In article <616B4ECE1290D441AD56124FEBB03D0818EB7AE075@mailserver2007.nyigc.globe>,
Eric Wieling <[email protected]> wrote:
> I would be very surprised if anyone uses WatchGuard SIP ALG. For the
> past 12 years the advice has always been "Disable SIP ALG and let
> Asterisk do the NAT fixup itself" on any firewall, regardless of brand.
> I wish you the best of luck.

The only way we were able to get that to work was by using the
"media_address" setting within sip.conf to override the IP address
in the SDP:

; The IP address used for media (audio, video, and text) in the SDP can also be overridden by using
; the media_address configuration option. This is only applicable to the general section and
; can not be set per-user or per-peer.
;
; media_address = 172.16.42.1

However, this only works if the box is ONLY talking to outside SIP endpoints,
since for some bizarre reason, media_address is global rather than per-peer.
So setting it to the customer's external IP address renders all internal
SIP endpoints non-functional, as they then receive the external IP address
in the SDP.

But as I said, the proper solution to a broken SIP ALG is to fix the ALG,
not just to give up on it. There's no reason it can't be made to work
correctly, and it enables RTP ports to be opened and closed as required,
instead of having a complete range permanently open.

Such a pity WatchGuard is closed-source.

Cheers
Tony

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Tony Mountifield
> Sent: Tuesday, April 22, 2014 12:12 PM
> To: [email protected]
> Subject: Re: [asterisk-users] Anyone used WatchGuard SIP ALG?
>
> In article
> <CAHE6+j3hb5d8mJfY69F73TVwZus9ZAQrDakt4+iW+tx58_uZ=g...@mail.gmail.com>,
> Ishfaq Malik <[email protected]> wrote:
> > On 22 April 2014 16:24, Tony Mountifield <[email protected]> wrote:
> >
> > > Has anyone here used Asterisk inside a WatchGuard firewall, talking
> > > via the WatchGuard SIP Application Layer Gateway to an outside SIP
> > > service?
> > >
> > > I have a customer doing just that, and I am 100% convinced there is
> > > a bug in the ALG regarding the media port number it inserts into the
> > > SDP when it rewrites it. However, either they or WatchGuard will not
> > > accept there is a bug, despite my very detailed description of it.
> > >
> > > So if anyone else has any experience of using this product, I'd be
> > > very interested to hear from you. Thanks!
> > >
> > Just about every SIP ALG (Watchguard included) makes things worse or
> > simply not work.
>
> Maybe, but that doesn't mean the concept is flawed. It should be
> possible to do it correctly.
>
> > Have you tried to simply disable it?
>
> Yes, the customer has tried that, but since NAT is involved, the lack of
> SDP rewriting means that the media streams do not get routed correctly.
>
> But I am specifically looking for people with experience of this
> particular product, rather than for general advice, as I am seeking
> support for my assertion that it has a specific bug that the vendor
> needs to acknowledge and fix.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
--
Tony Mountifield
Work: [email protected] - http://www.softins.co.uk
Play: [email protected] - http://tony.mountifield.org
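
Added example, not part of the original thread and not code from Asterisk or WatchGuard: one way to document what a NAT device or ALG does to the SDP is to compare the c= address and m= port in captures taken on each side of the firewall. The sample SDP bodies are constructed; 203.0.113.10 and both port numbers are placeholders, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_endpoints(sdp):
    """Return [(media, address, port)] for each m= line of an SDP body."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):            # c=IN IP4 <address>
            addr = line.split()[2].split("/")[0]
            if streams:
                streams[-1][1] = addr        # media-level c= overrides the session default
            else:
                session_addr = addr
        elif line.startswith("m="):          # m=<media> <port> <proto> <formats>
            media, port = line[2:].split()[:2]
            streams.append([media, session_addr, int(port.split("/")[0])])
    return [tuple(s) for s in streams]

def is_rfc1918(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:                       # hostname or missing address
        return False

def compare(inside_sdp, outside_sdp):
    """Per media stream, report what changed between the two captures."""
    findings = []
    for (media, a_in, p_in), (_, a_out, p_out) in zip(
            media_endpoints(inside_sdp), media_endpoints(outside_sdp)):
        notes = []
        if a_out == a_in:
            notes.append("address not rewritten")
        if is_rfc1918(a_out):
            notes.append("private address sent to far end")
        if p_out != p_in:
            # Only correct if the firewall forwards p_out to p_in on the inside host.
            notes.append(f"port rewritten {p_in}->{p_out}")
        findings.append((media, f"{a_in}:{p_in}", f"{a_out}:{p_out}", notes))
    return findings

# Constructed sample bodies (inside capture, then outside capture).
INSIDE = "v=0\r\nc=IN IP4 172.16.42.1\r\nt=0 0\r\nm=audio 14562 RTP/AVP 0 101\r\n"
OUTSIDE = "v=0\r\nc=IN IP4 203.0.113.10\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0 101\r\n"

if __name__ == "__main__":
    for finding in compare(INSIDE, OUTSIDE):
        print(finding)
```

A rewritten port in the output is then checked against where the RTP actually arrives in the outside capture.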
