Security Basics mailing list archives

VOIP and Firewalls need help


From: mike () genxweb net
Date: Wed, 7 Oct 2009 09:39:55 -0500 (CDT)

I am using AsteriskNOW 1.5 from http://www.asterisknow.org. I currently do
not have a VoIP provider but am instead using the system to call internal
extensions in my house for testing. I have created 3 extensions:
1100, 1300 and 1400. 1100 and 1300 are internal in my house and pass voice
back and forth fine. Extension 1400 is external, out on the internet. Using
X-Lite my friend is able to configure the client to connect and register
successfully to my PBX over the internet. He is able to call me and I
am able to call him. The issue is that he can hear me but I can never hear him.

From what I read you need to make some changes to the Asterisk config in
the file sip_nat.conf, which I have done as you can see below. You also have
to make sure that in the extensions you set nat to yes and qualify to yes.
I have done all that. Also, according to the articles, SIP does not work well
over NAT, and when it uses NAT it will use UDP ports 10,000 to 20,000 and
not UDP 5060 to send the voice.

So I opened my NetScreen 5GT firewall up to allow this, as you can see in
my config and rules below. To test this manually I set up a netcat listener
on port 10,000 UDP (nc -l -u -p 10000 -e /bin/bash). I then had a friend
try to netcat to that port (nc xxx.xxx.xxx.xxx -u 10000) and it looks like
it connected, but nothing shows. I had them try to issue an "ls" command and
echo test >> test.txt and nothing happens; it will eventually time out if
they don't send any data.

Asterisk settings:

[root@localhost asterisk]# cat sip_nat.conf
nat=yes
externip=68.xxx.xxx.xxx
localnet=10.10.9.0/255.255.255.0
[root@localhost asterisk]#

Firewall settings (Netscreen 5gt)

admin@10.10.9.1's password:
Remote Management Console
pink-taco-> get policy
Total regular policies 4, Default deny.
ID From     To       Src-address  Dst-address  Service  Action State ASTLC
1  Trust    Untrust  Any          Any          ANY      Permit enabled
4  Untrust  Trust    Any          VIP::1       vonage   Permit enabled
5  Untrust  Trust    Any          VIP::1       HTTPS    Permit enabled
3  Untrust  Trust    Any          Any          ANY      Deny   enabled

pink-taco-> get policy id 4
name:"voip-test" (id 4), zone Untrust -> Global,action Permit, status
"enabled"
src "Any", dst "VIP::1", serv "vonage"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 10, alert no, counter yes(1) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/1
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

I am mimicking netscreen support response of ports needed.

pink-taco-> get serv vonage
Name:       vonage
Category:   other          ID:  0   Flag:  User-defined

Transport    Src port     Dst port   ICMPtype,code  Timeout(min) Application
udp           0/65535    5060/5061                         1
udp           0/65535      123/123                         1
udp           0/65535        69/69                         1
udp           0/65535        53/53                         1
udp           0/65535  10000/20000                         1

Firewall logs

My snoop filter is as follows:

pink-taco-> snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP dst-port 10000 proto 17 dir(B)
pink-taco->

pink-taco->get db stream

754269.0: 1(i):00059ad26401->0010db993c31/0800
              206.xxx.xxx.xxx->68.xxx.xxx.xxx/17, tlen=28
              vhl=45, tos=00, id=15745, frag=0000, ttl=40
              udp:ports 39891->10000, len=8

As you can see the (i) shows inbound and there is never an outbound (o). I
believe this is due to UDP not being stateful.

My main goal here is to be able to have a remote user use a SIP client to
call my house and talk to me.

Can anyone help me with this issue? If I can get this to work then I plan
to get a VoIP provider, as this will allow me to make calls through my home
PBX from any WiFi and SIP enabled device over the internet. It will also
allow me to have an internal PBX for internal calls, paging and so on.

Thanks

mike
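One check a reader can run against a captured SIP INVITE body, as an added example that is not part of the post: it parses the SDP `c=` and `m=audio` lines and flags the two misconfigurations the post's settings are meant to prevent, a LAN address leaking into the offer (externip/localnet not applied) and a media port outside the firewall's udp 10000-20000 service. The localnet and port range are taken from the post's configs; 203.0.113.10 stands in for the redacted externip, and the SDP bodies are constructed.

```python
import ipaddress

# Values from the post's sip_nat.conf and the "vonage" firewall service.
# The real externip is redacted in the post, so 203.0.113.10 is a stand-in.
LOCALNET = ipaddress.ip_network("10.10.9.0/24")
MEDIA_PORTS = range(10000, 20001)          # firewall entry: udp 10000/20000
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_sdp(sdp):
    """Return the connection address and audio port advertised in an SDP body."""
    address, port = None, None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c=IN IP4 "):       # c=IN IP4 <address>
            address = line.split()[2]
        elif line.startswith("m=audio "):      # m=audio <port> RTP/AVP ...
            port = int(line.split()[1])
    return {"address": address, "port": port}

def check_media(sdp):
    """List the reasons the far end's RTP could not reach the advertised media endpoint."""
    info = parse_sdp(sdp)
    if info["address"] is None or info["port"] is None:
        return ["SDP has no c= or m=audio line"]
    addr = ipaddress.ip_address(info["address"])
    problems = []
    if addr in LOCALNET:
        problems.append("c= carries the PBX LAN address; externip/localnet not applied")
    elif any(addr in net for net in RFC1918):
        problems.append("c= carries an RFC1918 address; remote RTP goes to a NAT-internal host")
    if info["port"] not in MEDIA_PORTS:
        problems.append(f"m=audio port {info['port']} is outside the firewall's udp 10000-20000 range")
    return problems

# Constructed SDP bodies: one as externip should produce it, one leaking the LAN address.
SDP_OK = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=Asterisk
c=IN IP4 203.0.113.10
t=0 0
m=audio 12000 RTP/AVP 0 8 101
"""
SDP_LEAKY = SDP_OK.replace("203.0.113.10", "10.10.9.20").replace("m=audio 12000", "m=audio 4000")

if __name__ == "__main__":
    for name, body in (("ok", SDP_OK), ("leaky", SDP_LEAKY)):
        print(name, check_media(body) or "media endpoint reachable")
```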
