How do we disable NAT on SIP and SDP payloads, when using NAT? The ATRG: VoIP documentation states the following:
We're running Asterisk with ICE (Interactive Connectivity Establishment), which essentially provides multiple candidates in INVITE or SDP negotiation messages, where each is an IP and port combination. It discovers the public candidates by connecting to STUN servers on the public internet.
Why would we not want the security gateway to NAT the payload?
We intend on using Bria Stretto as a mobile SIP application. The app works perfectly in all environments, when in the foreground and subsequently registered directly to our office SIP server. The problem we're having is when the app is in the background, becoming completely inactive. Public SIP servers operated by CounterPath essentially register in place of the mobile and send a wake-up push notification when they receive a call. The push appears to provide the app with a copy of the original invite, so it should receive both the higher priority ICE host candidates as well as the lower priority server reflexive (natted IP and port) candidates.
The problem with the Check Point overwriting the SIP and SDP payload is that a mobile device connected to either private cellular APN or corporate WiFi will exclusively be provided with the public IP and results in one way audio. Everything works perfectly when the mobile is using LTE or natted through a home WiFi network.
What we're after:
We would simply like the Check Point to continue applying a NAT policy to the headers but leave the SIP and SDP payloads alone. This is typically accomplished by simply turning off SIP ALG processing.
Sample packet leaving SIP server towards CounterPath's public push servers:
Sample packet after NAT processing by Check Point:
We have not had success in following the following recommendations. Both of these however appear to apply to cases where threat prevention policies were blocking packets, not the Check Point simply natting packets like any other UDP packet and leaving the payload alone:
fw ctl set int voip_multik_enable_forwarding 0
echo voip_multik_enable_forwarding=0 >> $FWDIR/boot/modules/fwkern.conf
The following is an excellent summation of the ICE protocol:
I hope I understand your problem!
If the following setting "fw ctl set int voip_multik_enable_forwarding 0" does not work, you still have the following option.
If you want to disable NAT in SIP content, you can also set the protocol type in SIP service TCP to "none". This should also disable the SPI inspection. Therefore no PSL should be used in the F2F path or no PXL should be used in the medium path. This means that the passive streaming library is no longer used. So no SIP packet is manipulated anymore. You can find out more about PSL/PXL here R80.x Security Gateway Architecture (Logical Packet Flow)or here https://community.checkpoint.com/docs/DOC-3073-r80x-security-gateway-architecture-content-inspection.
The problem is that the negotiated RTP ports are no longer written to the state table. So you have to allow all RTP UDP high ports in a rule.
I hope I understand your problem!
If the following setting "fw ctl set int voip_multik_enable_forwarding 0" does not work, you still have the following option.
If you want to disable NAT in SIP content, you can also set the protocol type in SIP service TCP to "none". This should also disable the SPI inspection. Therefore no PSL should be used in the F2F path or no PXL should be used in the medium path. This means that the passive streaming library is no longer used. So no SIP packet is manipulated anymore. You can find out more about PSL/PXL here R80.x Security Gateway Architecture (Logical Packet Flow)or here https://community.checkpoint.com/docs/DOC-3073-r80x-security-gateway-architecture-content-inspection.
The problem is that the negotiated RTP ports are no longer written to the state table. So you have to allow all RTP UDP high ports in a rule.
Many thanks for your suggestion, your explanation does make sense but it's unfortunately not working.
We're running MDS so the global 'sip-tcp' object can not be edited or disabled. We have already created a replacement sip_tcp object and configured it not to reference a protocol. The security gateway has additionally been set to disable voip_multik_enable_forwarding. These steps were detailed in How to disable SIP ALG inspection in a specific rule in Checkpoint? Also Could this be done globally....
Herewith snippets showing the custom service object for SIP TCP:
Herewith snippets showing the custom service object for SIP UDP:
Searching for 'where used' on the default global objects shows no reference to these in the policies:
Hrm... Restarted the security gateway and it's now working. Packet capture after the Check Point NAT shows it behaving as we want it to:
| User | Count |
|---|---|
| 27 | |
| 18 | |
| 11 | |
| 9 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
