[asterisk-users] Asterisk 403 Forbidden message with port translation

Vikram Ragukumar vragukumar at signalogic.com
Fri Jan 22 10:59:31 CST 2010 

Hello,

I managed to get it working. Seems like i was overwriting fields used in 
computation of the digest response. Once i turn off authentication the 
call flow works perfectly. I will need to make necessary modifications 
to work with digest authentication.

As a next step i will be implementing encryption/decryption on the F.W 
server.

Thanks and Regards,
Vikram.


Vikram Ragukumar wrote:
> Hello,
> 
>  -------------         --------          ---       --------
> |Sip Softphone|-------|Internet|--------|F.W|-----|Asterisk|
>  -------------         --------          ---       --------
>                        IP addresses: a.b.c.d    q.w.e.r
> 
> The SIP softphone(x-lite) is configured to register with the asterisk 
> server through port 9090 (Domain q.w.e.r:9090).Firewall(F.W) is setup as 
> the outbound proxy for the softphone(Outbound proxy a.b.c.d:9090). 
> Authentication credentials for the softphone match the user registered 
> in asterisk's sip.conf. F.W runs Kamailio and rtpproxy, with Kamailio 
> listening on port 5060.
> 
> The asterisk server is setup to listen on port 5060.
> 
> The Firewall(F.W), uses a libnetfilter_queue based program to :
> 
> (a) Rewrite the destination port 9090 as 5060, and rewrite all other 
> occurrences of 9090 as 5060 in the SIP message, for packets from the 
> softphone to the asterisk server.
> 
> (b) Rewrite the source port 5060 as 9090, and rewrite all other 
> occurrences of 5060 as 9090 in the SIP message, for packets from the 
> asterisk server to the softphone.
> 
> The following exchange of SIP messages take place
> -Sip softphone sends a REGISTER message to asterisk
> -Asterisk responds with a 401 UNAUTHORIZED
> -Sip softphone replies with a REGISTER message containing auth. info.
> -Asterisk responds with a 403 FORBIDDEN : BAD AUTHORIZATION
> 
> The above setup works when the softphone uses port 5060, so there 
> problem here does not have anything to do with Authorization credentials.
> 
> Is it possible i might be modifying parts of the packet that shouldn't 
> be modified or i might not be modifying some relevant parts of the packet ?
> 
> Thanks in advance,
> Vikram.
> 
>

More information about the asterisk-users mailing list