Author Topic: HG 1500 NAT  (Read 9980 times)

0 Members and 1 Guest are viewing this topic.

Offline superddl

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
HG 1500 NAT
« on: February 17, 2011, 10:43:58 am »
Hi all,
Please see the structure. We have HG 1500 NATed but can't use VoIP. Is there any restriction with NAT or any settings I need to do?
My firewall is Checkpoint R71. The PBX and HG 1500 both in Taipei and Taichung have no restriction with outbound and inbound connection. Many thanks.



Offline Kimera

  • Global Moderator
  • Hero Member
  • ****
  • Posts: 1.196
  • Karma: +42/-3
  • Kimera (Ars Gratia Artis)
    • View Profile
    • SIEMENS Enterprise Wiki
Re: HG 1500 NAT
« Reply #1 on: February 17, 2011, 12:35:37 pm »
Hello,

The NATted (one location only) node could be the origin of VoIP (voice and signalling) issues you have in one direction (for calls which originate on Taipei to TaiChung), the other direction is granted by the Firewall itself (because all LAN origination traffic is permitted and the stateful traffic is permitted too): if the signalling (other than the voice) is being blocked maybe you should pay attention on the way your CheckPoint R71 Firewall is configured to forward/route the incoming traffic to the HiPath HG1500 media gateway.

Another scenario: why not place both nodes behind firewalls (on, as example, DMZ Ethernet port but could be a LAN 2 port too if LAN 1 is also used for the PC Subnet) and then make (1) VPN between WANs and (2) forward routing between WAN interface and DMZ interface on each Firewall ?

Example:

System (A) HG LAN 1 port <-> Firewall DMZ (A) port <-- forwarding to/from --> WAN (A) <--- VPN ---> WAN (B) <-- forwarding to/from --> Firewall DMZ (B) port <-> System (B) HG LAN 1

and also adding (3) a rule to manage IP traffic (to/from) between LAN and DMZ on each Subnet's Firewall.

Best regards,
Kimera.

P.S.
By the way you should have a look at "A31003-H3580-M102-10-76A9 01/2011 HiPath 3000/5000 V8 Configuration Examples" Administrator Manual: on page 2-19 (LAN-LAN Routing) there is an example of a similar scenario using (and so enabling) the LAN 2 Ethernet port on both two HG1500 Media Gateways and then working on both Firewall's DMZ (or LAN 2) sides to managing routing between nodes.
« Last Edit: February 17, 2011, 01:24:37 pm by Kimera »
(Ethical) Hackers are not just skilled, they are lucky people and they are persistent people. It's a combination of all three.
"Die Lösung ist immer einfach, man muss sie nur finden" Alexander Solschenizyn

I'm all for being a Partner, and a Professional. But if you want me to sell your products...you need to scratch my back a little too.