Hi Steven, On Wed, Jul 15, 2009 at 6:28 PM, Steven Pfister<spfis...@dps.k12.oh.us> wrote: > I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. > We can get incoming calls fine, but not outgoing calls for some reason. My > question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the > difference between them? The video conferencing unit in question has a NAT > transversal option where I can supply an address and mask.I'm wondering if > I'm having a NAT transversal problem anyway. Which one would handle the NAT > transversal, inspect or fixup? Currently, the PIX config has: > > inspect h323 h225 > inspect h323 ras > > do I need: > > fixup protocol h323 h225 1718-1720 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > > instead of the inspect commands? In addition to them? >
"inspect" is the name of the "fixup" from 7.0 onwards - obviously as time went, some more enhancements were added. you can enter the "fixup" commands, but they will be autoconverted into the respective "inspect" under "magic" default policy. You mention that the inbound call works - so a nice way to debug would be to grab the pcap on inside+ pcap on the outside and study them in wireshark for both failing and working scenarios and see what is different. The first cutover point is whether you see the tcp/1720 in the outbound direction or not - if not, or if it is going to the wrong address, would mean there is an issue related to RAS signaling - else it's something with the call signaling. The above can be tested much easier if you are able to make the direct calls by IP address and the other party can accept such calls without involving RAS at all - this could be an easy shortcut instead of staring at the sniffer traces :-) - if the direct call using IP address works, then you can further investigate RAS. If the inbound calls to you work, most probably it is going to be the case, but worth doublechecking. The inspect in the default configuration normally should be able to tweak all the embedded IPs both for RAS and call setup, so the endpoints would not need to have any NAT awareness nor do any special efforts to detect/traverse the NAT. Also might be quite useful to have a quick test with another h323 stack if you can - openh323 had a very tweakable client, and ekiga can do h323 video as well. If those work, again you get one more baseline to compare the sniffer traces with. cheers, andrew _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/