Since you have asterisk, you could always use a provider that uses IAX
trunking and avoid the issue altogether ;)
--
Ted Serreyn Phone: 262-432-0260 Fax: 262-432-0232
Serreyn Network Services, LLC http://www.serreyn.com/
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: Monday, September 25, 2006 5:12 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] FW-1 and Asterisk PBX
This will NOT work as long as your local sip proxy is behind a checkpoint
firewall, Juniper/NetScreen or Cisco Pix firewall. These vendors claim to
be "sip" compliant; however, it is not a guaranteed thing. For this to work
properly, you would need something like Session Border Controller (SBC)
nearend and farend.
I've gone through a few months ago with something similar to Asterisk for
Juniper/Netscreen firewall.
HTH
Markus Hauke <markus AT FAMILIE-HAUKE DOT DE> wrote:
Hi there,
I've just configured an Asterisk PBX with some SIP-Phones connected to
it on the LAN and an ISDN link. So far everything is working fine. But
now I've tried to connect the PBX to an external SIP provider
(sipgate.de in this case) through my VPN-1 NGX R61. I configured static
NAT for the Asterisk machine, but the SIP registrations fail all the
time. I observed some strange behavior in the NAT. The SIP registration
packet (source port 5060, destination port 5060) reaches the firewall,
changes the source port at the interior interface and to another high
port at the exterior interface. But the answer packet will not be
translated correctly. This is what I see in fw monitor (n.n.n.n is my
external IP address, 217.10.79.9 is the sipgate proxy):
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060
eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
So you can see, the answer packet does not get translated back to
destination port 5060 and will not be accepted by the Asterisk machine
(it answers with an ICMP port unreachable...)
Has anyone a hint for me? There are no SmartDefense settings for SIP and
I tried to configure a VoIP Domain SIP Proxy rule with no success.
Thanks
Markus
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
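The port mismatch described in the original question can be checked mechanically. The following is an added example, not part of the thread: it parses the fw monitor lines quoted above and compares the address and port the client sent from with the address and port the reply is finally delivered to. The function names parse and check_reply_nat are made up for this illustration.

```python
import re

# fw monitor trace copied from the post (n.n.n.n is the redacted external IP).
TRACE = """\
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060
eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
"""

HDR = re.compile(r"\S+:([iIoO])\[\d+\]: (\S+) -> (\S+) \(\w+\) len=\d+ id=\d+$")
PORTS = re.compile(r"(?:UDP|TCP): (\d+) -> (\d+)$")

def parse(trace):
    """One dict per capture: inspection point (i/I/o/O), src and dst as (ip, port)."""
    lines = [l.strip() for l in trace.splitlines() if l.strip()]
    packets = []
    for hdr, ports in zip(lines[::2], lines[1::2]):
        h, p = HDR.match(hdr), PORTS.match(ports)
        if not (h and p):
            raise ValueError(f"unparseable capture: {hdr!r} / {ports!r}")
        packets.append({"point": h[1], "src": (h[2], int(p[1])), "dst": (h[3], int(p[2]))})
    return packets

def check_reply_nat(packets):
    """Compare what the client sent with where the firewall delivers the reply."""
    server = packets[0]["dst"]
    out = [p for p in packets if p["dst"] == server]   # request direction
    back = [p for p in packets if p["src"] == server]  # reply direction
    if not back:
        return {"reply_seen": False}
    client, on_wire = out[0]["src"], out[-1]["src"]
    return {"reply_seen": True, "client": client, "on_wire": on_wire,
            "delivered_to": back[-1]["dst"],
            "hit_nat_entry": back[0]["dst"] == on_wire,
            "restored": back[-1]["dst"] == client}
```

On this trace the reply arrives for the translated source (hit_nat_entry is true) but is delivered to port 17973 instead of 5060 (restored is false), which matches the ICMP port unreachable the poster reports.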