Hello,
I am trying to set up port forwarding on a NetScreen 5GT so that I can register a softphone over the Internet to an Asterisk PBX which is running inside the company office LAN.
Asterisk has IP address of 192.168.1.100.
Up to now, I cannot connect to Asterisk from outside network.
I configured three things below:
1. Added Custom services for UDP 5060 (I have tried several patterns of TCP 5060 only, both TCP&UDP 5060, and TCP/UDP5060 + UDP 10000-20000)
2. I added VIP on 'Untrust' interface using Custom services called "AsteriskUDP".
3. Also added policy to allow traffic from 'Untrust' to 'Trust' for the above service.
The relevant portion is copied and pasted in the following:
set service "AsteriskUDP" protocol udp src-port 0-65535 dst-port 5060-5060
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
set alg sip app-screen protect deny dst-ip 192.168.1.100/24
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface untrust vip untrust 5060 "AsteriskUDP" 192.168.1.100
set policy id 16 from "Untrust" to "Trust" "Any" "VIP(untrust)" "AsteriskUDP" nat dst ip 192.168.1.100 permit log
set policy id 16
With this configuration, I was trying to connect the softphone to Asterisk, but the network does not seem to go through. I used the portal site 'www.cman.jp' to check whether the port forwarding is active or not, but UDP cannot be confirmed with this service. Even TCP 5060 does not go through when I put a TCP 5060 port-forwarding setup on the 5GT separately.
On Asterisk, I enabled "TCPENABLE" statement to allow for registration using TCP packets.
But the situation does not change.
Please let me know if some configuration is missing or other things must be done.
Thanks in advance.
example from command line: telnet 192.168.1.100 5060
If it allows the connection you'll most likely just get a black screen. If that works then we can move on to the firewall.
If the firewall appears to be the issue can you review the logs to determine if the connection from the system/softphone is being denied? Some firewalls explicitly block port 5060. You might review the configuration to see if that's a possibility.
MO