MGCP Supported Deployment and NAT Support

The Security Gateway supports the MGCP deployments listed in the table. You can configure Hide or Static NAT for the phones in the internal network.

NAT is not supported on IP addresses behind an external Security Gateway interface.

The SmartConsole configuration depends on the topology.

Supported MGCP Topology	No NAT			NAT for Internal Phones - Hide/Static NAT
Call Agent in External Network	Yes			Yes
Call Agent in the DMZ	Yes			No
Call Agent to Call Agent	Yes			No
Call Agent in External Network			The IP Phones use the services of a Call Agent on the external side of the gateway. This topology enables the use of services of a Call Agent that is maintained by another organization. It is possible to configure Hide NAT, Static NAT or no-NAT for the phones on the internal side of the gateway.
Call Agent in the DMZ		The same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations.
Call Agent to Call Agent		Each Call Agent controls a separate endpoint domain. When there is one or more Call Agents, the signaling passes through each Call Agent. Once the call has been set up, the media can pass endpoint to endpoint.

Notes:

Below are the following exceptions for using MGCP with NAT:

• Manual NAT rules are not supported. You must use Automatic NAT.
• Calls cannot be made from an external source to two endpoints on the trusted side of a gateway if only one of the endpoints is NAT enabled.
• Bidirectional NAT of VoIP calls is not supported.

Hide NAT for MGCP Traffic

You can configure NAT on the gateway for the:

• IP address of the MGCP endpoint phones
• Source port of the MGCP endpoint phones.

To configure Hide NAT on the gateway:

1. Open SmartConsole.
2. Select the Manage & Settings tab go to Blades > Inspection Settings.
3. In the search field, type MGCP - General Settings. Double-click on the setting that shows.
4. Select a Profile > Advanced.
5. In Advanced, check the box Hide NAT changes source port for MGCP.

With this option disabled, the gateway performs Hide NAT only on the IP address of MGCP endpoint phones.

Note - Hide NAT changes source port for MGCP must be selected in environments where:

• The gateway is configured in SmartConsole to Hide NAT on the internal IP addresses of the endpoints
• The MGCP server can register only one endpoint with a given IP address and port combination

Important - Hide NAT can be used for all types of calls (incoming, outgoing, internal and external). However, for security reasons, when using Hide NAT for incoming calls, the Destination of the VoIP call in the Rule Base cannot be Any.

MGCP Packets

MGCP packet before NAT

The image of the packet capture below shows an MGCP packet from a phone with IP address 194.90.147.53, and source port 2427 (the default MGCP port).

Packet after Hide NAT when option is disabled

The image of the packet capture below shows the MGCP packet after Hide NAT, with the Hide NAT changes source port for MGCP option disabled. The IP address is translated to the Hide NAT address of 194.90.147.14, but the source port 2427 is unchanged.

In this environment, all the internal phones are registered with the same Source IP ,194.90.147.14, and the default MGCP source port, 2427.

Some MGCP servers can register a phone with only one IP address and port combination. As a result, only one of the phones behind that IP address will be registered successfully on the server.

Packet after NAT when option is enabled

The image of the packet capture below shows the MGCP packet after Hide NAT, with the option enabled.

• The IP address is translated to the Hide NAT address of 194.90.147.14
• The source port is also translated to an allocated port of 10416

In this environment, a different port is allocated for each internal phone. All phones are registered with a different Source IP: port combination. For example:

• One phone with source IP 194.90.147.14 and source port 10416 (as shown in the packet capture)

AND

• Another phone with source IP 194.90.147.14 and source port 10417

As a result, all internal phones are registered successfully on the server.

Packet after NAT when Option is Enabled

This packet capture shows the MGCP packet after Hide NAT, with the option enabled.

• The IP address is translated to the Hide NAT address of 194.90.147.14
• The source port is also translated to an allocated port of 10416

In this environment, a different port is allocated for each internal phone. All phones are registered with a different Source IP: port combination. For example:

• One phone with source IP 194.90.147.14 and source port 10416 (as shown in the packet capture), and
• Another phone with source IP 194.90.147.14 and source port 10417.

As a result, all internal phones are registered successfully on the server.