[FW-1] SIP/VoIP problems


  • To: [email protected]
  • Subject: [FW-1] SIP/VoIP problems
  • From: Jon Allingham <[email protected]>
  • Date: Fri, 24 Oct 2003 10:05:42 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcOaNTZgb1S/CQdiQnyoDbduTWKx+gAAC5Lg
  • Thread-topic: SIP/VoIP problems

I've been trying to make SIP VoIP work through an NG-AI firewall now for
quite some time. We've gotten it to the point where it seems that the
signaling is working in simple peer-peer instances, but the RTP doesn't
work. In a proxy configuration, I'm still stymied by the "illegal
redirection" message.
My configuration is as follows:
Hide NAT, with the NAT address the external FW address. Automatic
translation rules ticked. I have some static NAT mappings, but this
particular test uses a SIP phone with automatic hide NAT. (I know that
there is some problem in mixing static and hide NAT in the same VoIP
call.)
In Smart Defense I do NOT have verify SIP header content checked.
In the VoIP settings, I allow calls using a proxy or redirect server,
allow SIP IM, and allow redirects.
Two firewall rules, one for outbound and one for inbound:
        ANY     Internal-Network        SIP_ANY ALLOW
        Internal-Network        ANY     SIP_ANY ALLOW
At the moment I don't care if I can protect against hand-offs or
redirects because I can't even get the basics working.
When I call a SIP phone outside the firewall, the phones think they
connect, so the SIP signaling, including NAT, appears to be working, yet
the RTP connection doesn't come through and I see log messages
indicating the RTP connection from outside back in is getting blocked by
the firewall, instead of allowed through.
FWIW, because this was an upgrade from 4.1, I do not have 'Allow
bi-directional NAT' or 'Translate Dest on client side' for either
Automatic or manual rules set. I've never really understood why I would
want to change those settings and it isn't clear to me what happens if I
do change them on an otherwise working FW.

Here's an example of the Illegal Redirection message when I have a proxy
server in the outbound direction. Proxy is inside the FW. The external
address happens to be directly attached on our external router which is
also directly attached to the FW.

Action:                 Drop
Service:        sip (5060)
Source:         lab2n-chn-float (10.10.34.108)
Destination:    204.42.175.122
Protocol:       udp
Source Port:    10000
Information:    sip reason: Illegal redirection
10.10.34.108->10.10.30.121

--
Jon Allingham
Director, IT
Leapstone Systems
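The symptom above (signaling completes, RTP from outside is dropped) is the classic SIP-through-NAT failure: the RTP endpoints are not in the SIP headers at all but in the SDP body, so a firewall can only open the return pinholes if it parses the SDP and, under hide NAT, rewrites the private address and port the inside phone advertises. The following Python is an added example written for this page; it is not code from the post, from Check Point, or from any SIP stack. It constructs a minimal INVITE and 200 OK (the inside address 10.10.34.108 is the one in the post; 192.0.2.1 as the firewall's hide-NAT address and 203.0.113.5 as the outside phone are assumed documentation-range values, and the port mapping 10000 -> 30000 is invented), derives the UDP flows that must be permitted, and shows that without SDP rewriting the outside phone is told to send its audio to an unroutable 10.x address.

```python
"""Added example: SDP parsing, hide-NAT SDP rewriting and the RTP/RTCP pinholes
a SIP-aware firewall must open. Not from the original post or any vendor code.
Addresses: 10.10.34.108 (inside phone, from the post), 192.0.2.1 (assumed
firewall hide-NAT address), 203.0.113.5 (assumed outside phone)."""

INSIDE_PHONE, FW_PUBLIC, OUTSIDE_PHONE = "10.10.34.108", "192.0.2.1", "203.0.113.5"


def build(start_line, headers, sdp_lines):
    """Assemble a SIP message with an SDP body and a correct Content-Length."""
    body = "\r\n".join(sdp_lines) + "\r\n"
    hdrs = headers + ["Content-Type: application/sdp",
                      "Content-Length: %d" % len(body.encode())]
    return start_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed sample call: inside phone offers audio on 10000, outside answers on 20000.
INVITE = build("INVITE sip:bob@%s SIP/2.0" % OUTSIDE_PHONE, [
    "Via: SIP/2.0/UDP %s:5060;branch=z9hG4bK776asdhds" % INSIDE_PHONE,
    "From: <sip:alice@%s>;tag=1928301774" % INSIDE_PHONE,
    "To: <sip:bob@%s>" % OUTSIDE_PHONE,
    "Call-ID: a84b4c76e66710@%s" % INSIDE_PHONE,
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@%s:5060>" % INSIDE_PHONE,
], ["v=0", "o=alice 2890844526 2890844526 IN IP4 %s" % INSIDE_PHONE, "s=-",
    "c=IN IP4 %s" % INSIDE_PHONE, "t=0 0", "m=audio 10000 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000"])

OK_200 = build("SIP/2.0 200 OK", [
    "Via: SIP/2.0/UDP %s:5060;branch=z9hG4bK776asdhds" % FW_PUBLIC,
    "From: <sip:alice@%s>;tag=1928301774" % INSIDE_PHONE,
    "To: <sip:bob@%s>;tag=a6c85cf" % OUTSIDE_PHONE,
    "Call-ID: a84b4c76e66710@%s" % INSIDE_PHONE,
    "CSeq: 314159 INVITE",
    "Contact: <sip:bob@%s:5060>" % OUTSIDE_PHONE,
], ["v=0", "o=bob 2890844527 2890844527 IN IP4 %s" % OUTSIDE_PHONE, "s=-",
    "c=IN IP4 %s" % OUTSIDE_PHONE, "t=0 0", "m=audio 20000 RTP/AVP 0"])


def split_sip(msg):
    """Return (header_lines, body_lines) of a SIP message; tolerates LF or CRLF."""
    lines = msg.replace("\r\n", "\n").split("\n")
    if "" not in lines:
        return lines, []
    blank = lines.index("")
    return lines[:blank], [l for l in lines[blank + 1:] if l]


def parse_sdp_media(msg):
    """Media endpoint the SDP advertises: c= address, m=audio port, and the RTCP
    port (RTP port + 1 unless an a=rtcp attribute, RFC 3605, says otherwise)."""
    _, body = split_sip(msg)
    addr = rtp = rtcp = None
    for line in body:
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            rtp = int(line.split()[1])
        elif line.startswith("a=rtcp:"):
            rtcp = int(line[len("a=rtcp:"):].split()[0])
    if addr is None or rtp is None:
        raise ValueError("SDP lacks c= or m=audio line")
    return {"addr": addr, "rtp": rtp, "rtcp": rtcp if rtcp is not None else rtp + 1}


def rtp_pinholes(offer, answer):
    """UDP flows (src_addr, dst_addr, dst_port) the firewall must permit once the
    answer arrives; the *_in entries are exactly what the post sees being dropped."""
    a, b = parse_sdp_media(offer), parse_sdp_media(answer)
    return {
        "rtp_in":   (b["addr"], a["addr"], a["rtp"]),
        "rtcp_in":  (b["addr"], a["addr"], a["rtcp"]),
        "rtp_out":  (a["addr"], b["addr"], b["rtp"]),
        "rtcp_out": (a["addr"], b["addr"], b["rtcp"]),
    }


def hide_nat_sdp(msg, private_ip, public_ip, port_map):
    """Rewrite the SDP the way a NAT-aware firewall must under hide NAT: swap the
    private address in c=/o= for the hide-NAT address, translate the m= port via
    the allocated mapping, and fix Content-Length. (Via/Contact need the same
    treatment for signaling; the post reports that part already working.)"""
    headers, body = split_sip(msg)
    new_body = []
    for line in body:
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            f = line.split()
            f[1] = str(port_map[int(f[1])])
            line = " ".join(f)
        new_body.append(line)
    body_text = "\r\n".join(new_body) + "\r\n"
    hdrs = [h for h in headers if not h.lower().startswith("content-length:")]
    hdrs.append("Content-Length: %d" % len(body_text.encode()))
    return "\r\n".join(hdrs) + "\r\n\r\n" + body_text


if __name__ == "__main__":
    print("untranslated:", rtp_pinholes(INVITE, OK_200)["rtp_in"])   # dst 10.10.34.108 (unroutable)
    nat = hide_nat_sdp(INVITE, INSIDE_PHONE, FW_PUBLIC, {10000: 30000})
    print("hide NAT:    ", rtp_pinholes(nat, OK_200)["rtp_in"])      # dst 192.0.2.1:30000
```

Run it and compare the two `rtp_in` lines: without SDP rewriting the far end is told to send RTP to 10.10.34.108, which never reaches the firewall; with it, the inbound flow lands on the firewall's own address and mapped port, which is the pinhole the firewall has to have opened from the INVITE/200 OK pair rather than from any static rule.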

   All contents © 2004 Network Presence, LLC. All rights reserved.