How to disable SIP ALG

SOURCE:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG

Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.

CheckPoint
login to Smart Dashboard
click Smart Defence tab
expand Application Intelligence
expand VoIP
disable all features on H.323

Cisco
(config)# no ip nat service sip tcp port 5060
(config)# no ip nat service sip udp port 5060

ASA
(config)# policy-map global_policy
(config)# no inspect sip

Cyberoam
> cyberoam system_modules sip unload

D-Link
Open a browser and enter the router’s IP address in the address bar. Go to “Firewall Settings” under the “Advanced” item.
Uncheck the box to disable SPI – usually, directly below this item are options for “NAT Endpoint Filtering” that must be changed to “Endpoint Independent” for both TCP and UDP.
Next, find the “Application Level Gateway (ALG) Configuration” area and uncheck the box for SIP.
Save these settings and reboot the device if requested

FortiGate
disable SIP ALG
# config system settings
# set sip-helper disable
# set sip-nat-trace disable
# end
verify
# show full-configuration system settings
delete sip
# config system session-helper
(session-helper) # show
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
(session-helper) # delete 13
(session-helper) # end

Juniper
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7078&actp=search
# set security alg sip disable
# commit and quit

Mikrotik
> ip firewall service-port set sip disabled=yes

Netgear
From Wan Setup Menu, NAT Filtering, uncheck the box next to “Disable SIP ALG”

PaloAlto
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Disable-SIP-ALG/ta-p/60637
# set shared alg-override application sip alg-disabled yes

Peplink
go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the “Disable” button under “SIP ALG Support”

SonicWall
in GUI, go to VOIP>Settings>General Settings
tick Enable consistent NAT
untick Enable SIP Transformations

SpeedTouch
telnet router
> connection unbind application=SIP port=5060
> saveall

Zyxel
telnet router
Menu option “24. System Maintenance”.
Menu option “8. Command Interpreter Mode”.
ip nat service sip active 0

Blocking Browsec Chrome Extension

Browsec is VPN extension similar to ZenMate

CheckPoint:

Cisco ASA:

Cyberoam:

Fortigate:

Juniper:

Mikrotik:

/ip firewall address-list

add address=12.12.12.0/24 list=LAN

/ip firewall layer7-protocol

add name=browsec regexp=”^.+(postls.com).*\$”

/ip firewall filter

add action=drop chain=forward layer7-protocol=browsec src-address-list=LAN

PaloAlto:

SonicWall:

Blocking Opera Turbo

CheckPoint:

Cisco ASA:

FortiGate:

Juniper:

Mikrotik:

/ip firewall address-list

add address=12.12.12.0/24 list=LAN

/ip firewall layer7-protocol

add name=opera regexp=”^.+(opera-mini.net).*\$”

/ip firewall filter

add action=drop chain=forward layer7-protocol=opera src-address-list=LAN

PaloAlto:

SonicWall:

Blocking Telegram

Telegram is like WhatsApp that can be downloaded here

https://telegram.org

CheckPoint:

Cisco ASA:

interface Ethernet0

 nameif outside

 security-level 0

 ip address dhcp

!

interface Ethernet1

 nameif inside

 security-level 100

 ip address 12.12.12.1 255.255.255.0

clock timezone gmt 7

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 8.8.8.8

 name-server 8.8.4.4

object network PAT

 subnet 12.12.12.0 255.255.255.0

object network telegram1

 subnet 91.108.4.0 255.255.252.0

object network telegram2

 subnet 91.108.56.0 255.255.252.0

object network telegram3

 subnet 149.154.160.0 255.255.252.0

object network telegram4

 subnet 149.154.164.0 255.255.252.0

object network telegram5

 subnet 149.154.168.0 255.255.252.0

object network telegram6

 subnet 149.154.172.0 255.255.252.0

object-group network objgrp-telegram

 network-object object telegram1

 network-object object telegram2

 network-object object telegram3

 network-object object telegram4

 network-object object telegram5

 network-object object telegram6

access-list LAN extended permit ip any any

access-list acl-telegram extended deny ip any object-group objgrp-telegram

access-list ping extended permit icmp any interface outside

access-list ping extended permit icmp any interface inside

access-list outside_access_out extended deny ip any object-group objgrp-telegram

access-list outside_access_out extended permit ip any any

object network PAT

 nat (inside,outside) dynamic interface

access-group outside_access_out out interface outside

access-group LAN in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.10.1 1

user-identity default-domain LOCAL

http server enable

http 10.0.10.0 255.255.255.0 outside

http 12.12.12.0 255.255.255.0 inside

ntp server 180.211.88.211

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

 

FortiGate:

config system interface

    edit “port1”

        set vdom “root”

        set mode dhcp

        set allowaccess ping https ssh http fgfm

        set type physical

        set snmp-index 1

    next

    edit “port2”

        set vdom “root”

        set ip 12.12.12.1 255.255.255.0

        set allowaccess ping https ssh fgfm

        set type physical

        set snmp-index 2

    next

end

config firewall policy

    edit 1

        set name “PAT”

        set uuid 170d4c60-0d49-51e6-102b-cc84e02a9dfb

        set srcintf “port2”

        set dstintf “port1”

        set srcaddr “all”

        set dstaddr “all”

        set action accept

        set schedule “always”

        set service “ALL”

        set nat enable

    next

    edit 2

        set name “telegram”

        set uuid 0b2d9320-0d5b-51e6-ce90-307685813f39

        set srcintf “port2”

        set dstintf “port1”

        set srcaddr “all”

        set dstaddr “telegramgroup”

        set schedule “always”

        set service “HTTP” “HTTPS”

        set logtraffic all

    next

end

config firewall address

    edit “telegram”

        set uuid 532c2ac0-0d5a-51e6-754f-62c1c2f11af6

        set subnet 91.108.4.0 255.255.252.0

    next

    edit “telegram2”

        set uuid a0149520-0d5a-51e6-b083-9fda96570787

        set subnet 91.108.56.0 255.255.252.0

    next

    edit “telegram3”

        set uuid a0149520-0d5a-51e6-b083-9fda96570787

        set subnet 149.154.160.0 255.255.252.0

    next

    edit “telegram4”

        set uuid a0149520-0d5a-51e6-b083-9fda96570787

        set subnet 149.154.164.0 255.255.252.0

    next

    edit “telegram5”

        set uuid a0149520-0d5a-51e6-b083-9fda96570787

        set subnet 149.154.168.0 255.255.252.0

    next

    edit “telegram6”

        set uuid a0149520-0d5a-51e6-b083-9fda96570787

        set subnet 149.154.172.0 255.255.252.0

    next

end

config firewall addrgrp

    edit “telegramgroup”

        set uuid 72081cc0-0d5e-51e6-f4e3-e05511d7c552

        set member “telegram” “telegram2” “telegram3” “telegram4” “telegram5” “telegram6”

    next

end

Juniper:

# show

version 12.1X46-D10.2;

system {

    host-name SRX1;

    root-authentication {

        encrypted-password “$1$htJmWkYL$Dij6D2dwMvBOvSm64mJVt0”; ## SECRET-DATA

    }

    name-server {

        8.8.8.8;

        8.8.4.4;

    }

    services {

        ssh;

        web-management {

            http {

                interface ge-0/0/0.0;

            }

        }

    }

    syslog {

        file messages {

            any any;

        }

    }

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

}

interfaces {

    ge-0/0/0 {

        unit 0 {

            family inet {

                filter {

                    input BLOCK-TELEGRAM;

                }

                dhcp;

            }

        }

    }

    ge-0/0/1 {

        unit 0 {

            family inet {

                address 12.12.12.1/24;

            }

        }

    }

}

routing-options {

    static {

        route 0.0.0.0/0 next-hop 10.0.10.1;

    }

}

policy-options {

    prefix-list ADDRESSLIST-TELEGRAM {

        91.108.4.0/22;

        91.108.56.0/22;

        149.154.160.0/22;

        149.154.164.0/22;

        149.154.168.0/22;

        149.154.172.0/22;

    }

}

security {

    screen {

        ids-option untrust-screen {

            icmp {

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;

            }

            tcp {

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    queue-size 2000; ## Warning: ‘queue-size’ is deprecated

                    timeout 20;

                }

                land;

            }

        }

    }

    nat {

        source {

            rule-set PAT {

                from zone trust;

                to zone untrust;

                rule PAT {

                    match {

                        source-address 0.0.0.0/0;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }

    }

    policies {

        from-zone trust to-zone trust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        from-zone trust to-zone untrust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        from-zone untrust to-zone trust {

            policy default-deny {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    deny;

                }

            }

        }

    }

    zones {

        security-zone trust {

            tcp-rst;

            interfaces {

                ge-0/0/1.0;

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {

                ge-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {

                            dhcp;

                        }

                    }

                }

            }

        }

    }

}

firewall {

    filter BLOCK-TELEGRAM {

        term LIST-TELEGRAM {

            from {

                source-prefix-list {

                    ADDRESSLIST-TELEGRAM;

                }

            }

            then {

                discard;

            }

        }

        term ALLOW-REST {

            then accept;

        }

    }

}

 

Mikrotik:

/ip firewall address-list

add address=12.12.12.0/24 list=LAN

add address=149.154.160.0/22 list=telegram

add address=149.154.164.0 /22 list=telegram

add address=149.154.168.0 /22 list=telegram

add address=149.154.172.0 /22 list=telegram

add address=91.108.4.0/22 list=telegram

add address=91.108.56.0/22 list=telegram

/ip firewall filter

add action=drop chain=forward dst-address-list=telegram src-address-list=LAN

PaloAlto:

SonicWall:

Blocking ZenMate

CheckPoint:

Cisco ASA:

(config)# object-group network zenmate

(config)# network-object host 78.137.98.120

(config)# network-object host 78.137.98.123

(config)# network-object host 162.159.244.96

(config)# network-object host 162.159.245.96

(config)# network-object host 207.244.77.22

(config)# network-object host 103.10.197.146

(config)# network-object host 46.165.220.211

(config)# network-object host 81.17.26.242

(config)# network-object host 149.3.140.250

(config)# access-list acl-inside extended deny ip any object-group zenmate

Cyberoam:

FortiGate:

Juniper:

Mikrotik:

SOURCE: http://askaexpert.blogspot.co.id/2015/05/how-to-block-zenmate-with-mikrotik.html

# export

/ip firewall address-list

add address=12.12.12.0/24 list=LAN

/ip firewall layer7-protocol

add name=zenmate regexp=”^.+(zenguard.biz|zenmate.io|zenguard.zendesk.com|zendesk.com|zenguard.org).*\$”

/ip firewall filter

add action=drop chain=forward disabled=yes layer7-protocol=zenmate src-address-list=LAN

PaloAlto:

SonicWall:

Blocking YouTube

CheckPoint:

Cisco:

FortiGate:

Juniper:

 

Mikrotik:
/ip firewall layer7-protocol
add name=youtube regexp=”^.+(c.youtube.com|googlevideo.com).*\$”
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall filter
add action=drop chain=forward layer7-protocol=youtube src-address-list=LAN

PaloAlto:

SonicWall:

Site-to-Site IPsec VPN Cisco Router to Cyberoam

SOURCE: http://blog.webernetz.net/2015/02/02/ipsec-site-to-site-vpn-fortigate-cisco-router/

ROUTER1
# sh run
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RTR2811a
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
warm-reboot count 10 uptime 7
boot-end-marker
aaa new-model
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 10.0.31.201 10.0.31.254
ip dhcp excluded-address 10.0.31.1 10.0.31.100
ip dhcp pool pool10.0.31.0
network 10.0.31.0 255.255.255.0
default-router 10.0.31.1
dns-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name nbctcp.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
redundancy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key P@ssw0rd address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile 3DESMD5
set transform-set TS
set pfs group2
!
interface Tunnel1
ip unnumbered FastEthernet0/0.206
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.207
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel2
ip unnumbered FastEthernet0/0.221
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.221
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel3
ip unnumbered FastEthernet0/0.224
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.224
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel4
ip unnumbered FastEthernet0/0.226
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.226
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel5
ip unnumbered FastEthernet0/0.228
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.228
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel6
ip unnumbered FastEthernet0/0.230
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.230
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel7
ip unnumbered FastEthernet0/0.232
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.232
tunnel protection ipsec profile 3DESMD5
!
interface FastEthernet0/0
ip address 10.0.10.206 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.31.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip route 10.0.41.0 255.255.255.0 Tunnel1
ip route 10.0.42.0 255.255.255.0 Tunnel2
ip route 10.0.43.0 255.255.255.0 Tunnel3
ip route 10.0.44.0 255.255.255.0 Tunnel4
ip route 10.0.45.0 255.255.255.0 Tunnel5
ip route 10.0.46.0 255.255.255.0 Tunnel6
ip route 10.0.47.0 255.255.255.0 Tunnel7
access-list 101 permit ip 10.0.31.0 0.0.0.255 any
!
control-plane
mgcp fax t38 ecm
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
line vty 5 15
transport input ssh
scheduler allocate 20000 1000
end

CYBEROAM2:
-create necessary objects

Troubleshoot
Cisco:
# sh crypto isakmp sa
# sh crypto ipsec sa
# debug crypto isakmp
# debug crypto ipsec

Cyberoam:
console> tcpdump ‘host 10.0.31.101 and host 10.0.43.101

You can try ping from PC1 to PC2 now

Site-to-Site IPsec VPN Cyberoam to FortiGate

SOURCE: http://kb.cyberoam.com/default.asp?id=1945

http://kb.cyberoam.com/?id=1035

CYBEROAM1

-create FGT2LAN network
-create 2 Firewall rules
-create a VPN IPsec Connection

-click Activate on the new ipsec rule.

We will click Connection after FortiGate configured

FORTIGATE2
-create 2 objects address

-create a VPN tunnel

-Create 2 Policy/IPv4

-create a Static route

-back to CYBEROAM1
click Connection

You can try ping from PC1 to PC2 now

Site-to-Site IPsec VPN Cisco ASA and Cyberoam

SOURCE: http://kb.cyberoam.com/default.asp?id=1967

ASA1

CYBEROAM2

click Active on Status

You can try ping from PC1 to PC2 now

Site-to-Site IPsec VPN Cyberoam to Cyberoam

Cyberoam1:
WAN1 ip: 10.0.10.223
LAN ip: 10.0.33.1
WLAN ip: 10.0.53.1

1.click VPN/IPsec/Wizard
Name: CR1toCR2
click Start

Cyberoam1:

WAN1 ip: 10.0.10.223

LAN ip: 10.0.33.1

WLAN ip: 10.0.53.1

1.click VPN/IPsec/Wizard

Name: CR1toCR2

click Start

click Active on Connection Type/CR1toCR2Create two firewall rules

Cyberoam2:
WAN1 ip: 10.0.10.224
LAN ip: 10.0.43.1
WLAN ip: 10.0.63.1

1. click VPN/IPsec/Wizard
Name: CR2toCR1
click Start

click Active on Connection Type/CR2toCR1
click ConnectionCreate two Firewall rules

You can try ping from PC1 to PC2 now