Connecting to PIAF from the internet

PBX in a Flash Version = 1.7.5.7 Running on HARDWARE
FreePBX Version = 2.8.1.4
Running Asterisk Version = 1.8.7.2
Asterisk Source Version = 1.8.7.2
Dahdi Source Version = 2.5.0.2+2.5.0.2
Libpri Source Version = 1.4.12
IP Address = 172.18.1.128 on eth0
Operating System = CentOS release 5.7 (Final)
Kernel Version = 2.6.18-274.3.1.el5 - 32 Bit

I have two extensions configured. I can connect from the intranet, but I can’t connect from the internet.

I went into ‘asterisk -r’ and ran ‘sip set debug on’.
I can see the internet phone opening the SIP channel, sending a “REGISTER” message and getting a 401/403 response.

However, headers seem incorrect:
The machine has a local IP 172.x.x.x, the router has an external (local) IP 10.x.x.x assigned by the ISP, and I have an external (internet) IP that is mapped to the 10.x.x.x IP.
The phone has a local IP 10.x.x.x, which is NATed to an external (internet) IP.
Headers in the PBX show the phone’s external IP correctly, but they show the external (local) IP instead of the external (internet) IP. Since I can’t modify the IP my router gets assigned, I’m wondering if there is any way to get this sorted out.

I assume this is not a simple NAT issue, since I do see the messages and packages coming in, and the responses (401/403) are passed correctly to the phone. This works locally, but not remotely, so it could be a configuration issue, but I’m running out of options of what/where to look for/at respectively.

Here is a log from a phone trying to connect remotely (software used is X-Lite 4.0, same software and configuration works from the intranet with no issues):

<--- SIP read from UDP:189.125.23.208:61464 --->
REGISTER sip:10.166.76.254 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.21:65102;branch=z9hG4bK-d8754z-6328415b3405e37b-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:61465;rinstance=e10c9ce6b2d01664;transport=udp>
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=23e05e7a
Call-ID: OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.
CSeq: 1 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: X-Lite 4 release 4.1 stamp 63215
Content-Length: 0

<------------->
--- (12 headers 0 lines) ---
Sending to 189.125.23.208:61464 (NAT)

<--- Transmitting (NAT) to 189.125.23.208:61464 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.0.21:65102;branch=z9hG4bK-d8754z-6328415b3405e37b-1---d8754z-;received=189.125.23.208;rport=61464
From: <sip:[email protected]>;tag=23e05e7a
To: <sip:[email protected]>;tag=as4a8f668b
Call-ID: OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.
CSeq: 1 REGISTER
Server: FPBX-2.8.1(1.8.7.2)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="4721abd5"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.' in 32000 ms (Method: REGISTER)

<--- SIP read from UDP:189.125.23.208:61464 --->
REGISTER sip:10.166.76.254 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.21:65102;branch=z9hG4bK-d8754z-2782d72f74071248-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:61465;rinstance=e10c9ce6b2d01664;transport=udp>
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=23e05e7a
Call-ID: OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.
CSeq: 2 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: X-Lite 4 release 4.1 stamp 63215
Authorization: Digest username="2001",realm="asterisk",nonce="4721abd5",uri="sip:10.166.76.254",response="454295734276056b0c34072343dbfdfe",algorithm=MD5
Content-Length: 0

<------------->
--- (13 headers 0 lines) ---
Sending to 189.125.23.208:61464 (NAT)

<--- Transmitting (NAT) to 189.125.23.208:61464 --->
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 10.0.0.21:65102;branch=z9hG4bK-d8754z-2782d72f74071248-1---d8754z-;received=189.125.23.208;rport=61464
From: <sip:[email protected]>;tag=23e05e7a
To: <sip:[email protected]>;tag=as4a8f668b
Call-ID: OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.
CSeq: 2 REGISTER
Server: FPBX-2.8.1(1.8.7.2)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog 'OTMxYjkzMjZjMDRkOWVkZGEyYzU4NjI5OTdlNDcxYzk.' in 32000 ms (Method: REGISTER)

Thanks in advance for reading. Any suggestions or comments will be appreciated.
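
Added example, not part of the original post: a Python check of the digest arithmetic behind the 401/403 exchange in the trace above (RFC 2617 MD5 digest). It shows that the response is computed from the username, realm, secret, method, nonce and the uri string the phone sent, and not from the Via or Contact addresses. The function names, the nonce and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Split 'Digest k="v",k2=v2' into a dict of lower-cased keys."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(fields, method, secret):
    """Response the server recomputes from its stored secret (RFC 2617, MD5)."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{secret}")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    if fields.get("qop") == "auth":
        middle = f"{fields['nonce']}:{fields['nc']}:{fields['cnonce']}:auth"
    else:  # no qop, as in the trace above
        middle = fields["nonce"]
    return md5_hex(f"{ha1}:{middle}:{ha2}")

def secret_matches(header_value, method, secret):
    """True when the secret on the PBX yields the response the phone sent."""
    fields = parse_digest(header_value)
    sent = fields.get("response", "").lower()
    return hmac.compare_digest(expected_response(fields, method, secret), sent)

def constructed_header(secret, uri):
    """Build the header a phone would send (nonce and secret are constructed)."""
    fields = {"username": "2001", "realm": "asterisk",
              "nonce": "0a1b2c3d", "uri": uri}
    response = expected_response(fields, "REGISTER", secret)
    return ('Digest username="2001",realm="asterisk",nonce="0a1b2c3d",'
            f'uri="{uri}",response="{response}",algorithm=MD5')

if __name__ == "__main__":
    header = constructed_header("phone-secret", "sip:10.166.76.254")
    print(secret_matches(header, "REGISTER", "phone-secret"))  # secrets agree
    print(secret_matches(header, "REGISTER", "pbx-secret"))    # secrets differ
    # Same secret, but a different uri string fed into the hash:
    fields = parse_digest(header)
    fields["uri"] = "sip:203.0.113.10"
    print(expected_response(fields, "REGISTER", "phone-secret") == fields["response"])
```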

Have you followed the instructions for remote extensions found here:

http://www.freepbx.org/support/documentation/howtos/howto-setup-a-remote-sip-extension

I would consider myself a novice but not a rookie.

I did forward the ports from the router, set the info in the extension, hardened the password, added IP restrictions to the IP I’m using, etc.

However, if I do not remove iptables the connection does not go through.
I think the whitelist part of the Incredible PBX is actually affecting me. Thanks for the suggestion though, and for reading.

I wonder if using a different protocol instead of SIP would make this easier.