Screen OS

  • 1.  VOIP through Netscreen 5gt (How do I get it to work)

    Posted 03-22-2011 10:58

    I really love this device but I have to tell you, IT IS FRUSTRATING for sure.

    I have read article after article, pdf after pdf, and I just don't get it. What do I need to do in order to get this thing to work?!

     

    My config

    PBX: 3cx 10.0.1.8

    Netscreen Trust Interface:  10.0.1.1

    Netscreen Untrust Interface: 71.41.2.12

    My problem

    I tried to be funny and set up VIPs for all the ports that 3cx stated needed to be open.  Unfortunately this isn't a NAT and the ports are being translated and the voice isn't going through.

    Thank you all in advance for your help.



  • 2.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 03-23-2011 04:53

    Hi,

    From what I have been reading the 3CX System is a SIP PBX and you didn't post your config, so it is a bit difficult to say what could be wrong. As you have discovered, setting up VoIP over a firewall can be tricky.  If you are not assigning public IP addresses to your phones you will need source NATing with sticky DIP incoming.

    I don't remember the GUI for this but from the CLI do this:

        set interface ethernet0/0 dip interface-ip incoming
        set dip sticky

    Now create a policy which will allow phones to talk on ports DNS, SIP outgoing, and incoming for SIP, and you may also need to turn off ALG for SIP.


    Gavrilo



  • 3.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 03-23-2011 19:43

    Well, it worked and it didn't work.  I am now able to hear on both ends, but when I run my firewall test I get the following:


    <20:31:42>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 2238::5060. Phase 2a check passed with WARNINGS.

    <20:31:42>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
    <20:31:42>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 2238::5060. Phase 2b check passed with WARNINGS.

    <20:31:42>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
    <20:31:42>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 2993::5090. Phase 3 check passed with WARNINGS.

    <20:31:42>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
    <20:31:46>: UDP RTP Port 9000. Response received WITH TRANSLATION 1767::9000. Phase 4-01 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9001. Response received WITH TRANSLATION 1964::9001. Phase 4-02 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9002. Response received WITH TRANSLATION 2998::9002. Phase 4-03 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9003. Response received WITH TRANSLATION 1404::9003. Phase 4-04 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9004. Response received WITH TRANSLATION 2754::9004. Phase 4-05 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9005. Response received WITH TRANSLATION 1639::9005. Phase 4-06 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9006. Response received WITH TRANSLATION 2751::9006. Phase 4-07 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9007. Response received WITH TRANSLATION 2089::9007. Phase 4-08 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9008. Response received WITH TRANSLATION 1600::9008. Phase 4-09 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9009. Response received WITH TRANSLATION 2758::9009. Phase 4-10 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9010. Response received WITH TRANSLATION 2665::9010. Phase 4-11 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9011. Response received WITH TRANSLATION 1184::9011. Phase 4-12 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9012. Response received WITH TRANSLATION 2852::9012. Phase 4-13 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9013. Response received WITH TRANSLATION 1709::9013. Phase 4-14 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9014. Response received WITH TRANSLATION 1220::9014. Phase 4-15 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9015. Response received WITH TRANSLATION 2180::9015. Phase 4-16 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9016. Response received WITH TRANSLATION 1357::9016. Phase 4-17 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9017. Response received WITH TRANSLATION 2216::9017. Phase 4-18 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9018. Response received WITH TRANSLATION 1060::9018. Phase 4-19 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9019. Response received WITH TRANSLATION 2480::9019. Phase 4-20 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9020. Response received WITH TRANSLATION 2227::9020. Phase 4-21 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9021. Response received WITH TRANSLATION 1424::9021. Phase 4-22 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9022. Response received WITH TRANSLATION 2557::9022. Phase 4-23 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9023. Response received WITH TRANSLATION 2963::9023. Phase 4-24 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9024. Response received WITH TRANSLATION 1075::9024. Phase 4-25 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9025. Response received WITH TRANSLATION 1852::9025. Phase 4-26 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9026. Response received WITH TRANSLATION 1161::9026. Phase 4-27 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9027. Response received WITH TRANSLATION 1506::9027. Phase 4-28 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9028. Response received WITH TRANSLATION 1167::9028. Phase 4-29 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9029. Response received WITH TRANSLATION 1965::9029. Phase 4-30 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9030. Response received WITH TRANSLATION 1640::9030. Phase 4-31 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9031. Response received WITH TRANSLATION 2687::9031. Phase 4-32 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9032. Response received WITH TRANSLATION 2291::9032. Phase 4-33 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9033. Response received WITH TRANSLATION 1149::9033. Phase 4-34 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9034. Response received WITH TRANSLATION 1032::9034. Phase 4-35 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9035. Response received WITH TRANSLATION 2526::9035. Phase 4-36 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9036. Response received WITH TRANSLATION 1157::9036. Phase 4-37 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9037. Response received WITH TRANSLATION 1804::9037. Phase 4-38 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9038. Response received WITH TRANSLATION 1567::9038. Phase 4-39 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9039. Response received WITH TRANSLATION 1750::9039. Phase 4-40 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9040. Response received WITH TRANSLATION 2273::9040. Phase 4-41 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9041. Response received WITH TRANSLATION 1050::9041. Phase 4-42 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9042. Response received WITH TRANSLATION 2577::9042. Phase 4-43 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9043. Response received WITH TRANSLATION 2437::9043. Phase 4-44 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9044. Response received WITH TRANSLATION 1081::9044. Phase 4-45 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9045. Response received WITH TRANSLATION 2126::9045. Phase 4-46 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9046. Response received WITH TRANSLATION 1329::9046. Phase 4-47 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9047. Response received WITH TRANSLATION 2325::9047. Phase 4-48 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9048. Response received WITH TRANSLATION 2438::9048. Phase 4-49 check passed with WARNINGS.
    <20:31:46>: UDP RTP Port 9049. Response received WITH TRANSLATION 2249::9049. Phase 4-50 check passed with WARNINGS.


    I'm guessing that means that it's not working the way it should.  I am really unfamiliar with the dip and mip and all that on the netscreen.  I'm guessing that with NAT correctly setup my PBX is expecting no translation, port 9049 should map to 9049...

    Here's my config with the public IP changed and passwords removed:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "Admin"
    set admin password "removed"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 10.0.1.1/24
    set interface trust nat
    set interface untrust ip 75.151.83.1/30
    set interface untrust nat
    set interface untrust gateway 75.151.83.2
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface trust manage mtrace
    set interface untrust vip untrust 3389 "RDP" 10.0.1.13
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option dns1 10.0.1.13
    set interface trust dhcp server ip 10.0.1.75 to 10.0.1.95
    unset interface trust dhcp server config next-server-ip
    set interface untrust dip interface-ip incoming
    set flow tcp-mss
    unset flow tcp-syn-check
    set domain apexavailability.com
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 75.75.75.75
    set dns host dns2 75.76.76.76
    set dns host dns3 0.0.0.0
    set dns host schedule 06:28
    set ippool "vpnclient" 192.168.10.1 192.168.10.99
    set user "rich.m.miller" uid 2
    set user "rich.m.miller" type  xauth
    set user "rich.m.miller" password "Removed"
    unset user "rich.m.miller" type auth
    set user "rich.m.miller" "enable"
    set user "vpnclient_ph1id" uid 1
    set user "vpnclient_ph1id" ike-id fqdn "something" share-limit 5
    set user "vpnclient_ph1id" type  ike
    set user "vpnclient_ph1id" "enable"
    set user-group "vpnclient_group" id 1
    set user-group "vpnclient_group" user "vpnclient_ph1id"
    set ike gateway "vpnclient_gateway" dialup "vpnclient_group" Aggr outgoing-interface "untrust" preshare "removed" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha" "pre-g2-3des-md5" "pre-g2-aes128-md5"
    set ike gateway "vpnclient_gateway" cert peer-ca all
    unset ike gateway "vpnclient_gateway" nat-traversal udp-checksum
    set ike gateway "vpnclient_gateway" nat-traversal keepalive-frequency 20
    set ike gateway "vpnclient_gateway" xauth server "Local"
    unset ike gateway "vpnclient_gateway" xauth do-edipi-auth
    set ike gateway "vpnclient_gateway" dpd interval 30
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "vpnclient"
    set xauth default dns1 10.0.1.3
    set xauth default dns2 10.0.1.10
    set vpn "vpnclient_tunnel" gateway "vpnclient_gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-aes128-sha"  "nopfs-esp-aes128-md5"
    set dip sticky
    set url protocol websense
    exit
    set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "RDP" permit log count
    set policy id 3
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 name "vpnclient_in" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpnclient_tunnel" id 1 log
    set policy id 2
    exit
    set policy id 4 name "3cx PBX Out" from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src permit log
    set policy id 4
    exit
    set policy id 5 name "3cx PBX in" from "Untrust" to "Trust"  "Any" "Any" "SIP" permit log
    set policy id 5
    exit
    unset log module system level emergency destination usb
    unset log module system level alert destination usb
    unset log module system level critical destination usb
    unset log module system level error destination usb
    unset log module system level warning destination usb
    unset log module system level notification destination usb
    unset log module system level information destination usb
    unset log module system level debugging destination usb
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt bulkcli reboot-wait 0
    set ssh version v2
    set config lock timeout 5
    set license-key auto-update
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    Thank you for your help!

    -Rich
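The checker output above pairs, for every port, the port the PBX sent from with the port the far end actually saw: `2238::5060` means the test server saw source port 2238 where the PBX used 5060. That is the 5GT's interface NAT doing port address translation on the way out, which is exactly what upsets SIP, because the PBX advertises its own ports in the SIP/SDP payload. As an added example (not from the post and not a 3CX tool), the Python below turns that log into a translated/preserved tally so the warnings can be read at a glance. The regex is fitted to the lines quoted above and is an assumption about the checker's format; the sample input is copied from the post.

```python
"""Parse 3CX Firewall Checker result lines and tally port translation.

Added example. The line format is inferred from the lines quoted in the
post above and is an assumption, not 3CX's specification.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Matches result lines such as:
#   <20:31:46>: UDP RTP Port 9000. Response received WITH TRANSLATION 1767::9000. Phase 4-01 check passed with WARNINGS.
# The "WITH TRANSLATION ext::int" part is optional so a response that came
# back untranslated is recorded as external == internal.
RESULT_RE = re.compile(
    r"^<(?P<time>\d{2}:\d{2}:\d{2})>: "
    r"(?P<proto>UDP|TCP) (?P<kind>SIP|TUNNEL|RTP) Port(?: is set to)? (?P<port>\d+)\. "
    r"Response received(?: WITH TRANSLATION (?P<ext>\d+)::(?P<inner>\d+))?\. "
    r"Phase (?P<phase>[0-9A-Za-z-]+) check passed(?P<warn> with WARNINGS)?\.$"
)


@dataclass
class CheckResult:
    time: str
    proto: str
    kind: str            # SIP, TUNNEL or RTP
    internal_port: int   # port the PBX sent from
    external_port: int   # port the test server saw
    phase: str
    warned: bool

    @property
    def translated(self) -> bool:
        # True when the NAT device rewrote the source port (PAT).
        return self.external_port != self.internal_port


def parse_line(line: str) -> Optional[CheckResult]:
    """Return a CheckResult for a result line, None for progress lines."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None  # e.g. "<20:31:42>: Phase 2b. Check Port Forwarding ..., please wait..."
    internal = int(m.group("port"))
    ext = m.group("ext")
    return CheckResult(
        time=m.group("time"),
        proto=m.group("proto"),
        kind=m.group("kind"),
        internal_port=internal,
        external_port=int(ext) if ext is not None else internal,
        phase=m.group("phase"),
        warned=m.group("warn") is not None,
    )


def summarize(text: str) -> dict:
    """Tally how many checks saw their source port rewritten, grouped by traffic kind."""
    results = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    translated = [r for r in results if r.translated]
    by_kind: dict = {}
    for r in translated:
        by_kind.setdefault(r.kind, []).append(r.internal_port)
    return {
        "checks": len(results),
        "translated": len(translated),
        "preserved": len(results) - len(translated),
        "translated_by_kind": {k: sorted(v) for k, v in by_kind.items()},
        # Any rewritten signalling or media port means the ports the PBX
        # advertises in SIP/SDP will not match what the far end sees.
        "nat_preserves_ports": not translated,
    }


# Sample input: a subset of the lines quoted in the post above.
SAMPLE = """\
<20:31:42>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 2238::5060. Phase 2a check passed with WARNINGS.
<20:31:42>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
<20:31:42>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 2238::5060. Phase 2b check passed with WARNINGS.
<20:31:42>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
<20:31:42>: TCP TUNNEL Port is set to 5090. Response received WITH TRANSLATION 2993::5090. Phase 3 check passed with WARNINGS.
<20:31:42>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
<20:31:46>: UDP RTP Port 9000. Response received WITH TRANSLATION 1767::9000. Phase 4-01 check passed with WARNINGS.
<20:31:46>: UDP RTP Port 9001. Response received WITH TRANSLATION 1964::9001. Phase 4-02 check passed with WARNINGS.
<20:31:46>: UDP RTP Port 9049. Response received WITH TRANSLATION 2249::9049. Phase 4-50 check passed with WARNINGS.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it on the sample reports six checks, all six translated and none preserved, which is the condition the "passed with WARNINGS" lines are flagging.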




  • 4.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 03-30-2011 06:15

    Hi,

    Firstly I suspect you forgot to turn off ALG for SIP, as it looks like a problem with NAT?

    If everything is working then the Firewall is probably doing its job and allowing your SIP traffic to pass through transparently, so you may need to check with 3CX PBX Support stuff.


    Gavrilo



  • 5.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 04-03-2011 00:22

    Thank you Gavrilo,

    So what does ALG for SIP do?  It is indeed a NAT problem.  I'll look at how to disable the ALG and then see if that works.

    Thanks again for all your help,

    -Rich



  • 6.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 04-05-2011 03:57

    Hi,

    It looks for packet anomalies and can be turned off in the GUI for policies.

    Gavrilo



  • 7.  RE: VOIP through Netscreen 5gt (How do I get it to work)
    Best Answer

    Posted 04-19-2011 08:19


    So,

    It was pretty easy.  The only thing I don't get about the netscreen is that NAT seems to be very complicated and not too user friendly.  Of course, this is an enterprise class firewall so there is probably more to it and easier than I think. 


    Anyway,

    I have found a resolution.  Basically I purchased an extra IP from my ISP and added a MIP.  The following instructions are how I set it up.


    1.  Get additional IP from ISP.  This has to be a separate and dedicated IP and cannot be the same IP you use as your untrust interface IP.

    2.  Edit untrust interface - go to Network -> Interfaces -> edit your untrust interface.

    3.  Add MIP to untrust interface -

    • After completing steps above select MIP next to the Properties: tag at the top of the page. 
    • Select New. 
    • Under Mapped IP enter in the new IP your ISP has given you. 
    • Enter your PBX or phone in the Host IP section. 
    • Make sure your netmask is 255.255.255.255.
    • Your Host Virtual Router Name must be your trust interface, even if your PBX or phone is in the DMZ.
    • Click OK.


    4.  Create a policy allowing SIP to your PBX or your Phone.

    • Select Policy
    • Select Policies
    • From Untrust
    • To Trust
    • Select New
    • Name:  SIP NAT
    • Source Address:  Any
    • Destination Address:  Select in the drop down the MIP you just created.
    • Service:  SIP
    • Application:  None
    • Make sure WEB Filtering is unchecked
    • Action:  Permit
    • Tunnel VPN:  None
    • Modify matching bidirectional VPN policy:  Unchecked
    • L2TP:  None
    • Logging:  Your call
    • at Session Beginning:  Your call
    • Session-limit:  Unchecked
    • Counter: 0
    • Alarm without drop:  Unchecked.
    • No Advanced options.
    • Click okay

    5.  You should turn off SIP ALG.  Not sure why it doesn't work with it on, but it doesn't.  Where this setting lives depends on which version of the firmware you have.  I have version 6.2.0r9.0 (Firewall+VPN).

    • Select Security in the left hand menu.
    • Select ALG
    • Uncheck SIP
    • Click Apply


    Badda Bing Badda Boom, you should be working.  Thanks again for the previous help!



  • 8.  RE: VOIP through Netscreen 5gt (How do I get it to work)

    Posted 06-23-2011 06:12

    Good to read that you finally got it working.


    Can you explain why you need a MIP? Would a VIP not be sufficient?

    After all, your policy only uses the SIP protocol...
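Posts 7 and 8 turn on the difference between the three translation mechanisms this thread touches: interface-based NAT with a DIP (post 2), a VIP (post 1) and a MIP (post 7). As an added illustration, and my own toy model rather than ScreenOS code or anything from Juniper, the Python below models each mode just far enough to show which of them leaves the PBX's SIP port untouched in both directions. The addresses 10.0.1.8 and 71.41.2.12 come from the thread; the MIP address 203.0.113.10 and the remote peer 198.51.100.7 are constructed documentation-range stand-ins; and the ephemeral-port function is a deterministic stand-in for whatever source port the firewall really assigns under PAT. The inbound case modelled is an unsolicited call arriving at the SIP port, i.e. the "3cx PBX in" policy.

```python
"""Toy model of three ScreenOS translation modes applied to a SIP host.

Added example, not ScreenOS code. It models interface-based NAT with a DIP,
a VIP and a MIP only as far as needed to show which one keeps the PBX's
SIP port intact both outbound and inbound. Policies and the SIP ALG are
deliberately left out of the model.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

PBX = "10.0.1.8"            # PBX address from the thread
UNTRUST_IP = "71.41.2.12"   # untrust interface address from the thread
MIP_ADDR = "203.0.113.10"   # constructed stand-in for the extra ISP address (RFC 5737 range)
SIP_PORT = 5060


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _ephemeral(ip: str, port: int) -> int:
    """Constructed stand-in for the source port assigned under PAT.

    A sticky DIP keeps the mapping stable per inside host, which this mimics
    by deriving the port from a hash of the original tuple. The 1024-3023
    range is arbitrary and only echoes the ports seen in the checker output."""
    h = hashlib.sha256(f"{ip}:{port}".encode()).digest()
    return 1024 + int.from_bytes(h[:2], "big") % 2000


class InterfaceNat:
    """'set interface untrust nat' with a DIP: outbound source IP and port are rewritten."""

    def outbound(self, p: Packet) -> Packet:
        return replace(p, src_ip=UNTRUST_IP, src_port=_ephemeral(p.src_ip, p.src_port))

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Unsolicited traffic to the interface IP has no mapping to follow.
        return None


class Vip(InterfaceNat):
    """VIP: inbound (interface IP, service port) -> host; outbound still uses interface NAT."""

    def __init__(self, port_map: dict):
        self.port_map = port_map  # {public_port: (host_ip, host_port)}

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst_ip == UNTRUST_IP and p.dst_port in self.port_map:
            host, hport = self.port_map[p.dst_port]
            return replace(p, dst_ip=host, dst_port=hport)
        return None


class Mip:
    """MIP: static one-to-one address mapping applied in both directions, ports untouched."""

    def __init__(self, public_ip: str, host_ip: str):
        self.public_ip, self.host_ip = public_ip, host_ip

    def outbound(self, p: Packet) -> Packet:
        return replace(p, src_ip=self.public_ip) if p.src_ip == self.host_ip else p

    def inbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, dst_ip=self.host_ip) if p.dst_ip == self.public_ip else None


def port_preserved(mode, remote: str = "198.51.100.7") -> dict:
    """Does the PBX's SIP port survive translation outbound, and does an unsolicited
    inbound SIP packet to the public address reach the PBX on that port?"""
    out = mode.outbound(Packet(PBX, SIP_PORT, remote, SIP_PORT))
    public = getattr(mode, "public_ip", UNTRUST_IP)
    inn = mode.inbound(Packet(remote, SIP_PORT, public, SIP_PORT))
    return {
        "outbound_src_port_kept": out.src_port == SIP_PORT,
        "inbound_reaches_pbx": inn is not None and inn.dst_ip == PBX and inn.dst_port == SIP_PORT,
    }


def compare_modes() -> dict:
    return {
        "interface_nat": port_preserved(InterfaceNat()),
        "vip": port_preserved(Vip({SIP_PORT: (PBX, SIP_PORT)})),
        "mip": port_preserved(Mip(MIP_ADDR, PBX)),
    }


if __name__ == "__main__":
    for name, result in compare_modes().items():
        print(f"{name:14s} {result}")
```

The model shows why the VIP alone did not cure the warnings in post 3: a VIP forwards inbound service ports to the host but does nothing for the host's own outbound traffic, which still leaves through interface NAT with a rewritten source port, while a MIP is a static one-to-one mapping applied in both directions, so the PBX's advertised ports match what the far end sees. Real behaviour additionally depends on the policies and on the SIP ALG, which the model ignores.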