Access PBX from outside

configuration

(Brian Kramer) #1

Hi again!

Slowly getting things working. My next challenge - can anybody point me in the right direction on how I will accomplish this? My goal is to have the customer’s phone on his internet connection, logged in to my PBX.

My PBX is on my internal network, which is protected by an ASA firewall. I use port address translation at the firewall to control traffic that’s allowed in. Obviously I’ll need to allow UDP 5060 in. A problem that I foresee is the wide range of ports that FreePBX uses; I believe it was 10000 - 30000. My firewall (ASA5505) doesn’t allow me to specify that wide of a range. Are there any other options here? Also should I configure the phone internally first and then deploy, or should the client be able to configure at his home office?

Thank you!
Brian


(Rob Thomas) #2

Remove the legacy firewall, and use the FreePBX Firewall, which automatically manages all firewall rules.


(Brian Kramer) #3

Hi Rob,

I would probably consider that solution if the pbx was the only resource on your network needing firewall protection. But that’s not the case; the network based firewall is protecting multiple machines. So using the pbx firewall isn’t an option. I’m sure my situation can’t be unique though; can somebody please point me in the right direction? I’m sure it has something to do with NAT or PAT; just not positive.

Thanks!
Brian


(Rob Thomas) #4

Sorry, I was unclear. Remove the Firewall from the VoIP machine. Leave it in place for everything else.

It’s commonly referred to as a DMZ.


(Brian Kramer) #5

Creating a DMZ won’t help here - at least not in my situation. I still need to redirect UDP traffic to the PBX internal IP, with or without a DMZ. Appreciate your feedback…please let me know if you know of any other solutions.

FYI my LAN setup: ISP <–> Gateway Router <–> ASA Firewall <–> Internal LAN

I only have a single IP from the ISP, which is redirected based on incoming Port. So traffic from a remote phone using (for example) UDP Port 10001 would go to my public IP address. When the router gets it, it will forward to the firewall. The firewall gets it, and (based on a static mapping) directs it to the correct internal address. In this case it goes to the PBX, based on the incoming UDP port.

I’m seeking assistance in how to do this with PAT, or if there is an alternative method I’m not aware of.

Thanks again!
Brian


(celson) #6

Hi Brian,

I have a similar setup; below are the things I did.

  1. I do usually change the default SIP port of the freePBX (Even though it is protected by Firewall). RTP should be OK unless there’s existing service rule that will conflict.

  2. You need to disable the SIP default inspection of the ASA.

  3. If you only need to allow the user to connect as a remote extension, then you just need to do port-forwarding of the SIP port and RTP.

Implementation:
1. Create a UDP service port; you need to create them individually.

For outgoing traffic of FreePBX.
Source: SIP port and RTP range (10000-20000) port
Destination: any

For Incoming traffic
Source: Any
Destination: SIP port and RTP range (10000-20000) port

2. Create a static NAT translation rule and specify the flow of traffic for FreePBX (direction). Select the outgoing traffic ports (above) as the Source service and Destination is any destination. Create SIP and RTP individually. You should have two NAT rules by now.

3. Incoming Access rule
Source is any and destination is FreePBX IP(Internal) then select the service port that you created above (Incoming).

4. Disable the global service default inspection for SIP (you can google how to do this)
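As an added illustration of celson's steps 1 through 4, here is a constructed ASA configuration fragment; it is not taken from the thread or from any participant's running config. It assumes ASA 8.3 or later object-based NAT syntax, interfaces named `inside` and `outside`, a placeholder PBX address of 192.168.1.10, SIP on UDP 5060 and RTP on UDP 10000-20000 as in the post; the object and ACL names FREEPBX, SIP-UDP, RTP-UDP and OUTSIDE_IN are chosen here. Whether a range service object is accepted in a static NAT rule depends on the ASA software version, so confirm it on the firewall before relying on it.

```cisco
! Constructed example, not a participant's config. Placeholder PBX address.
object network FREEPBX
 host 192.168.1.10
!
! Step 1: UDP service objects, created individually for SIP and RTP
object service SIP-UDP
 service udp destination eq 5060
object service RTP-UDP
 service udp destination range 10000 20000
!
! Step 2: static NAT (port forwarding) on the outside interface address,
! one rule for SIP and one for RTP
nat (inside,outside) source static FREEPBX interface service SIP-UDP SIP-UDP
nat (inside,outside) source static FREEPBX interface service RTP-UDP RTP-UDP
!
! Step 3: inbound access rule, any source to the PBX on the forwarded ports only
access-list OUTSIDE_IN extended permit udp any object FREEPBX eq 5060
access-list OUTSIDE_IN extended permit udp any object FREEPBX range 10000 20000
access-group OUTSIDE_IN in interface outside
!
! Step 4: turn off the SIP ALG in the default global inspection policy
policy-map global_policy
 class inspection_default
  no inspect sip
```

The inbound access list names the PBX by its real (untranslated) address, which is how ASA 8.3 and later evaluate access rules. If the default SIP port is changed as in step 1, replace 5060 in both the service object and the access list. Where the remote user's public address is fixed, replacing `any` in the inbound rules with that address keeps the SIP port from being reachable by everyone on the internet, which is the exposure post #7 avoids by using a VPN instead.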


#7

Hi Brian
We have our FreePBX located on “internal” lan subnet.
Since we don’t want open ports visible to the bad guys, we use a VPN solution to permit secure access thru our (separate) firewall to the PBX.
Seems uncomplicated. HTH and YMMV


(Brian Kramer) #9

Hi Celson,

I have most of those ASA entries defined. But I’m confused about the two RTP entries you mentioned. I do have those lines for SIP, but nothing for RTP. So I should have a static NAT rule for both SIP and RTP?

Also I’m not sure how to disable the global service inspection for SIP (your point #4). I’ll look that up and figure it out as well.

Thanks for your info. If you’re willing, please share an example config (or at least the relevant entries) so I can see how it’s supposed to be done. I understand if you’d rather not, though.

-BK


#10

Global service inspection can also be dubbed ‘ALG’ (application level gateway or somewhat like that). And yes, you need the NAT rules for RTP ports too.


#11

By the way, you only need to configure as many RTP ports as your user community demands. I use 10001 to 11000 and that is still more than I need. You can set the range in FreePBX.