12-22-2011 01:09 AM
I want to configure static routes on our HDX 7000. This device is placed in our DMZ and uses H.323 for the Internet and SIP for a Lync server placed in our internal network. This means that I have to configure a default route to the Internet and a static route to our internal networks. But there are no configuration options to do this.
At the moment, I route all traffic over the external firewall. (The DMZ is surrounded by two firewalls, one on the edge to the Internet and another one on the edge to the internal networks.) But this is a big overhead for the rulebase, and all traffic, even the internal traffic, runs over the external firewall.
So, is there a trick or a regular option to configure static routing on an HDX 7000 device?
Thank you for your help, Rafaelo
Sorry, English isn't my native language.
12-22-2011 07:10 AM
It may be a NAT issue.
Here’s how I explain the function:
If "NAT is H323 compatible" is checked, the unit is putting the ‘real’ (internal) IP address at both layer 3 and layer 7 of the packet.
If it is unchecked, the unit puts the ‘real’ IP address in L3 and the WAN IP in L7 of the packet.
"NAT is compatible" is extremely close, in real-world function, to having no NAT settings at all. When it is checked, the unit is depending on the firewall to intercept the packets and do the L3 NAT (change internal IP to external IP and vice versa), as well as open the payload of the packet, determine if there is anything ‘to do’ (such as determining whether it is an H245 packet and altering the IP address/port numbers contained therein), and do whatever is necessary.
When not checked, the codec has the simple thought process of: “the firewall here is dumb, so I have to put the WAN IP in the payload part so this call will work.”
The layer 3 part of the packet, regardless of the NAT settings, is the same, as it would not work otherwise.
The "NAT is H323 compatible" setting is found in the Firewall section of the IP Network config section in the HDX Admin tools.
Sr. Product Support Technician
12-24-2011 12:31 AM
I think we misunderstood each other. I spoke only about layer 3 and about the routing of the IP packet. I have no NAT problem, and I understood what you explained in your response.
The problem I have affects all IP traffic, e.g. ping, SIP, HTML, H.323, DNS, NTP ...
I can configure a default route on our HDX, but I can't configure additional static routes. On each Windows machine you can see the configured routes with the following command:
This command shows you the default route. This default route can be configured with the web interface on an HDX too.
Then you can configure additional static routes on a Windows machine with the following command:
route add -p 10.10.10.0 mask 255.255.255.0 192.168.10.1
There is no possibility to configure something like this on an HDX. But I can't believe that it isn't possible in general. Every Linux, Windows, Unix machine, nearly every device with an Ethernet interface and a Linux system, has the possibility to configure these static routes. Therefore, I hope that there is a chance to do this on an HDX too.
So my question is whether you know how to configure these static routes on an HDX. Maybe you know a trick, or a special process a support technician can execute on our HDX.
I need these static routes because I want to avoid routing internal traffic through our external firewall or vice versa. We are a company that needs no more than one HDX. We use this HDX for internal Lync conferences and for external H.323 conferences. Therefore we placed the HDX in our DMZ.