Posted by: Yasir Irfan
Recently we were asked to configure the Polycom device to have video conferencing with external world. Our Polycom device is behind a Cisco ASA 5540 firewall as shown in the below network layout.
In order to permit H.323 video conferencing you need to follow the following steps
Define static NAT rules
In the above example we will create a NAT rule for the external IP address 192.168.0.3 to the internal IP address 10.0.0.2 (assigned to Polycom device) using the following Cisco IOS command in ASA firewall.
static (inside,outside) 192.168.0.3 10.0.0.2 netmask 255.255.255.255
Create an access list to allow access to polycom device from external network, we need to allow the following ports tcp/udp to enable to video conferencing and apply the same to outside interface
1720 – tcp
3230 3285 – tcp
access-list Outside_In remark Allow traffic going to polycom device
access-list Outside_In extended permit udp any host 192.168.0.3 eq 1720
access-list Outside_In extended permit tcp any host 192.168.0.3 eq h323
access-list Outside_In extended permit udp any host 192.168.0.3 range 3230 3285
access-list Outside_In extended permit tcp any host 192.168.0.3 range 3230 3243
access-group Outside_In in interface outside
Create the Access list which will allow traffic to traverse the ASA firewall from Internal to External network, repeat the steps above, but ensure the Interface: is set to inside as shown below.
access-list Inside_In remark Allow Traffic form polycom device to outside
access-list Inside_In extended permit udp host 10.0.0.2 any range 3230 3285
access-list Inside_In extended permit tcp any host 10.0.0.2 eq h323
access-list Inside_In extended permit tcp host 10.0.0.2 any range 3230 3242
access-group Inside_In in interface inside
By following the above three steps you can enable video conference to any polycom device behind the ASA firewall.