watchguard firebox x700 and videoconferencing


orish
07-18-2004, 08:57 AM
Hi all,

I set up a watchguard firebox x700 in our network and want to make vc-calls.

After the standard setup, surfing, mailing and so on are OK.

In addition to the standard rules already in the box (ftp 21, ping, outgoing all allowed) I created a rule for NATing from the external IP -> one special internal IP (VC) and I gave it all possible tcp and udp ports (1024-65535).

If I'm doing a dial-out call the vc-unit connects over tcp 1720 and that's all. Black screen. My VC-unit log says there are no packets to decode. If I dial in with a remote system, tcp 1720 connects and the firewall shows that this allowed tcp 1720 connection is detected by my NAT rule. But that's all - no more connections on other ports, black screen and no packets to decode in the vc-unit.

So it seems to me that the firewall blocks all the packets - but I allowed all these packets in that NAT rule above and checked the logging of the rule so that it shows if this rule is used.

(with another 'small' router/firewall the vc-unit is working fine... so it's not a matter of the unit)

Thanks very much for comments and hints!

cheers orish

Glen Sykes
07-19-2004, 12:18 PM
Hi Orish.

Can you confirm what your VC endpoint is?

A common problem with VC through NAT is that the H.323 payload itself makes a reference to the inside IP address of the VC system. In other words, the system that you are making a call to on the other side of the firewall will try to send the return streams to an unroutable IP address.

There are a few ways of overcoming this. Both Polycom and Tandberg (and others) for example allow you to configure your system so that it uses the outside NAT'ed address rather than its private address in the payload. The other alternative is to use an H.323 aware NAT, such as Cisco IOS NAT or PIX which will actually rewrite the H.323 payload with the correct IP address as well as the IP header.

Hope this helps,

Glen
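A small simulation of the failure Glen describes, added here as an illustration and not code from anyone in the thread. It models an H.323 setup message as an IP header plus the media address the endpoint advertises inside the payload, then runs it through a plain port-forwarding NAT (like the 1024-65535 rule in the original post) and through an H.323-aware NAT that also rewrites the payload. The far end sends its return media to the payload address, so the check is whether that address is RFC 1918 private space. All addresses, names and the message layout are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges), not from the thread.
PUBLIC_NAT_ADDR = "203.0.113.10"   # firewall's external address
PRIVATE_VC_ADDR = "192.168.1.50"   # videoconferencing unit behind the firewall
REMOTE_ADDR = "198.51.100.20"      # far-end endpoint

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class H323Setup:
    """Simplified H.225 setup: IP header fields plus the media address
    the endpoint advertises inside the H.323 payload (hypothetical layout)."""
    header_src: str
    header_dst: str
    payload_media_addr: str


def plain_nat(msg: H323Setup, inside: str, outside: str) -> H323Setup:
    """Port-forwarding NAT: rewrites only the IP header, payload untouched."""
    src = outside if msg.header_src == inside else msg.header_src
    return replace(msg, header_src=src)


def h323_aware_nat(msg: H323Setup, inside: str, outside: str) -> H323Setup:
    """ALG-style NAT: rewrites the header AND the address carried in the payload."""
    out = plain_nat(msg, inside, outside)
    if out.payload_media_addr == inside:
        out = replace(out, payload_media_addr=outside)
    return out


def remote_return_target(msg: H323Setup) -> str:
    """The far end opens its media streams to the payload address, not the header source."""
    return msg.payload_media_addr


def is_routable(addr: str) -> bool:
    """True unless the address falls in RFC 1918 private space (unroutable across the internet)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def scenario(advertised_addr: str, nat) -> tuple:
    """Run one call setup: what address does the far end target, and can it reach it?"""
    msg = H323Setup(PRIVATE_VC_ADDR, REMOTE_ADDR, advertised_addr)
    on_wire = nat(msg, PRIVATE_VC_ADDR, PUBLIC_NAT_ADDR)
    target = remote_return_target(on_wire)
    return target, is_routable(target)


def run_all() -> dict:
    """The three cases from the discussion: broken, endpoint-side fix, NAT-side fix."""
    return {
        "plain NAT, endpoint advertises private address": scenario(PRIVATE_VC_ADDR, plain_nat),
        "plain NAT, endpoint configured with public NAT address": scenario(PUBLIC_NAT_ADDR, plain_nat),
        "H.323-aware NAT, endpoint advertises private address": scenario(PRIVATE_VC_ADDR, h323_aware_nat),
    }


if __name__ == "__main__":
    for name, (target, ok) in run_all().items():
        print(f"{name}: far end sends media to {target} -> {'reachable' if ok else 'unreachable'}")
```

The first case is the black-screen situation: every port is open on the firewall, tcp 1720 is logged, yet the return streams go to 192.168.1.50 and never arrive. The other two cases are the two fixes Glen names, and both the far end's behaviour and the firewall rule are unchanged between them.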

orish
07-19-2004, 03:10 PM
Hi Glen,

My endpoint is a Sony PCS-1 and NAT is turned on. The reason for the problem was my testing participant on the other site. It was a plcm sp128 online without NAT turned on. I tested with another participant and it is working fine.

thanks orish

Glen Sykes
07-19-2004, 06:29 PM
Glad to hear you sorted it!