Re: PIX and Netmeeting

From: Troy Rader (troy@onenet.net)
Date: Sat Nov 23 2002 - 00:44:38 GMT-3


Banlan,

Here is my recent experience with this, although I do not claim to be
either a PIX or an H.323 expert. Sorry for the length. I hope it is
worthwhile to you. Skip to the last paragraph for the short version. :)

We run a state-wide IP network in Oklahoma for government and education
use. Weekly, we have about 3,000 H.323 classes traverse our network.
Naturally, we get lots of calls from our customers seeking advice on
problems they have with H.323 thru their firewall. Generally, our
customers have simply kept their H.323 endpoints "outside" their firewall.
Finally, we put a PIX in our lab, where we also have 1 or 2 of every
vendor's H.323 endpoints (polycom, tandberg, etc). We ran our normal
H.323 interop tests with the PIX sitting between each combination of
endpoints. With many TAC cases opened along the way, we tested MANY
versions of PIX code, from 6.2.x, back to 6.1.1, including various interim
releases that TAC sent us. We found that H.323 does indeed have issues
going thru firewalls. The pix in this case. Most endpoints worked to most
other endpoints fine. There were just a few combinations that had either
audio problems, or video problems 1-way, etc.

This seems like a pretty stupid oversight now, but recently, our SE
pointed out that 6.3 PIX code, due out next year some time, will support
H.323 up to version 4 of the standard, where previously, they only
supported up to version 2 of H.323. Our endpoints all run H.323 version
3 or 4. We have an alpha copy of 6.3 now and will be testing soon to
determine if the version 3/4 support resolves all our interop issues. Here
is a link for more H.323 version info: http://www.h323forum.org/standards/

On the PAT issue, I believe that the PIX, and Enterprise versions of IOS,
do support H.323. I don't believe anything special is required, but I am
not 100% certain. I tested Enterprise IOS 4 years ago when I saw in
release notes that it supported H.323 in NAT, and it required nothing
special. I believe it is just a matter of your version of NAT supporting
H.323 or not.

Summary: The PIX currently supports H.323 version 2. Most H.323 endpoints
utilize H.323 version 3 or 4. PIX 6.3 will support H.323 version 3/4.
NAT/PAT might work, just depends on version and h323 support.

Troy

On Fri, 22 Nov 2002, Banlan Chen wrote:

> Hi Group,
>
> How can I configure a PIX which uses PAT to connect to the internet to
> let Netmeeting and Voice over MSN Messenger pass the firewall?
>
> Thanks in advance
> Banlan


