I am looking for help configuring a Cisco 861 Router to allow for video conferencing endpoints to connect.

I've gotten to the point where I can place and receive calls but cannot receive video on the endpoint behind my 861 router. I am using a Polycom HDX 8000 for my endpoint calling to/from another public endpoint I know is good.

My current running config...

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3399770473
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3399770473
 revocation-check none
 rsakeypair TP-self-signed-3399770473
!
!

ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1 
 dns-server 66.28.0.45 66.28.0.61 
 lease 0 2
!
!
ip cef
ip domain name yourdomain.com
ip name-server 66.28.0.45
ip name-server 66.28.0.61
!

class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
! 

interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address <my public ip here> 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.4 1720 interface FastEthernet4 1720
ip nat inside source static udp 10.10.10.4 1720 interface FastEthernet4 1720
ip route 0.0.0.0 0.0.0.0 <my public gateway>
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
Scott B

1 Answer

I see that you are trying to NAT 1720/tcp and 1720/udp, which means you are almost certainly trying to open H.323. The problem with H.323 is that a typical video connection will have 7 separate sockets (2 for audio, 2 for video, and 3 used for signalling and control) in use during a connection, and 6 of those are negotiated by the new end points during the call connection.

A large number of NAT implementations simply cannot handle H.323 because the ports are negotiated. If you have a single address, and you are trying to do this through PAT, then you will almost certainly fail.

What you may need to consider is setting up an H.323 gatekeeper, which can basically act as an H.323 application level proxy. GnuGK is an open source application able to do this.

At the minimum, I believe you are going to need to set up a 1-to-1 NAT. That is, you need to set up a NAT so that everything destined for some external IP gets forwarded to 10.10.10.4.

Zoredache
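To illustrate the answer's point about negotiated ports, here is an added example (not part of the original answer or the poster's setup) that checks the seven sockets of one call against the two static 1720 mappings in the posted config and against a 1-to-1 NAT. The negotiated port numbers and their protocols are constructed sample values, and the model covers only flows opened from the outside.

```python
from typing import List, NamedTuple, Optional

INSIDE = "10.10.10.4"  # endpoint address from the posted config


class Flow(NamedTuple):
    role: str
    proto: str
    port: int  # destination port on the router's outside address


class Rule(NamedTuple):
    proto: Optional[str]  # None matches any protocol
    port: Optional[int]   # None matches any port
    inside: str


# Constructed sample call with the seven sockets the answer counts.
# Only 1720 is fixed; the other ports are made-up stand-ins for the
# values the two endpoints agree on during call setup.
CALL = [
    Flow("signalling (fixed)", "tcp", 1720),
    Flow("control (negotiated)", "tcp", 49152),
    Flow("control (negotiated)", "tcp", 49153),
    Flow("audio", "udp", 49154),
    Flow("audio", "udp", 49155),
    Flow("video", "udp", 49156),
    Flow("video", "udp", 49157),
]

# The two static port mappings present in the posted config.
POSTED = [Rule("tcp", 1720, INSIDE), Rule("udp", 1720, INSIDE)]
# The 1-to-1 mapping the answer suggests: every port goes to the endpoint.
ONE_TO_ONE = [Rule(None, None, INSIDE)]


def translate(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Return the inside address for an inbound flow, or None if no rule matches."""
    for r in rules:
        if r.proto in (None, flow.proto) and r.port in (None, flow.port):
            return r.inside
    return None


def untranslated(rules: List[Rule], call: List[Flow] = CALL) -> List[Flow]:
    """Inbound flows of the call that match no translation rule."""
    return [f for f in call if translate(rules, f) is None]


if __name__ == "__main__":
    for name, rules in (("posted port forwards", POSTED), ("1-to-1 NAT", ONE_TO_ONE)):
        lost = untranslated(rules)
        print(f"{name}: {len(CALL) - len(lost)}/{len(CALL)} sockets have a translation")
        for f in lost:
            print(f"  no entry: {f.role} {f.proto}/{f.port}")
```

A 1-to-1 mapping forwards every port on the external address to the endpoint, so inbound filtering for that address then decides what can reach it.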