Inbound call matching based on IP address AND user

There is Asterisk 20.4.0 with PJSIP 2.13.1 running on Ubuntu 22.04 x64.
It is necessary to allow only a single IP from which a hard/soft phone can connect to the appropriate PBX extension:

I read that Asterisk with PJSIP now supports endpoint (extension) based ACLs.

I added deny/permit to necessary endpoints:

[marketing]
type = endpoint
................
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.15/32

[warehouse]
type = endpoint
................
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.40/32

[sales]
type = endpoint
................
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.100/32

And such IPs are not in the global ACL section.

But the softphone cannot connect:

[Apr 14 17:58:00] NOTICE[88846]: acl.c:784 ast_apply_acl_internal: SIP ACL: Rejecting '192.168.0.100' due to a failure to pass ACL '(BASELINE)'
[Apr 14 17:58:00] WARNING[88846]: res_pjsip_acl.c:134 apply_acl: Incoming SIP message from 192.168.0.100:59130 did not pass ACL test

Also I tried to set such ACLs in acl.conf:

[marketing_acl]
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.15/32

and put it in the endpoint:

[marketing]
type = endpoint
................
acl = marketing_acl

But there is no success.

If such IPs are put in the global ACL section, everything works.
But the global ACL can contain several IPs.
But I need a single, exact (different) allowed IP for each necessary extension.

What is wrong, or what is necessary to set up instead or additionally?

Just asking out of interest, because I was struggling with something similar some weeks ago. And I am still not sure how I got it working.

Do you notice a difference if you use

permit = 192.168.0.100/255.255.255.255

?

Just tried.
No changes - no success.
Can you post part of your configuration?

What Asterisk and PJSIP do you use?

If you have a /32 address, you don’t need ACLs. Use identify_by=ip in the endpoint section and use contact, rather than max_contacts, in the type=aor section. Use a type=identify section with the IP.

https://docs.asterisk.org/Latest_API/API_Documentation/Module_Configuration/res_pjsip/#identify_by
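As an added example of the static-IP identification described above (constructed for this thread, not the poster's own configuration; the section names, the 192.168.0.100 address and the placeholder password are assumed), a pjsip.conf fragment where the source address alone selects the endpoint and no ACL is involved:

```ini
; Added example (constructed; not from any poster's configuration).
; One /32 host selects the endpoint via a type=identify section;
; credentials are still checked because the endpoint carries auth=.

[sales]
type = endpoint
context = from-internal
disallow = all
allow = ulaw
aors = sales
; select this endpoint purely by source IP, never by the From user
identify_by = ip
; once identified, the request is still challenged for user/pass
auth = sales

[sales]
type = auth
auth_type = userpass
username = sales
password = CHANGE_ME_placeholder

[sales]
type = aor
; a fixed contact instead of max_contacts: the phone need not register
contact = sip:192.168.0.100:5060

[sales]
type = identify
endpoint = sales
match = 192.168.0.100
```

Because a type=identify match maps one address to one endpoint, this approach cannot distinguish several trunks that share the same IP and port.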

It’s great to identify by IP, but I have a trunk where several extensions connect using the same IP, and I need to use match_header.
But there is no user_id and IP in one header, and I need either a multiple match (by IP and header) or to restrict the IP and match by header.

Anyway, I also need user/pass, that is, user/pass AND IP.

Here are links:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+Configuration_res_pjsip#Asterisk13Configuration_res_pjsip-endpoint_acl

This link I cannot open.

https://gitee.com/tianhuajain/asterisk/blob/master/CHANGES

 * Endpoint IP Access Controls
   Added new configuration Endpoint options:
    "acl" - list of IP ACL section names in acl.conf
    "deny" - List of IP addresses to deny access from
    "permit" - List of IP addresses to permit access from
    "contact_acl" - List of Contact ACL section names in acl.conf
    "contact_deny" - List of Contact header addresses to deny
    "contact_permit" - List of Contact header addresses to permit

Anyway, I don’t understand why it doesn’t work.

These are different, and you can have both.

I don’t know which link you cannot open. Both work for me, although the second one is not the definitive repository for Asterisk. The definitive link for the second would be:

If you are trying to use the ACL to resolve an ambiguity in other identifiers, I suspect that the ACL is only applied after the final selection has been made, so it will reject the call rather than looking for an alternative match that is consistent with the ACL.

Why?

I need that either a local client (hard or soft) or some remote trunk could place an incoming call to the PBX using the appropriate extension only with authentication by user/pass AND IP.

But some extensions can be used with the trunk with the same IP and port.

So, what is the best way?

I just tried on my Asterisk 18.15.1 (PJPROJECT 2.12.1)

deny=0.0.0.0/0.0.0.0
contact_deny=0.0.0.0/0.0.0.0
permit=10.0.0.234/255.255.255.255
contact_permit=10.0.0.234/255.255.255.255

And it works as it should. But I can remember some weeks ago also getting this “due to a failure to pass ACL ‘(BASELINE)’” message and I was not sure why. I was a bit in a hurry and got it working then somehow after some conf editing and restarts. I then thought that it was maybe a typo in the first place.
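As an added example that combines the four deny/permit lines reported working above with username/password authentication (constructed for this thread, not any poster's configuration; the endpoint name, the 10.0.0.234 address, the context and the placeholder password are assumed), a pjsip.conf fragment in which the endpoint is selected by username and the per-endpoint ACL then restricts the source and Contact addresses:

```ini
; Added example (constructed; not from any poster's configuration).
; Goal: the caller must present the right username/password AND
; arrive from one fixed source address.

[warehouse]
type = endpoint
context = from-internal
disallow = all
allow = ulaw
; identify by the From/To user so several endpoints may share an IP;
; the ACL below is evaluated after the endpoint has been selected
identify_by = username
auth = warehouse
aors = warehouse
; per-endpoint ACL: reject everything, then allow a single host
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.234/255.255.255.255
; same rule for the address carried in the Contact header
contact_deny = 0.0.0.0/0.0.0.0
contact_permit = 10.0.0.234/255.255.255.255

[warehouse]
type = auth
auth_type = userpass
username = warehouse
password = CHANGE_ME_placeholder

[warehouse]
type = aor
max_contacts = 1
qualify_frequency = 30
```

With this layout a request from the right host but with another endpoint's username is handed to that other endpoint, whose own deny/permit decides; a request with the right username from any other host is rejected by this endpoint's ACL.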

Did you provide the endpoint configuration part?

I showed you my deny/permit lines of the endpoint configuration. I don’t think that any other part of my configuration is relevant here.

I asked because I tried the same but failed.
I upgraded to 20.6.0.
But nothing changed.
Maybe some global parameter is important.

I could get the endpoint-based ACL working, but only if there is no global ACL at all, or there is no deny = 0.0.0.0/0 and contact_deny = 0.0.0.0/0.

Do you have a global ACL section?

There is Asterisk 20.6.0 with PJSIP 2.13.1 running on Ubuntu 22.04 x64.

There are some trunks.
Some of them have the same IP and port but different usernames/passwords.

I need that incoming (inbound) calls from such trunks to Asterisk could be received by Asterisk only after IP, port AND username matching.
For example, if a call comes from a trunk with IP 192.168.0.200:6000 as anonymous or with username ‘trunk2’, Asterisk will not receive such a call. But if a call comes from a trunk with the same IP 192.168.0.200:6000 but with a different username ‘abc22’, such a call will be accepted and handled by Asterisk further…

What is the best and most correct way to authorize these trunks with the same IP and port using IP AND username?
