Firewall ports

We are setting up an asterisk server inside the company firewall. This server will have one sip trunk to a sip provider.

The firewall has no outgoing blocks, but blocks most incoming ports. There is no NAT, its all routeable IP addresses.

Which ports have to be unblocked incoming for the Asterisk server?

Which ports have to be unblocked incoming for the Sip Phones?

Standard ones like DNS, UDP 5060, the range of UDP ports specified in rtp.conf.

Where are the phones in relation to the firewall? Do you intend to re-invite the RTP stream out of Asterisk?

If all of the phones are on the same lan with the Asterisk server. Do those need incoming 5060 and the full rtp range incoming from the firewall?

Does this change if there are softphones outside the firewall?

Depends on the answer to my second question. They shouldn’t need 5060, but, if you allow re-inviting, they will need the UDP port range configured in the respective phone. Re-inviting will reduce the load on Asterisk.

They don’t add any requirements not already needed for the trunks.

So with “canreinvite=no”, does that mean

  • all the rtp traffic from outside the firewall is with the asterisk server.

  • sip phones on the lan with the asterisk server don’t need any firewall ports unblocked.

It would be much easier to unblock ports just to the asterisk server’s IP.

In this scenario, would sip phones outside the firewall require any additional unblocking?

Does running with “canreinvite=no” add so much load to the asterisk server that 20 simultaneous calls on the sip trunk would require high end hardware on the asterisk server?

ALL RTP traffic would go through the server, and internal phones only need to be able to see the server.

20 erlangs is probably supportable, but I generally work with development systems, not production ones, so I’d seek a second opinion.

Re RTP ports, you will need 4 free UDP ports for RTP per call.

If you are not wanting to accept anonymous SIP calls, only allow 5060/UDP traffic from your SIP provider (as well as the handset subnet…obviously), it will reduce the SPIT and extension enumeration attacks as is becomming ever more frequent.

20 calls is pretty straight forward on most current hardware provided there is no codec translation. Thats the CPU killer. Try to keep it all g711 or g729 or even g722 if your bandwidth and ITSP support it. So long as you dont have to convert the audio.

We have a similar situation, only we have NAT and we are using port forwarding on the Asterisk box. Its a Via C3 running at 800MHz with 512Mb RAM and a standard EIDE 80Gb disk. It manages to keep up with 6-8 calls and no complaints. I recon I could double it, judging by the overall CPU usage. All handsets are running g711a (alaw which is standard for Australia) to the ITSP. The box handles all SIP and RTP traffic from the handsets to the trunk.

Check out There are some good rule of thumb examples there.

Good luck and let us know how you go.