RE: [fw-wiz] Checkpoint NAT H.323 support

From: Luis Maria Sainz Caballero (luismax_at_spcinternet.net)
Date: 11/24/04

    To: "Warren Verbanec" <Warren.Verbanec@resilience.com>
    Date: Wed, 24 Nov 2004 15:49:56 +0100 (CET)
    
    

    Hi,

    I have already followed a lot of docs from CP, but none of them is
    sufficiently clear or is exactly my case. My rule is the following:

      Gateway_VoIP_domain -- Gatekeeper_VoIP_domain -- H323_RAS -- Accept

    with the gateway (Cisco ATA) being inside my trusted network and the
    gatekeeper on the Internet. I have defined the "related endpoints domain"
    of the gateway as the same net where the gateway is; I don't know if that
    is correct, because these endpoints are analog phones without IP (?). And I
    have defined the "related endpoints domain" of the gatekeeper as the
    Internet because I have no data about them (the gatekeeper is the property
    of a VoIP ISP).

    Anyway, "H323_RAS" is supposed to be a special service which CP has to
    treat specially, that is, CP has to inspect the data payload looking for
    the IPs to be translated correctly, but it doesn't. I use fw monitor with
    the "-p all" parameter in order to check it, and indeed the IP header is
    correctly translated but not the IP inside the payload.

    Any help is very much appreciated,

      LuismaX

    > Hi
    >
    > As of R55 HFA 08 or so, FW-1 has supported H.323 v2 and v4 quite nicely.
    > NATted gatekeepers should be translated just fine in the H.225 stream.
    >
    > Please check your configuration over. What kind of H.323 gear is this?
    >
    > -Warren Verbanec
    > Resilience Corporation
    >
    > -----Original Message-----
    > From: Rob Hughes [mailto:rob@robhughes.com]
    > Sent: Saturday, November 20, 2004 3:39 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
    >
    >
    > On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
    >> Hi people,
    >>
    >> I am new to the list and I hope you can help me. I have a problem with
    >> FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to
    >> register (H.323 RAS) a VoIP gateway inside my trusted network with a
    >> gatekeeper on the Internet. I have already configured the VoIP domains
    >> (one for the gateway and another for the gatekeeper) in the FW, applied
    >> the latest hotfix accumulator (HFA_11) and configured static NAT for the
    >> internal gateway to a public IP.
    >> The gatekeeper cannot respond because the IP inside the h225 payload
    >> isn't translated, and I have confirmed it using the monitor inside the
    >> firewall (fw monitor).
    >> Does anybody know if Checkpoint really supports H.323 NAT? Or can it be
    >> a problem of misconfiguration?
    >>
    >
    > What does your rule look like? Specifically, what service are you using?
    > Also, the CP docs have examples of how to set this up. Have you tried
    > following those? But yes, it does (mostly) work.
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    -- 
    Luis Maria Sainz Caballero
    Data Center Administrator
    "SPC Net Soluciones de Negocio Electrónico S.L."
    Parque Tecnológico de Álava
    Albert Einstein 44 Edificio E6 Oficina 006
    01510- Miñano
    Tel. 945-297100 Fax 945-298121
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
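
The check described in this thread (IP header translated, address inside the H.225 RAS payload not), as an added example that is not part of the original posts or of any Check Point tooling. It assumes the payload carries each IPv4 transport address as four raw octets followed by a two-octet port; the addresses, ports, function names and sample payloads are constructed for illustration.

```python
import ipaddress
import struct

INTERNAL = "10.1.1.20"   # assumed private address of the VoIP gateway
PUBLIC = "192.0.2.10"    # assumed static-NAT address (documentation range)


def embedded_addresses(payload: bytes, ip: str):
    """Return (offset, port) for each raw 4-octet occurrence of ip."""
    needle = ipaddress.IPv4Address(ip).packed
    hits = []
    pos = payload.find(needle)
    while pos != -1:
        port = None
        if pos + 6 <= len(payload):
            # The two octets after the address are read as the port.
            (port,) = struct.unpack_from("!H", payload, pos + 4)
        hits.append((pos, port))
        pos = payload.find(needle, pos + 1)
    return hits


def nat_verdict(header_src: str, payload: bytes, internal: str, public: str):
    """Classify one outbound packet captured on the external side."""
    leaked = embedded_addresses(payload, internal)
    rewritten = embedded_addresses(payload, public)
    if header_src != public:
        return "header-not-translated", leaked
    if leaked:
        # The case reported in this thread: the gatekeeper is handed an
        # unroutable private address and cannot answer the endpoint.
        return "payload-not-translated", leaked
    if rewritten:
        return "ok", rewritten
    # A 4-octet match is a heuristic; no match means nothing to judge.
    return "no-address-found", []


def sample_payload(ip: str) -> bytes:
    """Constructed bytes (not a real RRQ): two address+port fields."""
    addr = ipaddress.IPv4Address(ip).packed
    return (b"\x0e\x00\x01\x06" + addr + struct.pack("!H", 1720)
            + b"\x01\x00" + addr + struct.pack("!H", 1719) + b"ATA")


if __name__ == "__main__":
    print(nat_verdict(PUBLIC, sample_payload(INTERNAL), INTERNAL, PUBLIC))
    print(nat_verdict(PUBLIC, sample_payload(PUBLIC), INTERNAL, PUBLIC))
```

Feed it the UDP payload bytes and the source address of the same packet as seen after translation; a "payload-not-translated" result with ports 1719/1720 next to the private address matches the symptom reported above.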
    
