Screen OS


  • 1.  SSG5 multiple port forwarding.

    Posted 03-15-2012 09:31

    I am testing an SSG5 for use with our office. I am having some issues getting our remote-location phones to work at the office. The phone company is telling me I have a router issue, but I think I have everything right. I've checked multiple other posts.

     

    The ports I need forwarded are a mix of UDP and TCP. I found that when making a custom service you can add multiple entries in one service. Not sure if I did this right, though. Can someone please take a look at my config below to see whether I did this right or messed it up, before I call the phone people again? I'm just not sure I defined the services correctly.

     

    thanks!

     


    unset key protection enable
    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "Altigen" protocol tcp src-port 10032-10032 dst-port 10032-10032
    set service "Altigen" + tcp src-port 10064-10064 dst-port 10064-10064
    set service "Altigen" + udp src-port 5060-5060 dst-port 5060-5060
    set service "Altigen" + udp src-port 10060-10060 dst-port 10060-65535
    set service "Altigen" + udp src-port 49152-49212 dst-port 49152-49212
    unset alg sip enable
    unset alg mgcp enable
    unset alg sccp enable
    unset alg sunrpc enable
    unset alg msrpc enable
    unset alg xing enable
    unset alg talk enable
    unset alg rtsp enable
    unset alg rsh enable
    unset alg real enable
    unset alg appleichat enable
    unset alg appleichat re-assembly enable
    unset alg h323 enable
    unset alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "rds"
    set admin password "nAJaDBr4E36OcWVAOsLC9kDtN3OBCn"
    set admin user "Brad" password "nHQfJlrPHCiOcSSNasSLZUHtReBojn" privilege "all"
    set admin access lock-on-failure 15
    set admin http redirect
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "POS_VLAN"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    unset zone "POS_VLAN" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen syn-flood
    set zone "Trust" screen ip-spoofing
    set zone "Trust" screen ping-death
    set zone "Trust" screen land
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen limit-session source-ip-based
    set zone "Trust" screen syn-ack-ack-proxy
    set zone "Trust" screen block-frag
    set zone "Trust" screen limit-session destination-ip-based
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "POS_VLAN" screen on-tunnel
    set zone "POS_VLAN" screen icmp-flood
    set zone "POS_VLAN" screen udp-flood
    set zone "POS_VLAN" screen winnuke
    set zone "POS_VLAN" screen port-scan
    set zone "POS_VLAN" screen ip-sweep
    set zone "POS_VLAN" screen tear-drop
    set zone "POS_VLAN" screen syn-flood
    set zone "POS_VLAN" screen ip-spoofing
    set zone "POS_VLAN" screen ping-death
    set zone "POS_VLAN" screen ip-filter-src
    set zone "POS_VLAN" screen land
    set zone "POS_VLAN" screen syn-frag
    set zone "POS_VLAN" screen tcp-no-flag
    set zone "POS_VLAN" screen unknown-protocol
    set zone "POS_VLAN" screen ip-bad-option
    set zone "POS_VLAN" screen ip-record-route
    set zone "POS_VLAN" screen ip-timestamp-opt
    set zone "POS_VLAN" screen ip-security-opt
    set zone "POS_VLAN" screen ip-loose-src-route
    set zone "POS_VLAN" screen ip-strict-src-route
    set zone "POS_VLAN" screen ip-stream-opt
    set zone "POS_VLAN" screen icmp-fragment
    set zone "POS_VLAN" screen icmp-large
    set zone "POS_VLAN" screen syn-fin
    set zone "POS_VLAN" screen fin-no-ack
    set zone "POS_VLAN" screen limit-session source-ip-based
    set zone "POS_VLAN" screen syn-ack-ack-proxy
    set zone "POS_VLAN" screen block-frag
    set zone "POS_VLAN" screen limit-session destination-ip-based
    set zone "POS_VLAN" screen component-block activex
    set zone "POS_VLAN" screen icmp-id
    set zone "POS_VLAN" screen tcp-sweep
    set zone "POS_VLAN" screen udp-sweep
    set interface "serial0/0" zone "Untrust"
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 64.199.159.190/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.10.10.254/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 192.168.2.1/24
    set interface bgroup0 nat
    set interface "ethernet0/1" pmtu ipv4
    set interface "bgroup0" pmtu ipv4
    set interface ethernet0/0 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface bgroup0 manage-ip 192.168.2.2
    unset interface serial0/0 ip manageable
    unset interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/1 manage ident-reset
    set interface bgroup0 manage mtrace
    set interface ethernet0/0 vip 64.199.159.199 10032 "Altigen" 192.168.2.211
    set interface ethernet0/0 backup interface serial0/0 type track-ip
    set interface ethernet0/0 backup activation-delay 15
    set interface ethernet0/0 backup deactivation-delay 15
    set interface ethernet0/1 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server auto
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option lease 1440000
    set interface ethernet0/1 dhcp server option gateway 10.10.10.254
    set interface ethernet0/1 dhcp server option netmask 255.255.255.0
    set interface ethernet0/1 dhcp server option domainname Level1
    set interface ethernet0/1 dhcp server option dns1 8.8.8.8
    set interface ethernet0/1 dhcp server option dns2 8.8.4.4
    set interface bgroup0 dhcp server option gateway 192.168.2.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option domainname Level1
    set interface bgroup0 dhcp server option dns1 8.8.8.8
    set interface bgroup0 dhcp server option dns2 8.8.4.4
    set interface ethernet0/1 dhcp server ip 10.10.10.1 to 10.10.10.1
    set interface bgroup0 dhcp server ip 192.168.2.75 to 192.168.2.240
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&FS7=255S32=6"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain rdsSTL
    set hostname rdsSTL
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 8.8.8.8 src-interface ethernet0/0
    set dns host dns2 8.8.4.4 src-interface ethernet0/0
    set dns host dns3 4.2.2.2 src-interface ethernet0/0
    set dns host schedule 06:28
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
    set policy id 1
    exit
    set policy id 2 from "POS_VLAN" to "Untrust" "Any" "Any" "ANY" nat src permit traffic priority 0
    set policy id 2
    exit
    set policy id 3 name "Phones" from "Untrust" to "Trust" "Any" "VIP(64.199.159.199)" "ANY" permit
    set policy id 3
    exit
    unset log module system level notification destination email
    unset log module system level emergency destination snmp
    unset log module system level alert destination snmp
    unset log module system level critical destination snmp
    unset log module system level emergency destination syslog
    unset log module system level alert destination syslog
    unset log module system level critical destination syslog
    unset log module system level error destination syslog
    unset log module system level warning destination syslog
    unset log module system level notification destination syslog
    unset log module system level information destination syslog
    unset log module system level debugging destination syslog
    unset log module system level emergency destination webtrends
    unset log module system level alert destination webtrends
    unset log module system level critical destination webtrends
    unset log module system level notification destination webtrends
    unset log module system level emergency destination NSM
    unset log module system level alert destination NSM
    unset log module system level critical destination NSM
    unset log module system level error destination NSM
    unset log module system level warning destination NSM
    unset log module system level notification destination NSM
    unset log module system level information destination NSM
    unset log module system level debugging destination NSM
    unset log module system level emergency destination usb
    unset log module system level alert destination usb
    unset log module system level critical destination usb
    unset log module system level error destination usb
    unset log module system level warning destination usb
    unset log module system level notification destination usb
    unset log module system level information destination usb
    unset log module system level debugging destination usb
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface serial0/0
    set route 0.0.0.0/0 interface ethernet0/0 gateway 64.199.159.185 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 2.  RE: SSG5 multiple port forwarding.

    Posted 03-15-2012 15:33

    I'm not sure I follow the whole flow, but I think the issue is that your custom service is not created correctly, and that you are then not using that service in your policy.

     

    set service "Altigen" protocol tcp src-port 10032-10032 dst-port 10032-10032
    set service "Altigen" + tcp src-port 10064-10064 dst-port 10064-10064
    set service "Altigen" + udp src-port 5060-5060 dst-port 5060-5060
    set service "Altigen" + udp src-port 10060-10060 dst-port 10060-65535
    set service "Altigen" + udp src-port 49152-49212 dst-port 49152-49212

     These all have the same ports for source and destination.  Typically in your situation the source will be all ports 0-65535 and the destination ports will be the ones you have listed.  The device requesting the connection may originate from any source port, but the request is always delivered to the expected destination port of the protocol.

     

    Then based on your description I assume this is the policy rule meant to allow the connections.

     

    set policy id 3 name "Phones" from "Untrust" to "Trust" "Any" "VIP(64.199.159.199)" "ANY" permit

     

    This policy should reference your custom service name Altigen instead of ANY as the service in the policy.

     

    Depending on the phone system and how it works, you may also need to enable the ALG for SIP or H.323.

     



  • 3.  RE: SSG5 multiple port forwarding.

    Posted 03-22-2012 13:35

    Alright, so after some changes I fixed all my issues but one. Before I get into that I just wanted to say thank you to spuluka for all the help; that fixed most of my issues. I am still having some SIP error issues and just wanted to make sure my forwards are correct so I can move this unit off the test network. 

     

    Thanks

    Brad

     

    unset key protection enable
    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "Altigen" protocol tcp src-port 0-65535 dst-port 10032-10032
    set service "Altigen" + tcp src-port 0-65535 dst-port 10064-10064
    set service "Altigen" + udp src-port 0-65535 dst-port 5060-5060
    set service "Altigen" + udp src-port 0-65535 dst-port 10060-65535
    set service "Altigen" + udp src-port 0-65535 dst-port 49152-49212
    unset alg sip enable
    unset alg mgcp enable
    unset alg sccp enable
    unset alg sunrpc enable
    unset alg msrpc enable
    unset alg xing enable
    unset alg talk enable
    unset alg rtsp enable
    unset alg rsh enable
    unset alg real enable
    unset alg appleichat enable
    unset alg appleichat re-assembly enable
    unset alg h323 enable
    unset alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "rds"
    set admin password "nAJaDBr4E36OcWVAOsLC9kDtN3OBCn"
    set admin user "Brad" password "nHQfJlrPHCiOcSSNasSLZUHtReBojn" privilege "all"
    set admin access lock-on-failure 15
    set admin http redirect
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "POS_VLAN"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    unset zone "POS_VLAN" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen syn-flood
    set zone "Trust" screen ip-spoofing
    set zone "Trust" screen ping-death
    set zone "Trust" screen land
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen limit-session source-ip-based
    set zone "Trust" screen syn-ack-ack-proxy
    set zone "Trust" screen block-frag
    set zone "Trust" screen limit-session destination-ip-based
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "POS_VLAN" screen on-tunnel
    set zone "POS_VLAN" screen icmp-flood
    set zone "POS_VLAN" screen udp-flood
    set zone "POS_VLAN" screen winnuke
    set zone "POS_VLAN" screen port-scan
    set zone "POS_VLAN" screen ip-sweep
    set zone "POS_VLAN" screen tear-drop
    set zone "POS_VLAN" screen syn-flood
    set zone "POS_VLAN" screen ip-spoofing
    set zone "POS_VLAN" screen ping-death
    set zone "POS_VLAN" screen ip-filter-src
    set zone "POS_VLAN" screen land
    set zone "POS_VLAN" screen syn-frag
    set zone "POS_VLAN" screen tcp-no-flag
    set zone "POS_VLAN" screen unknown-protocol
    set zone "POS_VLAN" screen ip-bad-option
    set zone "POS_VLAN" screen ip-record-route
    set zone "POS_VLAN" screen ip-timestamp-opt
    set zone "POS_VLAN" screen ip-security-opt
    set zone "POS_VLAN" screen ip-loose-src-route
    set zone "POS_VLAN" screen ip-strict-src-route
    set zone "POS_VLAN" screen ip-stream-opt
    set zone "POS_VLAN" screen icmp-fragment
    set zone "POS_VLAN" screen icmp-large
    set zone "POS_VLAN" screen syn-fin
    set zone "POS_VLAN" screen fin-no-ack
    set zone "POS_VLAN" screen limit-session source-ip-based
    set zone "POS_VLAN" screen syn-ack-ack-proxy
    set zone "POS_VLAN" screen block-frag
    set zone "POS_VLAN" screen limit-session destination-ip-based
    set zone "POS_VLAN" screen component-block activex
    set zone "POS_VLAN" screen icmp-id
    set zone "POS_VLAN" screen tcp-sweep
    set zone "POS_VLAN" screen udp-sweep
    set interface "serial0/0" zone "Untrust"
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 64.199.159.190/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.10.10.254/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 192.168.2.1/24
    set interface bgroup0 nat
    set interface "ethernet0/1" pmtu ipv4
    set interface "bgroup0" pmtu ipv4
    set interface ethernet0/0 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface bgroup0 manage-ip 192.168.2.2
    unset interface serial0/0 ip manageable
    unset interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/1 manage ident-reset
    set interface bgroup0 manage mtrace
    set interface ethernet0/0 vip interface-ip 10032 "Altigen" 192.168.2.211
    set interface ethernet0/1 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server auto
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option lease 1440000
    set interface ethernet0/1 dhcp server option gateway 10.10.10.254
    set interface ethernet0/1 dhcp server option netmask 255.255.255.0
    set interface ethernet0/1 dhcp server option domainname Level1
    set interface ethernet0/1 dhcp server option dns1 8.8.8.8
    set interface ethernet0/1 dhcp server option dns2 8.8.4.4
    set interface bgroup0 dhcp server option gateway 192.168.2.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option domainname Level1
    set interface bgroup0 dhcp server option dns1 8.8.8.8
    set interface bgroup0 dhcp server option dns2 8.8.4.4
    set interface ethernet0/1 dhcp server ip 10.10.10.1 to 10.10.10.1
    set interface bgroup0 dhcp server ip 192.168.2.75 to 192.168.2.240
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&FS7=255S32=6"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain rdsSTL
    set hostname rdsSTL
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 8.8.8.8 src-interface ethernet0/0
    set dns host dns2 8.8.4.4 src-interface ethernet0/0
    set dns host dns3 4.2.2.2 src-interface ethernet0/0
    set dns host schedule 06:28
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
    set policy id 1
    exit
    set policy id 2 from "POS_VLAN" to "Untrust" "Any" "Any" "ANY" nat src permit traffic priority 0
    set policy id 2
    exit
    set policy id 3 name "phone" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ANY" permit
    set policy id 3
    exit
    unset log module system level notification destination email
    unset log module system level emergency destination snmp
    unset log module system level alert destination snmp
    unset log module system level critical destination snmp
    unset log module system level emergency destination syslog
    unset log module system level alert destination syslog
    unset log module system level critical destination syslog
    unset log module system level error destination syslog
    unset log module system level warning destination syslog
    unset log module system level notification destination syslog
    unset log module system level information destination syslog
    unset log module system level debugging destination syslog
    unset log module system level emergency destination webtrends
    unset log module system level alert destination webtrends
    unset log module system level critical destination webtrends
    unset log module system level notification destination webtrends
    unset log module system level emergency destination NSM
    unset log module system level alert destination NSM
    unset log module system level critical destination NSM
    unset log module system level error destination NSM
    unset log module system level warning destination NSM
    unset log module system level notification destination NSM
    unset log module system level information destination NSM
    unset log module system level debugging destination NSM
    unset log module system level emergency destination usb
    unset log module system level alert destination usb
    unset log module system level critical destination usb
    unset log module system level error destination usb
    unset log module system level warning destination usb
    unset log module system level notification destination usb
    unset log module system level information destination usb
    unset log module system level debugging destination usb
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface serial0/0
    set route 0.0.0.0/0 interface ethernet0/0 gateway 64.199.159.185 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 4.  RE: SSG5 multiple port forwarding.

    Posted 03-23-2012 03:52

    You don't mention the exact data flow, so I'll make some assumptions based on what I see in the configuration.  I'm guessing the VIP you have there is for this SIP connection. 

     

    Thus the flow is from untrust to trust.

    I assume you have only the interface public address.

     

    The collection of services for Altigen looks like three normal program ports, plus a broad range of possible response ports for the connection.  I assume these are really the SIP-negotiated ports for the protocol.  Typically a single one of these ports is negotiated at run time by the connection.  This is what the ALG does: it opens the dynamically negotiated port only when it is needed.

     

    You really can't forward all of those ports to a single device without issues in web browsing and other traffic, because a range that wide overlaps the ephemeral ports that other connections use.

     

    I think what you need is the following, if all of the above are correct guesses.

     

    • Create three VIP forwardings using your first three custom services.
    • Turn on the SIP ALG.
    • Create three policies from untrust to trust, one for each VIP.  Select the "application" option and use SIP (not none).  Select the service option and use just your custom service on each (not ANY).

     



  • 5.  RE: SSG5 multiple port forwarding.

    Posted 03-23-2012 06:30

    A basic breakdown: I have an external IP of 64.199.159.190

    internal phone server of 192.168.2.211

    The ports that need to be forwarded to this server are:

    tcp 10032

    tcp 1064

    udp 5060

    udp 10060

    udp 49152-49212 (this is the part that isn't working)

     

    I separated them out like you mentioned above and turned on the SIP ALG, which fixed all my issues, but I'm still not getting voice. After a little Wireshark testing and reading online, it looks like the problem is my "range" forward. Any ideas on how I can get this working? I think it has something to do with the virtual port on the VIP service. I am really new to this, so I may just need a breakdown of how to do this, because I'm wondering if I'm still doing it wrong. 

     

    This is my current config

    Note: some of the custom services I have now aren't needed.

     

    unset key protection enable
    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "Phone 1" protocol tcp src-port 0-65535 dst-port 10032-10032
    set service "Phone 1" + udp src-port 0-65535 dst-port 10032-10032
    set service "Phone 2" protocol tcp src-port 0-65535 dst-port 10064-10064
    set service "Phone 2" + udp src-port 0-65535 dst-port 10064-10064
    set service "Phone 3" protocol udp src-port 0-65535 dst-port 5060-5060
    set service "Phone 3" + tcp src-port 0-65535 dst-port 5060-5060
    set service "Phone 4" protocol udp src-port 0-65535 dst-port 10060-10060
    set service "Phone 4" + tcp src-port 0-65535 dst-port 10060-10060
    set service "Phone 5" protocol udp src-port 0-65535 dst-port 49152-49212
    set service "Phone 5" + tcp src-port 0-65535 dst-port 49152-49212
    set service "Phone 6" protocol udp src-port 0-65535 dst-port 16348-32768
    unset alg mgcp enable
    unset alg sccp enable
    unset alg sunrpc enable
    unset alg msrpc enable
    unset alg xing enable
    unset alg real enable
    unset alg appleichat enable
    unset alg appleichat re-assembly enable
    unset alg h323 enable
    unset alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "rds"
    set admin password "nAJaDBr4E36OcWVAOsLC9kDtN3OBCn"
    set admin user "Brad" password "nHQfJlrPHCiOcSSNasSLZUHtReBojn" privilege "all"
    set admin access lock-on-failure 15
    set admin http redirect
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "POS_VLAN"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    unset zone "POS_VLAN" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen syn-flood
    set zone "Trust" screen ip-spoofing
    set zone "Trust" screen ping-death
    set zone "Trust" screen land
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen limit-session source-ip-based
    set zone "Trust" screen syn-ack-ack-proxy
    set zone "Trust" screen block-frag
    set zone "Trust" screen limit-session destination-ip-based
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "POS_VLAN" screen on-tunnel
    set zone "POS_VLAN" screen icmp-flood
    set zone "POS_VLAN" screen udp-flood
    set zone "POS_VLAN" screen winnuke
    set zone "POS_VLAN" screen port-scan
    set zone "POS_VLAN" screen ip-sweep
    set zone "POS_VLAN" screen tear-drop
    set zone "POS_VLAN" screen syn-flood
    set zone "POS_VLAN" screen ip-spoofing
    set zone "POS_VLAN" screen ping-death
    set zone "POS_VLAN" screen ip-filter-src
    set zone "POS_VLAN" screen land
    set zone "POS_VLAN" screen syn-frag
    set zone "POS_VLAN" screen tcp-no-flag
    set zone "POS_VLAN" screen unknown-protocol
    set zone "POS_VLAN" screen ip-bad-option
    set zone "POS_VLAN" screen ip-record-route
    set zone "POS_VLAN" screen ip-timestamp-opt
    set zone "POS_VLAN" screen ip-security-opt
    set zone "POS_VLAN" screen ip-loose-src-route
    set zone "POS_VLAN" screen ip-strict-src-route
    set zone "POS_VLAN" screen ip-stream-opt
    set zone "POS_VLAN" screen icmp-fragment
    set zone "POS_VLAN" screen icmp-large
    set zone "POS_VLAN" screen syn-fin
    set zone "POS_VLAN" screen fin-no-ack
    set zone "POS_VLAN" screen limit-session source-ip-based
    set zone "POS_VLAN" screen syn-ack-ack-proxy
    set zone "POS_VLAN" screen block-frag
    set zone "POS_VLAN" screen limit-session destination-ip-based
    set zone "POS_VLAN" screen component-block activex
    set zone "POS_VLAN" screen icmp-id
    set zone "POS_VLAN" screen tcp-sweep
    set zone "POS_VLAN" screen udp-sweep
    set interface "serial0/0" zone "Untrust"
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 64.199.159.190/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.10.10.254/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 192.168.2.1/24
    set interface bgroup0 nat
    set interface "ethernet0/1" pmtu ipv4
    set interface "bgroup0" pmtu ipv4
    set interface ethernet0/0 proxy dns
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface bgroup0 manage-ip 192.168.2.2
    unset interface serial0/0 ip manageable
    unset interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/1 manage ident-reset
    set interface bgroup0 manage mtrace
    set interface ethernet0/0 vip interface-ip 49212 "Phone 5" 192.168.2.211
    set interface ethernet0/0 vip interface-ip 5060 "Phone 3" 192.168.2.211
    set interface ethernet0/0 vip interface-ip 10060 "Phone 4" 192.168.2.211
    set interface ethernet0/0 vip interface-ip 10064 "Phone 2" 192.168.2.211
    set interface ethernet0/0 vip interface-ip 10032 "Phone 1" 192.168.2.211
    set interface ethernet0/0 vip interface-ip 16348 "Phone 6" 192.168.2.211
    set interface ethernet0/1 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server auto
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option lease 1440000
    set interface ethernet0/1 dhcp server option gateway 10.10.10.254
    set interface ethernet0/1 dhcp server option netmask 255.255.255.0
    set interface ethernet0/1 dhcp server option domainname Level1
    set interface ethernet0/1 dhcp server option dns1 8.8.8.8
    set interface ethernet0/1 dhcp server option dns2 8.8.4.4
    set interface bgroup0 dhcp server option gateway 192.168.2.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option domainname Level1
    set interface bgroup0 dhcp server option dns1 8.8.8.8
    set interface bgroup0 dhcp server option dns2 8.8.4.4
    set interface ethernet0/1 dhcp server ip 10.10.10.1 to 10.10.10.1
    set interface bgroup0 dhcp server ip 192.168.2.75 to 192.168.2.240
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&FS7=255S32=6"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain rdsSTL
    set hostname rdsSTL
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 8.8.8.8 src-interface ethernet0/0
    set dns host dns2 8.8.4.4 src-interface ethernet0/0
    set dns host dns3 4.2.2.2 src-interface ethernet0/0
    set dns host schedule 06:28
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
    set policy id 1
    exit
    set policy id 2 from "POS_VLAN" to "Untrust" "Any" "Any" "ANY" nat src permit traffic priority 0
    set policy id 2
    exit
    set policy id 3 name "Phone" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ANY" permit
    set policy id 3
    exit
    unset log module system level notification destination email
    unset log module system level emergency destination snmp
    unset log module system level alert destination snmp
    unset log module system level critical destination snmp
    unset log module system level emergency destination syslog
    unset log module system level alert destination syslog
    unset log module system level critical destination syslog
    unset log module system level error destination syslog
    unset log module system level warning destination syslog
    unset log module system level notification destination syslog
    unset log module system level information destination syslog
    unset log module system level debugging destination syslog
    unset log module system level emergency destination webtrends
    unset log module system level alert destination webtrends
    unset log module system level critical destination webtrends
    unset log module system level notification destination webtrends
    unset log module system level emergency destination NSM
    unset log module system level alert destination NSM
    unset log module system level critical destination NSM
    unset log module system level error destination NSM
    unset log module system level warning destination NSM
    unset log module system level notification destination NSM
    unset log module system level information destination NSM
    unset log module system level debugging destination NSM
    unset log module system level emergency destination usb
    unset log module system level alert destination usb
    unset log module system level critical destination usb
    unset log module system level error destination usb
    unset log module system level warning destination usb
    unset log module system level notification destination usb
    unset log module system level information destination usb
    unset log module system level debugging destination usb
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface serial0/0
    set route 0.0.0.0/0 interface ethernet0/0 gateway 64.199.159.185 preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 6.  RE: SSG5 multiple port forwarding.
    Best Answer

    Posted 03-24-2012 04:45

The udp 49152-49212 range falls inside the dynamic port range that the firewall itself allocates on the ethernet0/0 address for its source-NAT sessions (your `nat src` policies for outbound web, FTP and so on all use that same interface IP). Because those ports are handed out on the fly, you cannot reliably dedicate a VIP on the interface address to forward them. So you have two options:

     

1. Use the SIP ALG to inspect the call setup and open only the media port negotiated for each call (a pinhole that is closed again when that call ends).

2. Use a dedicated public IP address (a MIP) mapped one-to-one to your VoIP server, and write a policy that opens only the ports in your service group to that server.

     

Let's try to get option 1 working first.

     

    • Remove the udp 49152-49212 forwarding entries from the VIP on ethernet0/0.
    • Remove the udp 49152-49212 entry from the "Altigen" service group, leaving just the single-port entries.
    • Change the Untrust-to-Trust VIP policy (policy id 3) to use your "Altigen" service group instead of "ANY", and set Application to SIP instead of "none". This tells the SSG that these custom services need the SIP ALG, and it also stops that policy from permitting every service to the VIP address.
    • Make sure the SIP ALG is enabled (`set alg sip enable`) — the ALG cannot open the media ports if it has been turned off.
    • Test a call.

If the SIP ALG understands this vendor's SIP/SDP, it will read the media ports negotiated for each call out of the signalling and open just those ports, so no static forward of the whole range is needed.

     

Option 2 uses the MIP feature to map one of your spare public addresses one-to-one to your VoIP server. You then create an Untrust-to-Trust policy with the MIP as the destination and your whole "Altigen" service group as the service (not "ANY" — with a MIP, the policy's service list is the only thing limiting what reaches the server). Because your server is the only host behind that public address, there is no port conflict with the firewall's own source-NAT sessions.

     



  • 7.  RE: SSG5 multiple port forwarding.

    Posted 03-28-2012 14:26

Spot on! Thank you so much for your help! Hope this helps others in my situation. Can't thank you enough.