Just wondering on your NAT rule, is it translating the source/dest ports, or you using originals? Using a static nat where you have one external IP? If you have more than one external IP, use a specific one for the NAT.
You could also create a separate service for 5060, and under Advanced choose None as the protocol type. Then build a rule to allow your Asterisk to talk to sipgate. I haven't tested any of this, but I've had to use protocol type None on lots of things to get some stuff through the inspections. I believe SmartDefense also has some VoIP-specific checks; I suppose try disabling these as well, since most times SmartDefense checks override even when protocol type None is selected.

Derek O'Flynn
LSU Health Sciences Center
Enterprise Information Security
(504) 628-4431
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of cisco4ng
Sent: Monday, September 25, 2006 5:12 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] FW-1 and Asterisk PBX

This will NOT work as long as your local SIP proxy is behind a Checkpoint firewall, Juniper/NetScreen or Cisco PIX firewall. These vendors claim to be "SIP" compliant; however, it is not a guaranteed thing. For this to work properly, you would need something like a Session Border Controller (SBC) near-end and far-end. I went through this a few months ago with something similar to Asterisk on a Juniper/NetScreen firewall.

HTH

Markus Hauke <[EMAIL PROTECTED]> wrote:

Hi there,

I've just configured an Asterisk PBX with some SIP phones connected to it on the LAN and an ISDN link. So far everything is working fine. But now I've tried to connect the PBX to an external SIP provider (sipgate.de in this case) through my VPN-1 NGX R61. I configured static NAT for the Asterisk machine, but the SIP registration fails all the time.

I observed some strange behavior in the NAT. The SIP registration packet (source port 5060, destination port 5060) reaches the firewall, changes the source port at the interior interface and to another high port at the exterior interface. But the answer packet will not be translated correctly.
This is what I see in fw monitor (n.n.n.n is my external IP address, 217.10.79.9 is the sipgate proxy):

eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0 UDP: 40625 -> 5060
eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495 UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973

So you can see, the answer packet does not get translated back to destination port 5060 and will not be accepted by the Asterisk machine (it answers with an ICMP port unreachable...).

Has anyone a hint for me? There are no SmartDefense settings for SIP, and I tried to configure a VoIP Domain SIP Proxy rule with no success.

Thanks
Markus

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
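As an added illustration (not part of the thread, and not Check Point or Asterisk code): a small Python checker that parses fw monitor lines in the format Markus posted, lists every field the firewall rewrote between two capture points, and verifies that the reply is delivered back to the socket the request originally left from. The only input is his trace reproduced verbatim, with n.n.n.n kept as the placeholder for the external address; the function names and the grouping of consecutive lines by IP id into one traversal are assumptions of this example, not fw monitor semantics. Run on the trace above it reports one finding: the reply comes back to 172.17.1.167:17973 although the request left 172.17.1.167:5060.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trace copied from the mailing-list post; n.n.n.n is the poster's placeholder for the external IP.
TRACE = """\
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0 UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0 UDP: 40625 -> 5060
eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495 UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495 UDP: 5060 -> 17973
"""

# Matches only the UDP line shape seen in the post (assumption: other fw monitor line forms are not handled).
LINE_RE = re.compile(
    r"^(?P<iface>[\w.]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=\d+\s+id=(?P<ident>\d+)\s+(?P=proto):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Hop:
    iface: str
    point: str  # i/I = before/after inbound inspection, o/O = before/after outbound inspection
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ident: int

    @property
    def where(self) -> str:
        return f"{self.iface}:{self.point}"


def parse_trace(text: str) -> List[Hop]:
    """Turn fw monitor lines into Hop records; an unknown line shape is an error, not silently skipped."""
    hops = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fw monitor line: {line}")
        d = m.groupdict()
        hops.append(Hop(iface=d["iface"], point=d["point"], src=d["src"], sport=int(d["sport"]),
                        dst=d["dst"], dport=int(d["dport"]), proto=d["proto"], ident=int(d["ident"])))
    return hops


def split_traversals(hops: List[Hop]) -> List[List[Hop]]:
    """Group consecutive hops carrying the same IP id and protocol as one packet crossing the firewall."""
    traversals: List[List[Hop]] = []
    for h in hops:
        if traversals and (traversals[-1][-1].ident, traversals[-1][-1].proto) == (h.ident, h.proto):
            traversals[-1].append(h)
        else:
            traversals.append([h])
    return traversals


def translations(traversal: List[Hop]) -> List[Tuple[str, str, object, object]]:
    """List (capture point, field, before, after) for every address or port rewritten between two points."""
    changes = []
    for prev, cur in zip(traversal, traversal[1:]):
        for field in ("src", "sport", "dst", "dport"):
            before, after = getattr(prev, field), getattr(cur, field)
            if before != after:
                changes.append((cur.where, field, before, after))
    return changes


def check_reply_translation(outbound: List[Hop], reply: List[Hop]) -> Optional[str]:
    """Compare the reply as delivered (last point) with the request as sent (first point).
    Return a description of the mismatch, or None when reverse NAT restored the original socket."""
    req, ans = outbound[0], reply[-1]
    if (ans.dst, ans.dport) == (req.src, req.sport):
        return None
    return (f"reply from {ans.src}:{ans.sport} delivered to {ans.dst}:{ans.dport}, "
            f"but the request left {req.src}:{req.sport}; reverse NAT did not restore the original socket")


def audit(text: str) -> List[str]:
    """Pair each outbound traversal with the reply whose external endpoints mirror its post-NAT endpoints."""
    travs = split_traversals(parse_trace(text))
    findings = []
    for a, b in zip(travs, travs[1:]):
        if (b[0].src, b[0].sport, b[0].dst, b[0].dport) == (a[-1].dst, a[-1].dport, a[-1].src, a[-1].sport):
            problem = check_reply_translation(a, b)
            if problem:
                findings.append(problem)
    return findings


if __name__ == "__main__":
    for t in split_traversals(parse_trace(TRACE)):
        for where, field, before, after in translations(t):
            print(f"{where}: {field} {before} -> {after}")
    for finding in audit(TRACE):
        print("FINDING:", finding)
```

The translation listing makes the two rewrites visible separately (source port at eth1.10:I, then source address and port at eth0:O), and the audit checks the property that actually matters for a stateless UDP listener such as a SIP stack bound to 5060: the reply must reach the exact socket the request was sent from, otherwise the host answers with ICMP port unreachable as Markus observed.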