NetScreen

Re: [nn] NAT -> SIP Issues

To: nn@qorbit.net
Subject: Re: [nn] NAT -> SIP Issues
From: "Pavel Lunin" <plunin@gmail.com>
Date: Thu, 1 Feb 2007 02:59:25 +0300
In-reply-to: <45C11365.8030407@klasa.se>
References: <20070131211034.GA38151@infiltrated.net> <45C11365.8030407@klasa.se>

Not only yours, John :)
Actually, a SIP ALG is only needed in the case of a stupid client which can't work around NAT by itself. Today's clients almost all can do it. Both trying to cheat each other, the SIP ALG and the client disturb the normal way of working.

So usually it's normal to say

unset alg sip

Keep in mind that ScreenOS 5.1 (or maybe even 5.2) and older don't give a tip for 'set sip ?' for some reason. So don't be afraid, just say 'unset alg sip' :)

To get SIP telephony working properly, you usually need to configure policies for RTP if the two sides of a call may be situated on different sides of the NetScreen. RTP uses the UDP protocol, but it's quite crazy with port numbers. First, the ports depend on your SIP client. Second, when you say 'a port' for RTP, you mean the source port, not the destination.

So for example if you use X-Lite, you should say something like

set service "RTP_XLITE" protocol udp src-port 8000-8001 dst-port 1-65535

and then use RTP_XLITE in a policy:

set pol from trust to untrust sip-clients sip-pbx RTP_XLITE permit

I hope that's it.

--
Regards,
Pavel

2007/2/1, John Klasa <john@klasa.se>:

My experience shows that the SIP ALG is not working in all cases. Try to
turn the SIP ALG off.

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
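An added example, not from the original post or from Juniper/NetScreen: a small Python script that parses the SDP body of a SIP INVITE from a softphone behind NAT, lists the RTP/RTCP ports the client will send media FROM (which is why the post's service definition uses src-port, not dst-port), generates the matching ScreenOS `set service` / `set policy` lines, and shows what a SIP ALG does to that SDP on the way out, including the Content-Length fix-up. The INVITE, the address-book names `sip-clients` and `sip-pbx` (taken from the post), the public address 203.0.113.5 and the NAT port mapping are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the original post): an INVITE from an
# X-Lite-like softphone at a private address behind the NetScreen.
SDP_BODY = (
    "v=0\r\n"
    "o=- 1234 1234 IN IP4 192.168.1.20\r\n"
    "s=X-Lite\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0 8 101\r\n"
    "a=rtcp:8001\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@sip-pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

# RFC 1918 space: an address here is unreachable from the far side of the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_sip(message):
    """Split a SIP message into (lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_sdp(body):
    """Extract the connection address and each media stream's port(s)."""
    sdp = {"connection": None, "media": []}
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            sdp["connection"] = line[len("c=IN IP4 "):].strip()
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            sdp["media"].append({"kind": kind, "port": int(port),
                                 "proto": proto, "rtcp": None})
        elif line.startswith("a=rtcp:") and sdp["media"]:
            # media-level attribute: it belongs to the most recent m= line
            sdp["media"][-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    return sdp


def rtp_ports(sdp):
    """Ports this client sends media FROM: each m= port plus its RTCP port
    (explicit a=rtcp, otherwise the RFC 3550 convention of port + 1)."""
    ports = set()
    for m in sdp["media"]:
        ports.add(m["port"])
        ports.add(m["rtcp"] if m["rtcp"] is not None else m["port"] + 1)
    return sorted(ports)


def needs_nat_traversal(sdp):
    """True while the SDP still carries a private address: either the client
    (STUN) or the firewall (SIP ALG) has to rewrite it, but not both."""
    addr = ipaddress.ip_address(sdp["connection"])
    return any(addr in net for net in RFC1918)


def screenos_rtp_service(name, ports):
    """ScreenOS service matching the client's RTP/RTCP range as SOURCE ports
    and any destination port, as the post's RTP_XLITE line does."""
    return (f'set service "{name}" protocol udp '
            f"src-port {min(ports)}-{max(ports)} dst-port 1-65535")


def screenos_policy(service, src="sip-clients", dst="sip-pbx"):
    """Policy using that service; the address-book names are assumed."""
    return f"set policy from trust to untrust {src} {dst} {service} permit"


def alg_rewrite(message, public_ip, port_map):
    """What a SIP ALG does to the SDP on its way out: replace the private
    connection address with the firewall's public one and each media port
    with its NAT mapping (ports missing from port_map are left alone), then
    recompute Content-Length so the far end reads the whole new body."""
    head, _, body = message.partition("\r\n\r\n")
    sdp = parse_sdp(body)
    body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {public_ip}", body, flags=re.M)
    for m in sdp["media"]:
        body = re.sub(rf"^(m={m['kind']} ){m['port']}\b",
                      rf"\g<1>{port_map.get(m['port'], m['port'])}", body, flags=re.M)
        if m["rtcp"] is not None:
            body = re.sub(rf"^a=rtcp:{m['rtcp']}\b",
                          f"a=rtcp:{port_map.get(m['rtcp'], m['rtcp'])}", body, flags=re.M)
    head = re.sub(r"^Content-Length:\s*\d+", f"Content-Length: {len(body)}",
                  head, flags=re.M | re.I)
    return head + "\r\n\r\n" + body
```

Running `screenos_rtp_service("RTP_XLITE", rtp_ports(parse_sdp(split_sip(SAMPLE_INVITE)[1])))` reproduces the post's `set service "RTP_XLITE" ... src-port 8000-8001 dst-port 1-65535` line. After `alg_rewrite`, `needs_nat_traversal` is false, which is exactly the state a STUN-capable client already produces on its own; with the ALG left on, the same message gets rewritten twice, by the client and then by the firewall, which is the "cheating each other" situation the post describes.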