Asterisk behind Firewall


Postby teryaqi » Wed Aug 12, 2015 8:17 am

Dear all,
I installed AsteriskNOW and it has a basic configuration that created 2 extensions. From the local LAN I can call each extension using the Zoiper softphone with no problem.
Now I am trying to get this working from outside my LAN (both Zoiper softphones outside the network), so I created rules in my firewall to forward all incoming traffic for SIP port 5060 and the RTP ports 10000 to 20000 to the Asterisk server.
Both extensions can register; however, when I make a call it opens the line but there is no voice on either side.
I enabled a SIP trace on the server and found that it sends the SDP INVITE to the caller extension and retransmits it around 7 times without getting an ACK. So I made a tcptrace on the extension using Wireshark and noticed that the extension is sending the ACK back to the server, but on a port other than 5060: it sends it to the random port 56847, which is closed on my firewall.

My question: what can I do to force both to communicate through port 5060?

Here is the SDP sent from the server:

Frame 379: 974 bytes on wire (7792 bits), 974 bytes captured (7792 bits) on interface 0
Interface id: 0 (\Device\NPF_{7D9E5138-67D3-467C-8FC3-8CF7A9C853F9})
Encapsulation type: Ethernet (1)
Arrival Time: Aug 12, 2015 16:16:23.130357000 Jerusalem Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1439385383.130357000 seconds
[Time delta from previous captured frame: 0.020583000 seconds]
[Time delta from previous displayed frame: 0.020583000 seconds]
[Time since reference or first frame: 17.540095000 seconds]
Frame Number: 379
Frame Length: 974 bytes (7792 bits)
Capture Length: 974 bytes (7792 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:sip:sdp]
[Number of per-protocol-data: 1]
[Session Initiation Protocol, key 6]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42), Dst: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09)
Destination: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09)
Address: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42)
Address: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 178.20.184.148 (178.20.184.148), Dst: 192.168.1.107 (192.168.1.107)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 960
Identification: 0x8375 (33653)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 48
Protocol: UDP (17)
Header checksum: 0xd6fb [validation disabled]
[Good: False]
[Bad: False]
Source: 178.20.184.148 (178.20.184.148)
Destination: 192.168.1.107 (192.168.1.107)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Source Port: 5060 (5060)
Destination Port: 5060 (5060)
Length: 940
Checksum: 0x0000 (none)
[Stream index: 40]
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
Status-Code: 200
[Resent Packet: False]
[Request Frame: 188]
[Response Time (ms): 7828]
Message Header
Via: SIP/2.0/UDP 188.247.76.121:63419;branch=z9hG4bK-524287-1---ff2356fd8deca265;received=188.247.76.121;rport=38376
Transport: UDP
Sent-by Address: 188.247.76.121
Sent-by port: 63419
Branch: z9hG4bK-524287-1---ff2356fd8deca265
Received: 188.247.76.121
RPort: 38376
From: <sip:2000@178.20.184.148;transport=UDP>;tag=61688f52
SIP from address: sip:2000@178.20.184.148;transport=UDP
SIP from address User Part: 2000
SIP from address Host Part: 178.20.184.148
SIP From URI parameter: transport=UDP
SIP from tag: 61688f52
To: <sip:2001@178.20.184.148;transport=UDP>;tag=as5648738d
SIP to address: sip:2001@178.20.184.148;transport=UDP
SIP to address User Part: 2001
SIP to address Host Part: 178.20.184.148
SIP To URI parameter: transport=UDP
SIP to tag: as5648738d
Call-ID: Y3cOmwYIiLOGbxDWznQCwQ..
CSeq: 2 INVITE
Sequence Number: 2
Method: INVITE
Server: FPBX-AsteriskNOW-12.0.74(11.16.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Session-Expires: 1800;refresher=uas
Contact: <sip:2001@178.20.184.148:56847>
Contact URI: sip:2001@178.20.184.148:56847
Contact URI User Part: 2001
Contact URI Host Part: 178.20.184.148
Contact URI Host Port: 56847
Content-Type: application/sdp
Require: timer
Content-Length:316
Message Body

No. Time Source Destination Protocol Length Info
56847 17.560099000 192.168.1.107 178.20.184.148 SIP 468 Request: ACK sip:2001@178.20.184.148:56847 |
And here is the ACK sent back (please notice the port wh
Frame 380: 468 bytes on wire (3744 bits), 468 bytes captured (3744 bits) on interface 0
Interface id: 0 (\Device\NPF_{7D9E5138-67D3-467C-8FC3-8CF7A9C853F9})
Encapsulation type: Ethernet (1)
Arrival Time: Aug 12, 2015 16:16:23.150361000 Jerusalem Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1439385383.150361000 seconds
[Time delta from previous captured frame: 0.020004000 seconds]
[Time delta from previous displayed frame: 0.020004000 seconds]
[Time since reference or first frame: 17.560099000 seconds]
Frame Number: 380
Frame Length: 468 bytes (3744 bits)
Capture Length: 468 bytes (3744 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:sip]
[Number of per-protocol-data: 1]
[Session Initiation Protocol, key 6]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09), Dst: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42)
Destination: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42)
Address: HuaweiTe_b9:89:42 (60:e7:01:b9:89:42)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09)
Address: AskeyCom_e2:7f:09 (00:26:b6:e2:7f:09)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.1.107 (192.168.1.107), Dst: 178.20.184.148 (178.20.184.148)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 454
Identification: 0x7132 (28978)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0x9b38 [validation disabled]
[Good: False]
[Bad: False]
Source: 192.168.1.107 (192.168.1.107)
Destination: 178.20.184.148 (178.20.184.148)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 56847 (56847)
Source Port: 5060 (5060)
Destination Port: 56847 (56847)
Length: 434
Checksum: 0x6407 [validation disabled]
[Stream index: 42]
Session Initiation Protocol (ACK)
Request-Line: ACK sip:2001@178.20.184.148:56847 SIP/2.0
Method: ACK
Request-URI: sip:2001@178.20.184.148:56847
Request-URI User Part: 2001
Request-URI Host Part: 178.20.184.148
Request-URI Host Port: 56847
[Resent Packet: False]
Message Header
Via: SIP/2.0/UDP 188.247.76.121:63419;branch=z9hG4bK-524287-1---e9226f85895746c1;rport
Transport: UDP
Sent-by Address: 188.247.76.121
Sent-by port: 63419
Branch: z9hG4bK-524287-1---e9226f85895746c1
RPort: rport
Max-Forwards: 70
Contact: <sip:2000@188.247.76.121:63419;transport=UDP>
Contact URI: sip:2000@188.247.76.121:63419;transport=UDP
Contact URI User Part: 2000
Contact URI Host Part: 188.247.76.121
Contact URI Host Port: 63419
Contact URI parameter: transport=UDP
To: <sip:2001@178.20.184.148;transport=UDP>;tag=as5648738d
SIP to address: sip:2001@178.20.184.148;transport=UDP
SIP to address User Part: 2001
SIP to address Host Part: 178.20.184.148
SIP To URI parameter: transport=UDP
SIP to tag: as5648738d
From: <sip:2000@178.20.184.148;transport=UDP>;tag=61688f52
SIP from address: sip:2000@178.20.184.148;transport=UDP
SIP from address User Part: 2000
SIP from address Host Part: 178.20.184.148
SIP From URI parameter: transport=UDP
SIP from tag: 61688f52
Call-ID: Y3cOmwYIiLOGbxDWznQCwQ..
CSeq: 2 ACK
Sequence Number: 2
Method: ACK
User-Agent: Z 3.9.32144 r32121
Content-Length: 0

No. Time Source Destination Protocol Length Info
56852 17.569555000 192.168.1.107 178.20.184.148 RTP 214 PT=ITU-T G.711 PCMU, SSRC=0x2AAB97F0, Seq=53054, Time=3708596992, Mark
teryaqi
Newsterisk
 
Posts: 7
Joined: Wed Aug 12, 2015 7:43 am

Re: Asterisk behind Firewall

Postby david55 » Wed Aug 12, 2015 3:03 pm

There is no SDP in that trace.

Asterisk would only send a contact header with that high port number if explicitly configured to do so, so I would assume you have a problem with the HuaWei router.
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am

Re: Asterisk behind Firewall

Postby teryaqi » Thu Aug 13, 2015 1:04 am

Hi, and thanks for your reply.
When you say "Asterisk would only send a contact header with that high port number if explicitly configured to do so", where is this configured in Asterisk? I mean, which parameter?

As for the HuaWei router, it is just forwarding all traffic in and out; nothing is blocked at this router.
teryaqi
Newsterisk
 
Posts: 7
Joined: Wed Aug 12, 2015 7:43 am

Re: Asterisk behind Firewall

Postby teryaqi » Thu Aug 13, 2015 3:29 am

Here is my full tcpdump:
http://wikisend.com/download/100508/tt42000.pcapng
teryaqi
Newsterisk
 
Posts: 7
Joined: Wed Aug 12, 2015 7:43 am

Re: Asterisk behind Firewall

Postby david55 » Thu Aug 13, 2015 5:05 am

sip.conf, but you cannot set it different from the value for the port on which Asterisk would look for the INVITE.

Maybe you should double check by using sip debug (it is slightly easier to read, as well), but I think your router is rewriting the Contact header.

Actually, it is not just Contact, it looks like the router has set a different port number on the rport parameter. Sending rport without a value is the standard way round this sort of broken NAT. In any case, it looks like the client doesn't understand rport, as it has used the value from Contact.

Also note that this is not AsteriskNOW specific, so you should have used Asterisk Support and it is best to mark long log extracts as code, so that they get a scrolling frame.
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am
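An added diagnostic, not part of this thread and not Asterisk or Zoiper code: a small Python script that parses the Via and Contact headers of the 200 OK and the ACK shown above (the header values are copied from the poster's trace as constructed sample input) and reports the NAT indicators david55 describes: a Via rport that differs from the sent-by port, a Contact port that is not the server's listening port, and an ACK whose Request-URI followed that Contact port instead. It also shows where a UAS sends responses once rport is in play (received:rport, per RFC 3581). The listening port of 5060 and all function names are assumptions.

```python
"""Diagnose SIP Via/rport and Contact port inconsistencies in a captured exchange.

Added example; the header values are taken from the forum poster's trace and
embedded here as constructed sample input.
"""
import re

# Constructed sample: headers of the 200 OK the server sent (from the trace above).
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 188.247.76.121:63419;branch=z9hG4bK-524287-1---ff2356fd8deca265;"
    "received=188.247.76.121;rport=38376\r\n"
    "From: <sip:2000@178.20.184.148;transport=UDP>;tag=61688f52\r\n"
    "To: <sip:2001@178.20.184.148;transport=UDP>;tag=as5648738d\r\n"
    "Call-ID: Y3cOmwYIiLOGbxDWznQCwQ..\r\n"
    "CSeq: 2 INVITE\r\n"
    "Contact: <sip:2001@178.20.184.148:56847>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: the ACK the client sent in reply (from the trace above).
ACK = (
    "ACK sip:2001@178.20.184.148:56847 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 188.247.76.121:63419;branch=z9hG4bK-524287-1---e9226f85895746c1;rport\r\n"
    "Contact: <sip:2000@188.247.76.121:63419;transport=UDP>\r\n"
    "Call-ID: Y3cOmwYIiLOGbxDWznQCwQ..\r\n"
    "CSeq: 2 ACK\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_headers(msg):
    """Split a SIP message into its start line and a dict of lower-cased header lists."""
    start, _, rest = msg.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def parse_via(via):
    """Parse 'SIP/2.0/UDP host:port;param;param=value' into sent-by host/port and params.

    A bare 'rport' (no value) is stored as None: that is the client asking the
    server to fill in the source port it actually saw (RFC 3581)."""
    sentby, *params = via.split(";")
    host, _, port = sentby.split()[-1].partition(":")
    p = {}
    for item in params:
        k, _, v = item.partition("=")
        p[k.strip()] = v.strip() if v else None
    return {"host": host, "port": int(port) if port else 5060, "params": p}


def uri_port(uri, default=5060):
    """Return the port in a sip: URI, or the default when none is given."""
    m = re.search(r"sip:[^@]*@[^:;>\s]+(?::(\d+))?", uri)
    return int(m.group(1)) if m and m.group(1) else default


def response_destination(via):
    """Where a UAS must send responses: received (if present) and rport (if filled in)."""
    host = via["params"].get("received") or via["host"]
    rport = via["params"].get("rport")
    return host, int(rport) if rport else via["port"]


def diagnose(response, request, listen_port=5060):
    """Return (finding, details...) tuples for the NAT/ALG symptoms in the exchange."""
    _, h = parse_headers(response)
    via = parse_via(h["via"][0])
    findings = []
    rport = via["params"].get("rport")
    # rport filled in with a port other than sent-by: a NAT rewrote the client's source port.
    if rport is not None and int(rport) != via["port"]:
        findings.append(("nat_detected", via["port"], int(rport)))
    # Contact advertising a port the server does not listen on: something rewrote it.
    contact_port = uri_port(h["contact"][0])
    if contact_port != listen_port:
        findings.append(("contact_port_not_listen_port", listen_port, contact_port))
    # The client built its ACK Request-URI from that Contact, so the ACK goes to the wrong port.
    req_line, _ = parse_headers(request)
    ack_port = uri_port(req_line.split()[1])
    if ack_port == contact_port and contact_port != listen_port:
        findings.append(("ack_follows_contact", ack_port))
    return findings


if __name__ == "__main__":
    for finding in diagnose(OK_200, ACK):
        print(finding)
    print("responses to the client go to", response_destination(parse_via(parse_headers(OK_200)[1]["via"][0])))
```

Run against the sample, the script reports the three symptoms in order: the client's sent-by port 63419 arrived at the server as 38376 (NAT on the client side), the Contact carries port 56847 rather than 5060, and the ACK was addressed to 56847, which is exactly the port the firewall does not forward. Comparing the Contact the server logs in `sip debug` with the one the client receives separates the router from Asterisk as the source of the rewrite.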

Re: Asterisk behind Firewall

Postby teryaqi » Thu Aug 13, 2015 5:43 am

Thanks again.
I just performed a test on TCP rather than UDP and it works well: Asterisk sent the INVITE Contact on 5060 and the client replied with an ACK on the same port.
So I do not know why there is this difference between the 2 protocols.

My client is Zoiper V3.9.32144. I checked the rport setting on the client, but got the same results.

Sorry for posting here, but I am new to this forum, so please advise if I can move it to Asterisk Support.
teryaqi
Newsterisk
 
Posts: 7
Joined: Wed Aug 12, 2015 7:43 am
