[FW-1] SIP/VoIP problems
I've been trying to make SIP VoIP work through an NG-AI firewall now for quite some time. We've gotten it to the point where it seems that the signaling is working in simple peer-to-peer instances, but the RTP doesn't work. In a proxy configuration, I'm still stymied by the "illegal redirection" message.

My configuration is as follows: Hide NAT, with the NAT address the external FW address. Automatic translation rules ticked. I have some static NAT mappings, but this particular test uses a SIP phone with automatic hide NAT. (I know that there is some problem in mixing static and hide NAT in the same VoIP call.) In Smart Defense I do NOT have verify SIP header content checked. In the VoIP settings, I allow calls using a proxy or redirect server, allow SIP IM, and allow redirects.

Two firewall rules, one for outbound and one for inbound:

  Source            Destination       Service   Action
  ANY               Internal-Network  SIP_ANY   ALLOW
  Internal-Network  ANY               SIP_ANY   ALLOW

At the moment I don't care if I can protect against hand-offs or redirects because I can't even get the basics working. When I call a SIP phone outside the firewall, the phones think they connect, so the SIP signaling, including NAT, appears to be working, yet the RTP connection doesn't come through and I see log messages indicating the RTP connection from outside back in is getting blocked by the firewall, instead of allowed through.

FWIW, because this was an upgrade from 4.1, I do not have 'Allow bi-directional NAT' or 'Translate Dest on client side' set for either Automatic or manual rules. I've never really understood why I would want to change those settings and it isn't clear to me what happens if I do change them on an otherwise working FW.

Here's an example of the Illegal Redirection message when I have a proxy server in the outbound direction. Proxy is inside the FW. The external address happens to be directly attached on our external router, which is also directly attached to the FW.
  Action:       Drop
  Service:      sip (5060)
  Source:       lab2n-chn-float (10.10.34.108)
  Destination:  204.42.175.122
  Protocol:     udp
  Source Port:  10000
  Information:  sip reason: Illegal redirection 10.10.34.108->10.10.30.121

-- 
Jon Allingham
Director, IT
Leapstone Systems

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
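The symptom in the post (signaling completes, inbound RTP is dropped) is what a NAT-aware firewall produces when it does not act on the media description carried inside the SIP body: the RTP and RTCP ports are announced per m= line in the SDP, and the c= line names a private address that Hide NAT must rewrite, otherwise the far end has nowhere routable to send media. The Python below is an added illustration, not part of the post and not Check Point's code: it parses a constructed INVITE, lists the inbound UDP pinholes needed per stream (RTP on the advertised port, RTCP on the next port), skips disabled streams (port 0), and rewrites the SDP addresses the way a Hide NAT ALG must. The phone address 10.10.34.108 is taken from the post; the external address 203.0.113.10 and the message contents are constructed assumptions.

```python
"""Why SIP signaling can succeed while RTP is dropped: media ports live in the
SDP body, so a NAT-aware firewall must read every m= line, open matching
RTP/RTCP pinholes and rewrite the private c= address.

Added example, not from the original post or from Check Point. The INVITE is
constructed; 10.10.34.108 reuses the phone from the post, 203.0.113.10 is an
assumed external firewall address (documentation range)."""
from dataclasses import dataclass, replace

INTERNAL_PHONE = "10.10.34.108"
HIDE_NAT_ADDR = "203.0.113.10"  # assumption: the firewall's external address

# Constructed SDP body; CRLF line endings as on the wire.
SDP_BODY = "\r\n".join([
    "v=0",
    f"o=alice 2890844526 2890844526 IN IP4 {INTERNAL_PHONE}",
    "s=-",
    f"c=IN IP4 {INTERNAL_PHONE}",
    "t=0 0",
    "m=audio 10000 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "m=video 10002 RTP/AVP 31",
]) + "\r\n"

# Constructed SIP INVITE carrying that body.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    f"Via: SIP/2.0/UDP {INTERNAL_PHONE}:5060;branch=z9hG4bK776asdhds",
    f"From: <sip:alice@{INTERNAL_PHONE}>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    f"Contact: <sip:alice@{INTERNAL_PHONE}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP_BODY)}",
]) + "\r\n\r\n" + SDP_BODY


@dataclass(frozen=True)
class MediaStream:
    kind: str       # audio, video, ...
    addr: str       # connection address the far end will send media to
    rtp_port: int   # 0 means the stream is disabled
    proto: str      # e.g. RTP/AVP


def split_message(msg):
    """Split a SIP message into request line, lower-cased header dict and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(body):
    """One MediaStream per m= line. A c= before the first m= is session level;
    a c= after an m= applies only to that stream (RFC 4566)."""
    session_addr = None
    streams = []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]          # c=<nettype> <addrtype> <address>
            if streams:
                streams[-1] = replace(streams[-1], addr=addr)
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            streams.append(MediaStream(kind, session_addr, int(port), proto))
    return streams


def required_pinholes(streams):
    """Inbound UDP flows the firewall must permit for media to flow: RTP on the
    advertised port, RTCP on the next port up (RFC 3550 default pairing)."""
    holes = []
    for s in streams:
        if s.rtp_port == 0:        # rejected/disabled stream: nothing to open
            continue
        holes.append((s.addr, s.rtp_port, "RTP"))
        holes.append((s.addr, s.rtp_port + 1, "RTCP"))
    return holes


def rewrite_sdp_for_hide_nat(body, internal, external):
    """Replace the private address in c= and o= lines with the hide address.
    Without this the far end sends RTP to a 10.x address, which is the
    'signaling works, no media' symptom; the o= rewrite is for consistency."""
    out = []
    for line in body.splitlines():
        if line.startswith(("c=", "o=")) and line.endswith(" " + internal):
            line = line[: -len(internal)] + external
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def analyse(msg, internal, external):
    request_line, headers, body = split_message(msg)
    streams = parse_sdp_media(body)
    return {
        "method": request_line.split()[0],
        "content_length_ok": int(headers.get("content-length", -1)) == len(body.encode()),
        "streams": streams,
        "pinholes": required_pinholes(streams),
        "rewritten_sdp": rewrite_sdp_for_hide_nat(body, internal, external),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_INVITE, INTERNAL_PHONE, HIDE_NAT_ADDR)
    for addr, port, kind in result["pinholes"]:
        print(f"open inbound udp -> {addr}:{port} ({kind})")
    print(result["rewritten_sdp"])
```

Run it as a script to see the pinhole list and the rewritten SDP. The pinhole list is also the check to make when a call has audio in one direction only: if the firewall log shows inbound UDP to the phone being dropped on a port that appears in the list, the ALG opened nothing for that stream, and if the unrewritten 10.x address is still visible in the c= line that leaves the firewall, the far end never had a routable destination at all.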