RE: Natting thru a pix firewall with IOS version 7.0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Sean

Yes, this is correct.
The parent GnuGK on the outside of the firewall detects the child Nat'd GnuGk is behind a router/firewall and notifies the child GnuGK when it registers (via a non-standard message in the RCF) the child GnuGK detects this and modifies how it handles call signalling to enable it to traverse the NAT. It will open a TCP keep-alive socket through the firewall to the Parent GnuGK signalling port (usually port 1721). This socket is constantly kept open in the firewall to be able to receive calls. When a call is received at the Parent Gatekeeper the call signal is routed through the keep-alive socket to the child gatekeeper to receive the incoming call. The child GnuGK will then open 2 UDP media sockets out to the parent GnuGK to open holes in the firewall for the media. The media is then proxied through both child and parent GnuGK.
This functionality was developed for and is only used with GnuGK. It is very good and does work very efficiently. The ITU has recently released a couple of standards that pretty much does the same thing however IMHO is not as easy to implement as the GnuGK method and very few vendors have adopted the standard.
In theory (and in practise) the child Nat'd GnuGK is not necessarily required and can operate just as well with just Endpoints as long as these endpoints are compatible with GnuGK NAT traversal logic.
I have done some work in this area and recently included the GnuGK messaging into the OpenH323 CVS (so eventually clients like MyPhone etc can support it) There are a couple of commercial (some free) products which also support it. 

Simon



At 02:34 AM 9/12/2005, you wrote:

So in order for me to use my Gnugk box to connect to another brand would
be to turn of the proxy function, or to place a third Gnugk box on the
outside to proxy thru the firewall correct? As shown below.


Gnugk box <------> Firewall <------> Gnugk box  <------> Vendor x

Thanks,


Sean Salomon






________________________________

From: openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx
[mailto:openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Simon
Horne
Sent: Thursday, December 08, 2005 8:53 AM
To: openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Natting thru a pix firewall with IOS
version 7.0



GnuGk has it's own Nat Traversal methodology which allows communication
between GnuGK gatekeepers to traverse NAT's. This is not a standard
H.323 function and will only work when the gatekeeper on the inside of
the NAT and the gatekeeper on the outside are both GnuGK.

Simon

At 11:09 AM 8/12/2005, you wrote:



        Has anyone had the Gnugk gatekeeper proxy thru a Cisco pix fire
wall, and connect to a Cisco Gatekeeper. The gatekeeper is running
version 12.x of the IOS. I have been able to proxy the internal gnugk
box thru the firewall running IOS version 7.0 to a gnugk box on the
outside world. The only way I have been able to do this is to register
the internal gatekeeper to the external gatekeeper. When I change the
external gatekeeper from a gnugk box to a Cisco box it fails. The calls
will go out, but when they come back in it fails. It seems like the h323
encapsulation is failing. Anyone have any ideas?

        Thanx in advance..





-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id865&opick
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id?49
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id865&opÌk
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id?49
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/
[Index of Archives]     [SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Yosemite News]

  Powered by Linux