[cisco-voip] SIP Trunking and Checkpoint Firewall

Brantley Richbourg Brantley.Richbourg at MMICNC.COM
Tue Oct 27 10:14:35 EDT 2009


Does the Checkpoint support layer 7 SIP inspection?  The firewall is
going to need to be able to read the SIP messages to figure out which
UDP ports to open up for RTP (audio).  RTP uses UDP/1024-65536
typically, so you will either have to open all of those ports, or make
sure your firewall has SIP inspection.
 
The ASA does support SIP inspection.  I would recommend that firewall.
We are using Cisco's Zone-Based IOS Firewall on one of our routers and
the SIP inspection is buggy and does not work well at all.  I will be
replacing it with an ASA soon.

________________________________

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of STEVEN CASPER
Sent: Sunday, October 25, 2009 10:32 AM
To: cisco-voip voyp list
Subject: [cisco-voip] SIP Trunking and Checkpoint Firewall


We have successfully installed and tested SIP trunking from Verizon and
we are now trying to run the product behind a Checkpoint firewall. So
far we are not having any luck despite installing patches from
Checkpoint.

Inbound calls do not complete though I see signaling exchange. On an
outbound call the call completes but there is no audio in either
direction. It appears that Verizon dynamically changes ports and address
during call set up and the Checkpoint cannot adapt. Has anyone been
successful running IP trunking through a Checkpoint or any other
firewall? Thinking we may give an ASA a try.
 
Steve
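
What the reply means by a firewall reading the SIP messages to work out which UDP ports to open for RTP, as an added example that is not part of the original thread. The function name `rtp_pinholes`, the sample message and all addresses (documentation ranges) are constructed for illustration; only IPv4 `c=` lines are handled.

```python
import re

# Constructed sample: a 200 OK whose SDP sends media to a different host
# than the signaling peer (all addresses are from documentation ranges).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:gw@198.51.100.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 13760799 13760799 IN IP4 198.51.100.5\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.77\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)

def rtp_pinholes(sip_message, signaling_ip):
    """Return the UDP pinholes the SDP body of a SIP message asks for."""
    _, _, body = sip_message.partition("\r\n\r\n")  # headers end at blank line
    session_addr, current, pinholes = None, None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            rtp = int(m.group(2))
            # RTCP on RTP port + 1 is the usual default, assumed here.
            current = {"media": m.group(1), "addr": session_addr,
                       "rtp": rtp, "rtcp": rtp + 1}
            if rtp != 0:                      # port 0 means stream declined
                pinholes.append(current)
        elif c and current is None:
            session_addr = c.group(1)         # session-level c= line
        elif c:
            current["addr"] = c.group(1)      # media-level c= overrides it
    for p in pinholes:
        # A media host that differs from the signaling peer cannot be
        # covered by a static rule written for the signaling address.
        p["differs_from_signaling"] = p["addr"] != signaling_ip
    return pinholes

if __name__ == "__main__":
    for p in rtp_pinholes(SAMPLE_200_OK, "198.51.100.5"):
        print(p)
```
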

