Odd problem

Genx87

Lifer
Apr 8, 2002
41,091
513
126
In our small office we have a DSL router, Netscreen firewall, DC, Term server, and about 15 clients. The clients are given an unroutable network of 10.0.0.0 and 10.0.1.0 for our remote office. We have a VPN set up between our remote and home office.

The problem I have isn't internal but external. I can get NetMeeting to connect from within our office to any location I feel except for this one guy's address. This one guy is a contractor we use for doing some support issues with Outlook CRM. It is really odd because I have no problem getting out to any address but his. And I can connect to his address from another computer outside of our network. I can also connect to his address from our terminal server which has a public IP and private IP.

I thought it was a firewall issue but since I can get out to multiple addresses without a problem I don't think it is. I have looked through the firewall and can't find any rules that would block his address.

Any ideas or suggestions on where I should go next? I thought maybe it is a routing issue with our ISP. Does that make sense?

It is so odd and irritating at the same time. Any suggestions will be much appreciated.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Possible network address translation on his end.

NetMeeting doesn't work with NAT/PAT unless the NAT/PAT device actively supports it.
 

Genx87

He is on a DMZ and I can get to him from my home address. That is what makes this so weird.

It is like for whatever reason my network can't get to his.

 

spidey07

Originally posted by: Genx87
He is on a DMZ and I can get to him from my home address. That is what makes this so weird.

It is like for whatever reason my network can't get to his.

You have a double NAT going on. DMZ doesn't matter, it's all in the capabilities of the respective NAT devices.
 

Genx87

Shouldn't a DMZ give the internal machine an external address?

What kind of capabilities do the devices need? This worked at one point but then we switched ISPs and it stopped working.

Thank you for helping me.
 

spidey07

Well, it's been a while since I've had to troubleshoot this kind of problem.

IIRC H.323 (the protocol used) negotiates another port to use for conferencing. This means if there is NAT anywhere in the path it will break and not work.

Fortunately "smart" NAT devices know how to handle H.323 and make the appropriate modifications to the packets.

So if all worked well before you switched ISPs then you can pretty much discount any client/client configurations (NAT routers, etc.) and look to the ISP. SOME ISPs will do NAT on their network and wreak havoc for things like NetMeeting and IPsec.

Call the ISP?

Also do a search for "h.323 nat netmeeting"; this of course is assuming NetMeeting still uses H.323. Like I said, I haven't looked at it in a while so I really don't know.
 

Genx87

Yeah, it does, and the firewall is set up to forward those ports.

One thing I am digging into is to see if before the move the clients didn't have a routable address and after the move they ended up with a NAT address.

I wasn't actually here for the move so I have to gather more information.

I thank you for helping me so far ;)

 

spidey07

Just make sure you know that forwarding ports WILL NOT fix the problem with H.323 and NAT.

H.323 negotiates port numbers in the application layer (layer 7), and NAT devices don't normally inspect layer 7 to allow the communication to come through. That's what I'm talking about when I say NAT will break H.323 - no matter what ports you forward.

Whether or not the NAT device/firewall supports H.323 is totally up to the firewall/NAT device.
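
The behaviour described in the replies above, as an added example that is not part of the original thread: a simplified model in which the address a caller advertises inside the H.323 payload is only rewritten by an H.323-aware NAT. The class names, addresses and ports are constructed for illustration, and the embedded address is a plain field here rather than real ASN.1-encoded H.323 signalling.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: tuple         # (ip, port) in the IP/TCP header
    dst: tuple
    media_addr: tuple  # (ip, port) advertised inside the H.323 payload (layer 7)

@dataclass
class Nat:
    public_ip: str
    h323_aware: bool = False
    table: dict = field(default_factory=dict)  # public (ip, port) -> inside (ip, port)
    next_port: int = 40000

    def _map(self, inside):
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[public] = inside
        return public

    def outbound(self, pkt):
        src = self._map(pkt.src)               # every NAT rewrites the header
        media = pkt.media_addr
        if self.h323_aware:                    # only an H.323-aware NAT reads layer 7:
            media = self._map(media)           # rewrite the payload and open a mapping
        return Packet(src, pkt.dst, media)

    def inbound(self, dst):
        return self.table.get(dst)             # None: no mapping, packet is dropped

CALLER_MEDIA = ("10.0.0.25", 49608)            # constructed: dynamically negotiated port

def media_reaches_caller(nats):
    """Send call setup out through nats (innermost first), then route media back."""
    pkt = Packet(("10.0.0.25", 1050), ("203.0.113.9", 1720), CALLER_MEDIA)
    for nat in nats:
        pkt = nat.outbound(pkt)
    target = pkt.media_addr                    # where the far end sends media
    for nat in reversed(nats):
        target = nat.inbound(target)
        if target is None:
            return False
    return target == CALLER_MEDIA

if __name__ == "__main__":
    office = lambda aware: Nat("100.64.0.7", aware)
    print("plain NAT:", media_reaches_caller([office(False)]))
    print("H.323-aware NAT:", media_reaches_caller([office(True)]))
    print("aware office + plain ISP NAT:",
          media_reaches_caller([office(True), Nat("198.51.100.1")]))
```

In this model a static forward of the signalling port changes nothing, because the far end still sends media to the private address and negotiated port carried in the payload.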