Help configuring FreePBX behind SSG140

I’m hoping someone might be able to give me a few pointers on a FreePBX 10/Juniper SSG140 combo. I inherited this firewall and an old TrixBox CE setup. As active development and updates to Trixbox stopped eons ago I built a FreePBX VM and attempted to cut over to it yesterday evening but had to revert to the Trixbox after I couldn’t get it fully working. I could place outbound calls without issue. I could place one or two inbound calls without issue as well, however, after either a few calls or a few minutes I could no longer place inbound calls. This would be the case until asterisk was restarted.

I’m guessing I’m missing something in my firewall config. When I try an inbound call and it doesn’t work I see nothing happening in the asterisk cli with the verbosity set very high.

The SSG140 untrust interface is set to route. I created a MIP and the FreePBX has its own IP. There is a policy from untrust to trust for that MIP with the appropriate ports allowed. Application (ALG) is set to None and NAT is NOT checked for source or destination translation.

Do I turn NAT on in the policy (src, dest, or both?) and what should the FreePBX NAT settings be?

The MIP takes care of the NAT.

What are the “appropriate ports”? What services do you have bound?

Please post output of show policy id x (where x is the untrust to trust) and show us your egress policy also.

Please also post service detail for the services bound to the policy ‘get service service_name’

As far as Asterisk NAT, go to the SIP_settings module and make sure you have the network/NAT set to match your network.

Thank you for the quick response. The Trix setup was done oddly and there are far more ports open than necessary. They are only open to my SIP provider’s servers though: udp 10000-50000, udp 5060-5082, tcp 5060-5061. I will fix these later. While troubleshooting this last night I changed it to allow anything in to eliminate it as the issue and I still had the problem.

MIP Policy:
SSG140-> get policy id 32
name:"none" (id 32), zone Untrust -> Trust,action Permit, status "enabled"
4 sources: "CBeyond DNS1", "CBeyond DNS2", "CBeyond SIP1", "CBeyond SIP2"
1 destination: "MIP(X.X.X.X)"
1 service: "VOIP Custom Services"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010200, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 81, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 10731, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set

Egress Policy:
SSG140-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status "enabled"
src "Any", dst "Any", serv "ANY"
Rules on this VPN policy: 0
nat src, Web filtering disabled
vpn unknown vpn, policy flag 00010420, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log init close, log count 389765, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 940946901, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set

Service Detail:
SSG140-> get service "VOIP Custom Services"
Name: VOIP Custom Services
Category: other ID: 0 Flag: User-defined Session-cache: Disabled

Transport  Src port  Dst port     ICMPtype,code  Timeout(min|10sec*)  Application
udp        0/65535   10000/50000                 1
tcp        0/65535   5060/5061                   30
udp        0/65535   5060/5082                   1

As for the SIP_Settings module, I got the exact same issue regardless of whether I had NAT on or off - and I am unsure which is correct. I have my static IP and local networks configured correctly.

Anyone have any info?? I’m going to start hacking away at this in about an hour and it’d be a big help if anyone has any ideas…

I don’t see anything in the firewall configured wrong.

If you don’t have anonymous SIP turned on you won’t see the traffic in the CLI unless you have SIP debug enabled.

Do I need an outbound policy as well for the MIP? I’ve seen some people mention that.

Could it have been from having the RTP port range beginning at 10000 and having webmin enabled too? I have since changed it to begin at 10001 but haven’t cut it back over to test yet.

Also, just to confirm: whatever the setup, you only want one thing doing NAT, correct? If the SSG were doing it I would turn it off in the PBX settings, and if the SSG is not doing it then I turn it on in the PBX settings… is that right?

First, yes you must have a matching trust to untrust policy.

Second, Asterisk is not doing NAT. NAT is NAT processing of SIP packets. That’s different. The firewall is doing a 1:1 NAT from the public to the private IP.

ALGs are not NAT either; Asterisk doesn’t play nice even with well-built ALGs like the Juniper’s.

NAT must be on and the SIP NAT settings must have your correct outside IP and defined localnet blocks.

I think I’m looking at this from the wrong angle. My Trixbox works with the firewall setup as is. I plug in the new FreePBX and then I have this issue. If the Trixbox works fine, maybe it’s a setting I have configured incorrectly on the newer PBX. Also, it seems like some sort of timeout issue. I can place inbound calls with no issues for about 5 minutes and then it will stop working. I’ve also noticed that other things besides an asterisk restart will get them working again temporarily. For instance, if I place a call to the Google Voice trunk I have set up (which always works, no timeout on inbound) and then try inbound on my primary trunk again, it will work for a few minutes again – as if that reset whatever might be timing out? I’m really very confused by this. Any ideas on areas to check would be very much appreciated. Thanks SkykingOH for your prior posts.

No, I would doubt it is a setting. The bottom line is newer versions of Asterisk are much more sensitive to oddities, like asymmetric paths.

If the Juniper is NAT’ing the connection one side is going to be on a different port. The SDP message will be received and RTP continuity established but then the Asterisk keep alive goes back and looks in the wrong place. At least that’s the best idea I have to date.

You can tell this by looking at the source and destination ports. Any oddities in the ‘sip show peers’ port list?

Thanks.

That actually makes a lot of sense. I looked at the log for the Untrust to Trust Policy for the MIP in the SSG (which has logging enabled) and I don’t see any traffic on it. All of my other MIPs (to the mail server for instance) work and log correctly. Basically, I take that to mean that the old PBX is somehow only using the default Trust to Untrust Any Any rule and that doesn’t even explain inbound traffic. Could that even work?? I honestly don’t understand how I have a working Trixbox phone system to begin with.

Further, I noticed that in order for that outbound rule to work source translation has to be checked in the advanced NAT settings on the rule, otherwise internet and phones here do not work. I have never seen a SSG config with the interface in route mode where that had to be checked on a policy rule.

I ran sip show peers and didn’t see anything glaringly wrong. All of the entries have a local address, dynamic is set to D, no nat, and ACL reads A and the ports are all 5060, status ok.

If it’s not hitting the policy then it must be a policy above it that matches. Move the policy to the top.

Unfortunately, it is already at the top. The only things above it are VPN policies. I moved it above those just for the heck of it… but it didn’t change anything.

If the policy isn’t logging anything and there is no other policy set to accept traffic, I seriously do not understand how the phones are currently working unless it is possible for them to work with only an outbound any any policy.

Okay, I think I’ve answered part of my own question. Because there was never a trust to untrust policy for the MIP, I think the PBX registers using the public IP assigned to my default untrust interface using my default any any outbound rule. I can see UDP traffic going both directions on that policy’s log. Once it’s registered on that IP then my provider will continue initiating traffic on it. What’s curious to me is how that works without a matching inbound rule (untrust to trust), of which there is none. Could it have something to do with the default ALG being turned on in the default any any trust to untrust? One thing is for certain, it is not using that MIP.

You should not have SIP ALG on. Assuming you have the NAT rule in the “catch all” policy it’s going to use the IP of the egress interface as defined in the outbound route.

If you have multiple IPs you need to set up a trust to untrust policy and then choose that MIP. MIPs always take precedence over DIPs.

See this KB for more info:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB12835

It is the asymmetry in the traffic flow that is tripping up Asterisk.

I do have source translation turned on for my catch all policy. I’ll have another go at it after hours and report back once I get the MIPs passing symmetrical traffic…

It turned out to be a combination of misconfigured settings in my SSG. Because traffic was leaving the catch all policy instead of the appropriate MIP the natting was asymmetrical. Also, because the MIP uses multiple services the policy for it cannot be set to ignore for the ALG. SIP ALG had to be disabled in the ALG settings so that None could be used in the policy instead.

SkyKing, thanks for your help and pointing me in the right direction. Much appreciated.

-Eric
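As an added example, not code from the thread, from Juniper or from FreePBX, here is a small Python script that parses `get policy id` listings in the shape quoted above and flags the asymmetry SkykingOH describes: a MIP that is the destination of a permitting Untrust to Trust policy but is not the source of any permitting Trust to Untrust policy, so outbound SIP and RTP leave through the catch-all `nat src` policy under a different public address. The listing is constructed for the example: the address 203.0.113.10 stands in for the X.X.X.X on the page, and policy id 33 (an outbound policy whose source is the MIP, in the form I assume ScreenOS prints it) represents the matching policy that was missing in the original setup.

```python
"""Audit ScreenOS 'get policy id N' listings for inbound-only MIP policies.

Added example for the FreePBX/SSG140 thread; the sample listings below are
constructed, not captured from a real firewall.  Policy ids 32 and 1 mirror
the two policies quoted in the thread; policy id 33 and the address
203.0.113.10 are assumptions.
"""
import re

POLICY_32_INBOUND_MIP = """\
name:"none" (id 32), zone Untrust -> Trust,action Permit, status "enabled"
4 sources: "CBeyond DNS1", "CBeyond DNS2", "CBeyond SIP1", "CBeyond SIP2"
1 destination: "MIP(203.0.113.10)"
1 service: "VOIP Custom Services"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
"""

POLICY_1_CATCH_ALL = """\
name:"none" (id 1), zone Trust -> Untrust,action Permit, status "enabled"
src "Any", dst "Any", serv "ANY"
Rules on this VPN policy: 0
nat src, Web filtering disabled
"""

# Hypothetical outbound policy sourced from the MIP (assumed output shape).
POLICY_33_OUTBOUND_MIP = """\
name:"none" (id 33), zone Trust -> Untrust,action Permit, status "enabled"
src "MIP(203.0.113.10)", dst "Any", serv "ANY"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
"""

ORIGINAL_LISTING = POLICY_32_INBOUND_MIP + POLICY_1_CATCH_ALL
FIXED_LISTING = ORIGINAL_LISTING + POLICY_33_OUTBOUND_MIP

HEADER_RE = re.compile(
    r'^name:"(?P<name>[^"]*)" \(id (?P<id>\d+)\), zone (?P<from>\w+) -> (?P<to>\w+),'
    r'\s*action (?P<action>\w+), status "(?P<status>\w+)"'
)
MIP_RE = re.compile(r'"(MIP\([^)]+\))"')


def parse_policies(listing):
    """Split concatenated policy listings into dicts with zones, action,
    the MIP objects named as source/destination, and the nat mode."""
    policies = []
    cur = None
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": int(m["id"]), "from": m["from"], "to": m["to"],
                   "action": m["action"], "src_mips": set(),
                   "dst_mips": set(), "nat": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        # Address lines come in two shapes: multi-entry "N sources: ..." /
        # "N destination(s): ..." and single-line 'src "...", dst "...", serv "..."'.
        if re.match(r"\d+ sources?:", line):
            cur["src_mips"].update(MIP_RE.findall(line))
        elif re.match(r"\d+ destinations?:", line):
            cur["dst_mips"].update(MIP_RE.findall(line))
        elif line.startswith("src "):
            src_part, _, dst_part = line.partition(", dst ")
            cur["src_mips"].update(MIP_RE.findall(src_part))
            cur["dst_mips"].update(MIP_RE.findall(dst_part))
        elif line.startswith("nat "):
            cur["nat"] = line.split(",")[0][len("nat "):].strip()
    return policies


def find_asymmetric_mips(policies):
    """MIPs reachable inbound (Untrust->Trust destination) with no permitting
    Trust->Untrust policy sourced from the same MIP: outbound traffic will
    fall through to a catch-all policy and leave under another address."""
    inbound = {mip for p in policies
               if (p["from"], p["to"], p["action"]) == ("Untrust", "Trust", "Permit")
               for mip in p["dst_mips"]}
    outbound = {mip for p in policies
                if (p["from"], p["to"], p["action"]) == ("Trust", "Untrust", "Permit")
                for mip in p["src_mips"]}
    return sorted(inbound - outbound)


def catch_all_nat_policy_ids(policies):
    """Ids of Trust->Untrust policies with no MIP source and source NAT on,
    i.e. the policies that will carry the leaked outbound traffic."""
    return [p["id"] for p in policies
            if (p["from"], p["to"]) == ("Trust", "Untrust")
            and not p["src_mips"] and p["nat"] == "src"]


if __name__ == "__main__":
    for label, listing in (("original", ORIGINAL_LISTING), ("fixed", FIXED_LISTING)):
        pols = parse_policies(listing)
        print(label, "inbound-only MIPs:", find_asymmetric_mips(pols),
              "catch-all nat src policies:", catch_all_nat_policy_ids(pols))
```

On the constructed "original" listing the audit reports MIP(203.0.113.10) as inbound-only and policy 1 as the catch-all that will carry its outbound traffic; once the outbound MIP policy is present the report is empty. The script only checks the policy table; the SIP ALG setting, which the poster also had to disable, is not visible in this output and has to be checked separately.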