Firewall Wizards mailing list archives

RE: Checkpoint NAT H.323 support


From: "Luis Maria Sainz Caballero" <luismax () spcinternet net>
Date: Wed, 24 Nov 2004 15:49:56 +0100 (CET)

Hi,

I have already followed a lot of docs from CP, but none of them is
sufficiently clear or is just my case. My rule is the following:

  Gateway_VoIP_domain  -- Gatekeeper_VoIP_domain -- H323_RAS -- Accept

being the gateway (Cisco ATA) inside my trusted network and the gatekeeper
on the Internet. I have defined the "related endpoints domain" of the
gateway as the same net where the gateway is in; I don't know if it is
correct because these endpoints are analog phones without IP? And I
have defined the "related endpoints domain" of the gatekeeper as the
Internet because I haven't data about them (the gatekeeper is property of
a VoIP ISP).

Anyway, it is supposed that "H323_RAS" is a special service which CP
has to treat specially, that is, CP has to inspect the data payload
looking for the IPs to be correctly translated, but it doesn't. I use fw
monitor with the "-p all" parameter in order to check it, and effectively
the IP header is correctly translated but not the IP inside the payload.

Any help is very very appreciated,

  LuismaX


Hi

As of R55 HFA 08 or so, FW-1 has supported H.323 v2 and v4 quite nicely.
NATted gatekeepers should be translated just fine in the H.225 stream.

Please check your configuration over. What kind of H.323 gear is this?

-Warren Verbanec
Resilience Corporation

-----Original Message-----
From: Rob Hughes [mailto:rob () robhughes com]
Sent: Saturday, November 20, 2004 3:39 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Checkpoint NAT H.323 support


On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
Hi people,

I am new to the list and I hope you help me. I have a problem with
FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to register
(H.323 RAS) a VoIP gateway inside my trusted network with a gatekeeper on
the Internet. I have already configured the VoIP domains (one for the
gateway and another for the gatekeeper) in the FW, applied the last hotfix
accumulator (HFA_11) and configured static NAT for the internal gateway to
a public IP.
The gatekeeper cannot respond because the IP inside the h225 payload isn't
translated, and I have confirmed it using the monitor inside the Firewall
(fw monitor).
Anybody know if Checkpoint really supports H.323 NAT? Or can it be a problem
of misconfiguration?


What does your rule look like? Specifically, what service are you using?
Also, the CP docs have examples of how to set this up. Have you tried
following those? But yes, it does (mostly) work.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
Luis Maria Sainz Caballero
Data Center Administrator
"SPC Net Soluciones de Negocio Electrónico S.L."
Parque Tecnológico de Álava
Albert Einstein 44 Edificio E6 Oficina 006
01510- Miñano
Tel. 945-297100 Fax. 945-298121
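
A check for the symptom described in this thread (IP header translated, address inside the RAS payload left untranslated), as an added example that is not part of the original messages or of Check Point's tooling. It assumes the post-NAT packet is available as raw IPv4/UDP bytes and that the endpoint address sits in the payload as four raw octets; the addresses and payload bytes are constructed, not a real H.225 encoding.

```python
import socket
import struct

RAS_PORTS = {1718, 1719}  # H.225 RAS over UDP: discovery, registration/status
# Constructed sample addresses (documentation ranges), not taken from the thread.
INTERNAL, PUBLIC, GATEKEEPER = "192.168.1.10", "203.0.113.10", "198.51.100.5"

def sample_payload(endpoint_ip):
    """Constructed stand-in for a RAS message: filler plus two address/port fields."""
    addr = socket.inet_aton(endpoint_ip)
    return (bytes(6) + addr + struct.pack("!H", 1720)
            + bytes(6) + addr + struct.pack("!H", 1719))

def build_udp_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP packet (checksums left at zero) for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def check_ras_nat(packet, internal_ip, public_ip):
    """Compare header and payload translation of one post-NAT outbound packet."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if sport not in RAS_PORTS and dport not in RAS_PORTS:
        raise ValueError("not an H.225 RAS packet")
    payload = packet[ihl + 8:ihl + ulen]
    needle, leaks = socket.inet_aton(internal_ip), []
    pos = payload.find(needle)
    while pos != -1:  # record every offset where the pre-NAT address survives
        leaks.append(pos)
        pos = payload.find(needle, pos + 1)
    return {"header_translated": socket.inet_ntoa(packet[12:16]) == public_ip,
            "payload_leaks_at": leaks,
            "payload_has_public": socket.inet_aton(public_ip) in payload}

if __name__ == "__main__":
    for label, inner in (("payload untranslated", INTERNAL), ("payload translated", PUBLIC)):
        pkt = build_udp_packet(PUBLIC, GATEKEEPER, 1719, 1719, sample_payload(inner))
        print(label, check_ras_nat(pkt, INTERNAL, PUBLIC))
```

A non-empty `payload_leaks_at` together with `header_translated: True` is the state reported in the thread: the gatekeeper receives a routable source address but is told to reply to the private one.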
