NAT -> SIP Issues
by J. Oquendo

Hey all... I'm trying to assist someone who is having issues with their NS20 but I don't understand enough about their topology to get them working properly. So I have a quick question regarding SIP ;)

This is the relevant portion of their get config (at least pertaining to SIP)

set service "PBXtra" protocol udp src-port 0-65535 dst-port 5060-5060
set service "PBXtra" + udp src-port 0-65535 dst-port 10000-51000
set service "PBXtra" + udp src-port 0-65535 dst-port 4569-4569
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
set interface untrust ip 10.10.5.190/29
set interface untrust nat
set interface "untrust" mip 10.10.5.189 host 10.134.160.16 netmask 255.255.255.
set interface "untrust" mip 10.10.5.188 host 10.134.160.10 netmask 255.255.255.
set address Untrust "0.0.0.0/0" 0.0.0.0 0.0.0.0
set policy id 6 name "PBXtra" from "Untrust" to "Trust" "Any" "MIP(10.10.5.189)" "PBXtra" permit log
set policy id 6 application "SIP"
set policy id 6
set service "SIP"

... According to them, they cannot register phones from their location to the PBX to ours...

They don't want to place their PBX in a DMZ, they want it doing NAT, and from what I understand NAT+SIP is sketchy...

What's happening because of NAT is, when an outbound call goes out, the Netscreen's IP address replaces everything in the SIP message:

From 10.10.5.188 --> Netscreen --> 10.10.5.189 --> PBX
PBX 10.10.5.189 --> Netscreen ... Netscreen (And what am I to do with this!)

Is there a surefire implementation someone has used to get this working?

TIA

--
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn
Re: NAT -> SIP Issues
by john klasa

My experience shows that the SIP ALG is not working in all cases. Try to turn the SIP ALG off.

Regards,
John

J. Oquendo wrote:
> Hey all... I'm trying to assist someone who is having issues with their NS20 but I don't understand enough about their topology to get them working properly. So I have a quick question regarding SIP ;)
>
> This is the relevant portion of their get config (at least pertaining to SIP)
>
> set service "PBXtra" protocol udp src-port 0-65535 dst-port 5060-5060
> set service "PBXtra" + udp src-port 0-65535 dst-port 10000-51000
> set service "PBXtra" + udp src-port 0-65535 dst-port 4569-4569
> set alg sip app-screen unknown-message route permit
> set alg sip app-screen unknown-message nat permit
> set interface untrust ip 10.10.5.190/29
> set interface untrust nat
> set interface "untrust" mip 10.10.5.189 host 10.134.160.16 netmask 255.255.255.
> set interface "untrust" mip 10.10.5.188 host 10.134.160.10 netmask 255.255.255.
> set address Untrust "0.0.0.0/0" 0.0.0.0 0.0.0.0
> set policy id 6 name "PBXtra" from "Untrust" to "Trust" "Any" "MIP(10.10.5.189)" "PBXtra" permit log
> set policy id 6 application "SIP"
> set policy id 6
> set service "SIP"
>
> ... According to them, they cannot register phones from their location to the PBX to ours...
>
> They don't want to place their PBX in a DMZ, they want it doing NAT, and from what I understand NAT+SIP is sketchy...
>
> What's happening because of NAT is, when an outbound call goes out, the Netscreen's IP address replaces everything in the SIP message:
>
> From 10.10.5.188 --> Netscreen --> 10.10.5.189 --> PBX
> PBX 10.10.5.189 --> Netscreen ... Netscreen (And what am I to do with this!)
>
> Is there a surefire implementation someone has used to get this working?
>
> TIA
Re: NAT -> SIP Issues
by Pavel Lunin

Not only yours, John :)

Actually SIP alg is only needed in the case of a stupid client, which itself can't work around NAT. Today's clients almost all can do it. Trying together to cheat each other, the SIP alg and a client disturb the normal way of working. So usually it's normal to say

unset sip alg

Keep in mind that ScreenOS 5.1 (or maybe even 5.2) and older don't give a tip for 'set sip ?' for some reason. So don't be afraid, just say 'unset alg sip' :)

To get SIP telephony working properly, you usually need to configure policies for RTP, if the two sides of a call may be situated on different sides of the NetScreen. RTP uses the UDP protocol, but it's quite crazy with port numbers. First, ports depend on your SIP client. Second, saying 'a port' for RTP you mean the source port, not the destination. So for example if you use X-lite, you should say something like

set service "RTP_XLITE" protocol udp src-port 8000-8001 dst-port 1-65535

and then use RTP_XLITE in a policy:

set pol from trust to untrust sip-clients sip-pbx RTP_XLITE permit

I hope that's it.

--
Regards,
Pavel

2007/2/1, John Klasa <john@...>:
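
An added example, not part of the thread and not code from any poster: a small Python check that shows what the NAT problem discussed above looks like inside a SIP message once the ALG is off. It compares the addresses a client wrote into Via, Contact and the SDP c= line with the source IP the far side actually sees, and checks the advertised RTP port against a source-port range such as the 8000-8001 used for RTP_XLITE. The sample INVITE, the addresses and the function name are constructed, and it assumes the client sends RTP from the port it advertises in SDP.

```python
import re

# Constructed sample: an INVITE as a phone behind NAT sends it when nothing
# (neither an ALG nor the client itself) has rewritten the embedded addresses.
SAMPLE_INVITE = (
    "INVITE sip:100@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:201@pbx.example.net>;tag=1\r\n"
    "To: <sip:100@pbx.example.net>\r\n"
    "Contact: <sip:201@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def nat_report(message, observed_src_ip, rtp_src_ports=(8000, 8001)):
    """Return (unrewritten, media).

    unrewritten: (field, ip) pairs whose embedded address differs from the
                 source IP the receiving side saw on the packet.
    media:       (kind, port, in_range) per SDP m= line, where in_range says
                 whether the port falls inside the permitted RTP source range.
    """
    head, _, body = message.partition("\r\n\r\n")
    unrewritten = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            for ip in IPV4.findall(value):
                if ip != observed_src_ip:
                    unrewritten.append((name.strip(), ip))
    media = []
    lo, hi = rtp_src_ports
    for line in body.split("\r\n"):
        if line.startswith("c="):                # where the peer will send RTP
            for ip in IPV4.findall(line):
                if ip != observed_src_ip:
                    unrewritten.append(("SDP c=", ip))
        elif line.startswith("m="):              # advertised media port
            kind, port = line[2:].split()[:2]
            media.append((kind, int(port), lo <= int(port) <= hi))
    return unrewritten, media
```

An empty first list means the signalling and media addresses match what the far side sees; any entry is an address the PBX would try to reach and cannot.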