Please check my configuration

Hi all, I’m relatively new to Asterisk and I just need some help making sure my configuration is optimal. I do not believe I have everything correct.

My phone system is in a small business (don’t worry, they aren’t paying me), about 20 hardphones (Cisco 7960). They have a SIP trunk to sipgate UK which is used for incoming and outgoing calls. As they are using a basic business broadband connection with a crap router and are behind NAT, the PBX is in the DMZ to avoid one-way audio problems for now, until I set them up with a proper pfSense firewall configured for SIP. I have moved SIP onto a non-standard port as a basic security measure temporarily.

Each phone has its own internal 3-digit extension starting with 2 (201, 202, 203 etc). All of these can call each other.
Certain phones have a second line with extension 301, which the inbound SIP trunk calls are routed to.
All phones can call out via SIP trunk by dialling 9 before the number.
50000 calls the sipgate voicemail from any phone via SIP trunk.
100 calls the sipgate test number from any phone via SIP trunk.
299 calls an internal test number which has an echo test.

Passwords etc. removed from the following configs.
sip.conf:

[quote][general]
context=default
allowoverlap=no
bindport=5061 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup=yes
mwi_from=asterisk
;allowguest=no
alwaysauthreject=yes
localnet=192.168.0.109/255.255.255.0
rtpstart=10000
rtpend=10200

register => sipgate-id:sipgate-pass@sipgate.co.uk/sipgate-id

[sipgate]
type=peer
secret=sipgate-pass
insecure=invite
username=sipgate-id
defaultuser=sipgate-id
fromuser=sipgate-id
context=sipgate-in
fromdomain=sipgate.co.uk
host=sipgate.co.uk
outboundproxy=proxy.live.sipgate.co.uk
nat=yes
qualify=yes
disallow=all
allow=alaw
dtmfmode=rfc2833

[201]
type=friend
host=dynamic
dtmfmode=rfc2833
nat=yes
username=201
secret=pass
context=internal
canreinvite=no
callerid="Phone 1"

[202]
type=friend
host=dynamic
dtmfmode=rfc2833
nat=yes
disallow=all
allow=ulaw
username=202
secret=pass
context=internal
canreinvite=no
callerid="Phone 2"

[203]
type=friend
host=dynamic
dtmfmode=rfc2833
nat=yes
disallow=all
allow=ulaw
username=203
secret=pass
context=internal
canreinvite=no
callerid="Phone 3"

~

[301]
type=friend
host=dynamic
dtmfmode=rfc2833
nat=yes
disallow=all
allow=ulaw
username=301
secret=pass
context=sipgate-out
canreinvite=no
callerid="External"[/quote]

extensions.conf:

[quote][default]
exten => i,1,Hangup

;route sipgate inbound calls to ext 301
exten => sipgate-id,1,Dial(SIP/301) ; first priority of an extension must be 1, not n
exten => sipgate-id,n,Hangup

[internal]
;dial 9 to route any number via sipgate
exten => _9[0-9].,1,Set(CALLERID(num)=sipgate-id)
exten => _9[0-9].,n,Dial(SIP/${EXTEN:1}@sipgate,25,trg)
exten => _9[0-9].,n,Hangup

;internal extensions below
exten => 201,1,Dial(SIP/201,25)
exten => 201,n,Hangup

exten => 202,1,Dial(SIP/202,25)
exten => 202,n,Hangup

exten => 203,1,Dial(SIP/203,25)
exten => 203,n,Hangup

~

;forward extension 100 to sipgate test number
exten => 100,1,Set(CALLERID(num)=2077413e0)
exten => 100,n,Dial(SIP/10000@sipgate,30,trg)
exten => 100,n,Hangup

;internal test number
exten => 299,1,Ringing()
exten => 299,n,Wait(3)
exten => 299,n,Answer()
exten => 299,n,Playback(dir-multi3)
exten => 299,n,SayDigits(${CALLERID(num)})
exten => 299,n,Wait(1)
exten => 299,n,Playback(channel)
exten => 299,n,Wait(1)
exten => 299,n,SayAlpha(${CHANNEL})
exten => 299,n,Wait(1)
exten => 299,n,Playback(readback-instructions)
exten => 299,n,Record(/tmp/299-${UNIQUEID}.wav,0,30)
exten => 299,n,Playback(/tmp/299-${UNIQUEID})
exten => 299,n,System(rm /tmp/299-${UNIQUEID}.wav)
exten => 299,n,Wait(1)
exten => 299,n,Playback(vm-goodbye)
exten => 299,n,Hangup

;help make the voicemail button call sipgate voicemail
exten => 50000,1,Dial(SIP/50000@sipgate,25)
exten => 50000,n,Hangup

[/quote]

Please advise if there are any glaring errors in this configuration. I’m sure it is wrong, but it’s the only way I could get everything to work properly!

Thanks.
dogman

Caller ID won’t work because you are using fromuser and haven’t provided any alternative way of signalling caller ID (this assumes that sipgate will trust any caller IDs from you).

canreinvite is deprecated and may even be obsolete.

nat=yes is deprecated. You should set the options that you actually need, if any.

type=friend is not necessary, and is, therefore, a security risk; use type=peer.

For a typical DMZ, there will be no NAT to the inside, so localnet should include the inside subnets.

There should be no bits set before the / in localnet that are not set after it (may or may not cause a problem).

All the codec choices should be the same to avoid unnecessary transcoding and a slight audio degradation. Europe uses A-law, so if sipgate breaks out to the PSTN in the EU, you should use alaw.

allowguest should be explicitly set to “no”.

There should not normally be any "s in sip.conf.

Although often done, making sip.conf names easily guessable, by using extension numbers, is bad security practice.

remotesecret= more clearly indicates what it does than using insecure=invite.

username is a deprecated parameter name and serves no useful purpose for internal devices.

Thanks for the reply david77. I have made the changes you said, but I have run into some problems. If I set type=peer and remove the nat=yes option, the phones cannot make any calls, internal or through the SIP trunk. In the Asterisk console I see this error:

[quote][Dec 31 18:07:38] WARNING[32259]: chan_sip.c:8584 check_auth: username mismatch, have <301>, digest has <201>
[Dec 31 18:07:38] NOTICE[32259]: chan_sip.c:14351 handle_request_invite: Failed to authenticate user "Phone 1" sip:201@192.168.0.109;tag=000af4a3cc320025138ba437-6760143a[/quote]

I’m not quite sure what’s going on here. If I change back to type=friend, everything works again.

A workaround for the caller ID would be to set the option sendrpid=yes in your sipgate config. canreinvite was renamed to directmedia. RTP start and RTP end are configured in the rtp.conf file.
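The review points from the first reply (allowguest, localnet host bits, type=friend, nat=yes, canreinvite, insecure=invite, username, quotes in callerid, guessable numeric peer names, mixed codecs) and the rtp.conf point from the last reply can be turned into a repeatable check. The script below is an added example, not code from this thread or from Asterisk: it parses a chan_sip sip.conf with a small hand-written parser (configparser would merge duplicate allow= lines) and reports each setting the replies flag. SAMPLE_SIP_CONF is a trimmed, constructed copy of the poster's config with placeholder secrets; the finding texts are this example's own wording.

```python
"""Audit a chan_sip sip.conf for the points raised in this thread.

Added example, not code from the original posts or from Asterisk. SAMPLE_SIP_CONF
is a trimmed, constructed copy of the poster's sip.conf with placeholder secrets."""
import ipaddress
import re

SAMPLE_SIP_CONF = """\
[general]
;allowguest=no
localnet=192.168.0.109/255.255.255.0
rtpstart=10000
rtpend=10200

[sipgate]
type=peer
insecure=invite
username=sipgate-id
nat=yes
disallow=all
allow=alaw

[201]
type=friend
host=dynamic
nat=yes
username=201
secret=pass
canreinvite=no
callerid="Phone 1"

[202]
type=friend
host=dynamic
disallow=all
allow=ulaw
callerid="Phone 2"
"""

KEY_VALUE = re.compile(r"^([^=\s]+)\s*=>?\s*(.*)$")  # key=value or key => value


def parse_sip_conf(text):
    """Minimal parser: {section: [(key, value), ...]}. Duplicate keys are kept
    because Asterisk allows several allow= lines; ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and (m := KEY_VALUE.match(line)):
            sections[current].append((m.group(1).lower(), m.group(2).strip()))
    return sections


def values(entries, key):
    return [v for k, v in entries if k == key]


def audit_sip_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_sip_conf(text)
    findings = []
    general = cfg.get("general", [])
    if values(general, "allowguest") != ["no"]:  # commented out counts as unset
        findings.append("general: allowguest should be explicitly set to no")
    for net_spec in values(general, "localnet"):
        addr, _, mask = net_spec.partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
        if ipaddress.ip_address(addr) != net.network_address:  # host bits before '/'
            findings.append(f"general: localnet {net_spec} has host bits set; use {net.network_address}/{mask}")
    for key in ("rtpstart", "rtpend"):
        if values(general, key):
            findings.append(f"general: {key} belongs in rtp.conf, not sip.conf")
    codecs = set()
    for name, entries in cfg.items():
        if name == "general":
            continue
        codecs.update(values(entries, "allow"))
        if name.isdigit():
            findings.append(f"{name}: numeric peer name is easily guessable")
        if values(entries, "type") == ["friend"]:
            findings.append(f"{name}: type=friend is unnecessary; use type=peer")
        if values(entries, "nat") == ["yes"]:
            findings.append(f"{name}: nat=yes is deprecated; set only the nat options actually needed")
        if values(entries, "canreinvite"):
            findings.append(f"{name}: canreinvite was renamed to directmedia")
        if any("invite" in v for v in values(entries, "insecure")):
            findings.append(f"{name}: insecure=invite; remotesecret= states the intent more clearly")
        if values(entries, "username"):
            findings.append(f"{name}: username is a deprecated parameter name")
        if any('"' in v for v in values(entries, "callerid")):
            findings.append(f"{name}: callerid should not contain quotes")
    if len(codecs) > 1:  # every peer on one codec avoids transcoding
        findings.append(f"codec mix {sorted(codecs)} forces transcoding; use one codec (alaw for the EU PSTN)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sip_conf(SAMPLE_SIP_CONF)))
```

Run it against your own sip.conf by passing the file contents to audit_sip_conf(); an empty result means none of the points from the thread apply. The localnet check normalises the entry the way the reply asks for (no host bits before the slash), but it cannot know your inside subnets, so whether the DMZ's inside networks are all covered is still a manual check.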