ScreenOS Firewalls (NOT SRX)
Visitor
PlusIT
Posts: 6
Registered: 07-07-2010

Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

Hi

I'm in the process of testing a Juniper SSG5 in combination with a hardware VoIP phone (Linksys SPA922) and a hosted PBX in the untrust zone.  I need to use the SIP ALG function.

I have only one public ip which is bound to the untrust port.
The phone has an internal ip 172.16.2.11 and the trust gateway is 172.16.2.1.

When I just create two policies that allow any traffic from trust to untrust and vice versa and set up the phone, I see that the PBX gets an internal IP address in the SIP requests.
What I did then was activate source translation from trust to untrust.  This fixed the IP issue: the PBX now gets my untrust IP in the SIP requests.

But now we see that the source port is constantly changing and I need to keep that port fixed.  How do I do this?  I tried to make an IP pool on my untrust interface and uncheck port translation, but it gives me an "invalid parameter" (it doesn't give me that message when making an IP pool with my untrust WAN IP outside the range).

Is there a way to force the port to be static without the need of a second public IP?

Contributor
joekim1113
Posts: 45
Registered: 08-07-2008

Re: Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

Try disabling the SIP ALG; the ALGs only work with specific phones/applications.

Try 'fix-port'.

JNCIS-ES
JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-UAC
JNCIA-EX
JNCIA-IDP
Juniper Elite Partner Enterprise Solutions Provider & Service Provider Infrastructure
Operate & Implement Specialist
www.novadatacom.com

Hit the Kudos button if my info helps. :smileyhappy:
and if this worked for you please flag my post as an "Accepted Solution" so others can benefit.
Visitor
PlusIT
Posts: 6
Registered: 07-07-2010

Re: Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

That's the problem. The VoIP provider specifically asked for the SIP ALG to be used.

Distinguished Expert
spuluka
Posts: 2,567
Registered: 03-30-2009

Re: Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

Joe Kim is correct.  You just might need the ALG to be off.  I've found that SIP ALG is a standard that is not really standard.  I've used three different manufacturers' firewalls in VoIP setups over the years, and they all had this same issue.  You really can't be sure if it should be on or off until the equipment is installed and tested.

Sometimes it works with the ALG on.

Sometimes it works with the ALG off.

Maybe someone with more experience with VoIP can say why, but that's been my practical experience on the ground. Just try it both ways and see what works.

If neither works, then open a case with JTAC and they will help you figure it out.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

Hi!

The modern IPBX devices are NAT-aware and often do not need any "support" from the firewall in the middle. I observed how the SIP ALG was modifying the packet payload while the communicating systems did not need it. The result was a unidirectional voice flow. I also had to select Application "Ignore" in the FW policy in addition to disabling the ALG. The release was, as far as I remember, ScreenOS 5.4.

Kind regards,

Edouard
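Putting the two suggestions in this thread side by side (Joe Kim's fix-port DIP pool, and Edouard's ALG-off plus Application "Ignore" policy) as an added ScreenOS CLI example; it is not from the thread or from Juniper's documentation. Assumed values: the untrust interface is ethernet0/0 with the documentation address 203.0.113.10, the DIP pool uses 203.0.113.11, the policy id is 10 and the DIP id is 4; the command syntax is written from memory of ScreenOS 5.4/6.x and is itself an assumption.

```text
# Variant A: keep the SIP ALG (as the provider asked) but stop the source port
# from changing. A fix-port DIP pool translates the source address without
# translating the source port, so the phone's SIP port (5060 on the SPA922)
# stays the same on the untrust side. The pool here uses a separate public
# address (203.0.113.11) rather than the interface IP itself, which is what
# the original poster saw rejected as "invalid parameter".
set interface ethernet0/0 dip 4 203.0.113.11 203.0.113.11 fix-port
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "SIP" nat src dip-id 4 permit

# Variant B: let the NAT-aware phone handle NAT itself. Disable the SIP ALG
# globally and mark the policy so the firewall does not try to match the
# session to an application-layer gateway at all (the CLI form of selecting
# Application "Ignore" in the WebUI).
unset alg sip enable
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 10 application ignore

# After either change, confirm which path a registration actually takes:
# the session table shows the translated address:port of the phone's flow.
get session src-ip 172.16.2.11
```

Only one variant should be active at a time; the session table check shows whether the translated source port stays constant across re-registrations, which is the symptom the thread is about.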
Visitor
PlusIT
Posts: 6
Registered: 07-07-2010

Re: Juniper SSG5 - SIP problem - how to keep the NAT port translation fixed

Thank you for these tips.  The VoIP provider specifically asked for the SIP ALG function.  I'm at the location this afternoon to do some extra testing; let's hope I can get it to work, and I'll come back to this afterwards.