MichaelMiracle
asked on
Port-forwarding of ports TCP/UDP 5060 on Juniper NetScreen 5GT to use Asterisk from outside
Hello,
I am trying to setup port-forwarding on NetScreen 5GT so that I can register softphone over the Internet to Asterisk PBX which is running inside company office LAN.
Asterisk has IP address of 192.168.1.100.
Up to now, I cannot connect to Asterisk from outside network.
I configured three things below:
1. Added Custom services for UDP 5060 (I have tried several patterns of TCP 5060 only, both TCP&UDP 5060, and TCP/UDP5060 + UDP 10000-20000)
2. I added VIP on 'Untrust' interface using Custom services called "AsteriskUDP".
3. Also added policy to allow traffic from 'Untrust' to 'Trust' for the above service.
The relevant portion is copied and pasted in the following:
set service "AsteriskUDP" protocol udp src-port 0-65535 dst-port 5060-5060
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
set alg sip app-screen protect deny dst-ip 192.168.1.100/24
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface untrust vip untrust 5060 "AsteriskUDP" 192.168.1.100
set policy id 16 from "Untrust" to "Trust" "Any" "VIP(untrust)" "AsteriskUDP" nat dst ip
192.168.1.100 permit log
set policy id 16
With this configuration, I was trying to connect Softphone to Asterisk, but the network does not seem to go through. I used portal site of 'www.cman.jp' to check if the port-forwarding is active or not. But UDP cannot be confirmed with this service. Even TCP 5060 does not go through when I put TCP 5060 port-forwarding setup on 5GT separately.
On Asterisk, I enabled "TCPENABLE" statement to allow for registration using TCP packets.
But the situation does not change.
Please let me know if some configuration is missing or other things must be done.
Thanks in advance.
I am trying to setup port-forwarding on NetScreen 5GT so that I can register softphone over the Internet to Asterisk PBX which is running inside company office LAN.
Asterisk has IP address of 192.168.1.100.
Up to now, I cannot connect to Asterisk from outside network.
I configured three things below:
1. Added Custom services for UDP 5060 (I have tried several patterns of TCP 5060 only, both TCP&UDP 5060, and TCP/UDP5060 + UDP 10000-20000)
2. I added VIP on 'Untrust' interface using Custom services called "AsteriskUDP".
3. Also added policy to allow traffic from 'Untrust' to 'Trust' for the above service.
The relevant portion is copied and pasted in the following:
set service "AsteriskUDP" protocol udp src-port 0-65535 dst-port 5060-5060
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
set alg sip app-screen protect deny dst-ip 192.168.1.100/24
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface untrust vip untrust 5060 "AsteriskUDP" 192.168.1.100
set policy id 16 from "Untrust" to "Trust" "Any" "VIP(untrust)" "AsteriskUDP" nat dst ip
192.168.1.100 permit log
set policy id 16
With this configuration, I was trying to connect Softphone to Asterisk, but the network does not seem to go through. I used portal site of 'www.cman.jp' to check if the port-forwarding is active or not. But UDP cannot be confirmed with this service. Even TCP 5060 does not go through when I put TCP 5060 port-forwarding setup on 5GT separately.
On Asterisk, I enabled "TCPENABLE" statement to allow for registration using TCP packets.
But the situation does not change.
Please let me know if some configuration is missing or other things must be done.
Thanks in advance.
ASKER
I could register X-Lite phone inside the LAN network.
But when I tested 'telnet 192.168.1.100 5060', it says
"Connecting To 192.168.1.100...Could not open connection to the host, on port 506
0: Connect failed"
Please let me know how I can proceed.
Thanks.
But when I tested 'telnet 192.168.1.100 5060', it says
"Connecting To 192.168.1.100...Could not open connection to the host, on port 506
0: Connect failed"
Please let me know how I can proceed.
Thanks.
No firewall enabled on the system blocking 5060? The system being whatever OS you're running Asterisk on. CentOS?
MO
MO
ASKER
The O/S of Asterisk machine is Ubuntu. I haven't checked this machine as to any firewall setup. Since all the hard-phones are working on the same network as Asterisk, I think port 5060 (I don't know it is TCP or UDP) is open, but telnet connection is only prohibited?
Telnet is TCP based, so I was suggesting you use that since you commented that you enabled TCP for registration. If it's only UDP you might try netcat or hping to test with.
Obvisouly if you attempt registration externally it should log on the Juniper. Can you capture some logs and post them while attempting a registration externally?
MO
Obvisouly if you attempt registration externally it should log on the Juniper. Can you capture some logs and post them while attempting a registration externally?
MO
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi,
I tried to register soft-phone from external network location and got the attached log at "Policies".
Please kindly refer to the attached (part of address was cut out due to privacy reason).
Also according to the suggestion from Sangarnc, I disables SIP ALG.
But please instruct me on how to enable source-based NAT on Juniper.
Thanks.
5GT.bmp
I tried to register soft-phone from external network location and got the attached log at "Policies".
Please kindly refer to the attached (part of address was cut out due to privacy reason).
Also according to the suggestion from Sangarnc, I disables SIP ALG.
But please instruct me on how to enable source-based NAT on Juniper.
Thanks.
5GT.bmp
for the policy carrying SIP traffic, if you click on edit > advanced at the top of the screen you will see
Source Translation (DIP on) None (Use Egress Interface IP)
enable this setting using the check mark and leave DIP option as is.
Source Translation (DIP on) None (Use Egress Interface IP)
enable this setting using the check mark and leave DIP option as is.
ASKER
Is the suggested 'Policy' option for "outbound policy for the SIP traffic"?
Since I am not sure which it is, then I enabled Source Translation on both of 'Un-trust' to 'Trust' for SIP and 'Trust' to 'Un-trust' (Any - Any) policy.
And I did not create any entry into DIP on 'Un-trsut' Interface. Is this ok?
For the moment, situation does not change at all.
Since I am not sure which it is, then I enabled Source Translation on both of 'Un-trust' to 'Trust' for SIP and 'Trust' to 'Un-trust' (Any - Any) policy.
And I did not create any entry into DIP on 'Un-trsut' Interface. Is this ok?
For the moment, situation does not change at all.
ASKER
Hello,
To segregate the root cause between router and Asterisk, I replaced router with a simple broadband router with minimum functions.
And I just put port-forwarding of UDP=5060, and UDP=10000-20000 to the SIP server.
Besides, I noticed that I did not put NAT=YES in sip.conf. This was NAT=NO previously. I modified it accordingly and restarted Asterisk.
Then I could register X-Lite, and voice went through in both ways.
Also in-coming call made X-Lite rings properly and conversation could take place.
I may need to go back to Juniper firewall, and see if the current configuration should be good enough or not. And let you know.
Thanks for the moment. And I will come back soon.
To segregate the root cause between router and Asterisk, I replaced router with a simple broadband router with minimum functions.
And I just put port-forwarding of UDP=5060, and UDP=10000-20000 to the SIP server.
Besides, I noticed that I did not put NAT=YES in sip.conf. This was NAT=NO previously. I modified it accordingly and restarted Asterisk.
Then I could register X-Lite, and voice went through in both ways.
Also in-coming call made X-Lite rings properly and conversation could take place.
I may need to go back to Juniper firewall, and see if the current configuration should be good enough or not. And let you know.
Thanks for the moment. And I will come back soon.
ASKER
Registration issue on Juniper was solved. But voice does not go through at all.
Let me post another new question concerning UDP 10000-20000 port-forwarding.
Thanks for your help in registration.
Let me post another new question concerning UDP 10000-20000 port-forwarding.
Thanks for your help in registration.
ASKER
The answer stopped and nothing came so far. I wanted to be followed up to the end.<br />Is it always like this in this forum?
MichaelMiracle, I'm confused. The last correspondence we got from you was on 7-13 and it seemed to indicate that you were going to update Experts Exchange when you were ready to continue troubleshooting. We just now heard from you this morning 7-19. Was your expectation that we were all just watching and waiting for you to post again so we could immediately comment? Not even close to 24 hours has passed since your update post at 00:51:18 this morning.
Please have a little patience and the experts will be back in touch. Unfortunately, that's all I have to add to this. I'm not a Juniper guy, and it appears your issues are specific to the Juniper appliance you have. Most of our equipment is Cisco, so I can't really contribute much more.
Now that you've accepted an answer it's not likely that you'll get more comments. The only reason I returned to the thread was to see what the accepted resolution was. You might have to repost.
MO
Please have a little patience and the experts will be back in touch. Unfortunately, that's all I have to add to this. I'm not a Juniper guy, and it appears your issues are specific to the Juniper appliance you have. Most of our equipment is Cisco, so I can't really contribute much more.
Now that you've accepted an answer it's not likely that you'll get more comments. The only reason I returned to the thread was to see what the accepted resolution was. You might have to repost.
MO
ASKER
Hi,
Sorry for your confusion. But I thought that I could not have any more answers at the time of 13th when I was not updated for two days. That is because I posted another comments on 13th. But any reply including the questions made on 11th came to me after 13th. I was expecting at least something or just a note from experts. But no one came back after three straight comments. But maybe I should have more patient on this.
The reason why I selected the best answer was it was concerning practical Juniper configuration method. However, I have not obtained exact configuration of 5GT, and only registration was solved by entering NAT=YES (on SIP.conf) which information, I happened to know from another source.
Sorry for your confusion. But I thought that I could not have any more answers at the time of 13th when I was not updated for two days. That is because I posted another comments on 13th. But any reply including the questions made on 11th came to me after 13th. I was expecting at least something or just a note from experts. But no one came back after three straight comments. But maybe I should have more patient on this.
The reason why I selected the best answer was it was concerning practical Juniper configuration method. However, I have not obtained exact configuration of 5GT, and only registration was solved by entering NAT=YES (on SIP.conf) which information, I happened to know from another source.
So there is still a lingering issue, right? Phones are registering, you get dial tone, the phone rings out, etc. which means signalling is fine? You have no RTP stream (you're not hearing the recipient of the call and they aren't hearing you) though when someone picks up the call, right?
MO
MO
ASKER
Yes, I have. Precisely the situation is shown below:
Inside -> Out : When calling outside extension, only voice message appears saying this extension is not available. And of course, outside extension does not ring at all.
Outside -> Inside : Extension can call inside extension and both side can hear calling tone. But after picking up the handset, nothing happens. The connection is kept, but both sides can hear anything.
For allowing RTP packets going through, I think UDP 10000-20000 ports should be allowed.
But how exactly I can configure this is not known. Maybe combination of Address Object and Policy Setting can solve this. What I want to know is how I should make entry into Juniper F/W.
Inside -> Out : When calling outside extension, only voice message appears saying this extension is not available. And of course, outside extension does not ring at all.
Outside -> Inside : Extension can call inside extension and both side can hear calling tone. But after picking up the handset, nothing happens. The connection is kept, but both sides can hear anything.
For allowing RTP packets going through, I think UDP 10000-20000 ports should be allowed.
But how exactly I can configure this is not known. Maybe combination of Address Object and Policy Setting can solve this. What I want to know is how I should make entry into Juniper F/W.
Have you tried to use the incoming predefined policy for VOIP? Drop any custom policy you might have created for this and use the VOIP policy. You don't need one definied for SIP specifically because it's part of VOIP. SIP ALG should be enabled so you don't have to worry about setting up a policy or policies to allow RTP through. ALG for SIP will do the dynamic opening of ports for you.
MO
MO
Also here's a good read that might help you out: http://www.juniperforum.com/index.php?topic=6120.0
MO
MO
ASKER
After I enabled SIP ALG and added VOIP group service in the POLICIES for Untrust to Trust zdirection, situation could not be changed, unfortunately. It is the same as before.
Once concern is there comes no logging information on this new policy.
Once concern is there comes no logging information on this new policy.
I'm afraid I'm not much more help as I'm not entirely familiar with Juniper appliances. My recommendation would be to open a new question to attract more experts. If the device is under warranty you might also reach out to Juniper support.
MO
MO
ASKER
Thanks for your help so far. This machine is very old and no support contract, nor warranty.
example from command line: telnet 192.168.1.100 5060
If it allows the connection you'll most likely just get a black screen. If that works then we can move onto the firewall.
If the firewall appears to be the issue can you review the logs to determine if the connection from the system/softphone is being denied? Some firewalls explicitly block port 5060. You might review the configuration to see if that's a possibility.
MO