ScreenOS Firewalls (NOT SRX)
Visitor
oZEEo
Posts: 9
Registered: 11-15-2011

NetScreen 25 with VoIP/SIP


Hello all.

I have an IP PBX/SIP server with a SIP trunk that does not register. This server is in my LAN and I believe that my settings in the NetScreen are blocking this registration.

This is my current setup on my NetScreen 25 running firmware 5.4.0r14.0 (Firewall+VPN):

 

Interfaces:

Interface | Zone        | IP address        | Mode
eth0      | trust/LAN   | 192.168.3.254/24  | NAT
eth3      | untrust/WAN | XX.XX.XX.202/29   | Route

 

All MIPs are done on eth3 interface, including the one for my PBX. IP address of xx.xx.xx.205 is assigned to my PBX on 192.168.3.61.

 

Policies:

Trust > Untrust
Source: 192.168.3.61/32 | Destination: Any | Service: SIP/VoIP | NAT: Source Translation | Logging enabled

Untrust > Trust
Source: Any | Destination: MIP(xx.xx.xx.205) | Service: SIP/VoIP | Logging enabled

 

In my Trust > Untrust logs I do not see anything, as I think a higher-up policy (LAN > ANY) is being used instead. How can I place this policy higher than my LAN > ANY to make sure my NAT Source Translation is used?

 

Secondly, this is what I am getting in my Untrust > Trust policy logs.

 

Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent/Received (run together in the original) | Close Reason
2012-02-24 01:06:01 | 87.211.128.138:50147 | xx.xx.xx.205:5060 | 87.211.128.138:50147 | 192.168.3.61:5060 | SIP | 21 sec. | 2060 | Close - AGE OUT
2012-02-24 01:05:57 | 87.211.128.138:50196 | xx.xx.xx.205:80 | 87.211.128.138:50196 | 192.168.3.61:80 | HTTP | 5 sec. | 16704951 | Close - TCP FIN
2012-02-24 01:05:51 | 87.211.128.138:50171 | xx.xx.xx.205:80 | 87.211.128.138:50171 | 192.168.3.61:80 | HTTP | 4 sec. | 16696708 | Close - TCP FIN

 

What could be the reason for this?

Visitor
routeme
Posts: 7
Registered: 02-25-2012

Re: NetScreen 25 with VoIP/SIP


No expert here and I posted this info in my thread too, but Juniper seems to imply that policy based NAT must be used for VOIP.

 

See #2: [Bidirectional] How to configure one-to-one, bi-directional NAT (MIPs and other NAT combinations)

 

Important:  Use Policy-based NAT vs Interface-based NAT for VoIP traffic.

Visitor
oZEEo
Posts: 9
Registered: 11-15-2011

Re: NetScreen 25 with VoIP/SIP


Dear routeme, I had a look at these items and the supplementary material such as

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11909

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11911

 

As far as I understand, basically what this says is that if your communication is bidirectional you should use a MIP. Furthermore, on the Trust > Untrust policy NAT Source Translation should be enabled, and this has been done in my setup.

 

As I mentioned above, my policy for Trust > Untrust was under a general policy which overrules this policy, and I did not see anything in the log. I just moved my Trust > Untrust policy to the top and I am getting this data in my log:

 

Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent/Received (run together in the original) | Close Reason
2012-02-27 17:10:17 | 192.168.3.61:5060 | 204.11.192.23:5060 | xx.xx.xx.205:5060 | 204.11.192.23:5060 | SIP | 79 sec. | 35760 | Close - AGE OUT
2012-02-27 17:09:57 | 192.168.3.61:5060 | 204.11.192.22:5060 | xx.xx.xx.205:5060 | 204.11.192.22:5060 | SIP | 79 sec. | 35760 | Close - AGE OUT
2012-02-27 17:09:37 | 192.168.3.61:5060 | 204.11.192.39:5060 | xx.xx.xx.205:5060 | 204.11.192.39:5060 | SIP | 79 sec. | 35760 | Close - AGE OUT

 

Any idea why I am getting the Close - AGE OUT message?
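The policy-ordering problem raised in both of oZEEo's posts above (the PBX's NAT-source SIP policy sitting under a broader LAN > ANY policy, fixed by moving it to the top), modelled as an added example that is not part of the thread; the rulebase, the 192.168.3.0/24 source assumed for LAN > ANY, and the function names are assumptions, not an exported ScreenOS config.

```python
# Added example, not from the thread: ScreenOS-style first-match policy lookup
# within one zone pair (Trust -> Untrust) plus a check for policies fully
# shadowed by an earlier, broader one.  The rulebase is CONSTRUCTED from the
# poster's description; "LAN > ANY" is assumed to be source 192.168.3.0/24
# (the eth0 Trust network), any destination, any service.
from ipaddress import ip_address, ip_network

ANY = "Any"

def _covers(entry, ip):
    """Does an address-book entry (CIDR or Any) match a single IP?"""
    return entry == ANY or ip_address(ip) in ip_network(entry, strict=False)

def _contains(outer, inner):
    """Is every address of `inner` also covered by `outer`?"""
    if ANY in (outer, inner):
        return outer == ANY
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def first_match(rulebase, src_ip, dst_ip, service):
    """First policy, top-down, whose src/dst/service tuple matches the flow.
    Only that policy's settings (here: NAT-src) are applied to the session."""
    for pol in rulebase:
        if (_covers(pol["src"], src_ip) and _covers(pol["dst"], dst_ip)
                and pol["service"] in (ANY, service)):
            return pol
    return None

def shadowed(rulebase):
    """(policy, shadowing policy) pairs where an earlier policy covers every
    flow the later one describes, so the later one can never be hit."""
    result = []
    for idx, pol in enumerate(rulebase):
        for earlier in rulebase[:idx]:
            if (_contains(earlier["src"], pol["src"])
                    and _contains(earlier["dst"], pol["dst"])
                    and earlier["service"] in (ANY, pol["service"])):
                result.append((pol["name"], earlier["name"]))
                break
    return result

# Constructed rulebase in the order the poster first had it (specific SIP
# policy with NAT-src below the broad LAN > ANY policy).
ORIGINAL = [
    {"name": "LAN > ANY", "src": "192.168.3.0/24", "dst": ANY, "service": ANY, "nat_src": False},
    {"name": "PBX SIP", "src": "192.168.3.61/32", "dst": ANY, "service": "SIP", "nat_src": True},
]
REORDERED = [ORIGINAL[1], ORIGINAL[0]]  # PBX policy moved to the top, as the poster did
```

With the original order, a SIP flow from 192.168.3.61 to the trunk matches LAN > ANY and leaves without the NAT-src translation; `shadowed(ORIGINAL)` reports the PBX policy as unreachable, and the reordered rulebase has no shadowed entries.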

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: NetScreen 25 with VoIP/SIP

Hi,

 

This means that the voice gateway does not accept these sessions. This can also be a FW policy on the VOIP provider site.

ScreenOS 5.4 is a very, very old version and the NS25 cannot be upgraded to 6.x. I am sure that the SIP ALG will not work correctly. Try to disable the SIP ALG, create a custom SIP service and configure this policy with Application "Ignore".

Custom SIP service:

TCP src port 0-65535, dst port 5060; UDP port range depends on the vendor!

Also open the SIP access from 204.11.192.23 to your IP PBX.

And, you are right, a MIP is the best choice for this environment.

Kind regards,
Edouard
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.