No audio with IP Office native firewall, SIP at 9.0.3

Status
Not open for further replies.

jyang12

IS-IT--Management
Aug 24, 2012
109
CA
We recently upgraded 2 sites from 7.0 to 9.0.3 with all latest patches. Everything turned out smoothly except that there is no audio with calls or VM - we later found out that as soon as we take the firewall profile off the WAN interface it works again. The same native firewall profile has been working in 7.0 for a couple of years and is not doing much more than the default. As a matter of fact, we even manually opened all ports on it, or created a new default profile, to see if that changes things. Apparently applying the firewall stops the audio; it is not really to do with opening/blocking any particular port. We use SIP trunking on these systems.

Has anybody had similar experience at 9.0(.3)? Thanks
 
I had the same issue and just put a WatchGuard in because the software firewall really sucks. It seems that R7 is OK and as of 8.1 it will act like this and block the SIP RTP ports.
I did not find a solution for it (tried for a couple of hours though as I am stubborn) and had the firewall handy so I used it rather than spending 20 hours on the solution to a bad Avaya program.

Joe W.

FHandw, ACSS (SME), ACIS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Thanks westi, did you need to do anything special on that WatchGuard unit, or did you simply restrict inbound to the external voice proxy with port 5060 static NAT to the IP Office? Wide open for outbound, right?

Thanks again.
 
Yes, that way nobody else can fumble around on the SIP ports.
But I did not do the programming myself, as I had a colleague at the time who did all of the company's WatchGuards; he liked it a special way and didn't want anyone else to do it differently.


Joe W.

FHandw, ACSS (SME), ACIS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
I guess I was trying to confirm whether there's anything special about firewalling IP Office, or whether it's standard NAT that even a person who knows nothing about SIP trunking can do, as long as you point out the IPs and port? I have a Cisco guy that I can use in that case.
 
Nothing special to it.
As long as you have the list of ports from your SIP provider, it's pretty much straightforward.

Disable SIP inspection/SIP ALG.

Btw, the firewall change on the IPO came in 9.0, need to customize the HEX rules to make it work.
I use it for inside protection, pointing it at the LAN, letting a hardware firewall take the outside guard post.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Thanks Gunnar, by "disable SIP inspection/SIP ALG" you mean on the firewall unit, not the IP Office, right? And so besides the list of IP/port to allow from our provider, protecting an IP Office is no different than a regular data network device, I suppose?

Thanks again.
 
Hi guys,

In order to make this change, on the IP Office side I only need to change the IP on the LAN2 (WAN) to an internal IP that connects to the LAN port of the firewall; no need to make any other change, right? Everything should just register through the same route that goes out from LAN2 through the firewall to the SIP provider link, correct?

Thanks for all the comments.
 
That is more or less correct.

You might have to run STUN, set up correct IP routes, etc.
(and yes, I meant the ALG on the Firewall. Sorry, didn't see your reply yesterday)

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Thanks Gunnar. Did you mean we need to start using STUN after putting a firewall in between? We haven't been using STUN on our SIP (not sure if the provider even supports it), and from what I can see we're doing a strictly physical network change here, which is not really SIP/VoIP specific? Same thing for routes: besides the gateway address, which will be the internal IP for LAN2, we should not need to change or add any new routes to the existing ones, right?
 
"might have to", but if you haven't done it before, leave it for now.

Just try, see if you get connected.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem
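
Once the IP Office sits behind the hardware firewall, the two points raised in the thread (SIP ALG disabled, and whether STUN is needed) can be checked by comparing one SIP message captured inside and outside the firewall. The following is an added example, not code from the thread or from Avaya; the sample INVITE, addresses, RTP range and function names are all constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE as it leaves the PBX (inside capture); all values made up.
INSIDE = """\
INVITE sip:15555550100@sip.provider.example SIP/2.0
Via: SIP/2.0/UDP 192.168.42.1:5060;branch=z9hG4bK-constructed
Contact: <sip:100@192.168.42.1:5060>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.168.42.1
s=-
c=IN IP4 192.168.42.1
t=0 0
m=audio 49152 RTP/AVP 0 8
"""
# Same INVITE captured outside a firewall whose SIP ALG rewrote the SDP.
ALG_OUTSIDE = (INSIDE.replace("192.168.42.1", "203.0.113.10")
                     .replace("m=audio 49152", "m=audio 20000"))
# INVITE from a PBX that already advertises its public address (e.g. via STUN).
PUBLIC = INSIDE.replace("192.168.42.1", "203.0.113.10")
ALLOWED_RTP = (49152, 53246)  # constructed; use the range your firewall permits

def media_endpoint(sip_message):
    """Return the (ip, port) the SDP body advertises for audio."""
    _, _, sdp = sip_message.replace("\r\n", "\n").partition("\n\n")
    addr = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):      # last c= line wins (one stream)
            addr = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return addr, port

def audit(inside, outside, rtp_range):
    """Compare inside/outside captures of one message; return findings."""
    findings = []
    if media_endpoint(inside) != media_endpoint(outside):
        findings.append("ALG_REWRITE")         # SIP payload changed in transit
    addr, port = media_endpoint(outside)
    if any(ipaddress.ip_address(addr) in net for net in RFC1918):
        findings.append("PRIVATE_MEDIA_ADDR")  # far end cannot route RTP here
    if not rtp_range[0] <= port <= rtp_range[1]:
        findings.append("RTP_PORT_NOT_ALLOWED")
    return findings
```

`ALG_REWRITE` means SIP inspection is still active on the firewall; `PRIVATE_MEDIA_ADDR` means the PBX is advertising its inside address, which is the case STUN or a configured public address is meant to cover unless the provider handles NAT on its side.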

 