Problems with an outside SIP connection through firewall

If this question has been asked and answered before, I am sorry. I’ve searched several times in the forum, on the web, and on other recommended sites.

I have a configuration where my asterisk server (running SuSE Linux 9.0 / SuSEfirewall2) has two ethernet cards. One for the local network (including SIP phones and PC internet access), the second for the server’s connection to the internet. The server has a real IP address, and serves as a DHCP/DNS server for the phones and PCs on the local network.

Right now, this configuration works. With the firewall enabled, the phones can use the asterisk server and the PCs can see the internet.

When I try to have a SIP phone connect to the server from outside the local network (i.e. somewhere on the internet, typically behind a NAT), the phone does not connect. When checking the logs, the logs indicate that the firewall is rejecting the traffic (it fears IP Spoofing).

If I disable the firewall, the external phone connects fine and I can have a conversation between internal and external phones; however, all the PCs connected to the server can no longer see the internet. (The firewall itself seems to be providing the IP forwarding link between the local net and the internet.)

I imagine that what I need to do is set up a firewall rule that correctly forwards the SIP traffic (and eventually IAX as well). If this is the case, an example would be appreciated; my experience with the firewall is very limited. Right now, the firewall is running the YAST defaults. I tried adding (opening up) the ports 123 (for NTP services), 5004 (to 5089), and 10000-20000 for RTP. But this did not seem to make any difference.

Has anyone experience with overcoming similar issues?

Thank you in advance. - Alex

Yes, this is a typical issue if you are running a firewall without the proper ports open on it. Once you get the ports opened, all will work as you expect.

In rtp.conf, change your RTP port range to something like 10000-10010 (you only need a few ports) and make sure in sip.conf the bindport is 5060.

Then forward those ports to your asterisk box. All should be well.

Right now, you’re not forwarding 5060, which is why the phones cannot communicate with asterisk - 5060 is the primary SIP signalling port.

voip-info.org/wiki-Asterisk+sip+nat

Also if you are using nat make sure to have nat=yes in sip.conf

Setting the NAT was OK; again, the phones work correctly when the firewall is off.

The rtp.conf is set for 10000 to 20000:

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=10000
rtpend=20000
;
; Whether to enable or disable UDP checksums on RTP traffic
;
;rtpchecksums=no
;
; The amount of time a DTMF digit with no 'end' marker should be
; allowed to continue (in 'samples', 1/8000 of a second)
;
;dtmftimeout=3000

The relevant parts of sip.conf are …

[general]
context=default
srvlookup=yes
bindport=5060
callerid="XXX" <800-555-5555>

[210]
type=friend
secret=XXXX
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=internal
callerid="XXX x210" <800-555-5555>
disallow=all
allow=ulaw
allow=alaw
mailbox=210@default

and my /etc/sysconfig/SuSEfirewall2 file has the settings:

# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
#FW_SERVICES_EXT_TCP="10000:20000 123 4569 5060 http https imap imaps pop3 pop3s smtp ssh"
FW_SERVICES_EXT_TCP="123 4569 5004:5088 8000:20000 http https imap imaps pop3 pop3s smtp ssh"

I originally had the first line and, based on some other suggestions, tried to further expand the services listings; this did not help or hurt.

It is as if this line is being ignored by the firewall rules, so I was hoping that someone here might know where I screwed up.

When looking up the directions for bindport, I finally saw that the port is UDP, so I tried …

# Type: string
#
# Common: domain
#FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_UDP="123 4569 5004:4088 10000:20000"
#
# Common: domain

in /etc/sysconfig/SuSEfirewall2

But this did not solve my problem.

Also, when I logged into the asterisk console …

bswpbx*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status
451/451 192.168.0.246 D N 5060 OK (5 ms)
407/407 192.168.0.248 D N 5060 OK (5 ms)
411/411 192.168.0.249 D N 5060 OK (5 ms)
410/410 192.168.0.250 D N 5060 OK (5 ms)
405/405 192.168.0.247 D N 5060 OK (5 ms)
258 (Unspecified) D N 0 UNKNOWN
211 (Unspecified) D N 0 UNKNOWN
210/210 67.102.103.107 D N 5060 UNREACHABLE
8 sip peers [5 online , 3 offline]

As shown above, even though nat=yes in the sip.conf file, it seems to indicate nat=N in the sip peers. This value did not change when I turned off the firewall and had a working phone.

bswpbx:/etc/sysconfig # SuSEfirewall2 stop
Removing filter rules and disabling IP forwarding …
SuSEfirewall2: clearing rules now … done
bswpbx:/etc/sysconfig # asterisk -r

handle_response_peerpoke: Peer '210' is now REACHABLE! (143ms / 2000ms)
bswpbx*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status
451/451 192.168.0.246 D N 5060 OK (6 ms)
407/407 192.168.0.248 D N 5060 OK (6 ms)
411/411 192.168.0.249 D N 5060 OK (6 ms)
410/410 192.168.0.250 D N 5060 OK (6 ms)
405/405 192.168.0.247 D N 5060 OK (6 ms)
258 (Unspecified) D N 0 UNKNOWN
211 (Unspecified) D N 0 UNKNOWN
210/210 67.102.103.107 D N 5060 OK (143 ms)
8 sip peers [6 online , 2 offline]

So I’m at a loss to understand the problem and/or solution right now.

Thanks for your consideration.
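An added shell helper (my own example; it is not from this thread and is not part of SuSEfirewall2) that checks a FW_SERVICES_*_UDP value before the firewall is reloaded: it parses each token the way the file's comment describes (a port number, a service name, or a low:high range), rejects a reversed range, and reports whether 5060, the SIP signalling port named in the reply above, falls inside the list. The function names are mine; the list from the post above is used as sample input.

```shell
# Added example, not from the thread or from SuSEfirewall2 itself.
# Validates a FW_SERVICES_*_UDP value as the file comment describes it:
# each token is a port number, a name from /etc/services, or a range "low:high".

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_token TOKEN -> 0 if TOKEN is well formed; a reversed range (low > high) fails
check_token() {
  case "$1" in
    *:*)
      lo=${1%%:*}; hi=${1#*:}
      is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] ;;
    *[!0-9]*)
      # a service name: offline we only check that it looks like one
      case "$1" in *[!a-z0-9-]*) return 1 ;; esac ;;
    *)
      is_port "$1" ;;
  esac
}

# covers_port LIST PORT -> 0 if a number or a range in LIST includes PORT
covers_port() {
  for tok in $1; do
    case "$tok" in
      *:*) lo=${tok%%:*}; hi=${tok#*:}
           if check_token "$tok" && [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then
             return 0
           fi ;;
      *)   [ "$tok" = "$2" ] && return 0 ;;
    esac
  done
  return 1
}

# check_udp_list LIST -> 0 when every token parses and 5060/udp is covered;
# 1 on a malformed token, 2 when the SIP signalling port is missing
check_udp_list() {
  for tok in $1; do
    check_token "$tok" || { echo "malformed token: $tok" >&2; return 1; }
  done
  covers_port "$1" 5060 || { echo "5060/udp is not in the list" >&2; return 2; }
}
```

Run it as `check_udp_list "$FW_SERVICES_EXT_UDP"` after sourcing the sysconfig file; a non-zero exit is the cue to fix the list before restarting SuSEfirewall2.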

I am at a loss. I would do a port scan and see if the packets are coming thru. Maybe some other setting isn't letting it thru.