NetScreen

Re: [nn] NAT -> SIP Issues

To: "J. Oquendo" <sil@infiltrated.net>
Subject: Re: [nn] NAT -> SIP Issues
From: John Klasa <john@klasa.se>
Date: Wed, 31 Jan 2007 23:08:37 +0100
Cc: nn@qorbit.net
List-id: "Netscreen mailing list for netscreen admins." <nn.qorbit.net>

My experience shows that the SIP ALG is not working in all cases. Try to
turn the SIP ALG off.

Regards, John

J. Oquendo wrote:
> Hey all... I'm trying to assist someone who is having issues with their NS20 
> but I don't understand enough about their topology to get them working 
> properly. So I have a quick question regarding SIP ;)
> 
> This is the relevant portion of their get config (at least pertaining to SIP)
> 
> set service "PBXtra" protocol udp src-port 0-65535 dst-port 5060-5060
> set service "PBXtra" + udp src-port 0-65535 dst-port 10000-51000
> set service "PBXtra" + udp src-port 0-65535 dst-port 4569-4569
> set alg sip app-screen unknown-message route permit
> set alg sip app-screen unknown-message nat permit
> set interface untrust ip 10.10.5.190/29
> set interface untrust nat
> set interface "untrust" mip 10.10.5.189 host 10.134.160.16 netmask 255.255.255.
> set interface "untrust" mip 10.10.5.188 host 10.134.160.10 netmask 255.255.255.
> set address Untrust "0.0.0.0/0" 0.0.0.0 0.0.0.0
> set policy id 6 name "PBXtra" from "Untrust" to "Trust"  "Any" "MIP(10.10.5.189)" "PBXtra" permit log
> set policy id 6 application "SIP"
> set policy id 6
> set service "SIP"
> 
> ... According to them, they cannot register phones from their location to the 
> PBX to ours...
> 
> They don't want to place their PBX in a DMZ, they want it doing NAT, and from 
> what I understand NAT+SIP is sketchy...
> 
> What's happening because of NAT is, when an outbound call goes out, the 
> Netscreen's IP address replaces everything in the SIP message:
> 
> From 10.10.5.188 --> Netscreen --> 10.10.5.189 --> PBX
> PBX 10.10.5.189  --> Netscreen ... Netscreen (And what am I to do with this!)
> 
> Is there a surefire implementation someone has used to get this working? TIA
> 

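Added example, not part of either message in the thread: a small Python check for the address rewriting discussed above. Given a SIP message captured on the untrust side, it reports which Via, Contact and SDP o=/c= fields carry the MIP address (10.10.5.189) and which still carry the internal host (10.134.160.16). The function names and the sample message are constructed for illustration.

```python
import re

# Address-bearing lines: SIP Via/Contact headers and SDP o=/c= lines.
FIELD_RE = re.compile(
    r"^(Via|Contact|o|c)\s*[:=][^\r\n]*?\b(\d{1,3}(?:\.\d{1,3}){3})\b",
    re.IGNORECASE | re.MULTILINE,
)

def audit_nat(message, internal_ip, mapped_ip):
    """Classify each address-bearing field of a SIP message captured on
    the outside (untrust side) of the NAT device."""
    report = []
    for field, addr in FIELD_RE.findall(message):
        if addr == mapped_ip:
            status = "translated"
        elif addr == internal_ip:
            status = "untranslated"  # far end cannot route back to this
        else:
            status = "other"
        report.append((field, addr, status))
    return report

def untranslated_fields(message, internal_ip, mapped_ip):
    """Names of the fields that still expose the internal address."""
    return [f for f, _, s in audit_nat(message, internal_ip, mapped_ip)
            if s == "untranslated"]

# Constructed sample, not a capture from the thread: signalling headers
# carry the MIP address, the SDP body still carries the internal host.
SAMPLE_OUTSIDE = (
    "INVITE sip:200@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.5.189:5060;branch=z9hG4bKexample\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:100@10.10.5.189:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.134.160.16\r\n"
    "c=IN IP4 10.134.160.16\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    for row in audit_nat(SAMPLE_OUTSIDE, "10.134.160.16", "10.10.5.189"):
        print("%-8s %-15s %s" % row)
```

Running the same check on captures taken with the SIP ALG on and off shows which fields the ALG itself is rewriting.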