
Configuration of Juniper Firewall

Discussion in '3CX Phone System - General' started by ste111, Jul 5, 2009.

Thread Status:
Not open for further replies.
  1. ste111

    Hello,

    Is there anyone using a Juniper firewall?

    Which configuration works for you?

    Thanks in advance

    Stephan
     
  2. jdeverse

    Hello, I have an SSG-140 using ScreenOS.

    I currently have made a custom service which includes the SIP port (5060) and a range of RTP ports for audio (9000-9030).
    I tried to create a policy with NAT, but ended up just using a VIP - a possible problem with this is that the number of audio ports can use up your VIP allocation (depending on model).

    In order to do this I had to turn on multi-port VIPs with the command
    "set vip multi-port"

    Then I created an inbound policy for the VIP on that individual service so I could specify a DiffServ marking in the advanced options, and finished with an outbound rule on that individual VIP and allocated bandwidth as well as the DiffServ marking under Advanced -> Traffic Shaping.

    NetScreens allocate bandwidth based on the order of the policies, so the 3CX policy is above all other traffic, but below any policy-based VPN setups.

    I hope this helps.
     
  3. abouelric

    Hello,
    I did the same configuration as you suggested on a Juniper SSG5 firewall. I am having no audio and 3CX is saying "no RTP packets were received", and the call drops after 30 sec. This is occurring when calling from an Internet extension to another extension or to an outside number. What is weird is that calls to a VoIP provider are working perfectly.
    Any idea what is missing?
    Also, I have STUN turned off.

    Thanks
    Ricardo
     
  4. ste111

    Hello Ricardo,

    Same problem here. I also have an SSG5 (firmware 6.1.0r6.0). That's why I asked for a working configuration.

    @jdeverse
    Could you please describe your configuration in more detail?

    Do I understand it right that the SIP ALG does not work correctly?

    Currently I'm using Asterisk for testing and everything works with the ALG.
     
  5. jdeverse

    Hello guys, I don't know the official config, but I have always had more success disabling the SIP ALG on NetScreens.

    I don't think my current config is ideal, but it seems to work. I still have a decent delay on sip trunk calls, but I have to rule out my provider first.

    I need to sit down and get a policy based NAT working, but until I have time to figure it out, I just went through these steps.

    1. Enabled multi-port VIPs from the command shell:

    set vip multi-port
    and then:
    save

    2. Created a custom service with these entries:
    TCP src port: 0-65535, dst port: 5060-5060
    UDP src port: 0-65535, dst port: 5060-5060
    UDP src port: 0-65535, dst port: 9000-9030 - more on this one later.

    3. Created a VIP on the untrust interface with my custom service pointing to my 3CX server.

    4. Created a policy from Untrust to Trust for that VIP.

    Now, this is why the solution is not great: when you use a VIP with multiple ports, each port counts against the total number of VIPs available to you. I had to settle on using 30 and limiting my range. The last line in the custom rule should say UDP src port: 0-65535, dst port: 9000-9049.

    However, I could not use that many VIPs. I found the range of 9000 to 9030 to be a good compromise.
    You can limit the RTP ports in the advanced settings in 3CX.

    I do want to work on a solution using NAT within a policy and get rid of the VIP altogether.

    Hope this helps.
     
  6. jdeverse

    Oh, I also turned off UDP flood defense in the "Screen" settings.

    Here are a few of the lines from my config file.

    set service "Sip1" protocol tcp src-port 0-65535 dst-port 5060-5060
    set service "Sip1" + udp src-port 0-65535 dst-port 5060-5060
    set service "Sip1" + udp src-port 0-65535 dst-port 9000-9030
    set service "Sip1" timeout never

    set vip multi-port

    set interface ethernet0/2 vip interface-ip 5060 "Sip1" 192.168.0.145

    set address "Trust" "3CX" 192.168.0.145 255.255.255.255

    set policy id 30 name "3CX" from "Untrust" to "Trust" "Any" "3CX" "Sip1" permit log
    set policy id 30
    set log session-init
    exit
     
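The steps in the previous post and the config lines above follow one pattern, and the constraint the poster ran into (every port of a multi-port VIP consumes one VIP entry) is easy to get wrong by hand. As an added example that is not from the thread or from 3CX/Juniper, this Python script generates ScreenOS lines in the same shape as the posted config from a few parameters and trims the RTP range to fit an assumed VIP budget; the budget value and the helper names are mine, so check your model's actual VIP limit.

```python
# Added example (not from the thread): builds the ScreenOS lines posted above
# and enforces the multi-port VIP budget, since each forwarded port is one VIP.
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class VipPlan:
    service: str = "Sip1"             # ScreenOS custom service name
    untrust_if: str = "ethernet0/2"   # untrust interface carrying the VIP
    server_ip: str = "192.168.0.145"  # 3CX server on the Trust side
    sip_port: int = 5060
    rtp_first: int = 9000
    rtp_last: int = 9030
    vip_budget: int = 32              # ASSUMED per-model VIP limit, not from the thread


def ports_used(plan: VipPlan) -> int:
    """One VIP entry per forwarded port: SIP plus the whole RTP range."""
    return 1 + (plan.rtp_last - plan.rtp_first + 1)


def fits_budget(plan: VipPlan) -> bool:
    return ports_used(plan) <= plan.vip_budget


def trim_rtp_range(plan: VipPlan) -> VipPlan:
    """Drop RTP ports from the top of the range until the plan fits the budget.
    The trimmed range must also be set as the RTP range in 3CX's advanced
    settings, otherwise media is offered on ports the firewall never forwards."""
    if fits_budget(plan):
        return plan
    last = plan.rtp_first + (plan.vip_budget - 1) - 1  # budget minus SIP, inclusive
    if last < plan.rtp_first:
        raise ValueError("VIP budget too small for SIP plus one RTP port")
    return replace(plan, rtp_last=last)


def rtp_port_forwarded(plan: VipPlan, port: int) -> bool:
    """True if an RTP port offered by 3CX lies inside the forwarded range."""
    return plan.rtp_first <= port <= plan.rtp_last


def render(plan: VipPlan, policy_id: int = 30) -> List[str]:
    """Emit the config in the same shape as the lines posted in the thread."""
    if not fits_budget(plan):
        raise ValueError(f"{ports_used(plan)} ports exceed VIP budget {plan.vip_budget}")
    s, ip, sp = plan.service, plan.server_ip, plan.sip_port
    return [
        f'set service "{s}" protocol tcp src-port 0-65535 dst-port {sp}-{sp}',
        f'set service "{s}" + udp src-port 0-65535 dst-port {sp}-{sp}',
        f'set service "{s}" + udp src-port 0-65535 dst-port {plan.rtp_first}-{plan.rtp_last}',
        f'set service "{s}" timeout never',
        "set vip multi-port",
        f'set interface {plan.untrust_if} vip interface-ip {sp} "{s}" {ip}',
        f'set address "Trust" "3CX" {ip} 255.255.255.255',
        f'set policy id {policy_id} name "3CX" from "Untrust" to "Trust" "Any" "3CX" "{s}" permit log',
    ]
```

Running `render(trim_rtp_range(VipPlan(rtp_last=9049)))` reproduces the poster's compromise: the 9000-9049 range is cut back to 9000-9030 before any lines are emitted.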
  7. abouelric

    Hello everyone,
    I applied the same settings and I was able to get the audio to work one way, and the call is no longer disconnecting at 32 sec. Now how do I make the audio work both ways?
     