Scenario

You have an Asterisk server behind a Check Point firewall trying to contact a VoIP provider located on the Internet.

Problem

- SIP requires that your VoIP provider be able to contact you through your firewall on the port that you registered from.
- When your Asterisk box registers, it registers with both source and destination port of UDP 5060.
- Unfortunately, Check Point NATs the source port on the way out to some random high-numbered port.
- The VoIP provider sees that high-numbered port as the return port number and initiates contact with you on that port.
- Check Point takes that incoming high-numbered-port traffic and sends it back to the Asterisk server on that same high port, WHICH THE ASTERISK SERVER ISN’T LISTENING ON.
- The Asterisk server responds with ICMP Port Unreachable messages, basically saying, “Dude, I said 5060–what the hell is this other crap you’re sending me?”
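The quickest way to confirm that a firewall is rewriting the SIP source port is to look at what the provider echoes back in the `Via` header of its response: under RFC 3581 a client adds `;rport` to its Via, and the server fills in `;received=<ip>;rport=<port>` with the address and port the REGISTER actually arrived from. If `rport` differs from the port in the advertised sent-by (5060 here), the NAT has mangled the source port and the provider will reply to a port the Asterisk box never opened. The following is an added example, not code from the original post or from Asterisk or Check Point; the SIP messages in it are constructed samples, and the addresses, ports and branch values are made up for illustration.

```python
"""Detect SIP source-port rewriting from the Via header of a response.

RFC 3581: a client adds ";rport" to its Via; the server echoes the Via back
with ";received=<ip>;rport=<port>" set to the address and port the request
actually arrived from. Comparing those with the advertised sent-by values
shows whether a NAT device rewrote the address, the port, or both.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_SIP_PORT = 5060

# Constructed sample (not a real capture): the 200 OK a provider might return
# to a REGISTER from an Asterisk box at 10.0.0.5:5060 whose packet left the
# firewall from 203.0.113.7:41233 because the NAT rewrote the source port.
SAMPLE_REWRITTEN = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds;rport=41233;received=203.0.113.7\r\n"
    "From: <sip:1001@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:1001@sip.example.net>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@10.0.0.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: same registration through a NAT that translates the
# address but preserves the original source port (the behaviour wanted here).
SAMPLE_PORT_PRESERVED = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds;rport=5060;received=203.0.113.7\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

# sent-by: "SIP/2.0/UDP host[:port]" where host may be a bracketed IPv6 literal
_SENT_BY = re.compile(
    r"^SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$"
)


@dataclass(frozen=True)
class ViaCheck:
    advertised_host: str
    advertised_port: int
    received_host: Optional[str]  # value of ;received= if the server set it
    rport: Optional[int]          # value of ;rport= if the server filled it in

    @property
    def address_rewritten(self) -> bool:
        return self.received_host is not None and self.received_host != self.advertised_host

    @property
    def port_rewritten(self) -> bool:
        return self.rport is not None and self.rport != self.advertised_port


def top_via(message: str) -> str:
    """Return the value of the first Via header (long or compact 'v:' form)."""
    for line in message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            return value.strip()
    raise ValueError("message has no Via header")


def parse_via(via: str) -> ViaCheck:
    """Split a Via value into its sent-by part and the NAT-relevant parameters."""
    sent_by, *raw_params = (p.strip() for p in via.split(";"))
    m = _SENT_BY.match(sent_by)
    if m is None:
        raise ValueError(f"malformed Via sent-by: {sent_by!r}")
    params: Dict[str, Optional[str]] = {}
    for p in raw_params:
        key, _, val = p.partition("=")
        params[key.lower()] = val or None  # a bare ";rport" flag has no value
    rport = params.get("rport")
    return ViaCheck(
        advertised_host=m["host"],
        advertised_port=int(m["port"] or DEFAULT_SIP_PORT),
        received_host=params.get("received"),
        rport=int(rport) if rport else None,
    )


def diagnose(message: str) -> str:
    """Explain, in one line, what the response's Via says about NAT in the path."""
    c = parse_via(top_via(message))
    if c.rport is None:
        return "no rport in response: client did not request it or server ignores RFC 3581"
    if c.port_rewritten:
        return (f"source port rewritten {c.advertised_port} -> {c.rport}: the provider will "
                f"send to {c.rport}, which the SIP stack is not listening on")
    if c.address_rewritten:
        return f"address NAT only ({c.advertised_host} -> {c.received_host}), source port preserved"
    return "no NAT detected"


if __name__ == "__main__":
    print(diagnose(SAMPLE_REWRITTEN))
    print(diagnose(SAMPLE_PORT_PRESERVED))
```

Run against a response captured on the Asterisk box itself (for example from a packet capture on the LAN side of the firewall), the first diagnosis is exactly the failure described above; the second is what a port-preserving NAT produces. The check only works when the client sent `;rport` in its request and the provider honours it, which is why `diagnose` reports that case separately instead of guessing.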
Rant
Basically, the issue is that you can’t tell Check Point to NOT mangle
the source port of your outgoing SIP connections.
I’ve tried static NAT and I’ve tried editing the SIP service so that it uses
the “none” protocol handler. Nope. Regardless of the settings used, Check
Point changes the source port on the way out and breaks SIP.
The really sad part is that Linksys has solved this problem; you can
configure a cheapo router to use the original source port–but not a full,
enterprise-level Check Point box. It makes me physically ill.
[ I’m using a fully functioning demo of R65, for those of you who asked. The
fact that it’s a trial doesn’t affect its NAT functionality ]