[asterisk-bugs] [JIRA] Closed: (ASTERISK-20528) Handling of natted User Agents behind stateful firewall without SIP support

Rusty Newton (JIRA) noreply at issues.asterisk.org
Wed Oct 10 14:18:27 CDT 2012


     [ https://issues.asterisk.org/jira/browse/ASTERISK-20528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rusty Newton closed ASTERISK-20528.
-----------------------------------

    Resolution: Suspended

Thank you for looking through this issue and providing plenty of detail. However, we are suspending this as there is no patch included.

Please see the [Asterisk Issue Guidelines | https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines#AsteriskIssueGuidelines-Howtorequestafeature]

The issue will remain suspended until you can provide a patch. At that point you can bring it up in the #asterisk-bugs channel, or on the asterisk-dev mailing list and it'll be re-opened for review.




> Handling of natted User Agents behind stateful firewall without SIP support 
> ----------------------------------------------------------------------------
>
>                 Key: ASTERISK-20528
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20528
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Interoperability
>    Affects Versions: 10.6.1
>         Environment: Public Asterisk Box, natted SIP phone behind Telco router (not SIP aware)
>            Reporter: Diego Ercolani
>
> The SIP for a call from Asterisk Box (AST) to a SIP phone (UA) is done with the classical sequence:
> AST ---INVITE----> UA
> AST <--TRYING----- UA
> AST <--RINGING---- UA
> ...
> AST <--RINGING---- UA
> AST <----OK------- UA
> AST ----ACK------> UA
> AST <-RTPSESSION-> UA
> ...
> The problem is at the RTP SESSION when we have a phone behind a firewall that is not SIP-aware.
> In fact it is possible to tell ASTERISK and the phone to use the same port for signaling, and it is possible to tell ASTERISK to qualify the phone, leaving the channel open, but when the RTP SESSION starts, if the first packet of the RTP session comes from the PHONE, then the firewall opens the port also in receive mode from the phone. But if the first packet comes from the ASTERISK box, then the firewall closes the port and the guy on the hook at the phone cannot hear anything while Asterisk is receiving the RTP stream.
> It would be optimal if it were possible (per SIP channel) to ask Asterisk to wait for the first RTP packet from the remote endpoint before starting the RTP stream; this can be a smart workaround for stateful firewalls that don't support the SIP protocol.
> This is the network topology I'm trying to describe:
>            
> +---------+     __________      +----------+   +--------+
> | ASTERISK|    (          )     | NATTING  |   | NATTED |
> |   BOX   +----+ INTERNET +-----+ FIREWALL +---+ PHONE  |
> |         |    (__________)     +----------+   +--------+
> +---------+
> Aip is the public address of the Asterisk BOX
> Bip is the public address of the natting firewall that NATs the remote SIP phone
> This is what tcpdump is actually telling me:
> Aip -> Bip : Request-Line: INVITE sip:roberto at Bip:1026 SIP/2.0
> Aip <- Bip : Status-Line: SIP/2.0 100 Trying
> Aip <- Bip : Status-Line: SIP/2.0 180 Ringing
> Aip <- Bip : Status-Line: SIP/2.0 200 OK
> Aip <- Bip : Request-Line: ACK sip:roberto at Bip:1026 SIP/2.0
> Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2265, Time=1260141040, Mark 	10104	7006
> Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2266, Time=1260141200 	10104	7006
> Aip <- Bip : ICMP Destination unreachable (Port unreachable)		10104	7006
> Aip <- Bip : ICMP Destination unreachable (Port unreachable)		10104	7006
> Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2267, Time=1260141360 	10104	7006
> Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2268, Time=1260141520 	10104	7006
> As you can see, the first two packets of the RTP stream came from Asterisk and were dropped at the firewall. This doesn't permit the RTP session to start up from Asterisk to the remote phone, even after the first packet coming from the phone....
> I tried manually to accomplish what I'm saying using iptables:
> from the ASTERISK box where I have rtpstart=10000 and rtpend=20000 in rtp.conf:
> iptables -I OUTPUT 1 -p udp --sport 10000:20000 -d Bip -j DROP; sleep 10; iptables -D OUTPUT 1
> then I call from the Asterisk box to the remote phone; after 10 seconds, the remote phone can correctly hear me (and of course I can hear it)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
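
The behaviour requested in the quoted report (hold outbound RTP until the remote endpoint has sent its first packet), as an added example that is not part of the original message and is not Asterisk code. The firewall class models only what the reporter observed, and every class and function name here is hypothetical; the 10-second fallback is chosen to match the `sleep 10` in the reporter's iptables test.

```python
# Added illustration; class and function names are hypothetical, not Asterisk APIs.

class ObservedFirewall:
    """Firewall modelled on the report's observation (an assumption): the
    direction of the first RTP packet decides whether the flow is passed."""
    def __init__(self):
        self.first_from = None                 # "phone" or "asterisk"

    def from_phone(self):
        self.first_from = self.first_from or "phone"
        return True                            # traffic leaving the NAT always passes

    def from_asterisk(self):
        self.first_from = self.first_from or "asterisk"
        return self.first_from == "phone"      # False: ICMP port unreachable


class RtpSendGate:
    """Hold outbound RTP until the peer sends, or until max_wait_ms expires."""
    def __init__(self, max_wait_ms=10000):
        self.max_wait_ms = max_wait_ms
        self.started_ms = None
        self.is_open = False

    def on_inbound(self):
        self.is_open = True                    # peer has opened the pinhole

    def may_send(self, now_ms):
        if self.started_ms is None:
            self.started_ms = now_ms           # clock starts at first send attempt
        if now_ms - self.started_ms >= self.max_wait_ms:
            self.is_open = True                # fallback: stop waiting for the peer
        return self.is_open


def simulate(gated, phone_start_ms=40, frames=10, ptime_ms=20):
    """Return how many Asterisk frames reach the phone (constructed timings)."""
    fw, gate, delivered = ObservedFirewall(), RtpSendGate(), 0
    for now_ms in range(0, frames * ptime_ms, ptime_ms):
        if now_ms >= phone_start_ms and fw.from_phone():
            gate.on_inbound()                  # first phone packet arrives at 40 ms
        if (not gated or gate.may_send(now_ms)) and fw.from_asterisk():
            delivered += 1
    return delivered


if __name__ == "__main__":
    print("ungated:", simulate(gated=False))
    print("gated:  ", simulate(gated=True))
```

The timeout matters when the remote phone never sends first: without it, a gated channel would stay silent for the whole call.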


