Remote Users connecting in on different port.


Postby duncanwarrender » Thu Jan 29, 2015 7:31 am

Hi, here's my scenario:

We have 3 external users that set their SIP phone to connect to 1 of our public IPs that NATs to our AsteriskNOW server. They connect in on all the default ports (5060) and everything works fine. The only problem is that our firewall is open to everybody on udp/5060 (sip) and you can see from our CDR reports on our Asterisk server that we have a lot of nuisance calls.


To overcome this we entered this code into our IPTables on our Asterisk Server:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5098 -j REDIRECT --to-ports 5060

This made Asterisk listen on 2 ports (technically it redirects anything coming in to a specific port).
Then we changed our firewall rules in this order (as ACLs work top to bottom):

SIP PROVIDERS SERVER IP'S - ALLOW UDP/SIP and UDP 10000-65335
ANY IP - ALLOW UDP/5098 and UDP 10000-65335
ANY IP - DENY UDP/SIP

Now, I changed one of the external phone's settings so it was connecting in on port 5098. I rebooted the phone and it worked. I could make/receive calls over the Internet fine.
I changed 1 external user's phone so that it connected in on 5098 and he could get registered and make/receive calls over the Internet and call myself within the local network (where the Asterisk server is), but when I called him he would pick up and he would get a "NO RESPONSE" message, but for me the phone seemed like it was still ringing.
I then contacted the other remote user who hadn't changed anything at all (was still connecting in on 5060, I rebooted his phone to reconnect the connection to the asterisk server) and he still managed to make and receive calls and contact the office and vice versa. Which is strange as it should have been blocked. A bit of black magic going on!
Does anybody have any ideas on what to do as we are still receiving these nuisance calls, and we want to change the incoming port number!
I did want to lock down the firewall so that it only allows the home IPs of the external users to connect in via 5060, but they don't have a static IP and can't (provider won't give them one) get one.
Any help on this issue would be very much appreciated.

Re: Remote Users connecting in on different port.

Postby david55 » Thu Jan 29, 2015 8:44 am

Change the bind port number on Asterisk. You should still be OK with ITSP, as your registration will tell them what port to use.

My guess is that the phone is relying on the port number in the SIP messages, which will be the one that Asterisk thinks is its.
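The port mismatch david55 guesses at, shown as an added example that is not code from the thread: it reads the Via and Contact headers of a SIP message and lists those advertising a port other than the one the firewall admits from arbitrary addresses. The INVITE, the addresses (documentation ranges) and the extension numbers are constructed, and the remote phone is assumed not to be on the provider allow list.

```python
import re

# Ports from the thread: Asterisk is bound to 5060, while the firewall admits
# only 5098 from arbitrary addresses (iptables REDIRECTs 5098 -> 5060).
OPEN_PORT = 5098
DEFAULT_SIP_PORT = 5060

# Constructed INVITE, as an Asterisk bound to 5060 might send to a remote phone.
# Addresses, extensions, tags and Call-ID are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:201@198.51.100.7:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK1a2b3c;rport\r\n"
    "From: <sip:100@203.0.113.10>;tag=as1234\r\n"
    "To: <sip:201@198.51.100.7:5060>\r\n"
    "Contact: <sip:100@203.0.113.10:5060>\r\n"
    "Call-ID: constructed-example@203.0.113.10\r\n"
    "CSeq: 102 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# The same message as it would look once Asterisk itself is bound to 5098.
AFTER_REBIND = SAMPLE_INVITE.replace("203.0.113.10:5060", "203.0.113.10:5098")

VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?")
URI_RE = re.compile(r"sips?:(?:[^@>;\s]+@)?([^;:>\s]+)(?::(\d+))?")

def advertised_ports(message):
    """Return (header, host, port) for each Via and Contact header (IPv4/hostnames only)."""
    found = []
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):                 # "v" and "m" are the compact forms
            kind, m = "Via", VIA_RE.search(value)
        elif name in ("contact", "m"):
            kind, m = "Contact", URI_RE.search(value)
        else:
            continue
        if m:                                    # a missing port means the SIP default
            found.append((kind, m.group(1), int(m.group(2) or DEFAULT_SIP_PORT)))
    return found

def blocked_return_paths(message, open_port=OPEN_PORT):
    """Headers that point the far end at a port the firewall does not admit."""
    return [(k, h, p) for k, h, p in advertised_ports(message) if p != open_port]

if __name__ == "__main__":
    for label, msg in (("REDIRECT only", SAMPLE_INVITE), ("bind port changed", AFTER_REBIND)):
        print(label, "->", blocked_return_paths(msg) or "all advertised ports admitted")
```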

Re: Remote Users connecting in on different port.

Postby duncanwarrender » Thu Jan 29, 2015 8:53 am

By changing this port number to, say, 5098, will this make Asterisk only listen on 5098? Or will it still listen on 5060 as well?
Our SIP provider's website specifically tells us to allow 5060 through our firewall from their servers, so by changing the bind port on Asterisk, wouldn't it cause the SIP Trunk to not register?

Re: Remote Users connecting in on different port.

Postby david55 » Thu Jan 29, 2015 9:19 am

It will only listen on the new port.

Instructions from ITSPs are often misinformed, so I think it is worth trying. Insisting that people only register from 5060 would make it impossible to support more than one phone per public address, assuming the ITSP supports phones as well as PABXes.

