I have a problem with TFTP traffic passing through a firewall.
SIP server ---------------- FW ----------------- IPphone
My IP phone is assigned an IP address from the firewall. As a first step, the IP phone must download firmware from the SIP server. All traffic is NATed (source NAT with proxy ARP, and address-persistent is enabled). It seems the IP phone can't download firmware via TFTP. I captured packets; the output is below.
Please advise.
It looks like the ICMP traffic is what is blocked, while the TFTP seems to be working. Do you have ping allowed in the policy that permits the TFTP traffic?
From the view, it looks like the ICMP needs to be permitted in the opposite direction to the TFTP download. The policy would be from the server to the client; in this case that is not working.
I believe these ICMP messages are not a reply to an ICMP request, but rather the server informing that the port is not available; the most probable reason is that the server is busy. Can you share the complete pcap?
The complete PCAP file is at the link below (I can't attach the file).
You can filter for TFTP only. I already allow the policy from server to client. There's no hit count.
I moved the IP phone so that no NAT is performed. It works normally.
Can you collect "show security flow session source-prefix <iphone ip> destination-prefix <server IP>" in both scenarios?
The output is below.
root# ...ion source-prefix 192.168.20.70 destination-prefix 10.105.62.53
Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
Resource information : TFTP ALG, 9, 0
  In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
  Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
Resource information : TFTP ALG, 11, 0
  In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
  Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2

root# ...ion source-prefix 10.105.62.53 destination-prefix 192.168.20.70
Total sessions: 0
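An added example, not part of the thread: a short Python parser for `show security flow session` output in the shape posted above. The sample inside it is constructed for the example (the posted sessions re-spaced one field per line, not a fresh device capture). It extracts both wings of each session and flags what the later replies in the thread point at: the Out wing's destination is the translated address 172.19.0.196 rather than the phone's 192.168.20.70, and zero packets have come back on it, so traffic the server sends toward the phone needs a reverse (static or destination) NAT mapping. Field names such as `wings`, `pkts` and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the thread's output (one field per line).
SAMPLE = """\
Session ID: 22061, Policy name: TFTP-outgoing/7, Timeout: 60, Valid
Resource information : TFTP ALG, 9, 0
  In: 192.168.20.70/1024 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 2, Bytes: 156,
  Out: 10.105.62.53/69 --> 172.19.0.196/3179;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,

Session ID: 22073, Policy name: TFTP-outgoing/7, Timeout: 18, Valid
Resource information : TFTP ALG, 11, 0
  In: 192.168.20.70/1025 --> 10.105.62.53/69;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 89,
  Out: 10.105.62.53/69 --> 172.19.0.196/23837;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
# One wing: "In|Out: src/sport --> dst/dport;proto, ..., If: iface, Pkts: n, Bytes: n"
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Turn the CLI listing into a list of dicts, one per session, with In/Out wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "alg": None, "wings": {}}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Resource information"):
            # "Resource information : TFTP ALG, 9, 0" -> "TFTP ALG"
            cur["alg"] = line.split(":", 1)[1].split(",")[0].strip()
            continue
        w = WING_RE.match(line)
        if w:
            cur["wings"][w.group(1)] = {
                "src": w.group(2), "sport": int(w.group(3)),
                "dst": w.group(4), "dport": int(w.group(5)),
                "proto": w.group(6), "iface": w.group(7),
                "pkts": int(w.group(8)), "bytes": int(w.group(9)),
            }
    return sessions


def diagnose(session):
    """Findings for one session: is the client hidden behind NAT, and is it one-way?"""
    findings = []
    i, o = session["wings"].get("In"), session["wings"].get("Out")
    if not i or not o:
        return ["incomplete session (missing wing)"]
    # The Out wing is the reply direction; its destination is what the server sees.
    if i["src"] != o["dst"]:
        findings.append(f"source NAT: {i['src']} appears as {o['dst']} to the server")
    if i["pkts"] > 0 and o["pkts"] == 0:
        findings.append(f"one-way: {i['pkts']} pkt(s) out, 0 back; "
                        f"reply to {o['dst']}:{o['dport']} never matched this session")
    return findings


def nat_addresses(sessions):
    """Translated addresses the far end is actually talking to (Out-wing destinations)."""
    return {s["wings"]["Out"]["dst"] for s in sessions if "Out" in s["wings"]}


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    for s in parsed:
        print(f"Session {s['id']} ({s['alg']}, policy {s['policy']}):")
        for f in diagnose(s):
            print("  -", f)
    print("Server-side addresses needing a reverse mapping:", sorted(nat_addresses(parsed)))
```

Run it against the real listing by replacing `SAMPLE` with the pasted output; the addresses it prints are the ones to use as `destination-prefix` when checking the server-to-phone direction, since the server never sees the phone's real address.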
What is the TFTP ALG status? Is it disabled? If so, enable it and check:
show security alg status
It looks like you are doing source NAT on the IP phone; is that correct?
This would be why the reverse ICMP traffic does not work. The server is trying to ping the NAT address, and it would need a destination or static NAT rule in place for that to work.
Is that source nat required?
You're correct. I configured source NAT (pool) at first. It was still not working. Then I configured source NAT (1:1 mapping) with destination NAT instead of the old way. The problem is gone!
But now, TFTP is done but the IP phone still can't make a call. I think the root cause is NAT. Could you suggest what type of NAT is recommended for an IP phone, source NAT or static NAT?
Progress at least.
Make sure your policy allowing the connection uses the specific application that matches your PBX system and not just the "any" application.
Then make sure the matching ALG for the PBX application is turned on for the SRX.
This will allow the ALG to permit the random high ports for the call streams so the calls work.
The alternative is to find the protocol (usually UDP), direction and port ranges used by the calling protocol and set up policies that allow those streams.
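An added example, not from the thread or from Juniper: Junos set-style configuration putting the two NAT approaches discussed above side by side, followed by the application-specific policies and ALG checks recommended in the last reply. Addresses and interfaces are taken from the session output posted earlier (phone 192.168.20.70 behind ge-0/0/1.0, server 10.105.62.53 via ge-0/0/0.0, translated address 172.19.0.196); the zone names "trust"/"untrust" and every pool, rule-set, rule and address-book name are assumptions for the example.

```junos
## Added example; zone, pool, rule-set and address-book names are hypothetical.

## (a) The setup the thread describes as failing: source NAT from a pool.
## Outbound TFTP is translated, but nothing maps 172.19.0.196 back to the
## phone for traffic the server initiates (ICMP, SIP INVITE, RTP), which is
## why the server-to-phone session query returned zero sessions.
set security nat source address-persistent
set security nat source pool PHONE-POOL address 172.19.0.196/32
set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule PHONE-SNAT match source-address 192.168.20.70/32
set security nat source rule-set TRUST-TO-UNTRUST rule PHONE-SNAT then source-nat pool PHONE-POOL
set security nat proxy-arp interface ge-0/0/0.0 address 172.19.0.196/32

## (b) The 1:1 mapping that made TFTP work: static NAT is bidirectional, so the
## same rule also translates server->172.19.0.196 into server->192.168.20.70.
## Replace the source-NAT rule from (a) with this; keep the proxy-ARP entry.
delete security nat source rule-set TRUST-TO-UNTRUST rule PHONE-SNAT
set security nat static rule-set PHONE-STATIC from zone untrust
set security nat static rule-set PHONE-STATIC rule PHONE-1TO1 match destination-address 172.19.0.196/32
set security nat static rule-set PHONE-STATIC rule PHONE-1TO1 then static-nat prefix 192.168.20.70/32

## (c) Policies matching the specific predefined applications instead of "any",
## so the TFTP and SIP ALGs open the data and RTP ports for each session.
## Inbound policies on the SRX match the post-NAT (real) destination address.
set security address-book global address IP-PHONE 192.168.20.70/32
set security address-book global address SIP-SERVER 10.105.62.53/32
set security policies from-zone trust to-zone untrust policy TFTP-outgoing match source-address IP-PHONE
set security policies from-zone trust to-zone untrust policy TFTP-outgoing match destination-address SIP-SERVER
set security policies from-zone trust to-zone untrust policy TFTP-outgoing match application junos-tftp
set security policies from-zone trust to-zone untrust policy TFTP-outgoing then permit
set security policies from-zone trust to-zone untrust policy SIP-outgoing match source-address IP-PHONE
set security policies from-zone trust to-zone untrust policy SIP-outgoing match destination-address SIP-SERVER
set security policies from-zone trust to-zone untrust policy SIP-outgoing match application junos-sip
set security policies from-zone trust to-zone untrust policy SIP-outgoing then permit
set security policies from-zone untrust to-zone trust policy SIP-incoming match source-address SIP-SERVER
set security policies from-zone untrust to-zone trust policy SIP-incoming match destination-address IP-PHONE
set security policies from-zone untrust to-zone trust policy SIP-incoming match application junos-sip
set security policies from-zone untrust to-zone trust policy SIP-incoming then permit

## (d) Make sure neither ALG is disabled, commit, and verify.
delete security alg tftp disable
delete security alg sip disable
commit
run show security alg status
```

After the commit, repeat the `show security flow session` query in both directions: with static NAT in place the server-to-phone direction should now show sessions, and the Out wing of the TFTP session should carry a non-zero packet count.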