Firewall Wizards mailing list archives
RE: Checkpoint NAT H.323 support
From: "Luis Maria Sainz Caballero" <luismax () spcinternet net>
Date: Wed, 24 Nov 2004 15:49:56 +0100 (CET)
Hi,

I have already followed a lot of docs from CP, but none of them is sufficiently clear or is exactly my case. My rule is the following:

Gateway_VoIP_domain -- Gatekeeper_VoIP_domain -- H323_RAS -- Accept

with the gateway (Cisco ATA) inside my trusted network and the gatekeeper on the Internet.

I have defined the "related endpoints domain" of the gateway as the same net where the gateway is; I don't know if it is correct, because these endpoints are analog phones without IP? And I have defined the "related endpoints domain" of the gatekeeper as the Internet, because I don't have data about them (the gatekeeper is the property of a VoIP ISP).

Anyway, "H323_RAS" is supposed to be a special service which CP has to treat specially; that is, CP has to inspect the data payload looking for the IPs so that they are correctly translated, but it doesn't. I use fw monitor with the "-p all" parameter in order to check it, and indeed the IP header is correctly translated but not the IP inside the payload.

Any help is very, very appreciated,

LuismaX

Hi

As of R55 HFA 08 or so, FW-1 has supported H.323 v2 and v4 quite nicely. NATted gatekeepers should be translated just fine in the H.225 stream. Please check your configuration over. What kind of H.323 gear is this?

-Warren Verbanec
Resilience Corporation

-----Original Message-----
From: Rob Hughes [mailto:rob () robhughes com]
Sent: Saturday, November 20, 2004 3:39 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Checkpoint NAT H.323 support

On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:

> Hi people,
>
> I am new to the list and I hope you can help me. I have a problem with FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeeper on the Internet. I have already configured the VoIP domains (one for the gateway and another for the gatekeeper) in the FW, applied the last hotfix accumulator (HFA_11) and configured static NAT for the internal gateway to a public IP. The gatekeeper cannot respond because the IP inside the h225 payload isn't translated, and I have confirmed it using the monitor inside the firewall (fw monitor). Does anybody know if Checkpoint really supports H.323 NAT? Or can it be a problem of misconfiguration?

What does your rule look like? Specifically, what service are you using? Also, the CP docs have examples of how to set this up. Have you tried following those? But yes, it does (mostly) work.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--
Luis Maria Sainz Caballero
Administrador de Centro de Datos
"SPC Net Soluciones de Negocio Electrónico S.L."
Parque Tecnológico de Álava
Albert Einstein 44 Edificio E6 Oficina 006
01510- Miñano
Tlfno. 945-297100
Fax. 945-298121
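
The check the thread describes (compare the translated IP header against the addresses still carried inside the payload), as an added example that is not part of the original messages and is not Check Point code. All addresses and packet bytes are constructed, and it assumes the embedded address appears as four raw bytes followed by a two-byte port.

```python
import ipaddress
import struct

def parse_ipv4_udp(packet: bytes):
    """Split a raw IPv4/UDP packet into (src, dst, sport, dport, payload)."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl + 8 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return src, dst, sport, dport, packet[ihl + 8:ihl + ulen]

def embedded_addresses(payload: bytes, ip: ipaddress.IPv4Address):
    """Offsets where ip occurs as 4 raw bytes, with the next 2 bytes read as a port."""
    hits, pos = [], payload.find(ip.packed)
    while pos != -1:
        tail = payload[pos + 4:pos + 6]
        hits.append((pos, struct.unpack("!H", tail)[0] if len(tail) == 2 else None))
        pos = payload.find(ip.packed, pos + 1)
    return hits

def check_capture(packet: bytes, internal_ip: str):
    """Report whether NAT rewrote the IP header and what it left in the payload."""
    internal = ipaddress.IPv4Address(internal_ip)
    src, _dst, _sport, _dport, payload = parse_ipv4_udp(packet)
    return {"header_translated": src != internal,
            "untranslated_in_payload": embedded_addresses(payload, internal)}

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

def ras_like_payload(addr: str) -> bytes:
    """Constructed stand-in for a RAS registration: filler around two address+port fields."""
    a = ipaddress.IPv4Address(addr).packed
    return b"\x0e\x00\x01" + a + struct.pack("!H", 1720) + b"\x01\x00" + a + struct.pack("!H", 1719)

# Constructed addresses: internal gateway, its static-NAT public address, gatekeeper.
INTERNAL, PUBLIC, GATEKEEPER = "192.168.10.5", "203.0.113.10", "198.51.100.20"
BROKEN = build_packet(PUBLIC, GATEKEEPER, 1719, 1719, ras_like_payload(INTERNAL))
FIXED = build_packet(PUBLIC, GATEKEEPER, 1719, 1719, ras_like_payload(PUBLIC))

if __name__ == "__main__":
    for name, pkt in (("payload untouched:", BROKEN), ("payload rewritten:", FIXED)):
        print(name, check_capture(pkt, INTERNAL))
```

A non-empty `untranslated_in_payload` on a packet captured after NAT is the symptom reported in the thread: the header source is the public address while the registration still advertises the internal one.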