
I'm currently trying to configure two different ASA 5510s to properly forward all ports used in h323 video conferencing to the proper video conferencing equipment setup on the internal network on each respective site.

Our general network layout is as follows:

I have two separate work sites, each with independent cloud access. I've set up a site-to-site VPN tunnel that provides inter-site file sharing and inter-site access to our Exchange server. Right now site-to-site video conferencing works fine since it is going through the VPN, but I'm having problems getting the firewalls configured to conduct h323 calls from external sources.

I've collaborated with the desired external video conferencing clients to mirror the ports they have open on their side.

I'm trying to configure our firewall to permit access from ports:

1718 udp
1719 udp
1720 tcp
1731 tcp
80   tcp
3230-3235 tcp
2326-2485 udp
3230-3280 udp
1024-65535 tcp/udp

Before I start getting chewed out for leaving so many ports open, let me say that I don't really intend on keeping all these ports open. I will narrow the port range once we've come to an agreement on how wide our range of dynamic TCP/UDP ports will be.

My main concern is the most expeditious and simplest way to configure the firewall to cover such a broad range of ports.

My original idea was to make a TCP/UDP service group that includes all the above listed port ranges and integrate that service group into the ACL and NAT rules but the service group doesn't propagate when I'm attempting to create the rules.

(I've been trying to use the ASDM since my comfort level with the command line in this case is a little shaky. I'm currently running ASA 8.4/ASDM 6.4.)

Current ACL rule is:

access-list outside_access_in extended permit object-group TCPUDP any object VC_Unit object-group VC_services 

(with VC_Unit being the internally located video conference equipment and VC_services being the service object group containing all the desired ports/port ranges.)

In the past, I've just assigned port-forwarding rules by going into the network object itself, but it only seems to support the designation of one specific port (i.e. 3389 when forwarding RDP, not a range of ports or multiple port ranges as is my need in this case).

This is probably a fairly simple question so please forgive my ignorance but any assistance in this matter would be greatly appreciated.

Evan Anderson
Beeder456
  • What is "independent cloud access"? – Evan Anderson Nov 18 '14 at 22:36
  • Do the NAT rules need to be variable based on matching these specific ports, or can you NAT generally for the involved IP addresses and trust the filter ACL to allow only the appropriate traffic? – Shane Madden Nov 18 '14 at 23:27
  • @EvanAnderson, I mean that each campus has its own gateway to the internet...they do not share an ISP gateway. – Beeder456 Nov 19 '14 at 17:06
  • @ShaneMadden, I suppose it could go either way. I think I had it stuck in my head to apply variable NAT rules matching the ports. I never really thought about doing general NAT rules and letting the ACL do the filtering. I'm assuming the general NATing would be simpler but that variable NATing would be a little more secure. Could I ask you to give a little bit of guidance on both methods? – Beeder456 Nov 19 '14 at 17:13
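As an added example (not from the question or any answer on this page), here is the "general NAT, let the ACL filter" approach Shane Madden raises, in ASA 8.4 CLI syntax: a one-to-one static NAT for the unit, and a protocol-aware service object-group so the TCP and UDP ranges listed in the question can differ. Object names are the question's own; the inside and outside addresses are constructed placeholders, and the 1024-65535 range is left as a comment because it would make every other entry redundant.

```cisco
! Added example, not the original poster's configuration.
! 192.0.2.50 (inside) and 203.0.113.50 (public) are constructed placeholder addresses.
object network VC_Unit
 host 192.0.2.50
 nat (inside,outside) static 203.0.113.50
!
! A protocol-aware service group lets TCP and UDP carry different ranges,
! which a "tcp-udp" port-object group cannot express.
object-group service VC_services
 service-object udp destination range 1718 1719
 service-object tcp destination eq 1720
 service-object tcp destination eq 1731
 service-object tcp destination eq 80
 service-object tcp destination range 3230 3235
 service-object udp destination range 2326 2485
 service-object udp destination range 3230 3280
! The catch-all from the question; leaving it in would swallow every line above.
! The default global_policy already runs h323 h225/ras inspection, which opens
! the negotiated media ports per call, so the wide range is usually unnecessary.
! service-object tcp-udp destination range 1024 65535
!
! Since 8.3 the ACL matches the real (pre-NAT) address, hence "object VC_Unit".
access-list outside_access_in extended permit object-group VC_services any object VC_Unit
access-group outside_access_in in interface outside
```

After applying it, `show access-list outside_access_in` lists the expanded per-port entries so you can confirm the group propagated, and `show nat` confirms the static translation.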

0 Answers