Hi,

Our branch office used to have a direct internet connection using another ISP. In this setup, the remote VoIP phone works. The server (Windows SBS), using ISA, NATed and forwarded the packets to the PABX. The remote phone connects, via the internet, to the public address (external interface) of the Windows SBS server.

However, in our new setup, the new 10.77.6.0/24 network is just another WAN site connected by a WAN router (same as our branch offices). Our firewall/main internet gateway is located on the 172.16.4.0/24 network.

Of course, all of the internal LAN hides behind the public IP of the firewall.

On the remote phone, I assigned it to use one of our public addresses. On the firewall object for the PABX, I have hidden it behind this public address. I have also assigned a 10.77.6.0/24 address to the PABX object.

The rules I've created are:

any pabx allowed(service/protocol) accept
pabx any allowed(service/protocol) accept

If I do not NAT it, how will the firewall know where to send the packets to? Putting it another way, how do I set up the rule such that

1. It will accept the packets (to the public ip.xx.yy.zz) I've assigned
2. Then forward the packets to the correct ip (10.77.6.0/24) where the pabx is listening

ta
czar


Hugo van der Kooij wrote:
On Mon, 17 Sep 2007, David DeSimone wrote:

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


When the phone tries to connect, the firewall (splat R55) immediately
drops the packet (the drop rule - which is the last rule).  This means
that the rule I've set is not being processed or not being used at
all.  Even if I set the rule to accept any any, it still immediately
goes to the drop rule.  No other info is generated.


Checkpoint rules process incoming packets before they are translated by
NAT.  Make sure you are allowing the untranslated IP addresses in your
security policy.


Sounds like this user is better off using NAT on the object so Check Point will handle both addresses.

But getting proprietary VoIP solutions to work through Check Point can be a real pain.

Hugo.

