RE: [fw-wiz] Checkpoint NAT H.323 support
From: Luis Maria Sainz Caballero (luismax_at_spcinternet.net)
To: "Warren Verbanec" <Warren.Verbanec@resilience.com>
Date: Wed, 24 Nov 2004 15:49:56 +0100 (CET)

I have already followed a lot of docs from CP but none of them is
sufficiently clear or is just my case. My rule is the following:

Gateway_VoIP_domain -- Gatekeeper_VoIP_domain -- H323_RAS -- Accept

being the gateway (Cisco ATA) inside my trusted network and the gatekeeper
on the Internet. I have defined the "related endpoints domain" of the
gateway as the same net where the gateway is in; I don't know if it is
correct because these endpoints are analogous phones without IP?. And I
have defined the "related endpoints domain" of the gatekeeper as the
Internet because I haven't data about them (the gatekeeper is property of
a VoIP ISP).

Anyway, it supposes that the "H323_RAS" is a special service which the CP
has to treat specially, that is, CP has to inspect the data payload
looking for the IPs to be correctly translated, but it doesn't. I use fw
monitor with the "-p all" parameter in order to check it, and effectively
the IP header is correctly translated but not the IP inside the payload.

Any help is very very appreciated,

> As of R55 HFA 08 or so, FW-1 has supported H.323 v2 and v4 quite nicely.
> NATted gatekeepers should be translated just fine in the H.225 stream.
> Please check your configuration over. What kind of H.323 gear is this?
> -Warren Verbanec
> Resilience Corporation
> -----Original Message-----
> From: Rob Hughes [mailto:firstname.lastname@example.org]
> Sent: Saturday, November 20, 2004 3:39 PM
> To: email@example.com
> Subject: Re: [fw-wiz] Checkpoint NAT H.323 support
> On Thu, 2004-11-18 at 16:46 +0100, Luis Maria Sainz Caballero wrote:
>> Hi people,
>> I am new to the list and I hope you help me. I have a problem with
>> FW-1/VPN-1 NG with AI (R55) and the H.323 support. I am trying to
>> (H.323 RAS) a VoIP gateway inside my trusted network with a gatekeeper on
>> the Internet. I have already configured the VoIP domains (one for the
>> gateway and another for the gatekeeper) in the FW, applied the last
>> accumulator (HFA_11) and configured static NAT for the internal gateway
>> a public IP.
>> The gatekeeper cannot respond because the IP inside the h225 payload
>> translated, and I have confirmed it using the monitor inside the Firewall
>> (fw monitor).
>> Anybody know if Checkpoint really supports H.323 NAT? Or can it be a problem
>> of misconfiguration?
> What does your rule look like? Specifically, what service are you using?
> Also, the CP docs have examples of how to set this up. Have you tried
> following those? But yes, it does (mostly) work.
--
Luis Maria Sainz Caballero
Data Center Administrator
"SPC Net Soluciones de Negocio Electrónico S.L."
Parque Tecnológico de Álava
Albert Einstein 44 Edificio E6 Oficina 006
01510- Miñano
Tel. 945-297100 Fax. 945-298121
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
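
One way to automate the check described in this thread (IP header translated, address inside the H.323 RAS payload not), as an added example that is not part of the original messages: it searches the UDP payload of a captured packet for the internal address as four raw octets. The addresses, filler bytes and function names are constructed for illustration, and the byte search is a heuristic, not an H.225 decoder.

```python
import ipaddress
import struct

def find_embedded_addrs(payload, ip):
    """Return (offset, port) for every raw 4-octet occurrence of ip.
    Heuristic: a random byte run can match, so treat hits as leads."""
    needle = ipaddress.IPv4Address(ip).packed
    hits, start = [], 0
    while (i := payload.find(needle, start)) != -1:
        # An H.225 transport address is the IP followed by a 16-bit port.
        port = struct.unpack("!H", payload[i + 4:i + 6])[0] if i + 6 <= len(payload) else None
        hits.append((i, port))
        start = i + 1
    return hits

def audit_packet(packet, internal, public):
    """Compare NAT of the IP header with NAT of addresses inside the payload."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    payload = packet[ihl + 8:]          # skip the 8-byte UDP header
    return {
        "header_src": src,
        "header_translated": src == public,
        "leaked": find_embedded_addrs(payload, internal),    # still private
        "rewritten": find_embedded_addrs(payload, public),   # fixed by the ALG
    }

def build_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP packet (checksums left at 0) for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp

# Constructed sample data: stand-in bytes, not a valid PER-encoded RAS message.
INTERNAL, PUBLIC, GATEKEEPER = "192.168.10.20", "203.0.113.20", "198.51.100.5"
FILLER = b"\x0e\x00\x01\x06\x00\x08\x91\x4a\x00\x04\x01\x00"

def ras_payload(addr):
    return FILLER + ipaddress.IPv4Address(addr).packed + struct.pack("!H", 1719) + b"\x00\x00"

# Packet as seen after NAT: header rewritten, payload untouched (the symptom).
LEAKY = build_udp(PUBLIC, GATEKEEPER, 1719, 1719, ras_payload(INTERNAL))
# Packet as it should look when the payload is rewritten too.
CLEAN = build_udp(PUBLIC, GATEKEEPER, 1719, 1719, ras_payload(PUBLIC))

if __name__ == "__main__":
    for name, pkt in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_packet(pkt, INTERNAL, PUBLIC))
```

A non-empty `leaked` list together with `header_translated` set to true reproduces the condition reported above: the header is translated and the payload is not.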