SRX Services Gateway

VoIP and videocall problem through static NAT

‎08-23-2019 09:15 AM

Hello All,

I've set a static NAT on my Juniper SRX to a VoIP server. I've specified rules so that service can flow from either side. But the calls don't work, same for the video calls.

Any idea about it please? Is there something else to take into account and add to the configuration?

Regards

MIMSY


Re: VoIP and videocall problem through static NAT

‎08-23-2019 09:34 AM

Hi Mimsy,

 

Could you please let me know where the traffic is originating? Inside -> Outside or Outside to Inside.

 

Are you using SIP? If that's the case, could you please check whether the SIP ALG is enabled?

 

Since you're using Static NAT can you confirm whether L7 translations are happening? You can determine this by taking a packet capture on the SRX egress interface. Also, from the security flow session output, we can determine whether ALG is being triggered or not.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
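The "L7 translations" mentioned above are what separates a working SIP call from the no-audio case: the static NAT rewrites the IP header, but the SDP body inside the SIP message still names the server's private address as the RTP endpoint. The following is an added example, not code from the thread or from Juniper; it is a minimal model of the SIP ALG's layer-7 rewrite using the two addresses posted in the thread, with a constructed INVITE as input.

```python
# Added example, not from the thread: a minimal model of the SIP ALG's layer-7
# translation for a static-NAT'ed SIP server. Addresses are the ones in the thread;
# the INVITE is constructed for illustration.
import re

INSIDE_IP = "10.192.37.183"      # private address of the VoIP server (thread)
OUTSIDE_IP = "196.250.200.138"   # static-NAT public address (thread)

def build_invite(server_ip):
    """Constructed INVITE whose SDP advertises server_ip as the RTP endpoint."""
    body = ("v=0\r\n"
            f"o=alice 2890844526 2890844526 IN IP4 {server_ip}\r\n"
            f"c=IN IP4 {server_ip}\r\n"
            "m=audio 49170 RTP/AVP 0\r\n")
    headers = ("INVITE sip:bob@example.net SIP/2.0\r\n"
               f"Via: SIP/2.0/UDP {server_ip}:5060;branch=z9hG4bK776\r\n"
               f"Contact: <sip:alice@{server_ip}:5060>\r\n"
               "Content-Type: application/sdp\r\n"
               f"Content-Length: {len(body.encode())}\r\n")
    return headers + "\r\n" + body

def media_endpoint(message):
    """(ip, port) the peer will send RTP to, taken from the SDP c= and m= lines."""
    body = message.split("\r\n\r\n", 1)[1]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    return ip, port

def content_length(message):
    return int(re.search(r"^Content-Length: (\d+)", message, re.M).group(1))

def sip_alg_translate(message, inside, outside):
    """What the ALG does on top of the layer-3 static NAT: rewrite the private IP
    in Via/Contact and in the SDP (o=, c=), then fix Content-Length, because the
    public address is longer. A real ALG also opens a pinhole for media_endpoint()."""
    headers, body = message.split("\r\n\r\n", 1)
    ip_re = r"(?<![\d.])" + re.escape(inside) + r"(?![\d.])"
    body = re.sub(ip_re, outside, body)
    headers = re.sub(ip_re, outside, headers)
    headers = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body.encode())}",
                     headers, flags=re.M)
    return headers + "\r\n\r\n" + body

if __name__ == "__main__":
    raw = build_invite(INSIDE_IP)
    print("layer-3 NAT only: peer sends RTP to", media_endpoint(raw))   # private IP, unreachable
    print("with SIP ALG:     peer sends RTP to", media_endpoint(sip_alg_translate(raw, INSIDE_IP, OUTSIDE_IP)))
```

Running it shows the symptom from the thread: without the rewrite the far end is told to send media to 10.192.37.183, which it cannot reach, so signaling succeeds (the phone rings) while audio never flows.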

Re: VoIP and videocall problem through static NAT

‎08-23-2019 03:44 PM

MIMSY,

 

Can you share your static NAT and security-policies configuration related to this traffic, along with a basic topology of your network?

 

Also gather:

 

> show security alg status

 

Are the calls not getting established, or once the call is established you don't hear the other person?

 

Please mark my answer as the Solution if it applies.

Re: VoIP and videocall problem through static NAT

‎08-24-2019 07:53 PM

That definitely sounds like an ALG problem, as other people have mentioned.

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: VoIP and videocall problem through static NAT

‎08-25-2019 04:52 AM

Hello Noobster,

The traffic is originated from either side, and in the policies all applications are allowed (SIP included).

 


Re: VoIP and videocall problem through static NAT

‎08-25-2019 05:00 AM

Hello mrojas,

Below is the output of the show security alg status command:

user@CORE-SRX> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

The static NAT configuration is the following.

rule-set RuleSet_1 {
    from zone ISP;
    rule VoIP_rule {
        match {
            destination-address 196.250.200.138/32;
        }
        then {
            static-nat {
                prefix {
                    10.192.37.183/32;
                }
            }
        }
    }
}

Follow the link to an example of the design. You can consider this case as the server1 on the design.

Thanks,

MIMSY


Re: VoIP and videocall problem through static NAT

‎08-25-2019 05:16 AM

What protocol does your VoIP system use? SIP or H323?

You will need to ensure that the ALG is turned on; currently you have SIP but not H323.

 

And for the security policy that allows the VOIP traffic you will need to specify that protocol in the permit rules in order to engage the ALG.  If you have "any" as the application type this will need to change to the protocol in use by the system you have installed.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VoIP and videocall problem through static NAT

‎08-25-2019 05:43 AM

Mimsy,

 

Can you please share the output for the following commands?

 

user@host> show version 
user@host> show security match-policies from-zone <zone-name> to-zone <zone-name> source-ip <source IP> destination-ip <dest IP> source-port 5060 destination-port 5060 protocol udp
user@host> show security flow session source-prefix <source IP> destination-prefix <dest IP>

 



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: VoIP and videocall problem through static NAT

‎08-26-2019 05:29 PM

MIMSY,

 

I am summarizing here all the questions, from all posts, that are pending an answer:

- What signaling protocol are you using? (SIP, H323, other)
- Are the calls not getting established, or once the call is established you don't hear the other person?
- For the security policy that allows the VoIP traffic you will need to specify the predefined Junos application related to the signaling protocol being used, in order to engage its ALG. If you have application "any" then you need to change to the specific Junos application for the signaling protocol being used. Can you test this?
- Can you please share the output for the following commands?

 

user@host> show version 
user@host> show security match-policies from-zone <zone-name> to-zone <zone-name> source-ip <source IP> destination-ip <dest IP> source-port 5060 destination-port 5060 protocol udp
user@host> show security flow session source-prefix <source IP> destination-prefix <dest IP>   (take this during the phone call)

 

Please mark my answer as the Solution if it applies.

Re: VoIP and videocall problem through static NAT

‎08-27-2019 02:37 AM

Hello mrojas,

Thanks for the summary. It's easier to answer questions like that.

- Protocol: SIP

- It rings, but once established neither side hears the other.

- As for the policies, I just applied ANY for the precise destination address (which is static natted with the public IP)

- Commands output:

show version

node0:
--------------------------------------------------------------------------
Hostname: CORE-SRX-A
Model: srx1500
Junos: 15.1X49-D131.1
JUNOS Software Release [15.1X49-D131.1]

node1:
--------------------------------------------------------------------------
Hostname: CORE-SRX-B
Model: srx1500
Junos: 15.1X49-D131.1
JUNOS Software Release [15.1X49-D131.1]

show security match-policies from-zone <zone-name> to-zone <zone-name> source-ip <source IP> destination-ip <dest IP> source-port 5060 destination-port 5060 protocol udp

Can't complete this command because I don't have the source IPs from the other side.

show security flow session source-prefix <source IP> destination-prefix <dest IP>

Can't perform this one either; the customer is not using it now.

 

Hope I've been a bit clear with answers and they can drive us to a solution.

Thanks,

MIMSY


Re: VoIP and videocall problem through static NAT

‎08-27-2019 02:59 AM
- As for the policies, I just applied ANY for the precise destination address (which is static natted with the public IP)

Your policy will need to change from any to junos-sip

 

In order for the ALG to work the policy has to be configured to detect the ALG protocol, in your case sip.  This will then open the reverse ports needed for the call and allow the full call process to work.

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VoIP and videocall problem through static NAT

‎08-27-2019 03:37 AM

Hello Steve, Great to read from you again.

As for the ALG, do I need to specify a particular configuration on the router, or is it enabled by default?

Thanks

MIMSY


Re: VoIP and videocall problem through static NAT

‎08-27-2019 03:53 AM

Hi Mimsy,

 

For high end SRX, SIP is by default disabled and has to be enabled using the command "set security alg sip".

 

From the output you previously shared, I see that your device is an SRX1500, which is a high-end device. However, the output shows that SIP is already enabled.

 

Thanks,

Pradeep.


Re: VoIP and videocall problem through static NAT

‎08-27-2019 12:56 PM
 
As per the provided outputs the SIP ALG is already enabled on your firewall:
 
user@CORE-SRX> show security alg status 
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Disabled
SCCP : Disabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
 
In this case your security-policy needs to be using application junos-sip for the traffic to be processed properly. Please make sure your policy looks similar to the following example and provide us with your security-policy configuration if possible:
 
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match destination-address [Internal_10.192.37.183]
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match application junos-sip
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST then permit
 
Likewise, for the policy permitting outgoing traffic, try:
 
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-2-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-2-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-2-UNTRUST match application junos-sip
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-2-UNTRUST then permit
 
Make sure these policies don't have another policy before them; otherwise the traffic will hit the other policy and will never hit the junos-sip application. If you need to reorder the policies please use the following method:
 
 
 
 
Please mark my answer as the Solution if it applies.
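The two conditions in the post above (the VoIP policy must use junos-sip rather than "any", and no earlier policy in the same zone pair may catch the traffic first) can be checked mechanically against a set-command dump. The script below is an added example, not part of the thread or of Junos; the zone and policy names in its sample config are constructed, and only the address-book name Internal_10.192.37.183 comes from the post.

```python
# Added example, not from the thread: audit security-policy set commands for a
# VoIP policy still using application "any" and for a junos-sip policy shadowed
# by an earlier policy in the same zone pair. Sample names are constructed.
import re

SET_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) \[?(\S+?)\]?"
    r"|then (permit|deny))$")

SAMPLE_CONFIG = """
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-ALL match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-ALL match destination-address Internal_10.192.37.183
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-ALL match application any
set security policies from-zone UNTRUST to-zone TRUST policy ALLOW-ALL then permit
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match destination-address [Internal_10.192.37.183]
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST match application junos-sip
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-2-TRUST then permit
"""

def parse_policies(config):
    """Ordered list of (zone_pair, name, fields); Junos evaluates a zone pair's policies in config order."""
    policies = {}
    for line in config.strip().splitlines():
        m = SET_RE.match(line.strip())
        if m:
            fz, tz, name, field, value, action = m.groups()
            p = policies.setdefault(((fz, tz), name), {"source-address": set(),
                "destination-address": set(), "application": set(), "action": None})
            if action:
                p["action"] = action
            else:
                p[field].add(value)
    return [(zp, name, p) for (zp, name), p in policies.items()]

def covers(earlier, later):
    """True if every flow the later policy matches is already matched by earlier."""
    return all("any" in earlier[f] or later[f] <= earlier[f]
               for f in ("source-address", "destination-address", "application"))

def audit(config, sip_dest):
    """Findings for permit policies toward sip_dest that use application any, and
    for junos-sip policies shadowed by an earlier policy in the same zone pair."""
    findings, pols = [], parse_policies(config)
    for i, (zp, name, p) in enumerate(pols):
        to_server = {sip_dest, "any"} & p["destination-address"]
        if p["action"] == "permit" and to_server and "any" in p["application"]:
            findings.append(f"{name}: permits traffic to {sip_dest} with application any, so the SIP ALG is not engaged; use junos-sip")
        for ezp, ename, e in pols[:i]:
            if "junos-sip" in p["application"] and ezp == zp and covers(e, p):
                findings.append(f"{name}: junos-sip policy is shadowed by earlier policy {ename}; move it before {ename}")
    return findings
```

Calling audit(SAMPLE_CONFIG, "Internal_10.192.37.183") reports both problems for the sample: ALLOW-ALL matches application any, and UNTRUST-2-TRUST never sees the traffic because ALLOW-ALL precedes it.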

Re: VoIP and videocall problem through static NAT

‎08-27-2019 01:00 PM

For some reason a lot of "By" were inserted at the beginning of each of the lines in my previous post, please ignore those "By".

 

Please mark my answer as the Solution if it applies.

Re: VoIP and videocall problem through static NAT

‎08-28-2019 04:11 AM

Hi MROJAS,

Very clear explanations!

Really appreciate your feedback. I'll put them into practice and ask the customer for feedback.

Lots of thanks to you all, you're the best.

MIMSY