02-25-2012 11:17 AM - edited 02-25-2012 11:21 AM
ISP --- |(Untrust) Netscreen 5GT (Home)| --- Obihai OBI100 VOIP device
Netscreen 5GT in Home-Work mode, VPN on Work, OBI100 on Home.
Only 1 dynamic IP address from ISP. Home is a private LAN, e.g. 192.168.5.x. The SIP server is on the Untrusted side.
I'm not sure how to properly configure the policies for SIP/VOIP to work reliably.
From what I understand so far:
1) ethernet2 (Home) must be in Route mode, not NAT.
2) Policy Home-to-Untrust with NAT enabled, any/any/ANY.
3) Policy Untrust-to-Home - not sure what this one should be, if I need to select any ALG, etc.
I'm also unsure if I need to configure anything else, such as VIP, MIP, DIP, etc.
02-27-2012 06:15 AM
I am also messing around with my NetScreen 25 to make it work with my IP PBX in my LAN. VoIP is no fun with NAT!
but routeme could you specify what are you exactly trying to do exactly? are you trying to connect your Obihai to register with your IP PBX/SIP server?
coming back to your questions
1. this depends on your setup but as far as i know (and i am no expert), this is the other way around. this is my setupright now: LAN/Trust (NAT MODE). WAN/Untrust (ROUTE)
2. Yes, make sure you have NAT Source Translation on.
3. Untrust > Trust should be from ANY > MIP (PUBLIC IP). for testing you can try to allow ANY servuce and once your setup works use SIP/VOIP service.
I would recomend you use MIP if you can, as things gets more difficult with VIP/DIP. you could try to make this work with MIP and then switch to DIP.
About ALG, try your setup with it on and off and many devices dont work with this option on. you also might want to have a look at Concepts & Examples, ScreenOS Reference Guide. here is the link for v5.3
02-27-2012 08:28 AM
yes policies should be created with NAT depending on the setup. But to be honest with you, with your setup: SIP server on the internet and your VoIP box inside your LAN; there should be no fancy configurations and MIPs ...! your VoIP box should just register with the SIP server.
Only a policy should be created to allow SIP/VOIP traffice from LAN to INTERNET. The rest should work out of the box, unless you are trying to do something else than what i think.
can you also post what is your current problem with your setup? are you able to register, if yes you are not able to place calls?? also please post what policies you have created!
02-27-2012 08:33 AM - edited 02-27-2012 08:37 AM
This is the problem I have:
I tried a simple policy Untrust-to-Home Any/Any/ANY and a Home-to-Untrust NAT Any/Any/ANY policy. I tried to apply what's described under "Case 1" for my config which is slightly different, my 5GT is in Home-Work mode, but I don't think that should make a difference.
Yes, it should be easy and it should work and it does if the OBI box is behind a Linksys router without any extra config. I'm not sure why the 5GT is giving me a hard time. Any pointers how to enable debug/logging maybe for specific traffic based on IP address so I can see what's getting blocked where?
02-27-2012 10:11 AM
oh i see. your netscreen is behind a Linksys modem/router. indeed i also saw this in your other post about bridging!
it is highly recommended that you do not have this setup of NAT after NAT. As in your case this setup creates many problems and is very complicated, as you are dealing with 2 NAT s.
is it not possible for you to have your Linksys in transparent mode? this transfers all packets directly to NetScreen and any firewalling can be done there. I have this setup myself and it works nicely. and to be honest i dont see why you would not be able to change your setup to this?
it is probably not impossible to get your VoIP box working with your current setup, but you will have a hard time. Specially with VoIP/SIP which is already a pain in the neck with one NAT. have you tried doing a port forwarding of all SIP/VoIP ports to your 5GT?
02-27-2012 10:14 AM - edited 02-27-2012 10:19 AM
For the purpose of this thread, there is no Linksys involved, the Netscreen is the only device that does NAT, the Untrust is connected straight to the ISP which issues 1 dynamic IP. See the diagram in the 1st post in the thread. I realize NATing twice can be a royal pain in general not only SIP.
Not sure whether the Home-Work mode of the 5GT does something strange. I cannot change the mode though, I need the Work zone for VPN to my office and that part is working fine. I'm on firmware 5.4.0r4.0 (Firewall+VPN) and I don't think I can update it, it's controlled by the office and I don't want to break my VPN.