CPUG: The Check Point User Group


Thread: SIP - the other side of one of the fences

  1. #1

    SIP - the other side of one of the fences

    </rant>
    So I've been spending a lot of time with SIP on Cisco ASA routers. What I have to report is that the other side of this fence is not all green grass. It's full of all the same brown crunchy grass. Debugging is a PITA. Debugging also crashed the router. Did a code upgrade and it no longer crashes the router... but... now when debugs are enabled the SIP session breaks even more (went from 1-way audio to not even ringing). Disable debug, back to 1-way audio. Disable SIP inspection... things magically work.

    ...sigh... I hate you, SIP. IAX works with a single UDP stream. Too bad it's only used for trunks.

  2. #2

    Re: SIP - the other side of one of the fences

    Quote Originally Posted by jflemingeds:
    </rant>
    So I've been spending a lot of time with SIP on Cisco ASA routers. What I have to report is that the other side of this fence is not all green grass. It's full of all the same brown crunchy grass. Debugging is a PITA. Debugging also crashed the router. Did a code upgrade and it no longer crashes the router... but... now when debugs are enabled the SIP session breaks even more (went from 1-way audio to not even ringing). Disable debug, back to 1-way audio. Disable SIP inspection... things magically work.

    ...sigh... I hate you, SIP. IAX works with a single UDP stream. Too bad it's only used for trunks.
    1- Are you referring to Cisco ASA running ASA code, Cisco ASA running the Firepower add-on, or Cisco ASA running Firepower Threat Defense (FTD)? Technically, there is no such thing as ASA routers :-(

    2- ALL Firewall vendors suck when it comes to SIP including Cisco when integrating with its own products. Checkpoint is no better :-(

    3- About Disabling SIP. Even with Cisco you need to read this: https://www.cisco.com/c/dam/en/us/td...uide-X8-10.pdf PAGE 63 stated: For a router/firewall to properly perform ALG functions for SIP and H.323 traffic, it is therefore of utmost importance that the router/firewall understands and properly interprets the full content of the payload it is inspecting. Since H.323 and SIP are standards/recommendations which are in constant development, it is not likely that the router/firewall will meet these requirements, resulting in unexpected behavior when using H.323 and SIP applications in combination with such routers/firewalls.
    There are also scenarios where the router/firewall normally will not be able to inspect the traffic at all, for example when using SIP over TLS, where the communication is end-to-end secure and encrypted as it passes through the router/firewall.
    As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from a Expressway-E, as, when enabled this is frequently found to negatively affect the built-in firewall/NAT traversal functionality of the Expressway-E itself.


    The problem with this stupid comment from Cisco is that if you have a NAT environment and are Internet facing, you can NOT disable SIP inspection, because it will render the application useless, or to make it work you have to open high-port ranges from the Internet to hit the SIP server. I don't think security people will let that happen.

    This issue is not only with Cisco but Checkpoint as well :-(

  3. #3

    Re: SIP - the other side of one of the fences

    In this case Asterisk has a workaround for dealing with SIP and NAT without an ALG. As I said before, everything started working once SIP inspection was disabled. Source NAT is hide and destination NAT is static (different firewall).

    https://community.asterisk.org/t/wha...-setting/67205
    Last edited by jflemingeds; 2017-12-22 at 09:10.

  4. #4

    Re: SIP - the other side of one of the fences

    Quote Originally Posted by cciesec2006:
    1- Are you referring to Cisco ASA running ASA code, Cisco ASA running the Firepower add-on, or Cisco ASA running Firepower Threat Defense (FTD)? Technically, there is no such thing as ASA routers :-(

    2- ALL Firewall vendors suck when it comes to SIP including Cisco when integrating with its own products. Checkpoint is no better :-(

    3- About Disabling SIP. Even with Cisco you need to read this: https://www.cisco.com/c/dam/en/us/td...uide-X8-10.pdf PAGE 63 stated: For a router/firewall to properly perform ALG functions for SIP and H.323 traffic, it is therefore of utmost importance that the router/firewall understands and properly interprets the full content of the payload it is inspecting. Since H.323 and SIP are standards/recommendations which are in constant development, it is not likely that the router/firewall will meet these requirements, resulting in unexpected behavior when using H.323 and SIP applications in combination with such routers/firewalls.
    There are also scenarios where the router/firewall normally will not be able to inspect the traffic at all, for example when using SIP over TLS, where the communication is end-to-end secure and encrypted as it passes through the router/firewall.
    As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from a Expressway-E, as, when enabled this is frequently found to negatively affect the built-in firewall/NAT traversal functionality of the Expressway-E itself.


    The problem with this stupid comment from Cisco is that if you have a NAT environment and are Internet facing, you can NOT disable SIP inspection, because it will render the application useless, or to make it work you have to open high-port ranges from the Internet to hit the SIP server. I don't think security people will let that happen.

    This issue is not only with Cisco but Checkpoint as well :-(
    Someone is still passionate about Cisco's Security line of products : )). Now do you know if Cisco really intends to move on with a FW centralized mgmt also?

  5. #5

    Re: SIP - the other side of one of the fences

    Quote Originally Posted by jflemingeds:
    I hate you, SIP. IAX works with a single UDP stream. Too bad it's only used for trunks.
    Definitely prefer IAX from the mucking about I did with Asterisk back in the day. SIP is...problematic.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
