Thread: FW-1 and Asterisk PBX




FW-1 and Asterisk PBX
user name
2006-09-25 07:46:26
Hi there,

I've just configured an Asterisk PBX with some SIP phones connected to it on the LAN and an ISDN link. So far everything is working fine. But now I've tried to connect the PBX to an external SIP provider (sipgate.de in this case) through my VPN-1 NGX R61. I configured static NAT for the Asterisk machine, but the SIP registration fails all the time. I observed some strange behavior in the NAT. The SIP registration packet (source port 5060, destination port 5060) reaches the firewall, which changes the source port at the interior interface and then to another high port at the exterior interface. But the answer packet will not be translated correctly. This is what I see in fw monitor (n.n.n.n is my external IP address, 217.10.79.9 is the sipgate proxy):

eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060

eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973

So you can see, the answer packet does not get translated back to destination port 5060 and will not be accepted by the Asterisk machine (it answers with an ICMP port unreachable...).

Does anyone have a hint for me? There are no SmartDefense settings for SIP, and I tried to configure a VoIP Domain SIP Proxy rule with no success.

Thanks
Markus

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
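A small checker for the fw monitor trace in the post above, added here as an example and not code from the thread or from Check Point. It assumes the two-line record shape exactly as posted (an "iface:point[len]: src -> dst (proto)" line followed by a "UDP: sport -> dport" line), groups the four inspection points (i, I, o, O) into one transit per packet, records the translated 5-tuple of the outbound REGISTER as it leaves the gateway, and verifies that the matching reply is translated back to the address and port the Asterisk host originally sent from. Run on Markus's trace it reports both anomalies he describes: the source port rewritten at two inspection points (5060 -> 17973 at I, then -> 40625 at O) and the reply delivered to 172.17.1.167:17973 instead of :5060.

```python
"""Check a Check Point fw monitor trace for asymmetric UDP NAT.

Added example, not code from the thread or from Check Point. It parses the
trace Markus posted, groups the inspection points (i, I, o, O) into one
transit per packet, records the translated 5-tuple of the outbound REGISTER
and verifies that the reply is translated back to the port the Asterisk host
originally sent from.
"""
import re
from dataclasses import dataclass

# Trace lines copied from Markus's post; "n.n.n.n" is his masked external IP.
TRACE = """\
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060

eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
"""

# First line of each fw monitor record: "<iface>:<point>[len]: src -> dst (proto) ..."
HDR = re.compile(
    r"^(?P<iface>[\w.]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
)
# Second line of the record: "UDP: <sport> -> <dport>"
PORTS = re.compile(r"^UDP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")


@dataclass(frozen=True)
class Hop:
    iface: str
    point: str  # i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound
    src: str
    dst: str
    sport: int
    dport: int


def parse_trace(text):
    """Turn the two-line fw monitor records into Hop objects (UDP only)."""
    hops, pending = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            pending = m.groupdict() if m["proto"] == "UDP" else None
            continue
        m = PORTS.match(line)
        if m and pending is not None:
            hops.append(Hop(pending["iface"], pending["point"], pending["src"],
                            pending["dst"], int(m["sport"]), int(m["dport"])))
            pending = None
    return hops


def split_transits(hops):
    """One transit per packet: fw monitor shows a packet at i, I, o, O in
    order, so a new transit starts at every pre-inbound ('i') hop."""
    transits = []
    for h in hops:
        if h.point == "i" or not transits:
            transits.append([])
        transits[-1].append(h)
    return transits


def check_nat_symmetry(hops):
    """Return a list of findings; empty means every reply was translated
    back to the original source address and port of the packet it answers."""
    findings = []
    by_translated = {}  # 5-tuple as the packet left the gateway -> its original first hop
    for transit in split_transits(hops):
        first, last = transit[0], transit[-1]
        # A reply's arriving tuple is the mirror of an earlier packet's leaving tuple.
        mirror = (first.dst, first.dport, first.src, first.sport)
        if mirror in by_translated:
            orig = by_translated[mirror]
            if (last.dst, last.dport) != (orig.src, orig.sport):
                findings.append({
                    "kind": "reply_not_untranslated",
                    "expected": (orig.src, orig.sport),
                    "actual": (last.dst, last.dport),
                })
            continue
        # Outbound packet: the source should change at most once (original -> NATed).
        sources = []
        for h in transit:
            if (h.src, h.sport) not in sources:
                sources.append((h.src, h.sport))
        if len(sources) > 2:
            findings.append({"kind": "double_snat", "sources": sources})
        by_translated[(last.src, last.sport, last.dst, last.dport)] = first
    return findings


if __name__ == "__main__":
    for finding in check_nat_symmetry(parse_trace(TRACE)):
        print(finding)
```

A clean trace yields an empty list, so the same script can be re-run against a fresh fw monitor capture after each NAT or service change to confirm the return path is being untranslated before going back to the Asterisk logs.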
FW-1 and Asterisk PBX
user name
2006-09-25 10:12:16
This will NOT work as long as your local SIP proxy is behind a Check Point firewall, Juniper/NetScreen or Cisco PIX firewall. These vendors claim to be "SIP" compliant; however, it is not a guaranteed thing. For this to work properly, you would need something like a Session Border Controller (SBC) at the near end and far end.

I went through this a few months ago with something similar to Asterisk for a Juniper/NetScreen firewall.

HTH

Markus Hauke <markus@FAMILIE-HAUKE.DE> wrote:
  [...]

FW-1 and Asterisk PBX
user name
2006-09-26 15:47:10
Just wondering about your NAT rule: is it translating the source/dest ports, or are you using the originals? Are you using a static NAT where you have one external IP? If you have more than one external IP, use a specific one for the NAT.

You could also create a separate service for 5060, and under Advanced choose None as the protocol type. Then build a rule to allow your Asterisk to talk to the sipgate. I haven't tested any of this, but I've had to do protocol None on lots of things to get some stuff through the inspections. I believe SmartDefense also has some VoIP-specific checks; I suppose try disabling these as well, as most times SmartDefense checks override even when protocol type None is selected.

Derek O'Flynn
LSU Health Sciences Center
Enterprise Information Security
(504)628-4431 doflyn@lsuhsc.edu
 
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM]
On Behalf Of cisco4ng
Sent: Monday, September 25, 2006 5:12 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] FW-1 and Asterisk PBX

[...]

FW-1 and Asterisk PBX
user name
2006-09-28 01:36:24
Since you have Asterisk, you could always use a provider that uses IAX trunking and avoid the issue altogether ;)

-- 
Ted Serreyn               Phone: 262-432-0260  Fax: 262-432-0232
Serreyn Network Services, LLC            http://www.serreyn.com/

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM]
On Behalf Of cisco4ng
Sent: Monday, September 25, 2006 5:12 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] FW-1 and Asterisk PBX

[...]