Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VCS StarterPack H.323 IP Dial Out and UDP 1719 LRQ problem

Dear All,

I have a VCS Starter Pack with Dual Interface and  NAT configuration. This is a demo  setup and therefore all settings have been made with IP addresses.There is No SRV records. The customer has a Checkpoint firewall and we made NAT configüration between Public IP address and VCS LAN2  IP addresses.

There is a Tandberg MXP system registered to this VCS StarterPack over H.323 and SIP.

MXP system can receive H.323 call like(mxp@213.X.X.X) and SIP Call (mxp1700@213.X.X.X).

MXP system can make call over  SIP protocol to the address (ex60@biltam.com.tr) but can not make H.323 call to the same address (ex60@biltam.com.tr).

I checked the logs and we found the below issue with firewall guy on the Checkpoint firewall.

VCS Starterpack sends LRQ packet to the outside and the outside answer  LCF packet to our public IP address of the VCS.  The Checkpoint Firewall

receive this packet but doesn't make any NAT translation for 1719 UDP packet and VCS StarterPack doesn't receive this LCF package.

There is some issue when I make a call to the public IP address of the test VC System on the internet.

Is there any special config at the checkpoint firewall or I forgot some point on the VCS? We made special rule on the Checkpoint to translate 1719 UDP port to the VCS Starterpack LAN 2 interface but  when we check the report we can see there is no Translation.

Now I am checking internet about this issue may be I can found some detail about the solution.

Best Regards

Tamer OZBAY

Everyone's tags (6)
1 REPLY
Cisco Employee

Re: VCS StarterPack H.323 IP Dial Out and UDP 1719 LRQ problem

Checkpoint firewalls are known to require some off the shelf config changes. I believe the packet inspection on a Checkpoint is called SmartDefence. You will need to turn it off for h323 and SIP. Even after turning it off, it will still perform packet inspection on those protocols if you use the builtin protolanguage rules, you will need to define a custom protocol with all the required ports. Then use that protocol definition when building the allow rules for communication.

Sent from Cisco Technical Support iPhone App

624
Views
0
Helpful
1
Replies