[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT woes



Hi Ken,

Try to allow the gnugk to access any any outbound on the cisco ASA.
Also you have to make sure the NAT ports are not mapped dynamical but
static so port localip:40001 get translated into externalip:40001

Also Tandberg has a few demands on firewall ports to open but since you
are using gnugk this should be proxied by gnugk.



Siem

-----Original Message-----
From: Ken Tucker [mailto:ken.tucker@xxxxxxxxx] 
Sent: woensdag 5 mei 2010 19:30
To: GNU Gatekeeper Users
Subject: Re:  NAT woes

Our firewall is a Cisco ASA. I have turned off all H323 inspection.
Calling from external endpoint to internal endpoint works and I now have
full audio/video. Internal to external fails, it just rings and rings. 

Also, an internal to internal connection works, but only if I set the
Tandberg to use static H323 ports. I still need to update the code on
that endpoint which may help.

Still testing... ;)

Thanks!

-----Original Message-----
From: Andrew Herdman [mailto:andrew@xxxxxxxxx] 
Sent: Wednesday, May 05, 2010 11:43 AM
To: GNU Gatekeeper Users
Subject: Re:  NAT woes

Ken;

Glad things are moving forward.  The other questions, we'll need to know

more about your environment, the firewall, while things may be open, if 
it's a state full inspection firewall it may be blocking things anyway, 
smart is not always better.  You also don't mention which way works, and

which way does not.

Andrew


Ken Tucker wrote:
> Thanks, Andrew. That instantly helped. I'm still having some issues
but I'm light-years further than I was. Any other settings you or anyone
recommend for having the gatekeeper NATed and external endpoints NATed?
I still have some issues were I can call one way but not the other.
Thanks!
>
> Ken
>
> -----Original Message-----
> From: Andrew Herdman [mailto:andrew@xxxxxxxxx] 
> Sent: Wednesday, May 05, 2010 6:24 AM
> To: GNU Gatekeeper Users
> Subject: Re:  NAT woes
>
> Ken;
>
> Try adding this to [Gatekeeper::Main]
>
> Home=IP Address of Ethernet
> ExternalIP=IP Address that is NAT to Outside
>
> I've had better luck with things.
>
> As well, not sure about your entire setup, but if you add to [Proxy]
>
> ProxyAlways=1
>
> might help simplify your debugging, as all calls will be proxied. It
may 
> however cause issues if you have several inside endpoints calling each

> other.
>
> Andrew
>
>
> Ken Tucker wrote:
>   
>> Hi all,
>>
>> I've been banging my head against a wall for several days and after 
>> numerous attempts at ini changes and google searches, I figured it
was 
>> time to come begging for help...
>>
>> I have a single gnugk system (2.3.1) behind my firewall. It only has 
>> one (private IP) interface. It is NATed to the Internet and all the 
>> appropriate ports are allowed in. I have endpoints in other VLANs 
>> behind the firewall (with full IP access to/from gnugk for now). I 
>> also have external endpoints on different networks that are NATed
out. 
>> Note that ALL endpoints are Tandbergs.
>>
>> All units register fine, either to the private IP or the NATed IP of 
>> gnugk. However, I cannot get a call to connect from external to 
>> internal endpoint or vice-versa. If I call from ext to int, it rings,

>> and as soon as the other side connects, the ext shows call 
>> cleared/disconnected. Here's a chunk of the logs (using -ttttt) when
I 
>> call from the external unit to the internal unit (via alias): (all
IPs 
>> have been changed J )
>>
>> ------------------------------------------------------------------
>>
>> 2010/05/04 23:39:29.332 3 RasSrv.cxx(2569) GK ARQ will request 
>> bandwith of 10240
>>
>> 2010/05/04 23:39:29.332 5 Routing.h(177) ROUTING Checking policy 
>> Explicit for the request ARQ 2572
>>
>> 2010/05/04 23:39:29.332 5 Routing.h(177) ROUTING Checking policy 
>> Internal for the request ARQ 2572
>>
>> 2010/05/04 23:39:29.332 4 RasTbl.cxx(1697) Alias match for EP 
>> 10.1.1.1:1719
>>
>> 2010/05/04 23:39:29.332 5 Routing.h(183) ROUTING Policy Internal 
>> applied to the request ARQ 2572
>>
>> 2010/05/04 23:39:29.332 2 RasTbl.cxx(3321) CallTable::Insert(CALL) 
>> Call No. 1, total sessions : 1
>>
>> 2010/05/04 23:39:29.332 5 RasTbl.cxx(3087) RAS
>>
>> NAT Offload (H460.23/.24) calculation inputs for Call No: 1
>>
>> Rule : Must Proxy Media
>>
>> Calling Endpoint:
>>
>> Proxy IP: 22.22.22.22
>>
>> Called Endpoint:
>>
>> Proxy IP: 10.1.1.1
>>
>> 2010/05/04 23:39:29.332 4 RasTbl.cxx(3092) RAS Disable H.460.24 
>> Offload as neither party supports it.
>>
>> 2010/05/04 23:39:29.332 4 RasSrv.cxx(2744) RAS NAT strategy for Call 
>> No: 1 set to Unknown Strategy
>>
>> 2010/05/04 23:39:29.332 2 RasSrv.cxx(394) 
>>
ACF|22.22.22.22:1719|5423_endp|16845|222:dialedDigits|224:dialedDigits|f
alse|02-b2-8b-0e-26-8e-19-50-34-48-00-50-60-01-25-4a;
>>
>> 2010/05/04 23:39:29.332 3 RasSrv.cxx(236) RAS Send to
22.22.22.22:1719
>>
>> .....
>>
>> 2010/05/04 23:39:39.786 1 ProxyChannel.cxx(4536) H245d Could not 
>> open/connect H.245 socket at 0.0.0.0:31001 - error 12/1073751885: 
>> Connection refused
>>
>> 2010/05/04 23:39:39.786 3 ProxyChannel.cxx(4538) H245 10.1.1.1:11025 
>> DIDN'T ACCEPT THE CALL
>>
>>
------------------------------------------------------------------------
-
>>
>> Few things... Why would NAT strategy be set to "Unknown Strategy"?
Also 
>> what does the connection refused for 0.0.0.0 signify?
>>
>> Here's my config:
>>
>> [Gatekeeper::Main]
>>
>> Fortytwo=42
>>
>> TimeToLive=600
>>
>> ExternalIP=[nated external IP of gnugk]
>>
>> ExternalIsDynamic=0
>>
>> [RoutedMode]
>>
>> GKRouted=1
>>
>> H245Routed=1
>>
>> CallSignalPort=1720
>>
>> RemoveH245AddressOnTunneling=1
>>
>> DropCallsByReleaseComplete=1
>>
>> SupportNATedEndpoints=1
>>
>> ;SupportCallingNATedEndpoints=1
>>
>> Q931PortRange=30000-30999
>>
>> H245PortRange=31000-31999
>>
>> EnableH46018=1 <----- without this, I got immediate route errors
>>
>> NATStdMin=18
>>
>> [Proxy]
>>
>> Enable=1
>>
>> T120PortRange=50000-59999
>>
>> RTPPortRange=50000-59999
>>
>> InternalNetwork=[various endpoint vlans behind firewall],127.0.0.0/8 
>> <----- without the internal vlans, I couldn't get a call to even
start
>>
>> [GkStatus::Auth]
>>
>> rule=allow
>>
>> [RasSrv::RRQFeatures]
>>
>> SupportDynamicIP=1
>>
>> Thank you for any hints you have for me...!
>>
>> Ken
>>
>>
------------------------------------------------------------------------
>>
>>
------------------------------------------------------------------------
------
>>   
>>
------------------------------------------------------------------------
>>
>> _______________________________________________________
>>
>> Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
>> Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
>> Unsubscribe:
http://lists.sourceforge.net/lists/listinfo/openh323gk-users
>> Homepage: http://www.gnugk.org/
>>     
>
>
>
------------------------------------------------------------------------
------
> _______________________________________________________
>
> Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
> Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
> Unsubscribe:
http://lists.sourceforge.net/lists/listinfo/openh323gk-users
> Homepage: http://www.gnugk.org/
>
>
------------------------------------------------------------------------
------
> _______________________________________________________
>
> Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
> Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
> Unsubscribe:
http://lists.sourceforge.net/lists/listinfo/openh323gk-users
> Homepage: http://www.gnugk.org/
>   


------------------------------------------------------------------------
------
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe:
http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/

------------------------------------------------------------------------
------
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe:
http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/

------------------------------------------------------------------------------
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/

[SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Singles Community]     [Yosemite News]

Add to Google Powered by Linux