
How to allow SIP port from SRX 650

  • 1.  How to allow SIP port from SRX 650

    Posted 01-14-2021 17:01
    Hello

    The SIP port TCP 5060 is now allowed through two zones in the SRX650, even though I created a security policy with the "any" application, and that does not make the Cisco phone that uses SIP register.

    Appreciate your support

    Thanks


  • 2.  RE: How to allow SIP port from SRX 650

    Posted 01-15-2021 06:38
    Did you make sure that you are using a network phone rather than a plug and use? Some phones are for use on the network with SIP and other protocols. Others are for use on devices such as a cable modem with the phone jack ports directly on the modem. They use SIP but you can't use them on the internal network, past a gateway. I know I read documents and Avaya phones and others were that way. It's been some time since I've checked if the current standard has changed, which I kinda doubt.

    Some network phones (Ethernet jack) are for preconfigured SIP use which are plugged into other devices. They don't operate on configurable devices like the Juniper SRX.

    I think I read that. You should find this out if you don't know already.

    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)


  • 3.  RE: How to allow SIP port from SRX 650

    Posted 01-15-2021 11:02
    You're going to need to provide more information than that. Are you sure the traffic is hitting your policy? You can try enabling logging for the policy and see if traffic is hitting the policy. A couple of things you can do:
    1. Verify your policy is for the correct zones and is indeed permitted.
    2. Verify routing.

    ------------------------------
    Lou Rosa
    ------------------------------



  • 4.  RE: How to allow SIP port from SRX 650

    Posted 01-16-2021 13:14
    The SIP connection requires opening return ports automatically for the reverse direction of flow, which Junos refers to as ALG (application layer gateways). You apply these to the phone policy instead of the "any" rule and the SRX knows to allow for the full bi-directional protocol.

    example:

    set security policies from-zone private to-zone public policy outgoing match source-address phone
    set security policies from-zone private to-zone public policy outgoing match destination-address pbx
    set security policies from-zone private to-zone public policy outgoing match application junos-sip
    set security policies from-zone private to-zone public policy outgoing then permit

    Using the session command you can verify the traffic is permitted and hitting the desired policy, using the IP address of the phone as x and the PBX as y.

    show security flow session source-address x.x.x.x/32 destination-address y.y.y.y/32


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
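As an added example (not part of the thread or of Junos itself), a small Python script that parses `show security flow session` output in the format the last reply points to, reports which policy each of the phone's sessions matched, and flags sessions that landed on a different policy or have no return (Out) wing. The sample output, addresses, session IDs and policy names are constructed for the example.

```python
import re

# Constructed "show security flow session" output: IPs, IDs and policy names
# are invented for this example, not taken from the thread.
SAMPLE_OUTPUT = """\
Session ID: 20481, Policy name: outgoing/4, Timeout: 1796, Valid
  In: 10.10.1.50/49152 --> 192.0.2.10/5060;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 3240,
  Out: 192.0.2.10/5060 --> 10.10.1.50/49152;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 9, Bytes: 2880,

Session ID: 20490, Policy name: default-permit/6, Timeout: 58, Valid
  In: 10.10.1.50/16384 --> 192.0.2.10/20000;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 400, Bytes: 80000,
  Out: 192.0.2.10/20000 --> 10.10.1.50/16384;udp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 398, Bytes: 79600,

Session ID: 20502, Policy name: outgoing/4, Timeout: 2, Valid
  In: 10.10.1.50/49160 --> 192.0.2.10/5060;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 64,
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^/,]+)/\d+")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")

def parse_sessions(text):
    """Return one dict per session: id, matched policy name, and In/Out wings."""
    sessions = []
    for line in text.splitlines():
        head = SESSION_RE.match(line)
        if head:
            sessions.append({"id": int(head.group(1)), "policy": head.group(2), "wings": {}})
            continue
        wing = WING_RE.match(line)
        if wing and sessions:  # wing lines always follow their session header
            direction, src, sport, dst, dport, proto = wing.groups()
            sessions[-1]["wings"][direction] = {"src": src, "sport": int(sport),
                                                "dst": dst, "dport": int(dport), "proto": proto}
    return sessions

def audit_phone_sessions(sessions, phone_ip, expected_policy):
    """Per session involving phone_ip: (id, 'ok' | 'policy <name>' | 'missing-return-wing')."""
    results = []
    for s in sessions:
        inbound = s["wings"].get("In")
        if not inbound or phone_ip not in (inbound["src"], inbound["dst"]):
            continue  # not the phone's traffic
        if s["policy"] != expected_policy:
            results.append((s["id"], f"policy {s['policy']}"))
        elif "Out" not in s["wings"]:
            results.append((s["id"], "missing-return-wing"))
        else:
            results.append((s["id"], "ok"))
    return results
```

Paste the real command output into `SAMPLE_OUTPUT` (or read it from a file) and call `audit_phone_sessions(parse_sessions(text), "<phone-ip>", "outgoing")` to see which sessions hit the SIP policy and which fell through to another one.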