Cisco ASA 5010 and Polycom MGC-50


tonycan
06-03-2008, 09:37 AM
Hi -

I have no videoconference experience but I have been given the following problem. My company has purchased a Polycom MGC-50 which has been set up for videoconferencing within our network. We now want to be able to videoconference via the internet. Our firewall is a Cisco ASA 5010 (7.0(4)), which I understood was fully compliant with H.323 filtering, NAT/PAT etc, but the suppliers have said that the ASA will not work with the MGC-50; instead, they have insisted we bypass the ASA completely and connect instead to a Polycom V2IU. Their case against the ASA is that

"for every internal device that needs to be accessible from outside, you will need to create a NAT translation and open ports and of course there is a load on the firewall to process all these.

V2IU uses a single external port, incoming callers call it and append an extension number to get routed accordingly.

H323 environment is best operated with a Gatekeeper, particularly when you have an ISDN Gateway, the V2IU contains one."

I'd be grateful if someone could advise if they are correct that the ASA H323 firewall is really unworkable or genuinely inferior to the V2IU option.

Many thanks

Tony Canning

Wise82Guy
06-04-2008, 10:17 AM
The difference is that the V2IU (now rebranded as the VBP) has an application layer gateway that can route H.323 calls, and the ASA does not. Whoever you got this information from is correct that the ASA approach will require static NAT (public address to private address translations) for every endpoint you've got. So if you have 20 endpoints, you need to purchase 20 public IP addresses. And as your informer also mentions, with a V2IU/VBP, you can purchase one public IP address for the WAN port of the V2IU/VBP, and then use extensions behind that single public IP to reach your 20 endpoints (or 50, or 1000, or whatever you've got - scale is somewhat a separate conversation depending on what you ultimately want to do).

I feel the need to clarify that the V2IU/VBP DOES contain a built-in gatekeeper (or the ability to integrate with an external gatekeeper - that gets into the scope/scale discussion), and can integrate with an ISDN gateway, but does NOT within itself contain an ISDN gateway.

Without getting into fuller disclosure than is appropriate, I will say that in addition to the lack of extension-dialing mentioned previously, Cisco has some admitted difficulties getting H323 calls through some of their devices in some environments.
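
The per-endpoint static NAT approach described in the reply above, sketched as an added example in ASA 7.x syntax (not configuration from either poster or from Cisco/Polycom documentation). The addresses, the ACL name OUTSIDE_IN and the interface names inside/outside are constructed placeholders; only two endpoints are shown.

```cisco
! Constructed addresses: 203.0.113.0/24 (documentation range) stands in for the
! public block, 10.1.1.0/24 for the inside video network.

! One static one-to-one translation per endpoint that must be reachable
! from outside; each one consumes a public address.
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.1.1.12 netmask 255.255.255.255

! Permit only H.225 call signalling (TCP 1720, keyword h323) to the
! translated addresses. Nothing else is opened statically.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq h323
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.12 eq h323
access-group OUTSIDE_IN in interface outside

! H.323 inspection rewrites the addresses embedded in the signalling and
! opens the negotiated H.245 and RTP/RTCP connections for each call,
! so no wide static media port range has to be permitted in the ACL.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
service-policy global_policy global
```

Every additional endpoint needs its own `static` line and ACL entry, which is the address and rule growth the reply contrasts with a single public address on the V2IU/VBP.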

tonycan
06-04-2008, 10:55 AM
Many thanks, that's very helpful