Comments on: Checkpoint Firewall-1 and The SIP Protocol http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/ VoIP, Mobility, Security, Open Source, Science, Politics, and Technology. Mon, 17 Oct 2011 01:43:00 +0000 hourly 1 http://wordpress.org/?v= By: Duderonomy http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-30 Duderonomy Sat, 28 Mar 2009 21:00:52 +0000 http://blog.sekiur.com/?p=669#comment-30 were you using manual or automatic NAT? Auto-NAT seems to work fine, but anything else causes it to crap out. We're still having the same problem, after removing manual NAT rules, upgrading to R65 HFA 02, changing protocol type to none, disabling MGCP and SIP SmartDefense protections. On the phone with CP support for over four hours the other night with no success. Does anyone have any other suggestions? were you using manual or automatic NAT?
Auto-NAT seems to work fine, but anything else causes it to crap out.
We're still having the same problem, after removing manual NAT rules, upgrading to R65 HFA 02, changing protocol type to none, disabling MGCP and SIP SmartDefense protections. On the phone with CP support for over four hours the other night with no success. Does anyone have any other suggestions?

]]> By: Daniel Miessler http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-29 Daniel Miessler Fri, 27 Mar 2009 12:13:08 +0000 http://blog.sekiur.com/?p=669#comment-29 I solved it by moving to a Linksys router. A $40 system handles the NAT better than Check Point. Quite sad. I solved it by moving to a Linksys router. A $40 system handles the NAT better than Check Point. Quite sad.

]]> By: jvortega http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-28 jvortega Fri, 27 Mar 2009 07:40:46 +0000 http://blog.sekiur.com/?p=669#comment-28 Have you solved this yet? Have you tried increasing the UDP virtual session timeouts? Any performance issues on the firewall? Have you tried moving the sip rule closer to the top of the rule base? and do you have cleanup rules at the bottom for high port udp traffic? Have you solved this yet? Have you tried increasing the UDP virtual session timeouts? Any performance issues on the firewall? Have you tried moving the sip rule closer to the top of the rule base? and do you have cleanup rules at the bottom for high port udp traffic?

]]> By: Daniel Miessler http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-24 Daniel Miessler Wed, 18 Feb 2009 20:29:00 +0000 http://blog.sekiur.com/?p=669#comment-24 I disabled SmartDefense to make sure it wasn't the problem. As for the externip settings, I have those NAT settings in place buy my provider is still sending me traffic to my internal IP rather than to my external IP. I'm not sure how it's even making it back to me, but it seems like it should be coming to the host defined in externhost or externip. Thoughts? I disabled SmartDefense to make sure it wasn't the problem. As for the externip settings, I have those NAT settings in place buy my provider is still sending me traffic to my internal IP rather than to my external IP. I'm not sure how it's even making it back to me, but it seems like it should be coming to the host defined in externhost or externip.

Thoughts?

]]> By: jvortega http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-23 jvortega Wed, 18 Feb 2009 19:15:24 +0000 http://blog.sekiur.com/?p=669#comment-23 Have you tried playing around with the smartdefense settings.? Under SIP the only option disabled should be to block calls from unregistered users as this will be done by the asterisk box. Under SIP custom properties, the only option checked should be to block SIP calls that use two different voice connections and under SIP filtering you should not do any filtering and not drop unknown SIP methods. You should a rule on your firewall allowing udp 5060 and udp >10000 & < 20000. On your asterisk box, your sip_custom.conf config file should look like this. <br /> <br /> bindport = 5060 <br /> pedantic=no <br /> <br /> externip=[public ip address] <br /> localnet=A.B.C.0/255.255.255.0 <br /> <br /> Hope this helps. <br /> Have you tried playing around with the smartdefense settings.? Under SIP the only option disabled should be to block calls from unregistered users as this will be done by the asterisk box. Under SIP custom properties, the only option checked should be to block SIP calls that use two different voice connections and under SIP filtering you should not do any filtering and not drop unknown SIP methods. You should a rule on your firewall allowing udp 5060 and udp &gt;10000 &amp; &lt; 20000. On your asterisk box, your sip_custom.conf config file should look like this.

bindport = 5060

pedantic=no

externip=[public ip address]

localnet=A.B.C.0/255.255.255.0

Hope this helps.

]]> By: Daniel Miessler http://blog.sekiur.com/2008/12/checkpoint-firewall-1-and-the-sip-protocol/comment-page-1/#comment-22 Daniel Miessler Wed, 18 Feb 2009 04:37:07 +0000 http://blog.sekiur.com/?p=669#comment-22 I am having the same problem with outbound SIP connections getting their source port mangled by Check Point. I have modified my SIP service to the 'none' protocol handler, but the source port mangling is still taking place. How did you get Check Point to leave the source port alone on outbound SIP connections? Any help would be appreciated. I am having the same problem with outbound SIP connections getting their source port mangled by Check Point. I have modified my SIP service to the 'none' protocol handler, but the source port mangling is still taking place. How did you get Check Point to leave the source port alone on outbound SIP connections?

Any help would be appreciated.

]]>