[asterisk-bugs] [JIRA] Created: (ASTERISK-20528) Handling of natted User Agents behind stateful firewall without SIP support

Diego Ercolani (JIRA) noreply at issues.asterisk.org
Sun Oct 7 13:30:27 CDT 2012


Handling of natted User Agents behind stateful firewall without SIP support 
----------------------------------------------------------------------------

                 Key: ASTERISK-20528
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20528
             Project: Asterisk
          Issue Type: Improvement
      Security Level: None
          Components: Channels/chan_sip/Interoperability
    Affects Versions: 10.6.1
         Environment: Public Asterisk Box, natted SIP phone behind Telco router (not SIP aware)
            Reporter: Diego Ercolani


The SIP signaling for a call from the Asterisk box (AST) to a SIP phone (UA) is done with the classical sequence:

AST ---INVITE----> UA
AST <--TRYING----- UA
AST <--RINGING---- UA
...
AST <--RINGING---- UA
AST <----OK------- UA
AST ----ACK------> UA
AST <-RTPSESSION-> UA
...


The problem is at the RTP session when we have a phone behind a firewall that is not SIP-aware.
In fact it is possible to tell Asterisk and the phone to use the same port for signaling, and then it is possible to tell Asterisk to qualify the phone, leaving the channel open; but when the RTP session starts, if the first packet of the RTP session comes from the phone, then the firewall opens the port also in the receive direction towards the phone. But if the first packet comes from the Asterisk box, then the firewall closes the port and the person on the phone cannot hear anything, while Asterisk is receiving the RTP stream.

It would be optimal if it were possible (per SIP channel) to ask Asterisk to wait for the first RTP packet from the remote endpoint before starting the RTP stream; this could be a smart workaround for stateful firewalls that don't support the SIP protocol.


This is the network topology I'm trying to describe:

+---------+     __________      +----------+   +--------+
| ASTERISK|    (          )     | NATTING  |   | NATTED |
|   BOX   +----+ INTERNET +-----+ FIREWALL +---+ PHONE  |
|         |    (__________)     +----------+   +--------+
+---------+

Aip is the public address of the Asterisk box
Bip is the public address of the natting firewall that NATs the remote SIP phone


This is what tcpdump is actually telling me:

Aip -> Bip : Request-Line: INVITE sip:roberto at Bip:1026 SIP/2.0
Aip <- Bip : Status-Line: SIP/2.0 100 Trying
Aip <- Bip : Status-Line: SIP/2.0 180 Ringing
Aip <- Bip : Status-Line: SIP/2.0 200 OK
Aip <- Bip : Request-Line: ACK sip:roberto at Bip:1026 SIP/2.0
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2265, Time=1260141040, Mark 	10104	7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2266, Time=1260141200 	10104	7006
Aip <- Bip : ICMP Destination unreachable (Port unreachable)		10104	7006
Aip <- Bip : ICMP Destination unreachable (Port unreachable)		10104	7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2267, Time=1260141360 	10104	7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2268, Time=1260141520 	10104	7006


As you can see, the first two packets of the RTP stream come from Asterisk and are dropped by the firewall. This doesn't permit the RTP session to start up from Asterisk to the remote phone even after the first packet coming from the phone....

I tried manually to accomplish what I'm describing using iptables,
from the Asterisk box where I have rtpstart=10000 and rtpend=20000 in rtp.conf:

iptables -I OUTPUT 1 -p udp --sport 10000:20000 -d Bip -j DROP; sleep 10; iptables -D OUTPUT 1

Then I call from the Asterisk box to the remote phone, and after 10 seconds the remote phone can correctly hear me (and of course I can hear it).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
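A toy model of the ordering problem described in the report, as an added example that is not part of the bug report or of Asterisk: a stateful NAT that creates a UDP mapping only when the inside host sends first, and an Asterisk side that either sends to the SDP address immediately (as in the trace above) or waits for the first inbound RTP packet and replies to its source. The addresses, the choice of 10104 and 7006 as the two RTP ports (read from the trace columns), and the NAT's port-preserving or port-rewriting behaviour are assumptions. It goes beyond the report in also modelling a NAT that rewrites the source port, where replying to the observed source rather than to the SDP port is what makes the stream reach the phone.

```python
"""Model of a stateful, non-SIP-aware NAT and the RTP start-up ordering
problem. Added illustration, not code from the report or from Asterisk;
addresses, ports and NAT behaviour are constructed for the example."""

from dataclasses import dataclass, field

AIP = "198.51.100.10"     # assumed public address of the Asterisk box (Aip)
BIP = "203.0.113.5"       # assumed public address of the natting firewall (Bip)
PHONE = "192.168.1.20"    # assumed private address of the natted phone
AST_RTP_PORT = 10104      # Asterisk's RTP port, inside rtpstart..rtpend
PHONE_RTP_PORT = 7006     # port the phone announced in its SDP (assumed)


@dataclass
class StatefulNat:
    """UDP NAT: a public mapping exists only after an inside host sends first.
    preserve_port=False models a router that rewrites the source port."""
    public_ip: str
    preserve_port: bool = True
    mappings: dict = field(default_factory=dict)   # (inside_ip, port) -> public port
    next_port: int = 30000                         # first rewritten port (assumed)

    def outbound(self, inside_ip, inside_port):
        """Inside host sends: create (or reuse) the mapping, return public src."""
        key = (inside_ip, inside_port)
        if key not in self.mappings:
            self.mappings[key] = inside_port if self.preserve_port else self.next_port
            if not self.preserve_port:
                self.next_port += 1
        return self.public_ip, self.mappings[key]

    def inbound(self, public_port):
        """Packet from the Internet: inside (ip, port) if a mapping exists,
        otherwise None (the firewall answers ICMP port unreachable)."""
        for key, pub in self.mappings.items():
            if pub == public_port:
                return key
        return None


def rtp_call(nat, asterisk_waits, packets=4):
    """Simulate the first RTP packets of one call.

    asterisk_waits=False: Asterisk sends half the packets to the SDP address
    before the phone has sent anything (the behaviour in the trace).
    asterisk_waits=True: Asterisk holds its stream until the phone's first
    packet arrives, then replies to that packet's observed source.
    Returns counts plus the remote address Asterisk ended up using."""
    dropped = delivered = 0
    remote = (nat.public_ip, PHONE_RTP_PORT)     # address taken from the SDP
    log = []

    def asterisk_sends(n):
        nonlocal dropped, delivered
        for _ in range(n):
            line = f"{AIP}:{AST_RTP_PORT} -> {remote[0]}:{remote[1]} RTP"
            if nat.inbound(remote[1]) == (PHONE, PHONE_RTP_PORT):
                delivered += 1
                log.append(line)
            else:
                dropped += 1
                log.append(line + "   <- ICMP port unreachable")

    early = 0 if asterisk_waits else packets // 2
    asterisk_sends(early)                         # talks first: no pinhole yet

    # The phone's first packet opens the pinhole; Asterisk learns its source
    # (symmetric-RTP style), which matters when the NAT rewrites the port.
    remote = nat.outbound(PHONE, PHONE_RTP_PORT)
    log.append(f"{remote[0]}:{remote[1]} -> {AIP}:{AST_RTP_PORT} RTP (first from phone)")
    asterisk_sends(packets - early)
    return {"dropped": dropped, "delivered": delivered, "remote": remote, "log": log}


if __name__ == "__main__":
    for waits in (False, True):
        for preserve in (True, False):
            r = rtp_call(StatefulNat(BIP, preserve_port=preserve), asterisk_waits=waits)
            print(f"waits={waits} preserve_port={preserve}: "
                  f"dropped={r['dropped']} delivered={r['delivered']} remote={r['remote']}")
            print("\n".join("  " + l for l in r["log"]))
```

Running it prints the four combinations; the case with asterisk_waits=False and a port-preserving NAT reproduces the shape of the trace (two packets answered with ICMP port unreachable, later ones delivered), while waiting for the phone's packet loses none, and with a port-rewriting NAT the only working destination is the port observed on that first inbound packet, not the one in the SDP.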


