No audio on external extensions

External extensions can connect to the server, but when placing calls there is no audio and the call times out according to the settings on the server. I have reviewed quite a lot of posts and as far as I can tell the NAT is set up correctly in FreePBX and on our firewall. It is a 1:1 NAT and the phone server has a dedicated IP. Everything else on the phone system works fine. It is just some of our users that spend about half of their time at client sites that have this issue when they are off-site. Inside the network everything works.

Either you don’t have the SIP config on the PBX set up properly or you don’t have all the correct ports open on the firewall. A bit more information would certainly get you some more direct help: what type of firewall, what ports are open, what ports are forwarded, is the remote connection a VPN connection, etc.

You have a huge checklist here, this is not a simple answer.
Do you know if your trunk provider proxies the media?
You have to allow the media as well as sip to route, you have sip settings on the server which need to be verified…

Does an outbound call work versus an inbound call?

Just trying to fish for some simple answers and point you in the right direction.

The firewall is wide open and forwards anything from the external IP to the server, basically an any/any config (as advised by the company that provides the service/connection to the outside world). The only real firewall doing any kind of blocking is on the phone server itself. Our firewall is a Juniper SSG20. Since the Juniper is wide open when it comes to the phone server IP and the best guess for limitation I can hit at right now is the server firewall, here is the iptables as configured by our provider:

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp – anywhere anywhere
fail2ban-apache-auth tcp – anywhere anywhere
fail2ban-SIP all – anywhere anywhere
fail2ban-PBX-GUI all – anywhere anywhere
fail2ban-BadBots tcp – anywhere anywhere
fail2ban-SSH tcp – anywhere anywhere
fail2ban-recidive all – anywhere anywhere
ACCEPT tcp – anywhere anywhere tcp dpt:apc-6547
ACCEPT udp – anywhere anywhere udp dpt:apc-3052
ACCEPT tcp – anywhere anywhere tcp dpt:apc-3052
fail2ban-SSH tcp – anywhere anywhere
fail2ban-SIP all – anywhere anywhere
fail2ban-FTP tcp – anywhere anywhere
fail2ban-BadBots tcp – anywhere anywhere
fail2ban-PBX-GUI tcp – anywhere anywhere
RH-Firewall-1-INPUT all – anywhere anywhere
ACCEPT tcp – anywhere anywhere tcp dpt:sip
ACCEPT udp – anywhere anywhere udp dpt:sip

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp – anywhere anywhere udp spt:apc-3052
ACCEPT tcp – anywhere anywhere tcp spt:apc-3052
ACCEPT tcp – anywhere anywhere tcp spt:http
ACCEPT all – anywhere 10.0.0.0/8
ACCEPT all – anywhere 172.16.0.0/12
ACCEPT all – anywhere 192.168.0.0/16
DropIRCOut tcp – anywhere anywhere tcp dpts:6660:ircu-3
DropIRCOut tcp – anywhere anywhere tcp dpt:afs3-fileserver

Chain DropBadIPs (7 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 10/min burst 5 LOG level warning ip-options prefix `Known Bad Guy DROPPED '
DROP all – anywhere anywhere

Chain DropIRCOut (2 references)
target prot opt source destination
LOG all – anywhere anywhere limit: avg 10/min burst 5 LOG level warning ip-options prefix `IRC Out Attempt DROPPED: '
DROP all – anywhere anywhere

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all – anywhere anywhere
DropBadIPs all – tv.cciintellisys.com anywhere
DropBadIPs all – 69-50-160-0.westerncable.ca/19 anywhere
DropBadIPs all – 85-255-112-0.mediatrendsystem.com/20 anywhere
DropBadIPs all – 0.de.1243.static.theplanet.com/24 anywhere
DropBadIPs all – nk210-202-53-48.vdsl.static.apol.com.tw anywhere
DropBadIPs all – 121.134.8.168 anywhere
DropBadIPs all – 216.223.9.11 anywhere
ACCEPT icmp – anywhere anywhere icmp any
ACCEPT all – anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp – loopback/8 anywhere
ACCEPT udp – anywhere anywhere state NEW udp spts:filenet-rpc:65535 dpts:traceroute:33523
ACCEPT all – 208.93.92.0/22 anywhere
ACCEPT all – 72-55-209-245.mammothnetworks.com anywhere
ACCEPT all – 200.qwest.vpxp.com/29 anywhere /* SenaWave-cb */
ACCEPT all – 74.122.76.56/29 anywhere /* SenaWave-76.56 */
ACCEPT all – 173-14-230-129-utah.hfc.comcastbusiness.net anywhere /* SolutionStream Public */
ACCEPT all – 10.10.0.0/16 anywhere
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:ssh recent: CHECK name: PKAUTH side: source
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:http recent: CHECK name: PKAUTH side: source
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:https recent: CHECK name: PKAUTH side: source
ACCEPT udp – anywhere anywhere state NEW udp dpt:snmp recent: CHECK name: PKAUTH side: source
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:smux recent: CHECK name: PKAUTH side: source
ACCEPT udp – anywhere anywhere state NEW udp dpt:sip recent: CHECK name: PKAUTH side: source
LOG tcp – anywhere anywhere multiport dports 7464,7465,7467,7468 LOG level warning ip-options prefix `portknock PKAUTH Closed '
DROP tcp -- anywhere anywhere multiport dports 7464,7465,7467,7468 recent: REMOVE name: PKAUTH side: source
DROP tcp -- anywhere anywhere multiport dports 7464,7465,7467,7468
LOG tcp -- anywhere anywhere tcp dpt:7466 LOG level warning ip-options prefix `portknock PKAUTH OPENED '
DROP tcp – anywhere anywhere tcp dpt:7466 recent: SET name: PKAUTH side: source
DROP tcp – anywhere anywhere tcp dpt:7466
ACCEPT udp – anywhere anywhere udp dpt:ntp
ACCEPT udp – 208.93.92.0/22 anywhere udp dpt:sip
ACCEPT udp – anywhere anywhere udp dpts:ndmp:dnp
DROP all – anywhere anywhere

Chain fail2ban-BadBots (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere

Chain fail2ban-FTP (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere

Chain fail2ban-PBX-GUI (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere

Chain fail2ban-SIP (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere

Chain fail2ban-SSH (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere

Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all – anywhere anywhere
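
Added example (not part of the original post or the provider's configuration): a first-match reading of the posted RH-Firewall-1-INPUT chain for a new UDP packet, to answer the "what ports are open" question for SIP signalling and RTP media. Assumptions: the chain's leading `ACCEPT all` rule is loopback-only (`iptables -L` without `-v` does not print interfaces), `203.0.113.10` is a constructed off-site address, and 12000 is a constructed port inside the `ndmp:dnp` (10000-20000) range.

```python
import ipaddress
import re

# Service names as `iptables -L` prints them (values from /etc/services).
SERVICES = {"sip": 5060, "ntp": 123, "ndmp": 10000, "dnp": 20000}

# Excerpt of the RH-Firewall-1-INPUT chain posted above, "--" restored.
# Assumption: the chain's first "ACCEPT all" rule is loopback-only, so it is omitted.
LISTING = """\
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 208.93.92.0/22 anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:sip recent: CHECK name: PKAUTH side: source
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- 208.93.92.0/22 anywhere udp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
DROP all -- anywhere anywhere
"""

def port(token):
    return int(token) if token.isdigit() else SERVICES[token]

def parse(line):
    target, proto, _opt, src, _dst, *rest = line.split()
    extra = " ".join(rest)
    m = re.search(r"dpts?:([\w-]+)(?::([\w-]+))?", extra)
    ports = (port(m.group(1)), port(m.group(2) or m.group(1))) if m else (0, 65535)
    return {"target": target, "proto": proto, "ports": ports, "extra": extra,
            "src": None if src == "anywhere" else ipaddress.ip_network(src)}

RULES = [parse(l) for l in LISTING.splitlines()]

def verdict(proto, dport, src, knocked=False, rules=RULES):
    """First-match target for a NEW packet (no conntrack entry yet)."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        if not r["ports"][0] <= dport <= r["ports"][1]:
            continue
        if "RELATED,ESTABLISHED" in r["extra"]:
            continue  # only matches packets of an existing flow
        if "recent: CHECK" in r["extra"] and not knocked:
            continue  # source is not on the PKAUTH port-knock list
        return r["target"]
    return "POLICY"

if __name__ == "__main__":
    for name, dport in (("SIP", 5060), ("RTP", 12000)):
        print(name, verdict("udp", dport, "203.0.113.10"))
```

Running `iptables -L -v -n` on the server prints interfaces, packet counters and numeric ports, which removes the loopback assumption made here.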

In the Extension module for each external extension, did you change the NAT field from “no” to “yes”?

Did you configure the NAT settings in the Asterisk SIP Settings module?

Yes, the NAT has been set up in the Asterisk SIP. I am not finding an external Extension Module. That may be the problem.

Jared Grange
Systems Administrator
O 801 492 7700 Ext 276

The NAT field in the Extension Module is set to “yes” and the NAT settings in the Asterisk SIP module are configured.

Sorry, I misread the email. All settings are set up for NAT. The Asterisk SIP module is configured and in the Extension module the NAT field is set to yes.
