SIP and Netscreen Firewalls

VoIP using SIP and RTP is a cool thing, but can be somewhat of a pain to get working from behind a firewall (NAT) device. First, an overview of the protocol:

SIP
TCP port 5060 (typically) to set up calls – Session Initiation Protocol
RTP
UDP random ports 10,000 – 30,000 for call data (audio, video, etc) – Real-time Transport Protocol

The problem is this: when a SIP packet is sent from a gateway (e.g. an Asterisk box) behind a NAT to a registrar, the packet headers are naturally rewritten, as for any NAT traffic. However, the SIP protocol also carries IP address(es) in its payload (the ‘Via’ header, for instance), and an ordinary NAT leaves those untouched.

For this to work properly, the NAT device would need to rewrite the addresses inside the packet payload as well. It looks like Netfilter in Linux is on the way to doing this with two kernel modules, ip_conntrack_sip and ip_nat_sip: see here.
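To make the payload problem concrete, here is an added example (my own code, not from this post, from Juniper or from the netfilter project) that takes a constructed SIP INVITE from a phone on 192.168.1.20, lists the addresses embedded in the Via and Contact headers and the SDP body, and performs the rewrite a SIP ALG (or ip_nat_sip) has to do on the way out: swap the inside address for the public one, remap the advertised RTP port, and recompute Content-Length. The public address 203.0.113.7 and the port mapping are placeholders I chose; the message itself is constructed for the example.

```python
"""Why plain NAT breaks SIP: the signalling payload carries IP addresses
and RTP ports that header-only NAT never sees. Added example, not code
from the post; the SIP message and the public address are constructed."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "Behind a NAT" in the post means an RFC 1918 address on the inside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def split_message(msg):
    """SIP is text: headers, a blank line (CRLF CRLF), then the SDP body."""
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def fix_content_length(msg):
    """Rewriting addresses changes the body length, so the header must follow."""
    head, body = split_message(msg)
    head = re.sub(r"(?i)content-length:\s*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body


def content_length_ok(msg):
    head, body = split_message(msg)
    m = re.search(r"(?i)content-length:\s*(\d+)", head)
    return bool(m) and int(m.group(1)) == len(body.encode())


def embedded_addresses(msg):
    """Map each payload location a NAT would have to rewrite to the IPs in it.
    Via/Contact tell the far end where to send signalling; SDP c=/o= tell it
    where to send RTP. Call-ID also contains an IP but is an opaque token and
    is deliberately not rewritten."""
    head, body = split_message(msg)
    found = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            found.setdefault(name.strip(), []).extend(IPV4_RE.findall(value))
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            found.setdefault(line[:2], []).extend(IPV4_RE.findall(line))
    return found


def private_addresses(msg):
    """Inside addresses still visible in the payload: what breaks the call."""
    return sorted({a for addrs in embedded_addresses(msg).values()
                   for a in addrs if is_rfc1918(a)})


def advertised_rtp_ports(msg):
    """Ports from SDP m= lines: the UDP ports the firewall has to let back in."""
    _, body = split_message(msg)
    return [int(line.split()[1]) for line in body.split("\r\n")
            if line.startswith("m=")]


def alg_rewrite(msg, private_ip, public_ip, rtp_port_map=None):
    """Emulate the outbound half of a SIP ALG: public address into Via,
    Contact and SDP, remapped RTP port into m=, then a correct Content-Length."""
    head, body = split_message(msg)
    new_head = []
    for line in head.split("\r\n"):
        if line.partition(":")[0].strip().lower() in ("via", "contact"):
            line = line.replace(private_ip, public_ip)
        new_head.append(line)
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        if line.startswith("m=") and rtp_port_map:
            parts = line.split()
            parts[1] = str(rtp_port_map.get(int(parts[1]), int(parts[1])))
            line = " ".join(parts)
        new_body.append(line)
    return fix_content_length("\r\n".join(new_head) + "\r\n\r\n" + "\r\n".join(new_body))


# Constructed sample: an INVITE from a phone at 192.168.1.20 behind the NAT.
SAMPLE_INVITE = fix_content_length(
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"                       # corrected above
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n")

if __name__ == "__main__":
    print("leaks inside address:", private_addresses(SAMPLE_INVITE))
    fixed = alg_rewrite(SAMPLE_INVITE, "192.168.1.20", "203.0.113.7", {16384: 20000})
    print("after ALG rewrite:", private_addresses(fixed), advertised_rtp_ports(fixed))
```

Run as-is it reports the private address leaking in Via, Contact, c= and o=, and after the rewrite none remain while the m= line now advertises the mapped port. The second half is the part the post complains the Netscreen does not do: the same box also has to open the RTP port it just advertised, on the fly, for the return traffic.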

However, pay lots of money for a Netscreen, and it doesn’t do this, despite having a ‘SIP ALG’ – according to Juniper support, the manufacturers of the Netscreen.

*sigh*