[FW-1] Manual NAT and udp port unreachable

Subject: [FW-1] Manual NAT and udp port unreachable
From: Niraj Patel <niraj AT VIPANA DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 29 Mar 2005 17:28:22 -0500

Hi,

I'm trying to connect sip phones behind a nokia checkpoint fw-1 ng fp3 to a
sip proxy outside the firewall. The phone has been given a public ip (I have
a few of them from my dsl provider) which is setup with proxy arp on the
main external interface (setup using voyager). The public phone ip has a
static route to the internal phone ip (also setup in voyager). I am able to
ping the phone using its public ip just fine.

While the phone can issue a request to the proxy, the ack from the proxy is
getting lost in a udp port unreachable message. The RTP port range on the
proxy is 10000-10100.

I've tried using the static nat feature on the phone network object and
automatically creating the NAT rules. I've also tried manually setting the
NAT rules by creating a host object for the internal and external ip of the
phone. The whole setup being quite finicky and I can't seem to get it to
work.


Ext. FW Public IP: 1.2.3.4/24
Internal FW Subnet IP: 10.10.10.1/24

SIP Proxy Public IP: 80.90.100.200

Public Phone IP: 1.2.3.10/24
Internal Phone IP: 10.10.10.100/24


Doing a tcpdump on the interface of the 10 subnet shows:

10.10.10.100.5060 > 80.90.100.200.5060          
80.90.100.200.5060 > 10.10.10.100.10015 
10.10.10.100 > 80.90.100.200: icmp: 10.10.10.100 udp port 10015 unreachable

A tcpdump on the external fw interface shows pretty much the same thing but
with the 10.10.10.100 replaced by 1.2.3.4

As a result, the phone will not register. I've tried this with a couple of
different phones so I don't think it's a phone problem. I think what's
happening is that the external NAT is using a different port and the proxy
is replying directly to that port but then the fw doesn't know how to
forward/map the response back to the originating port on the phone. Is that
right?


The manual NAT rules I have set up are:

                ORIGINAL                                TRANSLATED
Source          Destination     Service         Source          Destination     Service
10.10.10.100    ANY             ANY             1.2.3.10        ANY             ANY
ANY             1.2.3.10        ANY             ANY             10.10.10.100    ANY


I have tried various combinations thereof, removed the option to do NAT on
the client side, and tried to do a port mapping of the range 10000-10100 to
5060, but it kicked back with an error.

Any help would be greatly appreciated. Thanks in advance!

Regards,
Nick
