Firewall for SIP
IT-Fella
Hi!
I have been using an ASA 5505 as a simple ACL-based firewall. Basically, only allowing the VoIP provider's IPs inside. I have 2 systems in production - one is based on proprietary hardware and is using TDM for all DID terminations and the other one is FreePBX (Asterisk) used mostly for testing and only several live DIDs. The problem I'm having with the 5505 is that it works with sip inspect enabled for 1 system but doesn't work with Asterisk unless I disable the sip inspect option (only inbound traffic gets through) and vice versa. I'm thinking of replacing it with something that will be more SIP friendly and hopefully easier to configure (I don't have issues using the ASA CLI myself but I wanted to introduce other members of my team to the device). Ideally, under $1K.
Your suggestions will be greatly appreciated.
Comments
shodown
Umm
I would usually suggest not having a firewall for SIP trunks. I would ask a few questions.
1. Is your SIP on public IPs?
2. Most routers are not SIP friendly at this point no matter what the vendors say.
I do about 2-3 SIP trunks a month and will use a Cisco router to function as a CUBE. If there is a public IP and I have an ASA 5505 it's only gonna be that one device. I don't even think you can get it to work correctly on a 5510/20 with context.
IT-Fella
Thank you for your prompt reply!
I have 2 different ISPs with dedicated firewalls - one with the 5505 - Comcast (managed by me) and the other one - Level3 - (Fortigate 100D) is managed by the provider. I receive all SIP traffic through the 5505 and deliver it to the servers' local IPs since both networks (Fortinet and Cisco) are merged together. So both PBXs are behind the firewall. The 5505 has a public IP mapped one-to-one to an Asterisk server. The router that has the 5505 attached to it is configured with ALG and is a basic Comcast router that doesn't do anything besides acting as a default gateway for the 5505.
Looks like the sip inspect setting helps the main production PBX but prevents Asterisk from working.