[h323plus] SonicWall/Dell wreck of a NAT

Marek Podgorny marekjp at gmail.com
Fri Nov 15 17:25:00 EST 2013


Marek Podgorny
+1 315 373-6345


On Fri, Nov 15, 2013 at 4:25 PM, Simon Horne <s.horne at spranto.com> wrote:

> I assume you are using H.460.18/.19 ?
>
> The fact it is letting 1719 through indicates the firewall might be doing
> deep packet inspection. If so this might indicate that an ALG might be in
> play.
>

I'm quite sure there is no DPI on SonicWall. My guess is that checking the
"H323 support" box modifies the treatment of a few well-known ports for NAT.

>
>
> I suggest you check when registering the IP address used to register with
> the gatekeeper. Basically check the RRQ from the NATed endpoint with the
> RRQ received at the gatekeeper and make sure the IP addresses match.
>

I did. They match, but this does not mean - to me - that there is an active
ALG in play. This is just the basic NAT - gatekeeper only sees FW WAN IP.

On second thought though, here is what I see:

Call signaling address    209.217.218.37:30842
RAS address               209.217.218.37:4096
Apparent RAS address      209.217.218.37:4096

I never got to the bottom of the probably deep significance of these 3
addresses.

> If an ALG is in play then the addresses get changed on the way through from
> internal to external addresses. If that is the case then simply turn off
> H.460.18/.19 in the endpoint behind the NAT and let the ALG do what it is
> maybe supposed to do. (I have low confidence in ALGs.) The other
> alternative is to try to turn off the ALG and deep packet inspection in the
> firewall.
>

I tried the latter to no effect but didn't think of the former.

I hate SonicWall. My $100 SOHO router handles all this w/o a hitch.


>
> To test as you requested
>
> H323EndPoint::SetUDPPorts(1718,172x);
>
> This will set the first UDP port for RAS to 1719.
>
> Simon
>
> *From:* h323plus-bounces at lists.packetizer.com [mailto:
> h323plus-bounces at lists.packetizer.com] *On Behalf Of *Marek Podgorny
> *Sent:* 16 November 2013 06:29
> *To:* h323plus at lists.packetizer.com
> *Subject:* [h323plus] SonicWall/Dell wreck of a NAT
>
> I have a problem with a firewall that I cannot replace or reconfigure. The
> FW is a SonicWall, public IP on Internet side (of course), NAT on the LAN
> side, gatekeeper on a public address outside FW. Calls from EPs on NAT to
> outside world work but incoming calls fail. I wiresharked the traffic and
> found that the Q.931 setup ServiceControlIndication packet bounces from the
> FW. The reason for this is that while this particular packet is sent to UDP
> port previously used by the NATed EP RRQ, the FW fails to preserve NAT
> mapping table. SonicWall also ignores port preservation setting.
>
> Astonishingly, bi-directional access to UDP port 1719 works (SonicWall
> claims to support H.323 and it is possible to "activate" it. Maybe port
> 1719 becomes special). Therefore, here is my question:
>
> Is it possible to order H323Plus to only use outgoing UDP port 1719 for
> RAS signalling?
>
> Marek Podgorny
>
> +1 315 373-6345
>