[j-nsp] Non default SIP port and NAT

Sven Juergensen s.juergensen at kielnet.de
Mon May 14 07:26:13 EDT 2007


Hi list,

I'm currently banging my head against
the issues of sip+nat on client and
registrar side.

Basic scenario is an ssg550m (5.4.0r2.0)
MIPping the private ip address of a sip
registrar and two possibilities at the
UA-end:
(1) using a router w/ nat + STUN
(2) 'raw' access to the internet + STUN

A 'permit any' policy for the mip has
been defined.

Using sjphone for testing purposes, (2)
works well, the RTP-stream gets through
without any problems.

Sniffing packets on the machine using the
softphone, scenario (1) however tries to
forward the packets to the private ip of the
registrar, which obviously does not work.

I've been playing for a while with NAT-dst,
NAT-src and those combined as well as MIP;
alas it doesn't really seem to matter which
mechanism is being used here - currently
MIP is my favored way to go.

Am I correct to assume that, given the fact
that SIP doesn't run on port 5060 here, the ALG
of the netscreen device isn't kicking in and
if so, a 'permit any' to the MIPped host should
in theory do the trick?

I've been trying the same scenario on a cisco
pix and it works like a charm: 1:1 static nat,
'permit any'-rule and it works pretty much out
of the box. Netscreen lingo for 1:1 NAT would
be MIP, right?

Is there anything I'm missing? I'm aware that
dual NAT is a dreaded scenario in this context,
still: is it doable with screen os?

Thank you in advance and best regards,

Sven

