Asterisk behind a firewall

We have a bit of a sticky problem on our Asterisk server which we are struggling to resolve; I’m hoping someone with more knowledge than me can help.

We are running Asterisk 1.8.23.0 on CentOS 6.4, and our phones and Asterisk server are sitting on the inside of a firewall while our voip service providers are on the outside. The firewall is set up and managed by an external company.

We currently have two voip service providers: A, who handles most of our inbound traffic and all our outbound traffic, and B, who handles some of our inbound traffic, which gets routed to our call centre via an external IVR.

In a recent security audit we were told that we should have all our voip traffic running through a firewall, and it’s been decided that we should do this in two phases.

The first phase is to put the inbound traffic that we receive from B through a firewall, and then in phase two send the inbound and outbound traffic from A through the firewall as well. We are currently stuck on phase one.

Initially we tried setting externip and localnet in the [general] section of our sip.conf file, but that broke the voip traffic on our primary voip service provider A, so we’ve tried to set them in the specific entry in our sip.conf file for our secondary voip service provider, B, like this:

[code]
[A]
type=friend
disallow=all
allow=alaw
allow=g729
context=fromneotel
host=aaa.aaaa.aaa.aaa
insecure=port,invite
nat=no
directmedia=no

[B]
type=friend
disallow=all
allow=g711
allow=g729
allow=alaw
context=fromis1
host=bbb.bbb.bbb.bbb
insecure=port,invite
nat=yes
directmedia=no
externip=ccc.ccc.ccc.ccc
localnet=192.68.20.0/255.255.252.0
[/code]

where aaa.aaa.aaa.aaa is the ip of A and bbb.bbb.bbb.bbb is the ip of B and ccc.ccc.ccc.ccc is the external ip of the firewall.

With these settings in place, the call centre can receive phone calls via the IVR, but once the calls are connected, the external caller can hear the call centre agent, but the call centre agent cannot hear the caller.

Our voip service provider tells us that in the 200 OK SIP response from ccc.ccc.ccc.ccc the SDP portion is giving them the ddd.ddd.ddd.ddd IP address to send media to.

ddd.ddd.ddd.ddd is the ip of our asterisk server that B would normally connect to when we are not trying to pass traffic through the firewall. This is the information we receive from them:

[code]
Via: SIP/2.0/UDP bbb.bbb.bbb.bbb:5060;branch=z9hG4bKmm63qe00d8ogcio100k0.1;received=bbb.bbb.bbb.bbb
From: "Anonymous"<sip:@bbb.bbb.bbb.bbb:5060;user=phone>;tag=1641833502-1377756054727-
To: ""<sip:@ccc.ccc.ccc.ccc:5060>;tag=as43201e45
Call-ID: BW0800547272908131094994481@eee.eee.eee.eee
CSeq: 609518180 INVITE
Server: Asterisk PBX 1.8.23.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:@ccc.ccc.ccc.ccc>
Content-Type: application/sdp
Content-Length: 260

v=0
o=root 1148542603 1148542603 IN IP4 ddd.ddd.ddd.ddd
s=Asterisk PBX 1.8.23.0
c=IN IP4 ddd.ddd.ddd.ddd
t=0 0
m=audio 11064 RTP/AVP 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
[/code]

According to B, our secondary voip service provider, this is the line causing the trouble: o=root 1148542603 1148542603 IN IP4 ddd.ddd.ddd.ddd

eee.eee.eee.eee is an ip address that I don’t recognise and know nothing about.

Any help is greatly appreciated.

Sounds like your firewall is also a NAT device. You are not configured for using NAT (nat= is for various hacks). You need to specify your external host name or IP address, or an address of a STUN server.

So is it not necessary to use nat=yes?
I was under the impression that setting externip=xxx.xxx.xxx.xxx/externaddr=xxx.xxx.xxx.xxx would configure Asterisk to use xxx.xxx.xxx.xxx in the header of the data packets? Or is that wrong?
Thanks.

nat=yes is deprecated in the latest versions; you are expected to select the individual options. For 1.8, I am not sure if nat=yes is the same as specifying all the options. You may or may not need some of the options, depending on exactly how port numbers get mangled by the router.

externip etc. do set the address in the header. That is normally the right thing to do with NAT, as otherwise Asterisk will use the non-routable local address. It is advisable to disable any feature in the router that tries to manipulate SIP headers.
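As an added illustration of the symptom in the original post and of the externip/localnet rule described in the reply above (this is example code, not part of the thread and not Asterisk's own code), the script below parses a 200 OK, pulls the media address out of the SDP and flags it when it is an RFC 1918 address that a provider on the public Internet cannot reach. The sample message is constructed, modelled on the quoted response with documentation-range addresses standing in for the poster's placeholders; `advertised_address` is a simplified model of the rule "peers outside localnet are offered externip, peers inside are offered the local address", and all function names are mine.

```python
import ipaddress
import re

# Constructed sample modelled on the 200 OK quoted in the original post.
# Documentation-range addresses stand in for the poster's placeholders:
#   198.51.100.10 = provider B, 203.0.113.5 = firewall external address,
#   10.20.1.5 = the Asterisk box's inside address.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bKmm63qe00d8ogcio100k0.1;received=198.51.100.10\r\n"
    'From: "Anonymous"<sip:@198.51.100.10:5060;user=phone>;tag=1641833502-1377756054727-\r\n'
    'To: ""<sip:@203.0.113.5:5060>;tag=as43201e45\r\n'
    "Call-ID: BW0800547272908131094994481@192.0.2.77\r\n"
    "CSeq: 609518180 INVITE\r\n"
    "Server: Asterisk PBX 1.8.23.0\r\n"
    "Contact: <sip:@203.0.113.5>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1148542603 1148542603 IN IP4 10.20.1.5\r\n"
    "s=Asterisk PBX 1.8.23.0\r\n"
    "c=IN IP4 10.20.1.5\r\n"
    "t=0 0\r\n"
    "m=audio 11064 RTP/AVP 18 101\r\n"
    "a=sendrecv\r\n"
)

# RFC 1918 ranges: a provider on the public Internet cannot route RTP to these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_sip(message):
    """Split a SIP message into a lower-cased header dict and the raw body."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status/request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sdp_media_address(body):
    """Address the SDP tells the peer to send RTP to: session-level c=, else o=."""
    m = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if not m:
        m = re.search(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", body, re.M)
    return m.group(1) if m else None


def contact_host(headers):
    """Host part of the Contact URI (the user part may be empty, as in the post)."""
    m = re.search(r"sip:(?:[^@>]*@)?([0-9A-Za-z.\-]+)", headers.get("contact", ""))
    return m.group(1) if m else None


def check_media_address(message):
    """Return a list of findings; an empty list means the SDP looks consistent."""
    headers, body = split_sip(message)
    media = sdp_media_address(body)
    if media is None:
        return ["no IP4 address in SDP body"]
    findings = []
    if any(ipaddress.ip_address(media) in net for net in RFC1918):
        findings.append(
            f"SDP advertises RFC 1918 media address {media}: the provider will send RTP "
            f"to an unroutable address (one-way audio); check externip/localnet on the peer"
        )
    signalling = contact_host(headers)
    if signalling and media != signalling:
        findings.append(f"SDP media address {media} differs from Contact host {signalling}")
    return findings


def advertised_address(peer_ip, local_ip, externip, localnets):
    """Simplified externip/localnet rule: a peer inside any localnet is offered the
    local address; any other peer is offered externip. localnets are ip_network
    objects (Asterisk's "addr/netmask" form parses directly)."""
    peer = ipaddress.ip_address(peer_ip)
    return local_ip if any(peer in net for net in localnets) else externip


if __name__ == "__main__":
    for finding in check_media_address(SAMPLE_200_OK):
        print("FINDING:", finding)
    nets = [ipaddress.ip_network("192.168.20.0/255.255.252.0")]   # constructed localnet
    print("to provider:", advertised_address("198.51.100.10", "10.20.1.5", "203.0.113.5", nets))
    print("to phone:   ", advertised_address("192.168.21.7", "10.20.1.5", "203.0.113.5", nets))
```

Running it against the constructed sample produces two findings (an RFC 1918 media address, and a mismatch between that address and the Contact host), which is exactly the state the provider B described. Feeding it a capture of your own 200 OK (for example from `sip set debug on` output) after changing externip/localnet gives a quick check that the SDP now carries the routable address before you ring the provider again.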

Thanks for your help. I’ve managed to resolve the incorrect ip in the data packet headers issue, but we’re still getting one way audio. However, the matter is being handed over to a network specialist who is currently here auditing our network.

Had a similar issue, and I think, if I read the documents right, externip=xxx.xxx.xxx.xxx was a global setting, so you can only use that trick to work with one provider? Someone can correct me, but that’s my understanding, so you may end up needing two Asterisk boxes acting as gateways to traverse the NAT and provide two different external ips.

Also you could look at using iptables on your Asterisk box locally to satisfy the firewall requirement too. Our Asterisk box is internal and we still use iptables on it: we restrict SIP registrations to the voice LAN and run SIP on a port other than 5060. In today’s environment of script kiddies and tools like sipvicious you would be crazy not to.

Unless you have a system that supports Border Gateway Protocol and you have your own autonomous system number, you should only have one external IP address. That doesn’t stop you using multiple ITSPs.

Where life gets difficult is if you have non-mutually routable, private network connections to more than one ITSP. That is just about manageable if the relevant interfaces are directly on the Asterisk box.