Manuals / Cisco Systems / Household Appliance / Home Security System

Cisco Systems VC-289 Proxy Outside the Firewall, Proxies and NAT, For Networks Using NAT, VC-300

Models: VC-289

1 76

Download 76 pages 30.7 Kb

Page 12

Proxy Outside the Firewall

Configuring H.323 Gatekeepers and Proxies

H.323 Proxy Features

Proxy Outside the Firewall

To place the proxy and gatekeeper outside the firewall, two conditions must exist. First, the firewall must support H.323 dynamic access control. Second, Network Address Translation (NAT) must not be in use.

If NAT is in use, each endpoint must register with the gatekeeper for the duration of the time it is online. This will quickly overwhelm the firewall because a large number of relatively static, internal-to-external address mappings will need to be maintained.

If the firewall does not support H.323 dynamic access control, the firewall can be configured with static access lists that allow traffic from the proxy or gatekeeper through the firewall. This can present a security risk if an attacker can spoof, or simulate, the IP addresses of the gatekeeper or proxy and use them to attack the network. Figure 60 illustrates proxy outside the firewall.

Figure 60 Proxy Outside the Firewall

Terminals Firewall

Edge router

Gatekeeper

Proxy
Outside
devices	S6915
	S6915

Proxies and NAT

When a firewall is providing NAT between an internal and an external network, proxies may allow H.323 traffic to be handled properly, even in the absence of a firewall that can translate addresses for H.323 traffic. Table 24 and Table 25 provide guidelines for proxy deployment for networks that use NAT.

Table 24	Guidelines for Networks That Use NAT

For Networks Using NAT		Firewall with H.323 NAT	Firewall Without H.323 NAT

Firewall with dynamic access		Gatekeeper and proxy inside the	Co-edge gatekeeper and proxy
control		firewall

Firewall without dynamic access		Gatekeeper and proxy inside the	Co-edge gatekeeper and proxy
control		firewall, with static access lists
		on the firewall

Cisco IOS Voice, Video, and Fax Configuration Guide

VC-300

Image 12

Cisco Systems VC-289 Proxy Outside the Firewall, Proxies and NAT, For Networks Using NAT, Firewall with H.323 NAT, VC-300

Contents

Multimedia Conference Manager Overview Configuring H.323 Gatekeepers and ProxiesH.323 Gatekeeper Features, page H.323 Proxy Features, pageH.323 Gatekeeper Features Principal Multimedia Conference Manager FunctionsZone and Subnet Configuration, page Redundant H.323 Zone Support, pageZone and Subnet Configuration Redundant H.323 Zone SupportInterzone Routing Using E.164 Addresses, page Gatekeeper Multiple Zone SupportTechnology Prefixes VC-292Interzone Communication RADIUS and TACACS+Accounting via RADIUS and TACACS+ Terminal Name RegistrationInterzone Routing Using E.164 Addresses VC-294VC-295 Call ScenarioHSRP Support VC-296H.323 Proxy Features SecuritySecurity, page Quality of Service, page Application-SpecificRouting, pageProxy Inside the Firewall VC-298Proxy in Co-EdgeMode See FigureVC-299 For Networks Using NAT Proxy Outside the FirewallProxies and NAT Firewall with H.323 NATQuality of Service Application-SpecificRoutingFor Networks Not Using NAT Firewall with H.323. NATH.323 Prerequisite Tasks and Restrictions Redundant H.323 Zone SupportVC-302 H.323 Gatekeeper Configuration Task List Configuring the GatekeeperConfiguring the Gatekeeper, page 303 Required Configuring the Proxy, page 332 RequiredCommand Starting a GatekeeperPurpose VC-304Command the h323-gatewayvoip h.323-id commandPurpose VC-305Command zone subnet commandPurpose VC-306Configuring Intergatekeeper Communication Via DNS, page Manual Configuration, pageCommand Via DNSConfiguring Redundant H.323 Zone Support Manual ConfigurationCommand PurposeConfiguring Local and Remote Gatekeepers CommandPurpose VC-309Command CommandVerifying Zone Prefix Redundancy PurposeCommand zone local or zone remote command. You canPurpose VC-311Command Verifying Technology Prefix RedundancyPurpose VC-312Configuring Static Nodes CommandPurpose Gatekeeper” section on pageConfiguring H.323 Users via RADIUS CommandCommand PurposeCommand Purposeserver radius or aaa group server tacacs+ VC-315Command PurposeVC-316 Command password default password-SpecifiesthePurpose VC-317Configuring a RADIUS/AAA Server CommandCommand “Configuring H.323 Users via RADIUS” section onCommand “Configuring H.323 Users via RADIUS” section onPurpose pageConfiguring User Accounting Activity for RADIUS CommandPurpose VC-320Configuring E.164 Interzone Routing CommandCommand PurposeConfiguring H.323 Version 2 Features Command“Configuring Redundant Gatekeepers for a PurposeConfiguring a Dialing Prefix for Each Gateway CommandPurpose VC-323Command PurposeVC-324 Command PurposeVC-325 Configuring a Prefix to a Gatekeeper Zone List CommandPurpose “Starting a Gatekeeper” section on pageCommand PurposeVC-327 Command PurposeVC-328 Command PurposeVC-329 Command PurposeVC-330 Verifying Gatekeeper Proxied Access Configuration CommandPurpose Router# show gatekeeper zone statusConfiguring the Proxy Configuring a Forced Disconnect on a GatekeeperCommand Configuring a Proxy Without ASR, pageConfiguring a Proxy Without ASR Commandshow interfaces command PurposeCommand Purposemultipoint point-to-point-Optional VC-334Command PurposeVC-335 Command switchPurpose KeywordConfiguring a Proxy with ASR CommandKeyword Interface TypeCommand “Configuring a Proxy Without ASR” section on“Configuring a Proxy Without ASR” section on “Configuring a Proxy Without ASR” section onCommand “Configuring a Proxy Without ASR” section onPurpose pageCommand PurposeVC-340 Command PurposeVC-341 Command “Configuring a Proxy Without ASR” section onCommand PurposeCommand “Configuring a Proxy Without ASR” section on“Configuring a Proxy Without ASR” section on PurposeCommand “Configuring a Proxy Without ASR” section onPurpose pageH.323 Gatekeeper Configuration Examples Command“Configuring a Proxy with ASR” section on “Configuring a Proxy Without ASR” section onConfiguring a Gatekeeper Example Co-EdgeProxy with Subnetting Example, pageDefining Multiple Zones Example, page Removing a Proxy Example, pageRedundant Gatekeepers for a Zone Prefix Example E.164 Interzone Routing ExampleVC-347 VC-348 Configuring HSRP on the Gatekeeper Example VC-349Isolating the Multimedia Network, page Co-EdgeProxy with Subnetting Example, pageVC-350 Enabling the Proxy to Forward H.323 Packets Isolating the Multimedia NetworkVC-351 PX1 Configuration VC-352R1 Configuration Configuring H.323 Gatekeepers and ProxiesH.323 Gatekeeper Configuration Examples VC-353PX1 Configuration Figure 64 Sample Configuration with SubnettingConfiguring H.323 Gatekeepers and Proxies H.323 Gatekeeper Configuration ExamplesR1 Configuration Configuring H.323 Gatekeepers and ProxiesH.323 Gatekeeper Configuration Examples VC-355PX2 Configuration R2 ConfigurationVC-356 VC-357 PX1Edge net 172.21.127.39 GK1PX1 Configuration Configuring H.323 Gatekeepers and ProxiesH.323 Gatekeeper Configuration Examples VC-358PX1 Configuration The following output is for the PX1 configurationConfiguring H.323 Gatekeepers and Proxies H.323 Gatekeeper Configuration ExamplesDefining Multiple Zones Example Defining One Zone for Multiple Gateways ExampleVC-360 Configuring a Proxy for Inbound Calls Example Configuring a Proxy for Outbound Calls ExampleVC-361 Removing a Proxy Example H.235 Security ExampleVC-362 GKTMP and RAS Messages Example Prohibiting Proxy Use for Inbound Calls ExampleVC-363 Configuring H.323 Gatekeepers and Proxies H.323 Gatekeeper Configuration ExamplesVC-364