Comments on: Problems with Check Point, NAT, and SIP

By: TabTwo

TabTwo — Sun, 22 Feb 2009 01:53:03 +0000

The basic issue here: SIP just sucks with NAT

Why should a NAT-device user the same source port? What if a second connection uses the same?

By: TabTwo

TabTwo — Sat, 21 Feb 2009 20:53:03 +0000

The basic issue here: SIP just sucks with NAT

Why should a NAT-device user the same source port? What if a second connection uses the same?

By: Check Point and Streaming Video

Check Point and Streaming Video — Wed, 18 Feb 2009 19:15:48 +0000

[...] Apparently Check Point breaks SIP. Daniel Miessler describes an issue Check Point has with an Asterisk VOIP server. [...]

By: Daniel Miessler

Daniel Miessler — Wed, 18 Feb 2009 19:00:12 +0000

Ok, I tried this and it looks like it's solved most of my problem. Awesome.

I did, however, get a failed call after placing an outgoing call, and received a bunch of unreachables like before. I wonder if it's because during the call I didn't have any outgoing registrations occurring (I haven't tested that yet), which would possibly cause the existing session to time out. If that's the case then it's going to be highly annoying to have to accept that I'll miss some calls if they happen to fall within a certain window.

Any thoughts on how to handle that? Should I increase my virtual session window even more to try and account for that? I want to avoid getting too extreme with it, and would rather implement a real solution than some sort of hack to get around this.

Thanks very much for the virtual session timeout tip, though--that seems to have have solved most of my unreachable issue.

By: Daniel Miessler

Daniel Miessler — Wed, 18 Feb 2009 17:59:56 +0000

The problem isn't the incoming port mapping; it's the outgoing SIP connection coming from the Asterisk system. The Check Point system doesn't give the packets back to port 5060 on the Asterisk box (the original source port); instead it gives it to the Asterisk box as the high level port IT created, which of course isn't accepting traffic–hence the ICMP unreachables.

By: RafalWeglarz

RafalWeglarz — Wed, 18 Feb 2009 16:42:13 +0000

I think I get the problem now ;). I'm not the VOIP guy, but isn't there any setting in Asterisk that says how external servers should reach it? So that you could do a mapping of extip:port->intip:port?
Besides it seems that VOIP is broken in the first place ;)

By: Augusto Paes de Barros

Augusto Paes de Barros — Wed, 18 Feb 2009 16:32:29 +0000

It should be handled by the "UDP virtual session" concept. The problem would be if the interval between UDP packets is too big, as the firewall will clean the state tables and will not understand the incoming packet as part of a previous "virtual session". If the communication is something regular it can be solved by increasing the UDP virtual session timeout, but if the packet flow is not constant (i.e. there are long time intervals between each UDP packet) it won't help at all.

For some stuff like this one, Check Point should have more granular controls, like UDP virtual session timeouts per protocol and/or rule.

By: RafalWeglarz

RafalWeglarz — Wed, 18 Feb 2009 14:30:19 +0000

Hi,
I have tested it. And although CheckPoint does change the source port, it does properly handle messages coming back. It properly changes the ports.
You mentioned that it is during the initial phase. If it not be during initial phase than I would guest that the problem might be that the UDP session times out. But it should be alive for at least 40 seconds (which is default). Could you provide me with pcap dumps? I do not want to install the whole asterisk thing :)

By: ghost16825

ghost16825 — Wed, 18 Feb 2009 13:31:02 +0000

Er....are you serious?
So you mean you can't create an inbound port forwarding rule? (which on most devices implies that the outbound source ports will be preserved)
Also are you sure the device doesn't have any SIP Application Layer Gateway functionality enabled?

By: Daniel Miessler

Daniel Miessler — Wed, 18 Feb 2009 12:19:11 +0000

Nope, that's the protocol handler trick I mentioned I already tried. Didn't work. But thanks for the link; I appreciate the effort.

By: RafalWeglarz

RafalWeglarz — Wed, 18 Feb 2009 08:27:16 +0000

Hi,
maybe this will help
http://blog.sekiur.com/2008/12/checkpoint-firew...

By: Daniel Miessler

Daniel Miessler — Wed, 18 Feb 2009 05:15:35 +0000

Hopefully I missed something. If anyone knows a solution for this I'd love to hear about it.