Link to home
Start Free TrialLog in
Avatar of MichaelMiracle

asked on

Port-forwarding of ports TCP/UDP 5060 on Juniper NetScreen 5GT to use Asterisk from outside


I am trying to setup port-forwarding on NetScreen 5GT so that I can register softphone over the Internet to Asterisk PBX which is running inside company office LAN.
Asterisk has IP address of

Up to now, I cannot connect to Asterisk from outside network.

I configured three things below:
1. Added Custom services for UDP 5060 (I have tried several patterns of TCP 5060 only, both TCP&UDP 5060, and TCP/UDP5060 + UDP 10000-20000)

2. I added VIP on 'Untrust' interface using Custom services called "AsteriskUDP".

3. Also added policy to allow traffic from 'Untrust' to 'Trust' for the above service.

The relevant portion is copied and pasted in the following:
set service "AsteriskUDP" protocol udp src-port 0-65535 dst-port 5060-5060
set alg sip app-screen unknown-message route permit
set alg sip app-screen unknown-message nat permit
set alg sip app-screen protect deny dst-ip
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface untrust vip untrust 5060 "AsteriskUDP"
set policy id 16 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "AsteriskUDP" nat dst ip permit log
set policy id 16

With this configuration, I was trying to connect Softphone to Asterisk, but the network does not seem to go through. I used portal site of '' to check if the port-forwarding is active or not. But UDP cannot be confirmed with this service. Even TCP 5060 does not go through when I put TCP 5060 port-forwarding setup on 5GT separately.

On Asterisk, I enabled "TCPENABLE" statement to allow for registration using TCP packets.
But the situation does not change.

Please let me know if some configuration is missing or other things must be done.

Thanks in advance.
Avatar of Michael Ortega
Michael Ortega
Flag of United States of America image

First thing first, can you register phones internally in the office? Can you do a simple telnet test from a workstation on the LAN to the PBX using port 5060?

example from command line: telnet 5060

If it allows the connection you'll most likely just get a black screen. If that works then we can move onto the firewall.

If the firewall appears to be the issue can you review the logs to determine if the connection from the system/softphone is being denied? Some firewalls explicitly block port 5060. You might review the configuration to see if that's a possibility.

Avatar of MichaelMiracle


I could register X-Lite phone inside the LAN network.
But when I tested 'telnet 5060', it says
"Connecting To not open connection to the host, on port 506
0: Connect failed"

Please let me know how I can proceed.

No firewall enabled on the system blocking 5060? The system being whatever OS you're running Asterisk on. CentOS?

The O/S of Asterisk machine is Ubuntu. I haven't checked this machine as to any firewall setup. Since all the hard-phones are working on the same network as Asterisk, I think port 5060 (I don't know it is TCP or UDP) is open, but telnet connection is only prohibited?
Telnet is TCP based, so I was suggesting you use that since you commented that you enabled TCP for registration. If it's only UDP you might try netcat or hping to test with.

Obvisouly if you attempt registration externally it should log on the Juniper. Can you capture some logs and post them while attempting a registration externally?

Avatar of Sanga Collins
Sanga Collins
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial

I tried to register soft-phone from external network location and got the attached log at "Policies".
Please kindly refer to the attached (part of address was cut out due to privacy reason).

Also according to the suggestion from Sangarnc, I disables SIP ALG.
But please instruct me on how to enable source-based NAT on Juniper.

for the policy carrying SIP traffic, if you click on edit > advanced at the top of the screen you will see

 Source Translation        (DIP on)   None (Use Egress Interface IP)

enable this setting using the check mark and leave DIP option as is.
Is the suggested 'Policy' option for "outbound policy for the SIP traffic"?
Since I am not sure which it is, then I enabled Source Translation on both of 'Un-trust' to 'Trust' for SIP and 'Trust' to 'Un-trust' (Any - Any) policy.

And I did not create any entry into DIP on 'Un-trsut' Interface. Is this ok?

For the moment, situation does not change at all.
To segregate the root cause between router and Asterisk, I replaced router with a simple broadband router with minimum functions.
And I just put port-forwarding of UDP=5060, and UDP=10000-20000 to the SIP server.

Besides, I noticed that I did not put NAT=YES in sip.conf. This was NAT=NO previously. I modified it accordingly and restarted Asterisk.

Then I could register X-Lite, and voice went through in both ways.
Also in-coming call made X-Lite rings properly and conversation could take place.

I may need to go back to Juniper firewall, and see if the current configuration should be good enough or not. And let you know.

Thanks for the moment. And I will come back soon.
Registration issue on Juniper was solved. But voice does not go through at all.
Let me post another new question concerning UDP 10000-20000 port-forwarding.
Thanks for your help in registration.
The answer stopped and nothing came so far. I wanted to be followed up to the end.<br />Is it always like this in this forum?
MichaelMiracle, I'm confused. The last correspondence we got from you was on 7-13 and it seemed to indicate that you were going to update Experts Exchange when you were ready to continue troubleshooting. We just now heard from you this morning 7-19. Was your expectation that we were all just watching and waiting for you to post again so we could immediately comment? Not even close to 24 hours has passed since your update post at 00:51:18 this morning.

Please have a little patience and the experts will be back in touch. Unfortunately, that's all I have to add to this. I'm not a Juniper guy, and it appears your issues are specific to the Juniper appliance you have. Most of our equipment is Cisco, so I can't really contribute much more.

Now that you've accepted an answer it's not likely that you'll get more comments. The only reason I returned to the thread was to see what the accepted resolution was. You might have to repost.

Sorry for your confusion. But I thought that I could not have any more answers at the time of 13th when I was not updated for two days. That is because I posted another comments on 13th. But any reply including the questions made on 11th came to me after 13th. I was expecting at least something or just a note from experts. But no one came back after three straight comments. But maybe I should have more patient on this.
The reason why I selected the best answer was it was concerning practical Juniper configuration method. However, I have not obtained exact configuration of 5GT, and only registration was solved by entering NAT=YES (on SIP.conf) which information, I happened to know from another source.
So there is still a lingering issue, right? Phones are registering, you get dial tone, the phone rings out, etc. which means signalling is fine? You have no RTP stream (you're not hearing the recipient of the call and they aren't hearing you) though when someone picks up the call, right?

Yes, I have. Precisely the situation is shown below:

Inside -> Out : When calling outside extension, only voice message appears saying this extension is not available. And of course, outside extension does not ring at all.

Outside -> Inside : Extension can call inside extension and both side can hear calling tone. But after picking up the handset, nothing happens. The connection is kept, but both sides can hear anything.

For allowing RTP packets going through, I think UDP 10000-20000 ports should be allowed.
But how exactly I can configure this is not known. Maybe combination of Address Object and Policy Setting can solve this. What I want to know is how I should make entry into Juniper F/W.
Have you tried to use the incoming predefined policy for VOIP? Drop any custom policy you might have created for this and use the VOIP policy. You don't need one definied for SIP specifically because it's part of VOIP. SIP ALG should be enabled so you don't have to worry about setting up a policy or policies to allow RTP through. ALG for SIP will do the dynamic opening of ports for you.

Also here's a good read that might help you out:

After I enabled SIP ALG and added VOIP group service in the POLICIES for Untrust to Trust zdirection, situation could not be changed, unfortunately. It is the same as before.
Once concern is there comes no logging information on this new policy.
I'm afraid I'm not much more help as I'm not entirely familiar with Juniper appliances. My recommendation would be to open a new question to attract more experts. If the device is under warranty you might also reach out to Juniper support.

Thanks for your help so far. This machine is very old and no support contract, nor warranty.