Cisco Systems EDCS-154011 manual Access-list command

Page 9

static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

In the configuration from Table XX, the static command is implemented in this manner:

static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255 0 0

Each H.323 terminal, MCU, and gateway on the inside that you want an external terminal to reach requires a static entry in the PIX configuration. Likewise, if you would like external terminals to access a gatekeeper on the inside, a static entry must be created for it as well. One way to avoid adding multiple static entries is to implement the Cisco Multimedia Conference Manager (MCM).

The Cisco Multimedia Conference Manager (MCM) is a Cisco IOS software component that supplies gatekeeper and proxy functions for an H.323 video network. The Cisco IOS based gatekeeper allows large H.323 video networks to be built and managed on Cisco hardware. The proxy supplies functions that devices in some IP networks do not currently provide, such as QoS, access to NAT networks, and firewall access.

Access-list command

The access-list command lets you specify whether an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same access list name are referred to as an "access list." The command syntax is as follows:

access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port

In the configuration from Table XX, the access-list is created in this manner:

access-list acl_out permit udp any host 209.165.201.10 eq 1719
access-list acl_out permit tcp any host 209.165.201.20 eq h323
access-list acl_out permit tcp any host 209.165.201.30 eq 2720

Here we are allowing any external unit to access the gatekeeper at IP address 209.165.201.10 through port 1719, which is needed for RAS messages to pass back and forth. Any external unit may also access the H.323 terminal at IP address 209.165.201.20 on port h323 (1720); h323 and 1720 may be used interchangeably. Because the fixup protocol h323 command is in use, it is not necessary to create additional access-list commands to open other ports for H.323 communication. Lastly for the Cisco
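The static entries and the access list above only work together when every host an access-list entry permits has a static translation and no two statics claim the same global address. The following consistency checker is an added example, not Cisco's code or part of this application note: it parses the static, access-list and access-group lines shown here with simple regular expressions (the PIX grammar they cover is assumed to be limited to the forms used on this page) and reports the mismatches a reviewer would look for. The sample configuration is constructed; its third static deliberately repeats the global address 209.165.201.20 so the checker has something to report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (not the note's own text): the third static deliberately
# reuses the global address 209.165.201.20 so the audit produces findings.
SAMPLE_CONFIG = """
static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.20 10.1.1.30 netmask 255.255.255.255 0 0
access-list acl_out permit udp any host 209.165.201.10 eq 1719
access-list acl_out permit tcp any host 209.165.201.20 eq h323
access-list acl_out permit tcp any host 209.165.201.30 eq 2720
access-group acl_out in interface outside
"""

# Port keywords the note uses; PIX accepts h323 and 1720 interchangeably.
PORT_NAMES = {"h323": 1720}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    r"^static\s+\((?P<int>[^,]+),(?P<ext>[^)]+)\)\s+"
    rf"(?P<global>{IPV4})\s+(?P<local>{IPV4})"
)
# Source may be "any", "host a.b.c.d" or "addr mask"; destination is a host.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    rf"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+host\s+(?P<dst>{IPV4})"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)")


@dataclass(frozen=True)
class Static:
    internal_if: str
    external_if: str
    global_ip: str
    local_ip: str


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    source: str
    dest_host: str
    port: Optional[int]


def resolve_port(token: Optional[str]) -> Optional[int]:
    """Turn an 'eq' operand into a port number (keyword or digits)."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_config(text: str) -> Tuple[List[Static], List[AclEntry], Dict[str, str]]:
    """Collect static translations, access-list entries and access-group bindings."""
    statics: List[Static] = []
    entries: List[AclEntry] = []
    groups: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STATIC_RE.match(line):
            statics.append(Static(m["int"].strip(), m["ext"].strip(), m["global"], m["local"]))
        elif m := ACL_RE.match(line):
            entries.append(AclEntry(m["name"], m["action"], m["proto"],
                                    " ".join(m["src"].split()), m["dst"],
                                    resolve_port(m["port"])))
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m["iface"]
    return statics, entries, groups


def audit(statics: List[Static], entries: List[AclEntry], groups: Dict[str, str]) -> List[str]:
    """Cross-check statics against the access list; return human-readable findings."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for s in statics:  # one global address must map to exactly one inside host
        if s.global_ip in seen and seen[s.global_ip] != s.local_ip:
            findings.append(f"duplicate global address {s.global_ip}: maps to both "
                            f"{seen[s.global_ip]} and {s.local_ip}")
        seen.setdefault(s.global_ip, s.local_ip)
    global_ips = {s.global_ip for s in statics}
    for e in entries:  # a permit to an untranslated host lets nothing through
        if e.action == "permit" and e.dest_host not in global_ips:
            findings.append(f"{e.name}: permit to {e.dest_host} has no matching static; "
                            "inbound traffic has no translation")
    permitted = {e.dest_host for e in entries if e.action == "permit"}
    for ip in sorted(global_ips - permitted):  # translation exists but nothing is allowed in
        findings.append(f"static {ip} is not permitted by any access-list entry")
    for name in sorted({e.name for e in entries}):  # an unbound list has no effect
        if name not in groups:
            findings.append(f"access-list {name} is not bound with access-group")
    return findings


def check(text: str) -> List[str]:
    return audit(*parse_config(text))


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the checker reports the duplicate global address and the permit to 209.165.201.30 that has no static behind it; correcting the third static to 209.165.201.30 makes both findings disappear.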

Copyright © 2001 Cisco Systems, Inc.

Page 9 of 11
