Educause Security Discussion mailing list archives

Re: iChat and the PIX


From: Mike Radomski <Mike.Radomski () ITEC SUNY EDU>
Date: Tue, 14 Dec 2004 14:19:17 -0500

Setting up statics for NAT addresses and opening the ports listed at
http://docs.info.apple.com/article.html?artnum=93208 worked for us.  I am
not sure this is a long-term solution, since it goes against the principles
of NAT and PAT.

Here is our ACL for ichat:

access-list ACL_OUT permit udp any any eq 5060
access-list ACL_OUT permit tcp any any eq 5190
access-list ACL_OUT permit udp any any eq 5190
access-list ACL_OUT permit tcp any any eq 5298
access-list ACL_OUT permit udp any any eq 5298
access-list ACL_OUT permit udp any any eq 5353
access-list ACL_OUT permit udp any any eq 5678
access-list ACL_OUT permit udp any any range 16384 16403


Cheers!
--
Mike Radomski

SUNY - ITEC
Information Technology Exchange Center
Systems Programmer/Analyst
E-mail: Mike.Radomski () itec suny edu
Systems E-Mail: scsys () itec suny edu
Phone: (716)878-4832
Cellular: (716)807-4040
Fax: (716)878-3485

There are only 10 types of people...
Those who understand binary and those who don't.

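The ACL above permits each iChat port from any source to any destination behind the PIX, which is the trade-off the post flags. As an added example (not from this post, Apple, or Cisco), here is a small Python audit that parses those PIX access-list lines, counts the ports exposed, flags permits whose source and destination are both `any`, and shows how the same entries look when restricted to the statically mapped hosts. The host addresses are assumed placeholders from the 192.0.2.0/24 documentation range.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the ACL lines from the post above, as posted.
SAMPLE_ACL = """\
access-list ACL_OUT permit udp any any eq 5060
access-list ACL_OUT permit tcp any any eq 5190
access-list ACL_OUT permit udp any any eq 5190
access-list ACL_OUT permit tcp any any eq 5298
access-list ACL_OUT permit udp any any eq 5298
access-list ACL_OUT permit udp any any eq 5353
access-list ACL_OUT permit udp any any eq 5678
access-list ACL_OUT permit udp any any range 16384 16403
"""

# Assumed placeholder addresses for the statically mapped (one-to-one NAT) hosts.
STATIC_HOSTS = ["192.0.2.10", "192.0.2.11"]

# Matches the PIX 6.x-style "access-list NAME permit PROTO SRC DST [eq P | range LO HI]".
# SRC/DST are "any", "host A.B.C.D", or "NETWORK MASK".
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+"
    r"(any|host \S+|\S+ \S+)\s+(any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?\s*$"
)


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port_lo: Optional[int]  # None means no port qualifier (all ports)
    port_hi: Optional[int]

    def width(self) -> int:
        """Number of destination ports this entry covers."""
        if self.port_lo is None:
            return 65536
        return self.port_hi - self.port_lo + 1


def parse_acl(text: str) -> List[AclEntry]:
    """Parse access-list lines; blank lines and '!' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line}")
        name, action, proto, src, dst, eq, lo, hi = m.groups()
        if eq is not None:
            port_lo = port_hi = int(eq)
        elif lo is not None:
            port_lo, port_hi = int(lo), int(hi)
        else:
            port_lo = port_hi = None
        entries.append(AclEntry(name, action, proto, src, dst, port_lo, port_hi))
    return entries


def audit(entries: List[AclEntry]) -> Tuple[List[str], int]:
    """Return (findings, exposed_port_count) for the permit entries."""
    findings, exposed = [], 0
    for e in entries:
        if e.action != "permit":
            continue
        exposed += e.width()
        if e.src == "any" and e.dst == "any":
            findings.append(
                f"{e.name}: {e.proto} {e.port_lo}-{e.port_hi} permitted "
                "from any source to any destination"
            )
    return findings, exposed


def restrict_to_hosts(entries: List[AclEntry], hosts: List[str]) -> List[AclEntry]:
    """Expand each 'any'-destination entry into one entry per statically mapped host."""
    out = []
    for e in entries:
        if e.dst != "any":
            out.append(e)
            continue
        for h in hosts:
            out.append(AclEntry(e.name, e.action, e.proto, e.src, f"host {h}",
                                e.port_lo, e.port_hi))
    return out


def render(e: AclEntry) -> str:
    """Render an entry back into PIX access-list syntax."""
    if e.port_lo is None:
        ports = ""
    elif e.port_lo == e.port_hi:
        ports = f" eq {e.port_lo}"
    else:
        ports = f" range {e.port_lo} {e.port_hi}"
    return f"access-list {e.name} {e.action} {e.proto} {e.src} {e.dst}{ports}"


if __name__ == "__main__":
    posted = parse_acl(SAMPLE_ACL)
    findings, exposed = audit(posted)
    print(f"{len(posted)} entries expose {exposed} (proto, port) pairs to any inside host")
    for f in findings:
        print("  ", f)
    print("tightened to the static-mapped hosts:")
    for e in restrict_to_hosts(posted, STATIC_HOSTS):
        print("  ", render(e))
```

Run stand-alone, the script reports that the eight posted entries open 27 protocol/port pairs to every inside address and prints the same rules scoped to the two placeholder hosts. Scoping the destination this way keeps the static one-to-one mappings the thread describes while limiting the exposure to the hosts that actually have them.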


"Wood, Anne M (wood)" <wood () JUNIATA EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
12/14/04 01:25 PM
Please respond to
The EDUCAUSE Security Discussion Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>

To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] iChat and the PIX

Craig,
We were able to establish audio and video using iChat through a PIX
firewall by creating a static (one-to-one) map for the internal address
that was going to initiate the iChat session to one of our Internet
routable IPs.  Once that static address was assigned on the PIX, the
internal computer could initiate the iChat session.  This would not work
the other way around (outside user initiating the iChat session).  Ports
would have to be opened up for this scenario.  We can't support iChat
for our users due to this complication.  I don't know if this is a
common problem with the PIX or not, but that is how we got around it for
one special event we held that needed iChat.

Hope this helps.
Anne

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sauvigne, Craig M
Sent: Tuesday, December 14, 2004 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iChat and the PIX

If your campus is using a Cisco PIX, can you please read this and see if
you have any advice? Our problem has been escalated by a parent to our
President's office...

We have a problem with a student not being able to use iChat from our
campus network.  We have run numerous tests from public and private IPs
through our Cisco PIX, and we have run numerous tests from other networks
that don't go through the PIX, and it seems we have narrowed the problem
down: our NAT and PAT users cannot use iChat through our PIX when
talking to another user off campus who also has a private IP address.

We have tried "fixup protocol sip 5060" on and off and still no success.

Does anybody have any experience getting iChat to work correctly through
a PIX?

Thanks in advance,

================================
Craig M. Sauvigne
System Administrator
Winthrop University
Rock Hill, SC 29733
sauvignec () winthrop edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
