Need help with AT&T IP flex sip configuration on asterisk FreePBX

I have got my server set up and running and have all phones working internally, but now it is time to get my trunk configuration done for AT&T inflexible reach and I am not having any luck. I have made many phone calls to AT&T and had no luck getting any help. I am hoping someone on here has set up a successful trunk using AT&T IP Flex and could help me with a sample configuration. For now I have everything set up as chan_sip.
Thank you
Peter

I have no personal experience with AT&T but found this:
https://www.mcbsys.com/blog/2019/02/navigating-the-mysteries-of-att-ip-flexible-reach/
It’s for a competing PBX but should tell you all you need to know.

(I assume that you configured chan_sip to bind to port 5060.)

In your system, at the Asterisk command prompt type
sip set debug on
and make a test call.
Report what response, if any, your INVITE gets.

If none, can you ping the AT&T host?

Show us what you have so far. You can mask IPs.

Thank you guys for your response. I will be back in the office tomorrow and will put what I have got on here.

In-flexible reach indeed… The FreePBX side config is rather basic but AT&T’s requirements are less than ideal.

Have you had “Test & Turn Up” yet for the voice services on the line?
If not, you’ll need to do that in order for them to enable communication between their PBXs and yours. I don’t remember at what point we received them, but their server addresses were not on our welcome docs; I think we got them from them by asking during Test & Turn Up. Anyways, you should receive two addresses, a primary and a secondary, and the route they make will only allow these servers to communicate with your server via a certain IP (ask them) on your side (could be your gateway, could be another address in your assigned range, which was the case for us), so your PBX will need to communicate on that IP or have them change it during Test & Turn Up. Also, their PBXs don’t support authentication (unless that is an option now), so you’ll need to allow anonymous peers (bad if you’ll have SIP open to the web for remote clients, which by default they will also have blocked on that IP). So make sure to have them unblock SIP/5060 on your IP in order to allow external clients (2 IAX trunked PBXs is what we used to maintain security, more on that below). You’ll also need to sign a doc accepting responsibility in order for them to unblock SIP on that IP to the world. You’ll also receive two test numbers, although the DID (or as they called it, “How many numbers they send”) may not match the actual DID. You can have them change that, but it’s like pulling teeth… (we have DIDs prefixed with a ton of 0s, DIDs missing area codes, and DIDs sent 10 digits as expected)

Anyways, the FreePBX settings:
Create two trunks (don’t remember if the trunk name mattered to them, I don’t think it did)
On General Tab: Name it whatever you want, set CallerID to your main preferred number (“CNAME” <NXXNXXXXXX>, can be overridden elsewhere) and allow any CID under “CID Options”.
On SIP Settings tab: Incoming, leave all blank; Outgoing, put Trunk Name: att-ipflex-pri or att-ipflex-sec, and use the following for PEER Details:
type=peer
qualify=2000
host=(ATTs PBX IP)

Inbound Routes: create a route with DID Number & CallerID Number both set to Any (for testing for now, since we need to figure out what DIDs ATT is sending and they will call the test numbers too during turn up). Under the Advanced tab, set “Signal RINGING” to Yes and “Reject Reverse Charges” to Yes (your preference here though) and “Force Answer” to No. Set the destination on the General Tab to whatever extension you want to test with.

Outbound Route: create a route with Trunk sequence set to ATT primary, then secondary, use a dial pattern of “.” with no prepend, prefix or CallerID for now for testing.

Asterisk SIP Settings
General Tab:
“Allow Anonymous Inbound SIP Calls”: No
“Allow SIP Guests”: Yes
“External Address”: Set to the IP ATT is expecting to see your PBX at (only one comms will work between them with)
“RTP Port Ranges” I have set to 10000 - 20000, with Checksum & Strict turned on, Timeout at 30, Hold at 300 and Keep Alive at 0, but don’t remember if that stuff was needed
Everything else is blank past there, except Codecs: ulaw, alaw, gsm, g726 & g722 enabled (but don’t remember which they needed)
“SIP Legacy Settings” Tab
NAT: yes, IP: Static, Reinvite: No, Notify Ringing: Yes, Notify Hold: Yes, Registration Timeout: 20, Attempts: 0, Min Exp: 60, Max Exp: 3600, Default Exp: 120, Jitter Buffer: No, Default Context: from-sip-external, Bind: 0.0.0.0, Port: 5060, SRV: No, TCP: No, Call Events: Yes, Other SIP Settings: None (again don’t remember which were needed so just gave what I have)

And those are all the settings I have in place on our ATT interfacing systems…

As for handling security, our main firewall only allows communication between ATT’s two PBX servers and our server and blocks all other traffic there (other than HTTP/S for updates). We use this server for communicating with ATT only, and have it trunked via IAX to a secondary server which has all the clients, IVRs, Inbound Routes and all the phone system type stuff on it, so basically this is just a trunk interfacing ATT with IAX and we point our Client PBX to this (all the DIDs just get passed over to the client PBX and we handle everything there). As for finding the DIDs ATT sends, call each one then check your CDR Reports and you’ll see them there, then you can add rules for them.

Hope this helps, let me know if you have questions…

Hi Nick, I haven’t had much information from AT&T, but after reading your reply I think you are saying that I need to do Test and Turn Up to be able to get everything working. We already have an IP Flex in place, a 50 x 50 fiber, and they just installed the new Cisco router for the SIP circuit and we have internet on it. Now comes the problem I am facing: in the configuration they have given me 2 IPv6 addresses as their border elements, and the paperwork that came with the Cisco router has IPv4 addresses, one for the WAN and one for our LAN, so I am not sure here if I need to configure the trunk with the border elements or not. I am also guessing that they are sending me chan_sip and not pjsip. I am off work today and will be back in the office in the morning. I will post what they gave me with the IP addresses masked; see if you can make sense of it. I want to thank you for your time in helping me and the others.
Thank you
Peter

I assume by “don’t support authentication” you mean by SIP credentials (username and password). That’s actually less secure, because someone could steal those credentials and make calls on your account. AT&T (as well as SIPStation, Twilio, Flowroute and most other high end providers) only accept calls for your account from your server’s IP address; it’s very unlikely that an attacker could hijack that.

And, you don’t have to allow anonymous peers – just set your trunk to Match (Permit) AT&T’s server addresses. If you’re still on chan_sip, you’ll need to set up two trunks.

For even better security, have two NICs on your PBX, one solely to communicate with AT&T on a dedicated public IP (locked down by both AT&T and your iptables) and one for your extensions (your firewall and iptables allow external access only as needed). IMO using additional servers is overkill. This method also avoids the need to sign a special waiver.

If by “border elements” they mean the addresses where you are to send calls, your trunk configuration must include those. You should absolutely avoid any translation between IPv4 and IPv6. So, you either need to get IPv4 addresses at AT&T where they will accept your calls, or get the Cisco router and your server to work properly with IPv6. In the example previously posted, AT&T accepted calls on IPv4 addresses. I assume that they can still do that.
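An added example (not posted by anyone in this thread) that audits a chan_sip-style config for the two hardening points discussed above: guest calls turned off, and each AT&T trunk peer restricted by a deny-all plus permit ACL. The sample config, the documentation-range IPs and the function names `parse` and `audit` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in chan_sip (sip.conf) syntax; IPs are documentation addresses.
SAMPLE = """
[general]
allowguest=yes            ; FreePBX "Allow SIP Guests"

[att-ipflex-pri]
type=peer
qualify=2000
host=192.0.2.10

[att-ipflex-sec]
type=peer
host=192.0.2.11
deny=0.0.0.0/0.0.0.0
permit=192.0.2.11/255.255.255.255
"""

def parse(text):
    """Return {section: {key: [values]}}; keys such as permit may repeat."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            conf[section] = defaultdict(list)
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[section][key.lower()].append(value)
    return conf

def audit(text):
    """List findings: guests allowed, or a static-IP peer without an IP ACL."""
    conf, findings = parse(text), []
    # chan_sip treats a missing allowguest as yes, so only an explicit no passes.
    if conf.get("general", {}).get("allowguest", ["yes"])[-1].lower() != "no":
        findings.append("general: allowguest is not 'no'")
    for name, opts in conf.items():
        if name == "general" or "host" not in opts:
            continue
        try:
            host = ipaddress.ip_address(opts["host"][-1])
        except ValueError:                       # hostname or 'dynamic'
            findings.append(f"{name}: host is not a literal IP, ACL not checked")
            continue
        nets = lambda k: [ipaddress.ip_network(v, strict=False) for v in opts.get(k, [])]
        if not (any(n.prefixlen == 0 for n in nets("deny"))
                and any(host in n for n in nets("permit"))):
            findings.append(f"{name}: no deny-all plus permit covering {host}")
    return findings
```

Running `audit(SAMPLE)` flags the `[general]` guest setting and the primary trunk, while the secondary trunk with its deny/permit pair passes.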

Peter, it’s been several years since we brought up our last site, but at that time yes we did need to do a “Test and Turn up” on Voice with them for them to enable our voice services. Looking back through my emails, previous to that it looks like I was receiving a response from their server as:
405 “Method Not Allowed” “Reason: Q.850;cause=55;text=Call Terminated" (Incoming calls barred within Closed User Group)

They were also referencing their PBX IPs as “IP Border Element Assignments” which is what we used in our Trunk settings, so that sounds like them although ours were IPv4 (they also mentioned “SD Media IP Address” but we never used those IPs in use on our systems). When we set up our first site much longer ago it was chan_sip, so I just stuck with that working config going forward, so not sure if pjsip will work, others may know.

Stewart,
Correct, there were no SIP credentials, I’ll try turning off SIP Guests and adding Permit to the trunk outside hours when I get a chance, I like that much better :) (but I’ll still keep them firewall locked)
We have IP Flex service in a few sites and I also use the IAX trunking to link them all to our main colo PBX; our DIDs are sprinkled about between them but handled at the main and I also use them for extra outbound channels if the main one gets too full. At some point I’ll light a fire under ATT again about porting all the numbers to the colo site…

Hi Guys I am in the office today and here is what I got from AT&T


The top part of the image I got when I called the vendor that sold me the IP Flex, and the second one came with the Cisco router. As you can see they gave me IPv6 addresses and also some IPv4 addresses. I have masked them out, but I hope that after you guys look at them you might be able to point me in the right direction.
thank you so much
Peter

Peter,

The IPBE IP Addresses (IP Border Element) would be the IPs for the trunk peers. Not sure if the IP your PBX should appear on is in those docs anywhere (mine wasn’t) and I also don’t have any experience with IPv6 in PBX land, so you might want to check into running pure IPv6 or getting IPv4 addresses for trunk peers like Stewart mentioned.

Have you put any configuration into your trunks yet and tried to connect? Attempting a connection with SIP debugging on would give you an idea of where in the chain things are stopping and give a hint as to why. You may also need to have test and turn up for it all to work; ATT should still be able to work with you and change things after that if you end up needing to change IPs.

Also, fyi, the old less edited image is still publicly visible, under the pencil/edit button in the top right of the post, so you might want to look into how to remove that…
