Educause Security Discussion mailing list archives
Re: iChat and the PIX
From: Mike Radomski <Mike.Radomski () ITEC SUNY EDU>
Date: Tue, 14 Dec 2004 14:19:17 -0500
Setting up statics for NAT addresses and opening the ports listed at http://docs.info.apple.com/article.html?artnum=93208 worked for us. I am not sure this is a long-term solution since it goes against the principles of NAT and PAT. Here is our ACL for iChat:

access-list ACL_OUT permit udp any any eq 5060
access-list ACL_OUT permit tcp any any eq 5190
access-list ACL_OUT permit udp any any eq 5190
access-list ACL_OUT permit tcp any any eq 5298
access-list ACL_OUT permit udp any any eq 5298
access-list ACL_OUT permit udp any any eq 5353
access-list ACL_OUT permit udp any any eq 5678
access-list ACL_OUT permit udp any any range 16384 16403

Cheers!
--
Mike Radomski
SUNY - ITEC
Information Technology Exchange Center
Systems Programmer/Analyst
E-mail: Mike.Radomski () itec suny edu
Systems E-Mail: scsys () itec suny edu
Phone: (716)878-4832
Cellular: (716)807-4040
Fax: (716)878-3485

There are only 10 types of people... Those who understand binary and those who don't.

"Wood, Anne M (wood)" <wood () JUNIATA EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
12/14/04 01:25 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To SECURITY () LISTSERV EDUCAUSE EDU
cc
Subject Re: [SECURITY] iChat and the PIX

Craig,

We were able to establish audio and video using iChat through a PIX firewall by creating a static (one-to-one) map for the internal address that was going to initiate the iChat session to one of our Internet-routable IPs. Once that static address was assigned on the PIX, the internal computer could initiate the iChat session. This would not work the other way around (outside user initiating iChat session). Ports would have to be opened up for this scenario. We can't support iChat for our users due to this complication. I don't know if this is a common problem with the PIX or not, but that is how we got around it for one special event we held that needed iChat.

Hope this helps.
Anne

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sauvigne, Craig M
Sent: Tuesday, December 14, 2004 11:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iChat and the PIX

If your campus is using a Cisco PIX, can you please read this and see if you have any advice? Our problem has been escalated by a parent to our President's office...

We have a problem with a student not being able to use iChat from our campus network. We have run numerous tests from public and private IPs through our Cisco PIX and we have run numerous tests from other networks that don't go through the PIX, and it seems we have narrowed down a problem that our NAT and PAT users cannot use iChat through our PIX if talking to another user off campus that also has a private IP address. We have tried "fixup protocol sip 5060" on and off and still no success.

Does anybody have any experience getting iChat to work correctly through a PIX?

Thanks in advance,
================================
Craig M. Sauvigne
System Administrator
Winthrop University
Rock Hill, SC 29733
sauvignec () winthrop edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
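Added example, not part of the original messages or of any poster's tooling: a small Python check that parses the ACL lines quoted in the thread and reports which ports they open and which permit rules use "any" for both source and destination, meaning they match every destination rather than only the host that needs iChat. The function names and the 192.0.2.10 comparison address used to test it are assumptions made for illustration.

```python
import re

# ACL lines copied verbatim from the message above.
POSTED_ACL = """\
access-list ACL_OUT permit udp any any eq 5060
access-list ACL_OUT permit tcp any any eq 5190
access-list ACL_OUT permit udp any any eq 5190
access-list ACL_OUT permit tcp any any eq 5298
access-list ACL_OUT permit udp any any eq 5298
access-list ACL_OUT permit udp any any eq 5353
access-list ACL_OUT permit udp any any eq 5678
access-list ACL_OUT permit udp any any range 16384 16403
"""

# Address forms handled: "any", "host A.B.C.D", or "A.B.C.D MASK".
ADDR = r"(?:any|host\s+\S+|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})"
RULE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s+"
    r"(?:eq\s+(?P<eq>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))"
)

def parse_acl(text):
    """Parse PIX-style TCP/UDP access-list lines into dicts; reject anything else."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        lo, hi = int(m["eq"] or m["lo"]), int(m["eq"] or m["hi"])
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in: {line!r}")
        rules.append({"action": m["action"], "proto": m["proto"], "lo": lo, "hi": hi,
                      "src": " ".join(m["src"].split()), "dst": " ".join(m["dst"].split())})
    return rules

def audit(rules):
    """Return (ports opened per protocol, permit rules with any source AND destination).
    Simplification: deny rules are skipped and first-match ordering is not modelled."""
    permits = [r for r in rules if r["action"] == "permit"]
    opened = {"tcp": set(), "udp": set()}
    for r in permits:
        opened[r["proto"]].update(range(r["lo"], r["hi"] + 1))
    any_any = [r for r in permits if r["src"] == r["dst"] == "any"]
    return opened, any_any

if __name__ == "__main__":
    opened, any_any = audit(parse_acl(POSTED_ACL))
    print({p: sorted(v) for p, v in opened.items()}, len(any_any), "any/any permit rules")
```
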