SIP issues with new firewall

[jimcoo]

Hello, we have a Mitel 3300 v7.0

We attempted to change our firewall. With the new firewall in place, I could make a call out to my cell phone, but when I answered it, there was no audio.
The firewall guy says he has reproduced all port settings, rules and addresses. Since the only thing that has changed is the MAC address of the firewall, he was wondering if there are any settings in the Mitel SIP settings that might depend on the MAC address of the firewall.

Any help is appreciated.

thx
Jim

 

[bribob]

MBG doesn't care about MAC, only IP. I would lean towards UDP not being allowed on the inbound/outbound policy. Or possibly an overlooked NAT setting.

Is the MBG in the DMZ or LAN?

Firewall make/model?

Where are your test phones located (Internet, LAN, DMZ, etc...)

Is this a SIP trunking issue or a TW issue?

You should mention the version of your MBG as well.



-b

 

[bribob]

I need to refine my SIP question: Is this a SIP trunking or SIP Teleworker issue?


-b

 

[jimcoo]

The MBG is in the DMZ
The test phones were all on the LAN
This is a SIP issue, as we did not test TW phones
MBG version is 8.1.25

I will try to find out my firewall version from my firewall guy.

thanks,

 

[jimcoo]

The new firewall is a

TMG 2010 Migration

Cheers,
Jim

 

[bribob]

Might want to double check that firewall type, [Microsoft ForeFront] TMG 2010 is set to be EOS in 2020 so I doubt you're migrating to that platform just to migrate again in 2 years..

SIP trunking w/ no audio - the audio stream is UDP from IP phone (LAN) to MBG (DMZ), then UDP from MBG (DMZ) to SIP trunk provider in <Internet/WAN??>

Advise your firewall guy to inspect/capture the UDP/TCP port 5060+5061 traffic coming into the LAN interface, from the IP address of the 3300 to/from the MBG. Use a tool like WireShark to inspect the SDP portion of the SIP packets and you will find the UDP port number that the MBG/IP phones are to use for the audio stream. Repeat the process for traffic to/from the SIP provider and the MBG.

Note that the audio UDP port will not be the same for every call.

You can simplify the capture by looking at the LAN interface for ALL traffic coming from the IP address of the IP phone you are testing from. At the same time, look at the DMZ interface for ALL traffic coming from the IP address of the same IP phone. If you see traffic on the LAN interface, but not on the DMZ interface, your first place to troubleshoot is the LAN-to-DMZ and DMZ-to-LAN policies.

Once you've confirmed that UDP audio is streaming from the LAN to the DMZ, focus your attention to the DMZ-to-<SIP PROVIDER INTERFACE>. I'll assume your SIP provider is accessible via the Internet/WAN? Repeat the process looking for the IP addresses of the MBG and SIP provider. If you don't see UDP traffic to/from both IP addresses when looking at the DMZ interface AND the Internet/WAN interface, focus your attention on the DMZ-to-Internet/WAN and Internet/WAN-to-DMZ policies.

Note that some SIP trunking providers may use one IP address for SIP call control (UDP/TCP 5060/5061, port numbers may be different) and a different IP address for SIP media (UDP audio, port numbers are different)


-b