If I have understood the question correctly, the key is not to call the GW via its private IP. If it is registered to the GK, then the GK should return to the originator of the call the outside address associated with it in the firewall (essentially a static NAT entry). This is done by dialling the endpoint's E.164 number.

For example, the ARQ of the originator has in it the E.164 number of the GW. The ACF from the GK will instruct the originator to set up a session to the outside IP address of the GW as defined in the NAT entry on the firewall. Upon connection to this IP address, the firewall forwards the session to the appropriate inside IP address (in this case, the GW). Because the firewall is H.323 aware, any incoming sessions from the outside on a particular IP address should not only have the address in the header translated to the inside address, but also the H.323 payload as well.

I hope this helps,
Glen

-----Original Message-----
From: Stewart Nelson [mailto:sn@xxxxxxxxxxx]
Sent: 09 July 2004 08:09
To: openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Question about NATed endpoints

Hi,

The GW sends an RRQ with a private call signal address. If the firewall is working correctly, it translates that to a public address and forwards it to the GK, which should be unaware that the GW is behind a NAT. When the RCF comes in, the firewall makes an entry mapping the public address to the private. On an incoming setup, the GK opens a TCP connection to the public address on typically port 1720, and the firewall forwards that to the GW's private address.

Unfortunately, many firewalls require a non-default configuration setting before they will do this. If you have just one such endpoint, try it and see if you can get it working.

If you plan to have many endpoints behind firewalls of different types over which you have no administrative control, and you expect incoming calls to work, you will surely run into trouble.
I can only suggest that you use a more NAT-friendly protocol, such as SIP or IAX. Perhaps there are others on this list who have solved the problem using H.323.

--Stewart

----- Original Message -----
From: "James Lertora" <jlertora@xxxxxxxxxx>
To: <openh323gk-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, July 08, 2004 9:48 AM
Subject: RE: Question about NATed endpoints

> Thanks Stewart and Michal.
>
> I have one more question.
>
> If there is a gateway with a private IP being NATed behind a firewall
> that is H.323 aware. After the GW registers with the GK and a caller
> tries to reach the GW with the private IP how does the set up message
> make it to the private IP address through the firewall?
> If I get this I think it will all make sense.
>
> Thanks again.
>
> James Lertora
> Technical Support
> Patton Electronics
> mailto:support@xxxxxxxxxx

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________________
List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
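
Added example, not part of the original thread or of GnuGk: a small Python model of the registration and call setup described in the messages above, comparing an H.323-aware firewall with one that translates only the IP header. The addresses, the E.164 number 5551000, and the names Msg, Firewall and place_call are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 ranges: not routable from the caller's side of the firewall.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Msg:
    kind: str              # message type: "RRQ" (RAS) or "Setup" (Q.931)
    src: str               # IP header source
    dst: str               # IP header destination
    call_signal: str = ""  # call signal address carried in the H.323 payload
    alias: str = ""        # E.164 number

class Firewall:
    """Static NAT, optionally H.323 aware (rewrites the payload as well)."""
    def __init__(self, static_nat, h323_aware):
        self.to_public = dict(static_nat)
        self.to_private = {pub: priv for priv, pub in static_nat.items()}
        self.h323_aware = h323_aware

    def outbound(self, m):
        payload = m.call_signal
        if self.h323_aware:
            payload = self.to_public.get(payload, payload)
        return replace(m, src=self.to_public[m.src], call_signal=payload)

    def inbound(self, m):
        priv = self.to_private.get(m.dst)
        return replace(m, dst=priv) if priv else None  # no NAT entry: dropped

def place_call(h323_aware):
    """Return (address the GK hands out, inside host that receives Setup)."""
    fw = Firewall({"192.168.1.10": "203.0.113.10"}, h323_aware)  # constructed
    registrations = {}  # gatekeeper table: E.164 -> call signal address
    rrq = fw.outbound(Msg("RRQ", "192.168.1.10", "198.51.100.5",
                          call_signal="192.168.1.10", alias="5551000"))
    registrations[rrq.alias] = rrq.call_signal       # GK stores what it saw
    target = registrations["5551000"]                # returned in the ACF
    if any(ipaddress.ip_address(target) in net for net in RFC1918):
        return target, None                          # caller cannot route there
    setup = fw.inbound(Msg("Setup", "198.51.100.77", target))  # TCP port 1720
    return target, setup.dst if setup else None

if __name__ == "__main__":
    print("H.323 aware:", place_call(True))
    print("plain NAT:  ", place_call(False))
```

With payload rewriting the gatekeeper only ever learns the outside address; without it the private address leaks into the registration and the incoming Setup has nowhere to go.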