Security Basics mailing list archives
VOIP and Firewalls need help
From: mike () genxweb net
Date: Wed, 7 Oct 2009 09:39:55 -0500 (CDT)
I am using asterisknow 1.5 from http://www.asterisknow.org. I currently do not have a VoIP provider but instead am using the system to call internal extensions in my house for testing. I have created 3 extensions: 1100, 1300 and 1400. 1100 and 1300 are internal in my house and pass voice back and forth fine. Extension 1400 is external, out on the internet. Using X-Lite my friend is able to configure the client to connect and register successfully to my PBX over the internet. He is able to call me and I am able to call him. The issue is he can hear me but I can never hear him.

From what I read, you need to make some changes to the Asterisk config in the file sip_nat.conf, which I have done as you can see below. You also have to make sure that in the extensions you set nat to yes and qualify to yes. I have done all that. Also, according to the articles, SIP does not work well over NAT, and when it uses NAT it will use UDP ports 10,000 to 20,000 and not UDP 5060 to send the voice. So I opened my NetScreen 5GT firewall up to allow this, as you can see in my config and rules below.

To test this manually I set up a netcat listener on port 10,000 UDP (nc -l -u -p 10000 -e /bin/bash). I then had a friend try to netcat to that port (nc xxx.xxx.xxx.xxx -u 10000) and it looks like it connected, but nothing shows. I had him try to issue the "ls" command and echo test >> test.txt and nothing happens; it will eventually time out if he doesn't send any data.

Asterisk settings:

    [root@localhost asterisk]# cat sip_nat.conf
    nat=yes
    externip=68.xxx.xxx.xxx
    localnet=10.10.9.0/255.255.255.0
    [root@localhost asterisk]#

Firewall settings (NetScreen 5GT):

    admin@10.10.9.1's password:
    Remote Management Console
    pink-taco-> get policy
    Total regular policies 4, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action  State    ASTLC
    1  Trust    Untrust  Any          Any          ANY      Permit  enabled
    4  Untrust  Trust    Any          VIP::1       vonage   Permit  enabled
    5  Untrust  Trust    Any          VIP::1       HTTPS    Permit  enabled
    3  Untrust  Trust    Any          Any          ANY      Deny    enabled

    pink-taco-> get policy id 4
    name:"voip-test" (id 4), zone Untrust -> Global,action Permit, status "enabled"
    src "Any", dst "VIP::1", serv "vonage"
    Policies on this vpn tunnel: 0
    nat off, url filtering OFF
    vpn unknown vpn, policy flag 0000, session backup: on
    traffic shapping off, scheduler n/a, serv flag 00
    log yes, log count 10, alert no, counter yes(1) byte rate(sec/min) 0/0
    total octets 0, counter(session/packet/octet) 0/0/1
    priority 7, diffserv marking Off
    tadapter: state off, gbw/mbw 0/-1
    No Authentication
    No User, User Group or Group expression set

I am mimicking NetScreen support's response of the ports needed.

    pink-taco-> get serv vonage
    Name: vonage
    Category: other ID: 0 Flag: User-defined
    Transport  Src port  Dst port     ICMPtype,code  Timeout(min)  Application
    udp        0/65535   5060/5061                   1
    udp        0/65535   123/123                     1
    udp        0/65535   69/69                       1
    udp        0/65535   53/53                       1
    udp        0/65535   10000/20000                 1

Firewall logs. My snoop filter is as follows:

    pink-taco-> snoop info
    Snoop: ON
    Filters Defined: 1, Active Filters 1
    Detail: OFF, Detail Display length: 96
    Snoop filter based on:
    id 1(on): IP dst-port 10000 proto 17 dir(B)
    pink-taco->
    pink-taco-> get db stream
    754269.0: 1(i):00059ad26401->0010db993c31/0800
              206.xxx.xxx.xxx->68.xxx.xxx.xxx/17, tlen=28
              vhl=45, tos=00, id=15745, frag=0000, ttl=40
              udp:ports 39891->10000, len=8

As you can see, the (i) shows inbound and there is never an outbound (o). I believe this is due to UDP not being stateful.

My main goal here is to be able to have a remote user use a SIP client to call my house and talk to me. Can anyone help me with this issue? If I can get this to work then I plan to get a VoIP provider, as this will allow me to make calls through my home PBX from any Wi-Fi and SIP-enabled device over the internet. It will also allow me to have an internal PBX for internal calls, paging and so on.

Thanks
mike
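The one-way audio described in this post is the classic symptom of the PBX advertising its private 10.10.9.x address (or a media port the firewall does not forward) in the SDP of its SIP messages, which is exactly what externip/localnet and the 10000-20000 rule are meant to fix. The following added example, which is not code from the original post or from Asterisk, parses the SDP body of a constructed SIP INVITE and flags both conditions; the addresses, ports and message text are constructed, and 203.0.113.7 stands in for the poster's externip.

```python
import ipaddress
import re

# Constructed sample messages: the 10.10.9.x address mirrors the poster's
# localnet, 203.0.113.7 is a documentation address standing in for externip.
SAMPLE_INVITE_BAD = (
    "INVITE sip:1400@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.9.5:5060;branch=z9hG4bK776\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.10.9.5\r\ns=-\r\n"
    "c=IN IP4 10.10.9.5\r\nt=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)
SAMPLE_INVITE_GOOD = (
    SAMPLE_INVITE_BAD.replace("c=IN IP4 10.10.9.5", "c=IN IP4 203.0.113.7")
    .replace("m=audio 8000", "m=audio 12000")
)

RTP_RANGE = (10000, 20000)  # UDP range the poster opened on the firewall
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip is a private address a remote peer cannot send RTP to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_sdp_media(sip_msg):
    """Return (connection_ip, audio_port) from the SDP body of a SIP message."""
    _, _, body = sip_msg.partition("\r\n\r\n")
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if not c or not m:
        raise ValueError("no IPv4 audio description in SDP body")
    return c.group(1), int(m.group(1))


def check_sdp(sip_msg, rtp_range=RTP_RANGE):
    """List conditions that produce one-way audio across NAT: a private c=
    address (externip/localnet not applied) or a port outside the forwarded range."""
    ip, port = parse_sdp_media(sip_msg)
    problems = []
    if is_rfc1918(ip):
        problems.append(f"c= advertises private address {ip}")
    lo, hi = rtp_range
    if not lo <= port <= hi:
        problems.append(f"audio port {port} outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for name, msg in (("bad", SAMPLE_INVITE_BAD), ("good", SAMPLE_INVITE_GOOD)):
        print(name, check_sdp(msg) or "ok")
```

Running it against a real capture (e.g. the SDP from `sip set debug` output on the PBX) shows whether the remote phone is being told to send audio to 10.10.9.x, which the firewall snoop above would never see.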