Posted on Wednesday, 5th May 2010 by Michael

Overcoming SIP over NAT

On most Asterisk-based PBX forums on the internet, one of the top help questions posted is “the phone rings and I can answer it but there is no voice”, or one of the many variants of that question. The issue is most likely that you are running the PBX behind NAT: your PBX sits behind your home router or your enterprise firewall with an RFC 1918 IP address, and depending on your firewall you are doing either inbound port forwarding or one-to-one NAT.

Let’s first look at what ports are required for your PBX system to work. These are the same ports whether you port forward or do a one-to-one NAT with firewall rules. Remember, if your PBX sits on your LAN these ports are already available to the other computers and phones on that LAN; the list below is for external inbound and outbound communications and administration.

I have based the ports in this article on the list here: http://pbxinaflash.org/Tutorials. If you compare my list below with theirs you will notice some ports are not listed. My theory is to keep it simple and secure. If you are running an Asterisk-based PBX in an enterprise or office environment I would suggest not allowing any of these ports inbound. If you need to administer your PBX, use your company’s secure remote access solution if it has one.

22: TCP port 22 is SSH. It allows secure command line access to your box. Pros: the communication channel is secure. Cons: it is a default port and many people will try to brute force your username and password. I would not worry though if you are running PBX in a Flash; its fail2ban will ban the IP of the person scanning your box. If you are running another system like Trixbox you can install BFD from http://www.rfxn.com.

69: UDP port 69 is TFTP. Unless you have external phones such as a Cisco 7900 series, or any other IP phone that needs to fetch its configuration from the PBX over TFTP, this is not required externally and should not be opened.

80: TCP port 80 is HTTP. This is required for web-based administration. It can be replaced with TCP port 443 for secure web-based administration if you have an SSL certificate installed. Pros: almost all ISPs allow this port in and out, making it a reliable method for administration. If your ISP does not allow port 80 inbound you can change this to another port like 9080. Cons: it is a common port and tells a potential attacker what is running on that server. A potential attacker could try to brute force the username and password, or, if an administrator did not change the default usernames and passwords, use those to access the system. In PBX in a Flash, fail2ban will block brute force attacks and ban the offending IP address.

443: TCP port 443 is HTTPS. This provides secure web-based administration if you have an SSL certificate installed. Unless you have a certificate I would not bother opening this port.

4445: TCP port 4445 is used for the FOP (Flash Operator Panel). My system is home based and I do not require external access to this. Unless you are running a larger system and your phone administrators need access I would not open this. There are more secure ways to give them access to this feature, such as through an SSL VPN or Citrix.

4569: UDP port 4569 is IAX2. This port is required only if you are using the IAX2 protocol for your PBX’s communications.

5000-5082: UDP ports used for SIP signalling (call setup and teardown). This is extremely important if you are using the SIP protocol for communications, and most of you reading this probably are.

5038: TCP port 5038 is AstMgr, the Asterisk Manager Interface. This port should be opened and not altered; like the other administration ports, it is covered by the enterprise advice above.

10000-20000: UDP ports used for the RTP audio of SIP calls. If these are blocked, a SIP call will still set up but carry no voice.
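As an added example (not part of the original article), the script below turns the port list above into iptables rules for a Linux PBX, following the article's own advice for office systems: only the voice ports are opened from the internet, TFTP (69) is left out entirely, and the administration ports (22, 80, 443, 4445, 5038) are emitted only when a trusted source network is named. WAN_IF=eth0 and the VPN range 10.8.0.0/24 are assumed sample values; the script prints the rules rather than applying them, so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example, not from the original article: print iptables rules that
# expose only the voice ports from the article's list on the WAN interface
# and keep the administration ports closed unless a trusted source network
# is given. WAN_IF=eth0 is an assumed interface name.
WAN_IF="${WAN_IF:-eth0}"

# Print one ACCEPT rule: $1 proto, $2 port or "lo:hi" range, $3 comment,
# optional $4 source network the rule is limited to.
accept_rule() {
    src_opt=""
    if [ -n "${4:-}" ]; then src_opt=" -s $4"; fi
    printf 'iptables -A INPUT -i %s%s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT   # %s\n' \
        "$WAN_IF" "$src_opt" "$1" "$2" "$3"
}

# Ports a SIP/IAX2 PBX needs reachable from the internet for calls to work.
voice_rules() {
    accept_rule udp 5000:5082 "SIP signalling"
    accept_rule udp 10000:20000 "RTP media for SIP calls"
    accept_rule udp 4569 "IAX2 (only needed for IAX2 trunks)"
}

# Administration ports, limited to one source network (e.g. a VPN range).
admin_rules() {
    accept_rule tcp 22 "SSH" "$1"
    accept_rule tcp 80 "HTTP admin" "$1"
    accept_rule tcp 443 "HTTPS admin" "$1"
    accept_rule tcp 4445 "Flash Operator Panel" "$1"
    accept_rule tcp 5038 "Asterisk Manager Interface" "$1"
}

# Full rule set. $1 (optional) = source network allowed to reach admin ports.
# Refuses to open the admin ports to the whole internet.
build_rules() {
    admin_src="${1:-}"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    voice_rules
    if [ -n "$admin_src" ]; then
        case "$admin_src" in
            0.0.0.0/0|0.0.0.0|any)
                echo "refusing to open administration ports to $admin_src" >&2
                return 2 ;;
        esac
        admin_rules "$admin_src"
    fi
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
}

# Usage: ADMIN_SRC=10.8.0.0/24 sh pbx-fw.sh | sh   (omit ADMIN_SRC for voice only)
build_rules "${ADMIN_SRC:-}"
```

The rules are appended in order, so the final DROP on the WAN interface catches everything not explicitly listed; running the generator without ADMIN_SRC gives exactly the home setup the article describes, where administration happens from the LAN only.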

Now that you have all the required ports open for your environment, it is time to get over the hurdle of NAT. If everything above has been done correctly and your PBX has already been configured with trunks, routes, and extensions, you should be able to place and receive calls at this point. If not, please correct that issue before continuing, as the issues with NAT usually come into play when you try to extend the functionality of your PBX system outside your LAN, such as call forwarding to an outside number.

Since Asterisk-based PBX systems with FreePBX installed do not let you edit the main Asterisk configuration files directly (FreePBX regenerates them), you will need to make your changes in the “sip_general_custom.conf” file, which is included from the generated configuration.

Steps:

  1. Log in to your PBX via the command line.
  2. Use your favorite Linux text editor to open the file /etc/asterisk/sip_general_custom.conf
  3. Copy the lines below, make the appropriate changes, and paste them into the config:

    rtptimeout=120
    externhost=pbx.example.com          ; replace with the FQDN or external IP of the PBX
    externrefresh=120
    nat=yes
    localnet=192.168.0.0/255.255.255.0  ; your LAN network address and netmask

  4. Save the file.
  5. At the command prompt enter the command “asterisk -r”. This will bring you into the Asterisk console.
  6. In the console enter the command “reload”.
  7. Once the system reloads, exit the session.
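The following is an added example, not code from the article or from PBX in a Flash. It generates the five lines from step 3 in the form they go into sip_general_custom.conf, but first checks the two mistakes that most often leave a call ringing with no audio: an externhost that is itself a private RFC 1918 address (SIP peers would then be told to send media to an unreachable address), and a localnet that does not actually contain the PBX's own LAN address. The hostnames and addresses used are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: render the NAT settings for
# sip_general_custom.conf after validating externhost and localnet.
# All hostnames and addresses used here are constructed samples.

# Return 0 if $1 is an RFC 1918 IPv4 address (a hostname never matches).
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted quad -> integer, so a netmask can be applied with arithmetic.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
    }
}

# Return 0 if address $1 lies inside $2, given as network/netmask in the
# dotted form localnet uses (e.g. 192.168.0.0/255.255.255.0).
in_localnet() {
    net="${2%/*}"
    mask="${2#*/}"
    [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
}

# Print the config fragment, or print the problem on stderr and return 1.
# $1 = externhost (public IP or FQDN), $2 = localnet, $3 = PBX LAN address.
render_nat_conf() {
    externhost="$1"; localnet="$2"; pbx_ip="$3"
    if [ -z "$externhost" ] || [ -z "$localnet" ] || [ -z "$pbx_ip" ]; then
        echo "usage: render_nat_conf <externhost> <net/mask> <pbx-lan-ip>" >&2
        return 1
    fi
    if is_rfc1918 "$externhost"; then
        echo "externhost=$externhost is a private address; peers would send media there" >&2
        return 1
    fi
    if ! in_localnet "$pbx_ip" "$localnet"; then
        echo "PBX address $pbx_ip is not inside localnet $localnet" >&2
        return 1
    fi
    printf 'rtptimeout=120\nexternhost=%s\nexternrefresh=120\nnat=yes\nlocalnet=%s\n' \
        "$externhost" "$localnet"
}

# Usage: sh pbx-nat.sh pbx.example.net 192.168.0.0/255.255.255.0 192.168.0.10 >> /etc/asterisk/sip_general_custom.conf
if [ $# -eq 3 ]; then render_nat_conf "$@"; fi
```

The localnet check matters because Asterisk uses localnet to decide which peers are "inside" and get the LAN address in SDP and which get externhost; a PBX whose own address falls outside localnet produces exactly the one-way or no-audio symptom the article opens with.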

At this point you should be able to overcome the issues you were having due to NAT, such as no voice in calls and broken call forwarding. I have tested this on my home PBX system running PBX in a Flash and this solution works like a charm. If you have any questions, comments or concerns, please feel free to ask me.


One Response to “Overcoming SIP over NAT”

  1. gerald Says:

    I have a dynamic broadband connection and use a dynamic dns provider. I do not use PIAF but use Trixbox. When setting up the trunk through the trix GUI, under the Trunk Details section you can add this info:

    externhost= my.fqdn.com <- Put your FQDN here
    localnet= 192.168.0.0/255.255.255.0 <- put the network your asterisk box is connected to here
    nat=yes

    This will do the same thing under trixbox as your instructions for PIAF.

    One note, I did not include the externrefresh parameter because I have a process running on a different system that handles any DNS changes due to IP address change.
    Thanks!
