Supported MGCP Topologies and NAT Support

For complete information on NAT configuration, see the R81 Security Management Administration Guide.

The Security Gateway supports the MGCP deployments listed in the table. NAT is not supported on IP addresses behind an external Security Gateway interface.

| Supported MGCP Topology | Supports No NAT | Supports NAT for Internal Phones - Hide/Static NAT | Description |
|---|---|---|---|
| Call Agent in External Network (see MGCP Rules for a Call Agent in the External Network) | Yes | Yes | The IP phones use the services of a Call Agent on the external side of the Security Gateway. This enables the use of a Call Agent that is maintained by another organization. You can configure Hide NAT, Static NAT, or No-NAT for the phones on the internal side of the Security Gateway. |
| Call Agent in the DMZ (see Sample MGCP Rules for a Call Agent in DMZ) | Yes | No | The same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations. |
| Call Agent to Call Agent (see Sample MGCP Rules for a Call Agent to Call Agent) | Yes | No | Each Call Agent controls a separate endpoint domain. When there is one or more Call Agents, the signaling passes through each Call Agent. Once the call has been set up, the media can pass endpoint to endpoint. |

Notes - The following exceptions apply when you use MGCP with NAT:

  • Manual NAT rules are not supported. You must use Automatic NAT.

  • If only one endpoint is NAT enabled, calls cannot be made from an external source to two endpoints on the trusted side of a Security Gateway.

  • Bidirectional NAT of VoIP calls is not supported.

Sample MGCP Packet Before NAT

This packet capture shows an MGCP packet from a phone with IP address 194.90.147.53 and source port 2427, which is the default MGCP port.

Frame 19 (129 bytes on wire, 129 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 69:31:65:74:68:31
Internet Protocol, Src Addr: 194.90.147.53 (194.90.147.53), Dst: 67.130.192.131 (67.130.192.131)
User Datagram Protocol, Src Port: 2427 (2427), Dst Port: 2727 (2727)
Media Gateway Control Protocol
   verb: NTFY
   Transaction ID: 22
   Endpoint: d001@00064ab42c2
   Version: MGCP 1.0
   The response to this request is in frame 57
   Parameters
     NotifiedEntity (N): cs@[67.130.192.131]:2727
     RequestIdentifier (x): 83ec66591c69
     ObservedEvents (o): L/hd

Sample MGCP Packet After Hide NAT When Option is Disabled

The packet capture below shows the MGCP packet after Hide NAT, with the "Hide NAT changes source port for MGCP" option disabled.

The IP address is translated to the Hide NAT address of 194.90.147.14, but the source port 2427 is unchanged.

Frame 16 (129 bytes on wire, 129 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 4f:62:65:74:68:30
Internet Protocol, Src Addr: 194.90.147.14 (194.90.147.14), Dst: 67.130.192.131 (67.130.192.131)
User Datagram Protocol, Src Port: 2427 (2427), Dst Port: 2727 (2727)
Media Gateway Control Protocol
   verb: NTFY
   Transaction ID: 13
   Endpoint: d001@000364ab42c2
   Version: MGCP 1.0
   The response to this request is in frame 23
   Parameters
     NotifiedEntity (N): cs@[67.130.192.131]:2727
     RequestIdentifier (x): 83ec66591c69
     ObservedEvents (o): L/hd

In this environment, all the internal phones are registered with the same source IP, 194.90.147.14, and the default MGCP source port, 2427.

Some MGCP servers can register a phone with only one IP address and port combination. As a result, only one of the phones behind that IP address will be registered successfully on the server.
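The check below is an added example, not Check Point code: it parses MGCP command lines seen on the external side of the gateway and reports every post-NAT source IP and port pair that more than one endpoint shares, which is the condition that breaks registration on such servers. The second endpoint name, the ports 10001 and 10002, and the assumption that enabling the option gives each phone a distinct source port are constructed for illustration.

```python
import re
from collections import defaultdict

# MGCP command line (RFC 3435): verb, transaction ID, endpoint name, version.
CMD_RE = re.compile(r"^([A-Z]{4}) (\d+) (\S+) MGCP (\d+\.\d+)")

def parse_mgcp_command(payload):
    """Parse an MGCP command; return None for responses or non-MGCP text."""
    lines = payload.strip().splitlines()
    m = CMD_RE.match(lines[0]) if lines else None
    if not m:
        return None
    params = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip().upper()] = value.strip()
    return {"verb": m.group(1), "txid": int(m.group(2)),
            "endpoint": m.group(3), "version": m.group(4), "params": params}

def find_shared_sources(packets):
    """Map each post-NAT (src IP, src port) to the endpoints behind it and
    return only the pairs that more than one endpoint shares."""
    seen = defaultdict(set)
    for src_ip, src_port, payload in packets:
        cmd = parse_mgcp_command(payload)
        if cmd:
            seen[(src_ip, src_port)].add(cmd["endpoint"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def ntfy(txid, endpoint):
    # Constructed NTFY modelled on the capture above.
    return (f"NTFY {txid} {endpoint} MGCP 1.0\n"
            "N: cs@[67.130.192.131]:2727\nX: 83ec66591c69\nO: L/hd\n")

HIDE_IP = "194.90.147.14"
PHONES = ["d001@000364ab42c2", "d001@0003aabbccdd"]  # second name is constructed

# Option disabled: every phone leaves the gateway from source port 2427.
PORT_KEPT = [(HIDE_IP, 2427, ntfy(13 + i, ep)) for i, ep in enumerate(PHONES)]
# Option enabled (assumed behaviour): one source port per phone, values constructed.
PORT_CHANGED = [(HIDE_IP, 10001 + i, ntfy(13 + i, ep)) for i, ep in enumerate(PHONES)]

if __name__ == "__main__":
    print("option disabled:", find_shared_sources(PORT_KEPT))
    print("option enabled: ", find_shared_sources(PORT_CHANGED))
```

A non-empty result means several phones present the same address and port to the Call Agent, so a server that keys registrations on that pair keeps only one of them.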