Sagacious Himself — brevity in circumlocution: never blague — suffering genius

October 2, 2009

Hazaa! how to disable SIP ALG on Westell 9100

Filed under: CIO,Hackery,How To,social engineering,verizon circumvention,voip — Sagacious Himself @ 4:26 pm

Hazaa how to disable SIP ALG on Westell 9100em

ZERO help from verizon on this topic: ZERO help via phone, ZERO help via email, ZERO help via live chat, ZERO help via forum, ZERO help via paper mail.  All verizon avenues assert it is not possible to disable the SIP ALG in the 9100em westell.  Errrn! wrong.

Export conf, edit file, load conf, reboot.

Advanced > Yes > Configuration File > Save Configuration File

remove ONE line: (alg(sip_udp))
save changes to file

Advanced > Yes > Configuration File > Load Configuration File
Advanced > Yes > Reboot

For a little more sanity, modify the 9100em SIP service definition from only ONE UDP port, 5060, to include the expected defaults, or YOUR SIP and RTP ports. You'll be redefining the 9100 SIP service to be your voip service, as creating your own voip service definition will not suffice. Thanks verizon for making "open" RG "better".

Yes, delightfully, you will be making multiple modifications in several locations in the config file: service... meh, why ruin your fun, you can find the rest, right? protocol(17) = UDP, protocol(6) = TCP. For a little more joy, craft some advanced filters (Firewall Settings > Advanced Filtering) to allow traffic in (Initial Rules) from your ITSP server(s) or otherwise, on the SIP/RTP ports you use. Enable rules logging to verify (a syslog daemon is preferred), but do not leave logging enabled.
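Hand-editing an exported router config and loading it back is where people brick a box: delete one line too many, or half a line, and the nested-parenthesis file no longer parses. The following is an added example, not code from the post or from Verizon/Westell. It assumes the export is a line-oriented, parenthesis-nested text file in which the ALG entry appears exactly as the post shows it, (alg(sip_udp)); the SAMPLE_CONF structure below is constructed for illustration and will not match a real export beyond that one line. The script removes exactly that line, refuses to proceed if it found zero or more than one match, checks parenthesis balance before and after, and reports the diff so you can confirm nothing else changed before you load the file.

```python
"""Strip the SIP ALG line from an exported Westell 9100em config, safely.

Added example (not from the original post). Assumptions: the export is a
line-oriented file with nested parentheses and contains the line
"(alg(sip_udp))" once. SAMPLE_CONF is constructed; real exports differ.
"""
import difflib
import sys

ALG_LINE = "(alg(sip_udp))"  # the one line the post says to delete

# Constructed sample; only the ALG line is taken from the post.
SAMPLE_CONF = """\
(fw
  (alg(sip_udp))
  (alg(ftp))
  (services
    (sip
      (ports
        (0
          (protocol(17))
          (start(5060))
          (end(5060))
        )
      )
    )
  )
)
"""


def paren_balance(text):
    """Return (balanced, line_no).

    line_no is the 1-based line of the first unmatched ')'; it is None when
    the depth never goes negative (even if it ends non-zero).
    """
    depth = 0
    for line_no, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return False, line_no
    return depth == 0, None


def remove_alg_line(text, target=ALG_LINE):
    """Drop every line whose stripped content equals target; return (text, count)."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if line.strip() == target:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def changed_lines(before, after):
    """Unified-diff lines that differ, without headers or context."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def edit_config(text):
    """Apply the post's edit; raise rather than return a config unsafe to load."""
    balanced, bad = paren_balance(text)
    if not balanced:
        raise ValueError(f"exported config is already unbalanced (line {bad})")
    new_text, removed = remove_alg_line(text)
    if removed != 1:
        raise ValueError(f"expected exactly one {ALG_LINE} line, found {removed}")
    balanced, bad = paren_balance(new_text)
    if not balanced:
        raise ValueError(f"edit broke parenthesis balance at line {bad}")
    return new_text, changed_lines(text, new_text)


if __name__ == "__main__":
    # Usage: python strip_alg.py exported.conf > edited.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    edited, changes = edit_config(src)
    print("\n".join(changes), file=sys.stderr)
    sys.stdout.write(edited)
```

The diff printed to stderr should be a single "-" line; anything else means the match was looser than intended and the file should not be loaded.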

Tested against
9100em hardware revision A
9100em hardware revision D

Only functional SIP ALGs exist on Cisco (not Linksys) and Juniper Networks gear. By default every NAT'ing device sold in a big box store has similarly piss poor NAT. pfSense for everyone!

@ verizon fios

Now that I have your attention: I would like an option to receive an IPA lease from a netblock without correlation to my geographic position (this is not challenging for you to implement). GeoIP location violates privacy and deters confident exercise of freedom of speech.

It would also be super to buy an additional IPA, since this device was designed with that in mind. That'd be easier than the multi-IPA solution I employ now, which I won't outline.

* 2010 update: the least painful way to escape fios cpe SIP ALG is to use SIP ports _other_ than 5060 on server (or proxy).  DEMAND your ITSP/VSP offer such ports or upgrade to one that does [viatalk].  DEMAND your VSP support SIP TCP & TLS.

* Sept 26 2010:  actual Cisco NAT & ALG

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htsmpws.html
NAT Optimized SIP Media Path with SDP
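Whether you escaped the ALG by deleting it or by moving off port 5060, the way to verify is the same: compare a SIP message as your phone sent it with the copy your ITSP actually received (from the server's log or a capture on a host you control outside the NAT), and see which fields were rewritten. A plain NAT only touches the outer IP/UDP header; an ALG rewrites Via, Contact and the SDP c=/m=/o= lines inside the payload. The following is an added example, not from the post: the two SIP INVITEs are constructed (documentation addresses 192.168.1.20 and 203.0.113.5, hostname sip.example.net), and it is a comparison tool, not a SIP client.

```python
"""Detect SIP ALG rewriting by diffing a sent message against the received copy.

Added example (not from the original post). Messages below are constructed;
in practice SENT comes from the phone/PBX and RECEIVED from the ITSP side.
"""


def build_message(start_line, headers, body_lines):
    """Assemble a SIP message with a correct Content-Length."""
    body = "\r\n".join(body_lines) + ("\r\n" if body_lines else "")
    hdrs = list(headers) + [("Content-Length", str(len(body)))]
    head = "\r\n".join([start_line] + [f"{k}: {v}" for k, v in hdrs])
    return head + "\r\n\r\n" + body


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def alg_rewrites(sent_raw, received_raw):
    """List (field, sent, received) for every ALG-sensitive field that differs."""
    _, sh, sb = parse_sip(sent_raw)
    _, rh, rb = parse_sip(received_raw)
    diffs = []
    # Headers an ALG rewrites to substitute the public address.
    for name in ("via", "contact", "content-length"):
        if sh.get(name) != rh.get(name):
            diffs.append((name, sh.get(name), rh.get(name)))
    # SDP lines an ALG rewrites to steer RTP through its own pinholes.
    for prefix in ("c=", "m=", "o="):
        s = [l for l in sb.splitlines() if l.startswith(prefix)]
        r = [l for l in rb.splitlines() if l.startswith(prefix)]
        if s != r:
            diffs.append((prefix, s, r))
    return diffs


def sip_alg_detected(sent_raw, received_raw):
    """True when the payload was altered in transit, i.e. an ALG is in the path."""
    return bool(alg_rewrites(sent_raw, received_raw))


def sample_invite(ip, rtp_port):
    """Constructed INVITE with SDP; ip/rtp_port are what an ALG would rewrite."""
    return build_message(
        "INVITE sip:2002@sip.example.net SIP/2.0",
        [("Via", f"SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776;rport"),
         ("From", "<sip:1001@sip.example.net>;tag=a1"),
         ("To", "<sip:2002@sip.example.net>"),
         ("Call-ID", "c1@sip.example.net"),
         ("CSeq", "1 INVITE"),
         ("Contact", f"<sip:1001@{ip}:5060>"),
         ("Content-Type", "application/sdp")],
        ["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-", f"c=IN IP4 {ip}", "t=0 0",
         f"m=audio {rtp_port} RTP/AVP 0"],
    )


# Constructed: what the phone transmitted, and what the ITSP saw after an ALG.
SENT = sample_invite("192.168.1.20", 16384)
RECEIVED_MANGLED = sample_invite("203.0.113.5", 30000)

if __name__ == "__main__":
    for field, before, after in alg_rewrites(SENT, RECEIVED_MANGLED):
        print(f"{field}: {before} -> {after}")
    print("ALG detected:", sip_alg_detected(SENT, RECEIVED_MANGLED))
```

An empty diff after the config edit (or after moving signalling off 5060) is the confirmation the post's "rules logging to verify" step is after; a server that adds received=/rport parameters to Via per RFC 3581 is doing its job and is not an ALG, which is why the comparison is on the values the client sent rather than on anything the server appends.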


[ Himself.wordpress.com ]
