[ScreenOS] Why are incoming SIP calls not working?

  [KB9093]


Summary:
When source NAT/PAT is used to access the internet and there are SIP phones on the internal network, "incoming DIP" is needed to allow incoming calls from the internet.
Symptoms:
When only an outgoing (source NAT) policy to the internet is configured for SIP traffic, outgoing SIP calls work but incoming calls do not. The SIP ALG can open a pinhole for an incoming SIP call only if an incoming policy towards a DIP pool is present.
Solution:

SIP calls will require different configurations based on the topology being used. If the SIP Proxy is on the untrust side, and the SIP Phones are on the trust side, use the DIP Incoming NAT feature. However, if the SIP Proxy and the SIP Phones are on the trust side, use MIP for the incoming calls.

Case 1: SIP Proxy on Untrust, and SIP Phone on Trust

The following working configuration (relevant parts only) shows how incoming SIP calls can be permitted into the local network (Trust zone) when interface NAT/PAT is used for internet access:
set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 dip interface-ip incoming

set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "DIP(ethernet3/1)" "SIP" permit
set policy id 3
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20

If a DIP pool is used for traffic to the internet, then this DIP pool needs to be configured as "incoming" (or "Incoming NAT" in the WebUI). The configuration will then look like this:
set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 dip 4 1.1.1.5 1.1.1.10 incoming

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src dip-id 4 permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "DIP(4)" "SIP" permit
set policy id 2
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20
 

Case 2: SIP Proxy and SIP Phone on Trust

In this scenario, a MIP is defined for the SIP Proxy. The SIP Proxy is at 192.168.1.2, and the MIP for that SIP Proxy is 1.1.1.10:

set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet1/1 ip 192.168.1.1/24
set interface ethernet1/1 route
set interface ethernet3/1 ip 1.1.1.1/29
set interface ethernet3/1 route
set interface ethernet3/1 mip 1.1.1.10 host 192.168.1.2 netmask 255.255.255.255
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "MIP(1.1.1.10)" "SIP" permit
set policy id 3
exit

set route 0.0.0.0/0 interface ethernet3/1 gateway 1.1.1.2 preference 20
 

Warning: Before incoming calls can be made, the SIP Phones must register with the SIP Proxy, and the DID numbers must be configured properly on the SIP Proxy so that calls can be received by the SIP phone.
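
An added example, not part of the Juniper article: a Python check that reads a saved ScreenOS configuration and reports SIP source-NAT policies that lack the incoming DIP or MIP path described in Cases 1 and 2. The function name, the regular expressions and the sample configuration are constructed for illustration, and the check assumes the command formats shown above.

```python
import re

ZONE_RE = re.compile(r'^set interface "?([^\s"]+)"? zone "([^"]+)"')
DIP_RE = re.compile(r'^set interface "?([^\s"]+)"? dip (interface-ip|\d+)\b(.*)$')
POL_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
                    r'"([^"]+)" "([^"]+)" "([^"]+)" (.*)$')

# Constructed sample: the article's DIP-pool variant with "incoming" left off
# the pool and no Untrust-to-Trust policy (the state described under Symptoms).
SAMPLE = '''
set interface "ethernet1/1" zone "Trust"
set interface "ethernet3/1" zone "Untrust"
set interface ethernet3/1 dip 4 1.1.1.5 1.1.1.10
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "SIP" nat src dip-id 4 permit
'''

def audit_sip_incoming(config):
    """Return one finding per SIP source-NAT policy with no incoming call path."""
    zone_of, incoming_dips, policies = {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := ZONE_RE.match(line):
            zone_of[m.group(1)] = m.group(2)
        elif (m := DIP_RE.match(line)) and "incoming" in m.group(3).split():
            # Policies name an interface-ip pool DIP(<interface>), others DIP(<id>).
            incoming_dips.add(m.group(1) if m.group(2) == "interface-ip" else m.group(2))
        elif m := POL_RE.match(line):
            policies.append(m.groups())  # id, from, to, src, dst, service, action
    findings = []
    for pid, src, dst, _, _, svc, action in policies:
        if svc != "SIP" or "nat src" not in action:
            continue
        m = re.search(r"dip-id (\d+)", action)
        # Assumption: without dip-id, source NAT uses an interface in the "to" zone.
        wanted = {m.group(1)} if m else {i for i, z in zone_of.items() if z == dst}
        reverse = [p[4] for p in policies if (p[1], p[2], p[5]) == (dst, src, "SIP")
                   and "permit" in p[6].split()]
        if any(d.startswith("MIP(") for d in reverse):
            continue  # Case 2: calls arrive through the proxy's MIP
        usable = sorted(wanted & incoming_dips)
        if not usable:
            findings.append(f"policy {pid}: DIP is not marked incoming")
        elif not any(f"DIP({u})" in reverse for u in usable):
            findings.append(f"policy {pid}: no {dst}-to-{src} SIP policy to DIP({usable[0]})")
    return findings

if __name__ == "__main__":
    for finding in audit_sip_incoming(SAMPLE):
        print(finding)
```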

Modification History:
2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. Made changes to reflect configuration of non-EOL devices. Article is correct and complete.