Problems with Check Point, NAT, and SIP


Scenario

  1. You have an Asterisk server behind a Check Point firewall that needs to reach a VoIP provider on the Internet

Problem

  1. SIP requires that your VoIP provider be able to reach you back through your firewall on the port you registered from

  2. When your Asterisk box registers, it uses UDP 5060 as both the source and the destination port

  3. Unfortunately, Check Point rewrites the source port on the way out to some random high-numbered port

  4. The VoIP provider sees that high-numbered port as the return port and initiates contact with you on it

  5. Check Point takes that incoming high-port traffic and hands it to the Asterisk server on that same high port, WHICH THE ASTERISK SERVER ISN'T LISTENING ON

  6. The Asterisk box (its kernel, strictly speaking, since nothing is bound to that port) responds with ICMP Port Unreachable messages, basically saying, "Dude, I said 5060. What the hell is this other crap you're sending me?"
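The mismatch in steps 3 and 4 is visible from the provider's side of the firewall: the REGISTER arrives from one UDP source port while its Via and Contact headers advertise another. The following script, an added example that is not part of the original post and not Check Point's or Asterisk's code, parses a constructed REGISTER (RFC 5737 documentation addresses, not real hosts), compares the advertised ports with the observed source address, works out where responses and later INVITEs will be sent under RFC 3261 section 18.2.2 and the RFC 3581 `rport` extension, and stamps the Via with `received=`/`rport=` the way a compliant provider would, so the inside host can see what the NAT did to it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIP_PORT = 5060  # default when a URI or Via carries no explicit port

# Constructed sample REGISTER, as an Asterisk box behind the firewall would send it:
# UDP source port 5060, Via and Contact both advertising 5060.  Not captured traffic.
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example-voip.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-0123;rport\r\n"
    "From: <sip:1001@sip.example-voip.net>;tag=abc\r\n"
    "To: <sip:1001@sip.example-voip.net>\r\n"
    "Call-ID: 4f2a@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

_HOSTPORT = re.compile(r"^(?P<host>[^:;>]+)(?::(?P<port>\d+))?")


def parse_headers(msg: str) -> Dict[str, str]:
    """First occurrence of each header, keyed by lowercase name (request line skipped)."""
    headers: Dict[str, str] = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def via_sent_by(via: str) -> Tuple[str, int, Dict[str, Optional[str]]]:
    """Split 'SIP/2.0/UDP host:port;p1=v1;p2' into sent-by host, port and parameters."""
    fields = via.split(";")
    m = _HOSTPORT.match(fields[0].split()[1])
    port = int(m.group("port")) if m.group("port") else SIP_PORT
    params: Dict[str, Optional[str]] = {}
    for p in fields[1:]:
        k, _, v = p.strip().partition("=")
        params[k.lower()] = v or None  # bare 'rport' has no value yet
    return m.group("host"), port, params


def contact_hostport(contact: str) -> Tuple[str, int]:
    """host:port from 'Contact: <sip:user@host:port;...>' (or the bare-URI form)."""
    uri = contact[contact.find("<") + 1:contact.find(">")] if "<" in contact else contact.split(";")[0]
    hostport = uri.split(":", 1)[1].rsplit("@", 1)[-1]  # drop 'sip:' scheme and user part
    m = _HOSTPORT.match(hostport)
    return m.group("host"), int(m.group("port")) if m.group("port") else SIP_PORT


@dataclass
class NatCheck:
    observed_src: Tuple[str, int]  # IP:port the provider actually saw the datagram come from
    via_sent_by: Tuple[str, int]   # what the top Via claims
    contact: Tuple[str, int]       # where the provider is told to send INVITEs
    rport_requested: bool          # RFC 3581 symmetric-response requested?

    @property
    def port_rewritten(self) -> bool:
        return self.observed_src[1] != self.via_sent_by[1]

    @property
    def address_rewritten(self) -> bool:
        return self.observed_src[0] != self.via_sent_by[0]

    def response_target(self) -> Tuple[str, int]:
        """Where responses go: observed source if rport, else received address at sent-by port."""
        if self.rport_requested:
            return self.observed_src
        return (self.observed_src[0], self.via_sent_by[1])


def check_register(msg: str, observed_src: Tuple[str, int]) -> NatCheck:
    h = parse_headers(msg)
    host, port, params = via_sent_by(h["via"])
    return NatCheck(observed_src, (host, port), contact_hostport(h["contact"]), "rport" in params)


def annotate_top_via(msg: str, observed_src: Tuple[str, int]) -> str:
    """Stamp received= (RFC 3261) and fill in rport= (RFC 3581) on the top Via."""
    lines = msg.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("via:"):
            name, value = line.split(":", 1)
            value = value.strip()
            host, _, params = via_sent_by(value)
            if host != observed_src[0]:
                value += f";received={observed_src[0]}"
            if "rport" in params:
                value = re.sub(r";rport(?=;|$)", f";rport={observed_src[1]}", value)
            lines[i] = f"{name}: {value}"
            break
    return "\r\n".join(lines)


def diagnose(check: NatCheck) -> List[str]:
    """Human-readable findings for the operator of the inside box."""
    findings = []
    if check.port_rewritten:
        findings.append(f"source port rewritten by NAT: advertised {check.via_sent_by[1]}, "
                        f"seen {check.observed_src[1]}")
    if check.address_rewritten:
        findings.append(f"source address rewritten by NAT: advertised {check.via_sent_by[0]}, "
                        f"seen {check.observed_src[0]}")
    if check.port_rewritten and check.contact[1] == check.via_sent_by[1]:
        findings.append(f"inside host listens on {check.contact[1]} only; anything the provider "
                        f"sends to {check.observed_src[1]} must be translated back to "
                        f"{check.contact[1]} by the firewall or it is unreachable")
    return findings


if __name__ == "__main__":
    # Outside view: the REGISTER left the firewall from 203.0.113.5:41234, not :5060.
    result = check_register(SAMPLE_REGISTER, ("203.0.113.5", 41234))
    for f in diagnose(result):
        print("!", f)
    print(annotate_top_via(SAMPLE_REGISTER, ("203.0.113.5", 41234)).split("\r\n")[1])
```

Run against a capture from the firewall's outside interface, the same comparison tells you in one line whether the source port survived the trip; on an unmodified path `port_rewritten` is false and `diagnose()` returns nothing.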

Rant

Basically, the issue is that you can't tell Check Point NOT to mangle the source port of your outgoing SIP connections.

I've tried static NAT, and I've tried editing the SIP service so that it uses the "none" protocol handler. Nope. Regardless of the settings used, Check Point changes the source port on the way out and breaks SIP.

The really sad part is that Linksys has solved this problem: you can configure a cheapo router to keep the original source port, but not a full, enterprise-level Check Point box. It makes me physically ill.

[ I'm using a fully functioning demo of R65, for those of you who asked. The fact that it's a trial doesn't affect its NAT functionality ]
