This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarm_Chanatip
Collaborator
‎2019-03-13 12:13 AM

VoIP Traffic Issue

Hello guys,

First of all, I'm new with VoIP configuration and now encountering VoIP traffic issue while the call flow traverses the Check Point Gateway

I will briefly explain an issue.

1. When Phone device ( 192.168.10.204 ) that behind firewall calls to Phone device that's the opposite side of firewall ( 10.105.62.102 ). RTP message is working fine, both sides can hear each other

2. But If  Phone devices from the opposite side call back to 172.19.0.204 ( translation to 192.168.10.204 ),

RTP message is not working properly, only one side can hear voice but another cannot.

In this point, Phone A could hear, but Phone B could not.

 

Please see diagram below to refer

RTA-VoIP-Diagram-POC.jpg

 

Does anyone here ever encounter issue like this before?

 

Really appreciate every comments


Regards,

Sarm

0 Kudos
9 Replies
Wolfgang
Authority
Authority
‎2019-03-13 12:46 AM

Can you show us your NAT-rule for the connection. You have to translate both directions. Maybee this is a NAT problem. Did you see the NAT working for both directions?

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-13 03:23 AM
In response to Wolfgang

Dear Nickel,

I have configured static NAT both directions and only saw the NAT was working for outgoing call connection but still a bit confusing why incoming call ( RTP )is not working while call is connected.

Regards,
Sarm
0 Kudos
D_W
Advisor
‎2019-03-13 02:46 AM

We had an identic issue and used at first https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... to check the right rule set.
Based on how your VOIP Architecture is build you have to choose the right ruleset.

Then most stuff worked but for example more then one call at the same time (to/from external) wasn't possible. We haven't found any Log/Drop.

However our final solution was to disable all SIP IPS Rules for the VOIP Area.

KR
David

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-13 08:14 AM
In response to D_W

Hi David,

Thank you for comments.

Based on your sk provided, I have the SIP Security Rule for Proxy in an External Network:

The rule is set to Souce: Net 192.168.10.0 with Destination: 10.105.62.0 and allow any service but still does not work.

Regarding IPS rules we do not have this blade enabled yet, it's just a firewall blade only

Regards,
Sarm
0 Kudos
D_W
Advisor
‎2019-03-13 08:36 AM
In response to Sarm_Chanatip

Have you scrolled trough all sections that are in this SK?
For example when you NAT you have also have to set some special rules, see section 8.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
D_W
Advisor
‎2019-03-15 02:19 AM
In response to Sarm_Chanatip

IPS can drop without log although IPS is not activated. Also SIP is mentioned.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-13 11:41 AM

I describe exactly this issue in my article:

VoIP Issue and SMB Appliance (600/1000/1200/1400)

 

fon.JPG

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-14 04:37 AM
In response to HeikoAnkenbrand

Hello Heiko,

I have read your article and tried to perform as the sk attached in the content but did not help. It's not looking like relevant to my case.

I'm still having in trouble with inbound call.

Any ideas I can check more?

Thank you!

Regards,
Sarm

0 Kudos
Pawel_Szetela
Contributor
‎2019-03-14 05:41 AM

Hi,

We've had similiar problem but with H323 and no NAT in our case - "Hide internal networks behind gateway's IP" is checked and we have no NAT rules for VOIP traffic. Source and destination wasn't nated but payload was still nated. SK98354 in our case helped.

Depending on the version You are using look at this SK143713

Regards

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top