Is it possible to change the server port for only some extensions? For security reasons I want to run external extensions on an alternate SIP port, however, I do not want to have to change the ports on all the local extensions.
Do you have a NAT device to do the mapping? (You could use iptables.)
If yes, then the asterisk directive is externip=18.104.22.168:50606
I am sure FreePBX people, in the latest version, have figured out a way to put it there via GUI, so you do not need to edit the files by hand.
You can’t use NAT. If you do, the packets have the wrong port number in them. Asterisk can deal with writing the correct IP address when it’s given the public IP, however, there is no place to tell it the public port, especially on a per-extension basis.
Either Asterisk needs to have knowledge of the correct public port to use on a per-extension basis, or some kind of SIP proxy to re-write the public port is going to be required.
I want to know if the former is possible.
Not sure where you get your information. While an external SIP Session Border Controller (my favorite thing to talk about, and it annoys Obelisk, another bonus) certainly makes this easier, Asterisk NAT traversal works just fine.
I have worked on Asterisk nodes that have 1000s of SIP public endpoints registered.
That may be, but how many ports have you redirected? I get my information from Wireshark. Asterisk put out a packet with a
Contact: <sip:*[email protected]:5060> so the phone stopped talking to 22.214.171.124:22222 and started talking to 126.96.36.199:5060.
You cannot use NAT to redirect ports unless Asterisk knows about it. Otherwise it writes the wrong port in packets.
I don’t have any ports redirected, I only have port 5060 opened in Firewall. The “core” machine has a public IP, the remote users are behind some form of NAT.
Sounds like you don’t have NAT turned on, or the externip and localnet variables populated correctly, on the box you are talking about.
Set these in the SIP Settings module.
What version of Asterisk and FreePBX are you running?
This is not an IP redirection question. It is a port redirection question.
I have three endpoint classes.
- Peers - Trunk providers
- Internal Extensions
- External, mobile, extensions
The Peers see the Asterisk server on a public IP and default service port, like 188.8.131.52:5060. The Internal extensions see the asterisk server as its native, internal, address like 192.168.20.1:5060, though they do not reside on the same subnet. The third class of external mobile extensions I’m trying to put on the same public IP as the peers but with a redirected port (port alias) like 184.108.40.206:22222, because I need to keep the script kiddies from hammering day and night.
I’ve been through the whole exercise with NAT which will map the traffic just fine, but without rewriting the port in the packets communication eventually breaks down, because the phone sees something in the packet and replies to it rather than replying to the source port.
I can think of a few ways to solve this (mind you I have no idea of asterisk’s advanced capabilities, which is why I’m asking the question):
- Asterisk can bind to multiple ports. I’ve researched this and it only looks like bindport can be applied globally and to one port at a time.
- It’s possible to have asterisk understand that it is multi-homed with multiple public IP/port pairs. I haven’t seen where this is possible.
- An external SIP proxy to rewrite all the headers based on the network architecture.
Asterisk can only bind to one IP, this is the purpose of the externip command. If you have externip variable correctly set and your LAN defined as a Localnet you will not have this issue, the port will be rewritten in the SIP message. This is the whole purpose of Asterisk NAT and it does exactly what you want.
externip is set correctly to the external IP address, and the peers on the default service port (5060) work just fine. The mobile extensions on the alternate port (22222) do not. Asterisk has no way of knowing what port I’m NATing and can’t possibly write the correct port in the packet.
sip_general_additional.conf:
nat=yes
externip=220.127.116.11
localnet=10.0.0.0/255.0.0.0
localnet=192.168.0.0/255.255.0.0
Also, FYI, notice in the following network packet the UDP Source and Destination ports, then notice the Contact-URI Host Port. This contradicts what you’re saying so one of us has a serious misunderstanding.
No. Time Source Destination Protocol Length Info
12 5.687907 18.104.22.168 22.214.171.124 SIP/SDP 911 Status: 200 OK, with session description
Frame 12: 911 bytes on wire (7288 bits), 911 bytes captured (7288 bits)
Ethernet II, Src: Ibm_63:33:d9 (00:09:6b:63:33:d9), Dst: Flowpoin_21:17:cf (00:20:6f:21:17:cf)
Internet Protocol Version 4, Src: 126.96.36.199 (188.8.131.52), Dst: 184.108.40.206 (220.127.116.11)
User Datagram Protocol, Src Port: 22222 (22222), Dst Port: 4779 (4779)
Source port: 22222 (22222)
Destination port: 4779 (4779)
Length: 877
Checksum: 0x7ce3 [validation disabled]
Session Initiation Protocol
Status-Line: SIP/2.0 200 OK
Message Header
Via: SIP/2.0/UDP 18.104.22.168:4779;branch=z9hG4bKPjlNQZjDvXcWFIYLAgIN8Z7MDFQtCE7PRF;received=22.214.171.124;rport=4779
From: "PHONE" <sip:[email protected]>;tag=1fKBCTyo7Xb9aHXeyXi3izWaky295shg
SIP Display info: "PHONE"
SIP from address: sip:[email protected]
SIP tag: 1fKBCTyo7Xb9aHXeyXi3izWaky295shg
To: <sip:*[email protected]>;tag=as22acf285
SIP to address: sip:*[email protected]
SIP tag: as22acf285
Call-ID: QHhSf2lwQMFGPh.r1c0bYIMZi8SYv0BW
CSeq: 12054 INVITE
Sequence Number: 12054
Method: INVITE
Server: FPBX-2.10.0(126.96.36.199)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Session-Expires: 1800;refresher=uas
Contact: <sip:*[email protected]:5060>
Contact-URI: sip:*[email protected]:5060
Contact-URI User Part: *43
Contact-URI Host Part: 188.8.131.52
Contact-URI Host Port: 5060
Content-Type: application/sdp
Content-Length: 282
Message Body
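As an added example (not code from the thread), a small Python checker for the mismatch the capture above demonstrates: it compares the port advertised in the Contact header with the UDP source port the datagram actually left from. The sample message and the 203.0.113.5 / 192.0.2.10 addresses are constructed to mirror the capture.

```python
"""Detect a SIP Contact port that disagrees with the transport port.
Added example, not code from the thread; sample data is constructed."""
import re

DEFAULT_SIP_PORT = 5060


def parse_headers(msg: str) -> dict:
    """Return {lowercase-name: value} for the SIP header block."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the Status-/Request-Line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def contact_host_port(contact: str):
    """Extract (host, port) from a Contact header; port defaults to 5060."""
    m = re.search(r"sip:(?:[^@>]*@)?([^:;>]+)(?::(\d+))?", contact)
    if not m:
        return None
    return m.group(1), int(m.group(2) or DEFAULT_SIP_PORT)


def contact_mismatch(msg: str, udp_src_port: int):
    """Return (contact_port, udp_src_port) when they differ, else None.

    A mismatch means a NAT/PAT rewrote the transport port but Asterisk still
    advertised its bound port, so the phone will reply to the wrong port."""
    contact = parse_headers(msg).get("contact")
    if contact is None:
        return None
    _, port = contact_host_port(contact)
    return None if port == udp_src_port else (port, udp_src_port)


# Constructed sample: a 200 OK that left the server from UDP port 22222
# (the NAT-redirected port) while its Contact still says :5060.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:4779;branch=z9hG4bKexample;rport=4779\r\n"
    "From: \"PHONE\" <sip:1001@203.0.113.5>;tag=abc\r\n"
    "To: <sip:*43@203.0.113.5>;tag=def\r\n"
    "Contact: <sip:*43@203.0.113.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(contact_mismatch(SAMPLE_200_OK, 22222))  # (5060, 22222)
```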
Ok, you are correct, you can’t get Asterisk to listen on two ports. Why do you need to?
To me this is not really a NAT issue. Let’s get clear: are you trying to NAT the port on the Asterisk server to a different port? That won’t work.
Now on the other hand, if the router on the client end performs PAT, the NAT traversal function will do its best to determine the real IP of the client and port and rewrite the invite to match.
The NAT on the client side is in the T-Mobile and AT&T Broadband cloud… so PAT ain’t happening. It might actually be possible to do something on the device since it’s basically a softphone running on top of the network stack on an android device. It might also be possible to alter how the softphone treats the SIP packets since various interpretations - like ignoring ‘Contact’ - could work. But, I think all that is much more trouble than it’s worth. A SIP proxy on the network edge is probably the path of least resistance.
For security reasons!!! Access for the mobile extensions can’t be constrained because the source addresses from the providers are all over the map - this isn’t a problem with the peers since you’re dealing with fixed static servers on both ends so the firewall can constrain that.
Therefore it’s necessary to move the public SIP traffic to non-standard ports. Determined hackers will still find exposed services on non-standard ports using scanning techniques, but determined hackers make up a very small fraction of this activity and usually focus only on high-value targets. This leaves the script kiddies that go after the low hanging fruit, and they regularly scan well known ports and try to penetrate with common exploits. Even when they’re unsuccessful they tend to generate a lot of unnecessary traffic which is a total waste of bandwidth and IDS resources. So, deploying SIP on port 5060 in public is basically waving a flag asking for abuse. Good security is multilayered and one important rule is “don’t advertise”.
Yes, Asterisk can’t bind to two ports.
You could do this with OpenSIPS.
Why don’t you just let the internal clients register on the alternate port? Would that not solve all of your issues?
The only other thing I can think of would be a bi-directional full cone NAT in a Cisco or other high end router. If you mapped port 6622 to 22 on the inside with a reverse policy the RTP invites would still be correct in the SDP messages and the change would be invisible to Asterisk since it is still writing to port 22. The dport doesn’t matter as the network will take care of that.
Because you told asterisk to use port 5060. You need to put externip=184.108.40.206:22222 in your config. This was explained in my first message.
It’s hard to find someone even more arrogant and condescending than I am, however Obelisk manages to exceed even his own reach.
In this case he is spot on:
You can indeed specify bindport on externip.
Learn something new everyday.
However, if I do that asterisk will stop working with the trunk providers that are using 220.127.116.11:5060. The phones I control, the providers I don’t.
Again, I’m trying to do 18.104.22.168:5060 AND 22.214.171.124:22222 all at the same time. Unless there is a way to write those rules on a per endpoint basis I don’t know how to make that work.
…although, that is probably less of an issue than it might appear on the surface. Moving the trunk providers to the same alternate port really shouldn’t make any difference because registrations and connections are all outbound, the provider isn’t looking for a specific port and should not care what port the traffic came from as long as the SIP packets are consistent.
I had some customers having issues with some strange hangups being sent as their ISP also offered VOIP, so I had to use something other than port 5060 for them but didn’t want to change that for other customers. So I did a port redirect using iptables:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5080 -j REDIRECT --to-port 5060
That allowed clients to connect on either port 5060 or 5080.
I can’t swear this will work in all cases but it worked for me.