07-07-2010 07:21 AM
I'm in the process of testing a Juniper SSG5 in combination with a hardware VoIP phone (Linksys SPA922) and a hosted PBX in the untrust zone. I need to use the SIP ALG function.
I have only one public IP, which is bound to the untrust port.
The phone has an internal IP 172.16.2.11 and the trust gateway is 172.16.2.1.
When I just create two policies that allow any traffic from trust to untrust and vice versa and set up the phone, I see that the PBX gets an internal IP address in the SIP requests.
What I did then was activate source translation from trust to untrust. This fixed the IP issue: the PBX now gets my untrust IP in the SIP requests.
But now we see that the source port is constantly changing, and I need to keep that port fixed. How do I do this? I tried to make an IP pool on my untrust interface and uncheck port translation, but it gives me an "invalid parameter" error (it doesn't give me that message when making an IP pool with my untrust WAN IP outside the range).
Is there a way to force the port to be static without the need for a second public IP?
07-07-2010 10:34 AM
Try disabling the SIP ALG; the ALGs only work with specific phones/applications.
Juniper Elite Partner Enterprise Solutions Provider & Service Provider Infrastructure
Operate & Implement Specialist
Hit the Kudos button if my info helps.
and if this worked for you please flag my post as an "Accepted Solution" so others can benefit.
07-08-2010 04:22 AM
Joe Kim is correct. You just might need the ALG to be off. I've found that SIP ALG is a standard that is not really standard. I've used three different manufacturers' firewalls in VoIP setups over the years, and they all had this same issue. You really can't be sure if it should be on or off until the equipment is installed and tested.
Sometimes it works with the alg on.
Sometimes it works with the alg off.
Maybe someone with more experience with VoIP can say why, but that's been my practical experience on the ground. Just try it both ways and see what works.
If neither works, then open a case with JTAC and they will help you figure it out.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6
07-08-2010 05:29 AM
The modern IPBX devices are NAT-aware and often do not need any "support" from the firewall in the middle. I observed how the SIP ALG was modifying the packet payload while the communicating systems did not need it. The result was a unidirectional voice flow. I also had to select Application "Ignore" in the FW policy in addition to disabling the ALG. The release was, as far as I remember, ScreenOS 5.4.
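To make the two symptoms in this thread concrete (the internal address leaking into the SIP request in the first post, and the ALG rewriting a payload that a NAT-aware PBX did not need rewritten in the post above), here is an added example that is not part of the thread or of any Juniper code. It parses a constructed INVITE, reports RFC 1918 addresses in the headers and SDP body, and applies an ALG-style rewrite so you can compare what the far end sees before and after; the PBX host name, branch tag, public address and port numbers are made-up placeholders.

```python
import ipaddress
import re

# Constructed sample INVITE as a phone behind NAT sends it; the private address
# is the one from the thread, the PBX host name and branch tag are placeholders.
SAMPLE_INVITE = (
    "INVITE sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.16.2.11:5060;branch=z9hG4bKexample\r\n"
    "Contact: <sip:phone@172.16.2.11:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 172.16.2.11\r\n"
    "c=IN IP4 172.16.2.11\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_addresses(msg):
    """RFC 1918 addresses anywhere in the message, headers and SDP body alike.
    Non-empty means the far end is handed the phone's internal address."""
    found = set()
    for token in IPV4.findall(msg):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:
            continue
        if any(ip in net for net in RFC1918):
            found.add(str(ip))
    return found

def alg_style_rewrite(msg, private_ip, public_ip, sig_port, rtp_port):
    """Approximate what a SIP ALG does on top of source NAT: rewrite the
    private address in Via/Contact and in the SDP o=/c= lines to the public
    address, and point the signalling and media ports at the NAT pinholes."""
    head, sep, body = msg.partition("\r\n\r\n")
    head = re.sub(rf"{re.escape(private_ip)}:\d+", f"{public_ip}:{sig_port}", head)
    head = head.replace(private_ip, public_ip)
    body = body.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
    body = re.sub(r"^(m=audio )\d+", rf"\g<1>{rtp_port}", body, flags=re.M)
    return head + sep + body

def sdp_connection_address(msg):
    """Address the far end will send RTP to (the SDP c= line), or None."""
    m = re.search(r"^c=IN IP4 (\S+)", msg, flags=re.M)
    return m.group(1) if m else None
```

If the phone or PBX already fills in the public address itself, running the same rewrite over its output changes nothing useful and, when ports differ, can send RTP to the wrong pinhole, which is the one-way audio case described above.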
07-16-2010 01:30 AM
Thank you for these tips. The VoIP provider specifically asked for the SIP ALG function. I'm at the location this afternoon to do some extra testing; let's hope I can get it to work, and I'll come back to this afterwards.