Alternate SIP port for some extensions?

Is it possible to change the server port for only some extensions? For security reasons I want to run external extensions on an alternate SIP port, however, I do not want to have to change the ports on all the local extensions.

Do you have a NAT device to do the mapping? (You could use iptables.)
If yes, then the Asterisk directive is externip=1.2.3.4:50606
I am sure FreePBX people, in the latest version, have figured out a way to put it there via GUI, so you do not need to edit the files by hand.

You can’t use NAT. If you do, the packets have the wrong port number in them. Asterisk can deal with writing the correct IP address when it’s given the public IP; however, there is no place to tell it the public port, especially on a per-extension basis.

Either Asterisk needs to have knowledge of the correct public port to use on a per-extension basis, or some kind of SIP proxy to rewrite the public port is going to be required.

I want to know if the former is possible.

Not sure where you get your information. While an external SIP Session Border Controller (my favorite thing to talk about, and it annoys Obelisk, another bonus) certainly makes this easier, Asterisk NAT traversal works just fine.

I have worked on Asterisk nodes that have 1000s of SIP public endpoints registered.

That may be, but how many ports have you redirected? I get my information from Wireshark. Asterisk put out a packet with a Contact: <sip:*43@74.1.1.1:5060> so the phone stopped talking to 74.1.1.1:22222 and started talking to 74.1.1.1:5060.

You cannot use NAT to redirect ports unless Asterisk knows about it. Otherwise it writes the wrong port in packets.

I don’t have any ports redirected, I only have port 5060 opened in the firewall. The “core” machine has a public IP, the remote users are behind some form of NAT.

Sounds like you don’t have NAT turned on, or the externip and localnet variables populated correctly, on the box you are talking about.

Set these in the SIP Settings module.

What version of Asterisk and FreePBX are you running?

This is not an IP redirection question. It is a port redirection question.

I have three endpoint classes.

1. Peers - Trunk providers
2. Internal Extensions
3. External, mobile, extensions

The Peers see the Asterisk server on a public IP and default service port, like 74.1.1.1:5060. The Internal extensions see the Asterisk server at its native, internal address, like 192.168.20.1:5060, though they do not reside on the same subnet. The third class of external mobile extensions I’m trying to put on the same public IP as the peers but with a redirected port (port alias) like 74.1.1.1:22222, because I need to keep the script kiddies from hammering day and night.

I’ve been through the whole exercise with NAT which will map the traffic just fine, but without rewriting the port in the packets communication eventually breaks down because eventually the phone sees something in the packet and replies to it rather than replying to the source port.

I can think of a few ways to solve this (mind you I have no idea of Asterisk’s advanced capabilities, which is why I’m asking the question):

- Asterisk can bind to multiple ports. I’ve researched this and it only looks like bindport can be applied globally and to one port at a time.
- It’s possible to have Asterisk understand that it is multi-homed with multiple public IP/port pairs. I haven’t seen where this is possible.
- An external SIP proxy to rewrite all the headers based on the network architecture.

Asterisk can only bind to one IP; this is the purpose of the externip command. If you have the externip variable correctly set and your LAN defined as a localnet you will not have this issue; the port will be rewritten in the SIP message. This is the whole purpose of Asterisk NAT and it does exactly what you want.

externip is set correctly to the external IP address, and the peers on the default service port (5060) work just fine. The mobile extensions on the alternate port (22222) do not. Asterisk has no way of knowing what port I’m NATing and can’t possibly write the correct port in the packet.

Just FYI:

sip_general_additional.conf:
nat=yes
externip=74.1.1.1
localnet=10.0.0.0/255.0.0.0
localnet=192.168.0.0/255.255.0.0

Also, FYI, notice in the following network packet the UDP Source and Destination ports, then notice the Contact-URI Host Port. This contradicts what you’re saying, so one of us has a serious misunderstanding.

No.     Time        Source                Destination           Protocol Length Info
     12 5.687907    74.1.1.1          208.54.94.29          SIP/SDP  911    Status: 200 OK, with session description

Frame 12: 911 bytes on wire (7288 bits), 911 bytes captured (7288 bits)
Ethernet II, Src: Ibm_63:33:d9 (00:09:6b:63:33:d9), Dst: Flowpoin_21:17:cf (00:20:6f:21:17:cf)
Internet Protocol Version 4, Src: 74.1.1.1 (74.1.1.1), Dst: 208.54.94.29 (208.54.94.29)
User Datagram Protocol, Src Port: 22222 (22222), Dst Port: 4779 (4779)
    Source port: 22222 (22222)
    Destination port: 4779 (4779)
    Length: 877
    Checksum: 0x7ce3 [validation disabled]
Session Initiation Protocol
    Status-Line: SIP/2.0 200 OK
    Message Header
        Via: SIP/2.0/UDP 208.54.94.29:4779;branch=z9hG4bKPjlNQZjDvXcWFIYLAgIN8Z7MDFQtCE7PRF;received=208.54.94.29;rport=4779
        From: "PHONE" <sip:[email protected]>;tag=1fKBCTyo7Xb9aHXeyXi3izWaky295shg
            SIP Display info: "PHONE"
            SIP from address: sip:[email protected]
            SIP tag: 1fKBCTyo7Xb9aHXeyXi3izWaky295shg
        To: <sip:*[email protected]>;tag=as22acf285
            SIP to address: sip:*[email protected]
            SIP tag: as22acf285
        Call-ID: QHhSf2lwQMFGPh.r1c0bYIMZi8SYv0BW
        CSeq: 12054 INVITE
            Sequence Number: 12054
            Method: INVITE
        Server: FPBX-2.10.0(1.8.11.0)
        Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
        Supported: replaces, timer
        Session-Expires: 1800;refresher=uas
        Contact: <sip:*43@74.1.1.1:5060>
            Contact-URI: sip:*43@74.1.1.1:5060
                Contactt-URI User Part: *43
                Contact-URI Host Part: 74.1.1.1
                Contact-URI Host Port: 5060
        Content-Type: application/sdp
        Content-Length: 282
    Message Body
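An added consistency check, written for this thread and not code from the poster or from Asterisk: it parses a 200 OK constructed from the capture above (abbreviated headers, constructed sample) and flags the symptom being argued about, a Contact header whose port differs from the UDP socket the reply actually came from. It also simulates what the thread says externip=ip:port does to the advertised Contact, so the two configurations can be compared side by side.

```python
import re
from typing import Optional, Tuple

# Constructed sample modelled on the captured 200 OK: Asterisk sent it from
# 74.1.1.1:22222 (the aliased port) but advertised 74.1.1.1:5060 in Contact.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 208.54.94.29:4779;branch=z9hG4bK1;received=208.54.94.29;rport=4779\r\n"
    "To: <sip:*43@74.1.1.1>;tag=as22acf285\r\n"
    "CSeq: 12054 INVITE\r\n"
    "Contact: <sip:*43@74.1.1.1:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# host (group 1) and optional port (group 2) of the Contact URI
CONTACT_RE = re.compile(
    r"^Contact:\s*<sip:(?:[^@>]+@)?([^:;>]+)(?::(\d+))?[^>]*>", re.M | re.I
)


def parse_contact(msg: str) -> Tuple[str, int]:
    """Return (host, port) from the Contact header; SIP over UDP defaults to 5060."""
    m = CONTACT_RE.search(msg)
    if not m:
        raise ValueError("no Contact header")
    return m.group(1), int(m.group(2) or 5060)


def contact_mismatch(msg: str, src_ip: str, src_port: int) -> Optional[str]:
    """Describe the problem when Contact points somewhere other than the socket
    the reply arrived from; a phone honouring Contact then switches ports mid-dialog."""
    host, port = parse_contact(msg)
    if (host, port) == (src_ip, src_port):
        return None
    return f"Contact advertises {host}:{port} but reply came from {src_ip}:{src_port}"


def apply_externip(msg: str, externip: str) -> str:
    """Simulate externip=<ip>[:port] as described in the thread: the Contact
    host:port is rewritten to the configured value, port 5060 when none is given."""
    ip, _, port = externip.partition(":")
    new_hostport = f"{ip}:{port or 5060}"
    return re.sub(
        r"(^Contact:\s*<sip:(?:[^@>]+@)?)[^;>]+",
        lambda m: m.group(1) + new_hostport,
        msg,
        flags=re.M | re.I,
    )
```

Run contact_mismatch on the sample with the transport tuple from the capture (74.1.1.1, 22222) to see the mismatch, then on apply_externip(SAMPLE_200_OK, "74.1.1.1:22222") to see it clear.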

Ok, you are correct, you can’t get Asterisk to listen on two ports. Why do you need to?

To me this is not really a NAT issue. Let’s get clear: are you trying to NAT the port on the Asterisk server to a different port? That won’t work.

Now on the other hand, if the router on the client end performs PAT, the NAT traversal function will do its best to determine the real IP and port of the client and rewrite the invite to match.

The NAT on the client side is in the T-Mobile and AT&T Broadband cloud… so PAT ain’t happening. It might actually be possible to do something on the device since it’s basically a softphone running on top of the network stack on an Android device. It might also be possible to alter how the softphone treats the SIP packets, since various interpretations - like ignoring ‘Contact’ - could work. But, I think all that is much more trouble than it’s worth. A SIP proxy on the network edge is probably the path of least resistance.

For security reasons!!! Access for the mobile extensions can’t be constrained because the source addresses from the providers are all over the map - this isn’t a problem with the peers since you’re dealing with fixed static servers on both ends so the firewall can constrain that.

Therefore it’s necessary to move the public SIP traffic to non-standard ports. Determined hackers will still find exposed services on non-standard ports using scanning techniques, but determined hackers make up a very small fraction of this activity and usually focus only on high-value targets. This leaves the script kiddies that go after the low-hanging fruit, and they regularly scan well-known ports and try to penetrate with common exploits. Even when they’re unsuccessful they tend to generate a lot of unnecessary traffic, which is a total waste of bandwidth and IDS resources. So, deploying SIP on port 5060 in public is basically waving a flag asking for abuse. Good security is multilayered and one important rule is “don’t advertise”.

Yes, Asterisk can’t bind to two ports.

You could do this with OpenSIPS.

Why don’t you just let the internal clients register on the alternate port? Would that not solve all of your issues?

The only other thing I can think of would be a bi-directional full cone NAT in a Cisco or other high end router. If you mapped port 6622 to 22 on the inside with a reverse policy the RTP invites would still be correct in the SDP messages and the change would be invisible to Asterisk since it is still writing to port 22. The dport doesn’t matter as the network will take care of that.

Asterisk put out a packet with a Contact: <sip:*43@74.1.1.1:5060> so the phone stopped talking to 74.1.1.1:22222 and started talking to 74.1.1.1:5060.

Because you told Asterisk to use port 5060. You need to put externip=74.1.1.1:22222 in your config. This was explained in my first message.

It’s hard to find someone even more arrogant and condescending than I am; however, Obelisk manages to exceed even his own reach.

In this case he is spot on:

https://issues.asterisk.org/view.php?id=11858

You can indeed specify bindport on externip.

Learn something new everyday.

However, if I do that asterisk will stop working with the trunk providers that are using 74.1.1.1:5060. The phones I control, the providers I don’t.

Again, I’m trying to do 74.1.1.1:5060 AND 74.1.1.1:22222 all at the same time. Unless there is a way to write those rules on a per-endpoint basis, I don’t know how to make that work.

…although, that is probably less of an issue than it might appear on the surface. Moving the trunk providers to the same alternate port really shouldn’t make any difference because registrations and connections are all outbound, the provider isn’t looking for a specific port and should not care what port the traffic came from as long as the SIP packets are consistent.

I had some customers having issues with some strange hangups being sent, as their ISP also offered VOIP, so I had to use something other than port 5060 for them but didn’t want to change that for other customers. So I did a port redirect using iptables:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5080 -j REDIRECT --to-port 5060

That allowed clients to connect on either port 5060 or 5080.

I can’t swear this will work in all cases but it worked for me.