Hello Check mates.
I'm facing an issue when trying to integrate a VoIP provider (RingCentral). The provider sends signaling traffic from the Internet to a call manager (which is inside our network) when an external call initiates.
In order to enable this communication, I created a NAT to publish the call manager, security rules, as well as reverse ARP, following sk95369. The network services in my security rules are the regular objects.
Below is the path of the communication:
External call initiates: User traffic over the Internet -> RingCentral -> Internet -> Check Point NAT -> Call Manager
The NAT works fine, since the external traffic can reach the internal server (call manager). However, this call manager rejects the petition, returning a 'bad request' error. This happens because the payload has not been handled correctly by the firewall.
The signaling parameters are not translated from the external address to the internal, as shown below.
14:09:23.284951 00:1c:7f:8a:26:a4 > 00:08:e3:ff:fc:2c, ethertype IPv4 (0x0800), length 1252: 199.255.X.X.5060 > 192.168.X.X.5060: SIP: INVITE sip:1255@12.27.X.X:5060 SIP/2.0
The call manager expects to receive the INVITE message with its own address (192.168.X.X), not the NATed address (12.27.X.X).
I've tried several combinations of service objects and types of NAT rules, and also tried enabling the Inspection Setting "Strict SIP Protocol Flow Enforcement", but nothing has helped yet.
Does anyone on the forum have a similar deployment that can share any recommendations with me?
I'm running out of options and the TAC is not being very helpful.
Thanks,
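
The mismatch described in the post (IP destination already translated, SIP Request-URI still carrying the public address) can be checked for in a capture with a short script. This is an added example, not part of the original post; the function names and the sample lines with their addresses are constructed for illustration, and only the capture line format is taken from the post.

```python
import re
from ipaddress import ip_address

# Matches the capture line format shown in the post:
#   <src>.<sport> > <dst>.<dport>: SIP: <METHOD> sip:[user@]host[:port] SIP/2.0
SIP_REQUEST = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: SIP: "
    r"(?P<method>[A-Z]+) sips?:(?:[^@\s;]+@)?(?P<host>[^:;\s>]+)\S* SIP/2\.0"
)

def check_request_uri(line):
    """Return a verdict for one capture line, or None if it is not a SIP request."""
    m = SIP_REQUEST.search(line)
    if m is None:
        return None
    try:
        uri_ip = ip_address(m["host"])
    except ValueError:
        uri_ip = None  # Request-URI carries a hostname; nothing to compare
    return {
        "method": m["method"],
        "ip_dst": m["dst"],
        "uri_host": m["host"],
        # True only when the URI host is an IP literal that differs from the
        # address the packet was actually delivered to after NAT.
        "untranslated": uri_ip is not None and uri_ip != ip_address(m["dst"]),
    }

def untranslated_requests(lines):
    """Requests whose payload still names an address other than the IP destination."""
    verdicts = (check_request_uri(l) for l in lines)
    return [v for v in verdicts if v and v["untranslated"]]

# Constructed sample lines (documentation/RFC 1918 addresses, not from the post).
SAMPLE = [
    "14:09:23.284951 198.51.100.10.5060 > 192.168.10.20.5060: SIP: INVITE sip:1255@203.0.113.5:5060 SIP/2.0",
    "14:09:24.100002 198.51.100.10.5060 > 192.168.10.20.5060: SIP: INVITE sip:1255@192.168.10.20:5060 SIP/2.0",
    "14:09:24.200003 192.168.10.20.5060 > 198.51.100.10.5060: SIP: SIP/2.0 400 Bad Request",
]

if __name__ == "__main__":
    for v in untranslated_requests(SAMPLE):
        print(f'{v["method"]} to {v["ip_dst"]} still addresses {v["uri_host"]}')
```

Running it against text captures taken on the internal interface before and after a configuration change shows whether the firewall has started rewriting the SIP payload.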