the "debug ip nat h323" command, no trace
    > is displayed at all when a call is established!!
    >
    > My question is:
    >
    > Does a Cisco router (in particular the one mentioned above) have the
    > H.323 ALG activated and/or installed by default?
    >
    > Should I execute some command to activate it?
    >
    > Does anybody have the same problem?
    >
    > That's all,
    >
    > Thank you very much. Please, try to answer ASAP because this issue
    > must be solved urgently.
    >
    > Blake
    Colin, Jul 15, 2003
    #1
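
One way to check on the wire whether the router rewrote the addresses carried inside H.323 signalling, as an added example that is not part of any post in this thread: capture the call-signalling TCP stream on the outside interface and search its TPKT frames for the inside address. It assumes the address is encoded as four raw octets followed by a two-octet port; the sample frames are constructed, not real H.225 messages, and port 5004 is an arbitrary value.

```python
import socket
import struct

def tpkt_frames(stream):
    """Split a reassembled TCP byte stream into TPKT (RFC 1006) payloads."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        version, _reserved, length = struct.unpack_from("!BBH", stream, off)
        if version != 3 or length < 4 or off + length > len(stream):
            break  # not TPKT, or a truncated frame: stop rather than guess
        frames.append(stream[off + 4:off + length])
        off += length
    return frames

def embedded_addresses(stream, ip):
    """Return (frame, offset, port) for each raw-octet occurrence of ip."""
    needle, hits = socket.inet_aton(ip), []
    for idx, payload in enumerate(tpkt_frames(stream)):
        pos = payload.find(needle)
        while pos != -1:
            tail = payload[pos + 4:pos + 6]
            port = struct.unpack("!H", tail)[0] if len(tail) == 2 else None
            hits.append((idx, pos, port))
            pos = payload.find(needle, pos + 1)
    return hits

def alg_verdict(stream, inside_ip, outside_ip):
    """Classify an outside-interface capture of the signalling stream."""
    if embedded_addresses(stream, inside_ip):
        return "not rewritten: inside address still in payload"
    if embedded_addresses(stream, outside_ip):
        return "rewritten: payload carries the translated address"
    return "no embedded address found"

def constructed_frame(ip, port):
    """Constructed stand-in for a signalling message, not a real H.225 PDU."""
    body = b"\x08\x02\x00\x01\x05" + bytes(6) + socket.inet_aton(ip)
    body += struct.pack("!H", port) + bytes(3)
    return struct.pack("!BBH", 3, 0, len(body) + 4) + body

if __name__ == "__main__":
    # Addresses from the thread; port 5004 is an arbitrary sample value.
    leaked = constructed_frame("192.168.1.10", 5004)
    fixed = constructed_frame("172.18.124.5", 5004)
    print(alg_verdict(leaked, "192.168.1.10", "172.18.124.5"))
    print(alg_verdict(fixed, "192.168.1.10", "172.18.124.5"))
```

A "not rewritten" result on the outside interface also means the internal addressing is visible to the remote party.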

  2. Colin

    Blake Sount Guest

    Thanks for your answer Colin,

    But what I want to do is to establish a call from the inside network
    (from the PC with the private IP@) towards the Internet but not from
    the outside network towards the inside network. Also, I have inserted
    the same line for the static nat and it didn't work at all.

    According to what you have told me, you could make calls from the
    inside networks using the nat and performing H.323 ALG without
    problems, couldn't you? Did you see any trace in that kind of calls
    from the very beginning?

    Was your router model and IOS version the same as mine?

    Thank you very much.

    Blake Sount, Jul 15, 2003
    #2

  3. Colin

    Colin Guest

    Hi

    Before I put a static NAT in the config, I could only make calls from
    the inside. I got calls to work both ways after putting the static NAT
    in. When I was using a dynamic NAT w/ IP OverLoad, I could only make
    calls from the inside.

    I'm running IOS Version 12.3(1a) (c2600-ik9o3s3-mz.123-1a) on a 2620.

    Here is my working config (except when I'm logged in via VPN, IPSec is
    not working both ways - I can only make calls from the outside network
    - I think I have to set up the VPN in Tunnel Mode but I'm kinda lost -
    any pointers anyone??):

    ----------------------------------------
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 2620A
    !
    enable secret 5 $1$7WI8$a0QQZaJi8qm8H8D3ldFqa/
    !
    username remote password 7 030752180500
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    !
    no ip domain lookup
    !
    ip inspect name netmeeting h323
    ip audit notify log
    ip audit po max-events 100
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpngroup
    key <xxxxxx>
    domain nada.com
    pool ippool
    acl 102
    !
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no voice hpi capture buffer
    no voice hpi capture destination
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description OutSide-Interface
    ip address 172.18.124.158 255.255.255.0
    ip nat outside
    duplex auto
    speed auto
    crypto map clientmap
    !
    interface Serial0/0
    description Inside-Interface
    ip address 14.38.50.51 255.255.255.0
    ip nat inside
    clockrate 64000
    no fair-queue
    !
    interface Serial0/1
    no ip address
    shutdown
    !
    ip local pool ippool 10.5.80.10 10.5.80.20
    ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
    ip nat inside source list 7 pool test
    ip nat inside source static 192.168.1.10 172.18.124.5
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    ip route 192.168.1.0 255.255.255.0 14.38.50.52
    !
    !
    !
    ip access-list extended console
    ip access-list extended default-domain
    ip access-list extended protocol
    ip access-list extended service
    ip access-list extended tunnel-password
    access-list 7 permit 192.168.1.0 0.0.0.255
    access-list 102 permit ip any 10.5.80.0 0.0.0.255
    !
    radius-server authorization permit missing Service-Type
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 1511021F0725
    !
    !
    !
    end



    Have fun...

    Colin



    Colin, Jul 16, 2003
    #3
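
An added example, not part of Colin's post: a small audit of the NAT and inspection lines in the config above. It reports which inside hosts have a static translation (and so can be reached by calls started from outside), which are covered only by the dynamic pool, whether an "ip inspect name" rule is actually bound to an interface, and whether the NAT outside interface has an inbound ACL. The excerpt is re-typed from the post with interface sub-commands indented, and the matching rules are a simplification, not a full IOS parser.

```python
import re

# Constructed excerpt: the NAT- and inspection-relevant lines of the config
# posted in the thread, with interface sub-commands indented.
CONFIG = """\
ip inspect name netmeeting h323
interface FastEthernet0/0
 description OutSide-Interface
 ip address 172.18.124.158 255.255.255.0
 ip nat outside
 crypto map clientmap
interface Serial0/0
 description Inside-Interface
 ip address 14.38.50.51 255.255.255.0
 ip nat inside
ip nat pool test 172.18.124.200 172.18.124.210 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 192.168.1.10 172.18.124.5
access-list 7 permit 192.168.1.0 0.0.0.255
"""

def audit(config):
    """Summarise NAT reachability and inspection bindings in an IOS config."""
    iface, nat_side, acl_in, bound = None, {}, {}, set()
    rules, static, dynamic = set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # a top-level line ends any interface block
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            rules.add(m.group(1))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            static[m.group(1)] = m.group(2)  # one-to-one, works both ways
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            dynamic.append((m.group(1), m.group(2), bool(m.group(3))))
        elif iface and (m := re.match(r"ip nat (inside|outside)$", line)):
            nat_side[iface] = m.group(1)
        elif iface and (m := re.match(r"ip access-group (\S+) in$", line)):
            acl_in[iface] = m.group(1)
        elif iface and (m := re.match(r"ip inspect (\S+) (in|out)$", line)):
            bound.add(m.group(1))
    outside = [i for i, side in nat_side.items() if side == "outside"]
    return {
        "inbound_reachable": static,   # inside host -> outside address
        "outbound_only": dynamic,      # (acl, pool, overload) tuples
        "unbound_inspect_rules": sorted(rules - bound),
        "outside_without_acl": [i for i in outside if i not in acl_in],
    }

if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(f"{key}: {value}")
```

On this excerpt the audit reports the "netmeeting" inspection rule as unbound and FastEthernet0/0 as having no inbound ACL, so the static entry maps every port of 192.168.1.10 to 172.18.124.5, not only the H.323 ports.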
  4. Colin

    Colin Guest

    I finally figured out that the Cisco 3.x client does not support H.323
    (Netmeeting). Here is a MS TechNet article, although kind of old:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;324682

    What I noticed is that Netmeeting listens on the local IP address and
    not the IP assigned to the VPN session. The fix is to install the
    Cisco VPN 4.0.2 client.


    Colin


    Colin, Jul 20, 2003
    #4
