VCS StarterPack H.323 IP Dial Out and UDP 1719 LRQ problem

Tamer Ozbay
Level 1

Dear All,

I have a VCS Starter Pack with Dual Interface and NAT configuration. This is a demo setup and therefore all settings have been made with IP addresses. There are no SRV records. The customer has a Checkpoint firewall and we made NAT configuration between Public IP address and VCS LAN2 IP addresses.

There is a Tandberg MXP system registered to this VCS StarterPack over H.323 and SIP.

MXP system can receive H.323 call like (mxp@213.X.X.X) and SIP call (mxp1700@213.X.X.X).

MXP system can make call over SIP protocol to the address (ex60@biltam.com.tr) but cannot make H.323 call to the same address (ex60@biltam.com.tr).

I checked the logs and we found the below issue with firewall guy on the Checkpoint firewall.

VCS Starterpack sends LRQ packet to the outside and the outside answers with an LCF packet to our public IP address of the VCS. The Checkpoint firewall receives this packet but doesn't make any NAT translation for 1719 UDP packet and VCS StarterPack doesn't receive this LCF package.

There is some issue when I make a call to the public IP address of the test VC System on the internet.

Is there any special config at the Checkpoint firewall, or did I forget some point on the VCS? We made a special rule on the Checkpoint to translate 1719 UDP port to the VCS Starterpack LAN 2 interface, but when we check the report we can see there is no translation.

Now I am checking the internet about this issue; maybe I can find some detail about the solution.

Best Regards

Tamer OZBAY

1 Reply

Zac Colton
Cisco Employee

Checkpoint firewalls are known to require some off the shelf config changes. I believe the packet inspection on a Checkpoint is called SmartDefense. You will need to turn it off for H.323 and SIP. Even after turning it off, it will still perform packet inspection on those protocols if you use the built-in protocol rules; you will need to define a custom protocol with all the required ports. Then use that protocol definition when building the allow rules for communication.

Sent from Cisco Technical Support iPhone App