New to Asterisk and have questions about firewall

I recently installed Asterisk on a Fedora Core Linux box. It is currently behind a firewall and I am wondering if anyone knows what ports I need to let pass through the firewall to this box?

Any help would be greatly appreciated… Thanks in advance

Firewall issues are more than just “which ports do I open”.

SIP doesn’t play well with NAT. When a SIP session is started, an object will send a packet to another object (say, a phone to an Asterisk Box). INSIDE the packet (not just in the packet header) is the IP address of the sending device.

Though a packet header may be changed because of NAT address change, the contents of the packet (specifically, the SIP originating address) won’t be.

So, you need a device that can explicitly insert a KNOWN address into the packet so that you can get a return message from the Asterisk box, OR you need to build a STUN server.

Other than that, you’ll need to open these ports (depending on the services you use).

SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well.
IAX2 the IAX protocol port 4569. (Also 5036 for common IAX, not IAX v2.)
RTP media stream ports 10000 through 20000. (You can adjust this to another range in configuration files, but this is the default.)
MGCP if you use media gateway control protocol in your configuration, port 2727.

Click here to learn more: voip-info.org/wiki/view/NAT+and+VOIP
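As an added illustration of the port list above (this is not code from the thread or from the Asterisk project), the script below emits iptables rules for only the services you actually run, with SIP and IAX2 restricted to one provider address. The provider address 203.0.113.10 is a constructed placeholder, and the script assumes iptables on the Asterisk host with a default-DROP INPUT policy. It prints the commands by default and only executes them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post: build iptables rules for the
# Asterisk ports listed in the reply above (SIP 5060/udp, IAX2 4569/udp,
# RTP 10000-20000/udp, MGCP 2727/udp).
# Assumptions: iptables is present, INPUT policy is DROP, and a single
# provider address is used for signalling (PROVIDER, a constructed placeholder).

PROVIDER="${PROVIDER:-203.0.113.10}"   # constructed placeholder; set to your SIP/IAX provider
RTP_START="${RTP_START:-10000}"        # must match rtpstart in rtp.conf
RTP_END="${RTP_END:-20000}"            # must match rtpend in rtp.conf

# run_rule: print the iptables command; execute it only when APPLY=1
run_rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# rtp_range_ok: sanity-check the RTP range before opening it
rtp_range_ok() {
    [ "$RTP_START" -ge 1024 ] && [ "$RTP_END" -le 65535 ] && [ "$RTP_START" -lt "$RTP_END" ]
}

# asterisk_fw_rules "sip rtp ...": SERVICES is a space-separated subset of
# "sip iax2 rtp mgcp"; only the named services get a rule.
asterisk_fw_rules() {
    for svc in $1; do
        case "$svc" in
            sip)  run_rule -A INPUT -p udp -s "$PROVIDER" --dport 5060 -j ACCEPT ;;
            iax2) run_rule -A INPUT -p udp -s "$PROVIDER" --dport 4569 -j ACCEPT ;;
            rtp)  run_rule -A INPUT -p udp --dport "$RTP_START:$RTP_END" -j ACCEPT ;;
            mgcp) run_rule -A INPUT -p udp --dport 2727 -j ACCEPT ;;
            *)    echo "unknown service: $svc" >&2; return 1 ;;
        esac
    done
}

# Stand-alone run: a SIP provider plus media. A PSTN card needs none of this,
# as later replies in the thread point out.
rtp_range_ok && asterisk_fw_rules "sip rtp"
```

The RTP rule is left without a source restriction because a provider's media often arrives from a different address than its signalling; if your provider publishes a fixed media range, add a matching -s to that rule as well. Keep RTP_START and RTP_END in step with rtp.conf, otherwise calls will set up but carry no audio.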

Ok… Sounds like I need to do a little more work than I anticipated.

Please forgive my ignorance but, what is a STUN server and what do I need to do to accomplish this?

After re-reading your post, I may not need to do this. Please let me know what you think.

I will have the Asterisk server (as well as the rest of my network (including my IP phones)) behind a firewall. So, the phones are on the same side of the firewall as the Asterisk server. I was wondering what I needed to open up to get to the PSTN. Would I need a “STUN” server for this?

Again, thank you for your help.

hi deadeye8,

If your Asterisk and softphone are in the same network then you don’t need a STUN server; only forward 5060 and 5061 through your firewall on Fedora Linux. And about the PSTN line,
If you buy a card and hook a telephone line to it then you just need to install the card and configure the card with Asterisk (extension.conf) and that’s it. In that case (only for PSTN) you don’t even need to forward any ports.

Cheers,
Deepen

True. deepenm is right.

If you’re not attempting to extend any calls across the network there’s really no need for any firewall holes at all.

A PSTN connection can be made easily from any analog adapter card or ATA device.

If you’re trying to get your PSTN connection through a VOIP provider like, say, Skype-out services, you’ll need to investigate what firewall support that service will require.

A STUN server is a server that attempts to learn the true internet address of a SIP packet. It uses that information to update the contents of the packet so that its destination device has correct information about where to direct a reply packet.

They sort of work, but can be problematic. If all of your phones, and the PBX will be on one side of the firewall, you won’t need it.

You may have to hard code a NAT ip address to use an internet SIP/VOIP provider as a gateway to the PSTN, but that should be fairly easy to do. If you use something like Skype services with Chanskype, you may not need to worry about NAT at all.

Ok… It’s making a little more sense now. I thank you both very much for your help.

I do have another question… If I go the route of connecting to a provider (through VoIP) outside my firewall, would that pose an issue? I do have the option on my firewall/router of port forwarding and of putting a device (Asterisk server) in the “DMZ.” If I put this device in the DMZ, would that take care of my issue?

Also, if I go the PSTN route, what do you recommend as far as a connection? I have a standard modem card (which I would believe wouldn’t do what’s needed).

Again, you guys have been a boat load of help and I greatly appreciate it.

Again, it depends on the provider.

SIP can be done, but you’d have to hard code the “outside” address into your configuration files. If your outside address is subject to change (because of DHCP) you may encounter problems if it gets changed.

An IAX provider is a bit easier to deal with. Skype signalling survives NAT nicely, but setting up Chanskype can be tricky.

Your DMZ would still present the same NAT issues I think. Your machine doesn’t acquire the IP address from the internet. So its packets would still be incorrectly formed unless you, again, hard code in the outside IP address.

If you’re going to use an analog line, you could just buy a Digium TDM card, and an FXO daughter card to adapt the line. Or you could buy any of a number of ATA devices (ATA = Analog Telephone Adapter). Make sure you have one that’s designed with an FXO port. Most are just one FXS port.

People used to use voicemodems, (which you’ll see available as X100 cards) but those are no longer supported by Asterisk. They will sort-of work, but the audio quality is terrible, and things like caller-ID delivery may not work at all. I would NOT buy one. Even if they’re cheap.

Ok… As time goes on, I start to understand more. I do have DDNS which will update if that changes, would that help?

Thanks