Help with new Firewall and Sip Registration


#1

Hello all,

I am looking for some help please. We have replaced our DrayTek router with a new Cisco ASA and I am having issues getting some phones to register to the SIP network.

I understand I will need to get some ports opened up on the firewall. When I have done this before, the phone company will give me a list of ports and the IP addresses that will attempt to come back through the firewall, and all works OK. But the phones we have at the moment are, I believe, set up to use the STUN.sipgate.net setup, which I understand helps with the NAT side of things, so I assume I need to turn this off and set up the handset a different way, and maybe change the ports the phone uses?

Any help or tips would be great!

Many thanks!

Regards,
Simon


#2

What handsets are you using and what phone system do you use?


#3

Sorry, missed that important detail!

We are using a GXP1625

Thanks.


#4

Phone system make and/or provider?


#5

All I have is that the provider is SIPGATE.co.uk; there is no system, just handsets, so to speak.

Thanks


#6

So what are the make/model of the handsets?


#7

Grandstream GXP1625 handset


#8

GS handsets including the GXP1625 are supported by sipgate. Have you looked at these links on the sipgate site?


It should give you all you need to know


#9

Thank you.


#10

You need to:
Set each phone up with a reserved or static IP so that each will always have the same IP.
You need to turn off any SIP ALG in the router.
You need to set up each phone with its OWN LOCAL SIP port and LOCAL RTP port so that no two phones are using the same.
You need to set up each phone with security to avoid ghost calls. Enable "accept calls from SIP proxy only" and enable "validate SIP messages".
If you have a static public IP on the ASA, then in each phone in the field “NAT IP”, insert your public IP.
If you do not have a static IP, then subscribe to a DDNS service and obtain a FQDN and insert that into the NAT IP field.
In the router, set port forwarding of UDP from to each phone such that you are forwarding the local SIP and local RTP ports associated to each phone to the respective phone with the same local ports.

So if phone A has a static IP of 192.168.0.2 and a Local SIP port of 5060 and local RTP ports of 5004-50X0, then forward these ports to that phone. If the next phone has a local SIP port of 5062 and RTP ports 50X1-502X to the next phone B at 192.168.0.3 and so on.

You should also strongly consider building some firewall rules around the provider's IP(s) for the SIP ports so that only their traffic is allowed to traverse into your network.
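
A way to sanity-check the per-phone port plan described in this post before creating the forwards, as an added example that is not part of the original post. The phone names, addresses, port numbers and the plan format are constructed assumptions, not values from the thread.

```python
from ipaddress import ip_address
from itertools import combinations

# Constructed sample plans (illustrative values only).
GOOD = [
    {"name": "phone-a", "ip": "192.168.0.2", "sip": 5060, "rtp": (10000, 10019)},
    {"name": "phone-b", "ip": "192.168.0.3", "sip": 5062, "rtp": (10020, 10039)},
]
BAD = [
    {"name": "phone-a", "ip": "192.168.0.2", "sip": 5060, "rtp": (10000, 10019)},
    {"name": "phone-b", "ip": "192.168.0.2", "sip": 5060, "rtp": (10010, 10029)},
]

def claims(phone):
    """UDP port ranges one phone occupies, as (low, high, label)."""
    lo, hi = phone["rtp"]
    return [(phone["sip"], phone["sip"], f'{phone["name"]} SIP'),
            (lo, hi, f'{phone["name"]} RTP')]

def find_conflicts(plan):
    """List every problem that would make two forwards collide."""
    problems, seen_ips = [], {}
    for p in plan:
        ip = ip_address(p["ip"])
        if not ip.is_private:
            problems.append(f'{p["name"]}: {ip} is not a private LAN address')
        if ip in seen_ips:
            problems.append(f'{p["name"]} and {seen_ips[ip]} share {ip}')
        seen_ips.setdefault(ip, p["name"])
        lo, hi = p["rtp"]
        if not (0 < lo <= hi <= 65535 and 0 < p["sip"] <= 65535):
            problems.append(f'{p["name"]}: port out of range')
    # SIP and RTP are both UDP, so every claim is compared with every other.
    all_claims = [c for p in plan for c in claims(p)]
    for (a_lo, a_hi, a), (b_lo, b_hi, b) in combinations(all_claims, 2):
        if a_lo <= b_hi and b_lo <= a_hi:
            problems.append(f"{a} {a_lo}-{a_hi} overlaps {b} {b_lo}-{b_hi}")
    return problems

def forwards(plan):
    """One UDP forward per claim, same port numbers outside and inside."""
    if find_conflicts(plan):
        raise ValueError("fix the port plan before creating forwards")
    return [("udp", lo, hi, p["ip"]) for p in plan for lo, hi, _ in claims(p)]

if __name__ == "__main__":
    for rule in forwards(GOOD):
        print(rule)
    print(find_conflicts(BAD))
```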


#11

Hello,

Thanks for your help with this. I have the below setup on one phone and just want to confirm the port forwarding.

Phone Static IP 192.168.1.20

Local RTP Port - 49104

SIP Settings (Basic)
Local SIP Port 49160

Both ports are local, so I am confused about what the real port is and what the local one is on the ASA?

Regards,
Simon


#12

They should not be the same as they are two different services.
So if phone A has a static IP of 192.168.0.2 and a Local SIP port of 5060 and local RTP ports of 5004-50X0, then forward these ports to that phone. If the next phone has a local SIP port of 5062 and RTP ports 50X1-502X to the next phone B at 192.168.0.3 and so on.


#13

All working!

Thanks for your help!


#14

Great.