[asterisk-users] TLS/TCP behind NAT; Signaling issues with offnet phones

D.H. Williams draythw at gmail.com
Thu Jul 24 17:12:04 CDT 2014


Issue is what subject says.  Here is the background.

Version:  11.11.0
Topology:  Asterisk Box at our Data Center behind Cisco Firewall.
Everything works fine from remote offices over a VPN.  Issue is sales team
would like to connect up to our Asterisk box remotely (offnet).  Common
enough solution, I'm guessing.

So, I've opened all the correct holes on the firewall and hammered out
inspection with Cisco.  UDP transport works like a champ, but obviously we
are sending SIP across as clear text when they are on wireless outside the
office.  I know TLS/SRTP isn't completely secure, but we can file it as
"good enough" for now.

I've tested this out by using my softphone (Bria 4) on non-company wireless
network and captured packets via Wireshark and have pinpointed the issue,
but not sure how to circumvent it.

I started with TLS, but set transport to TCP as the issue is similar on
each and TCP shows what I am going to bet is also the issue with TLS.  Here
is a breakdown:

1.  Softphone registers fine.
2.  Can place a call fine.  Media works fine (used
media_address=<public_ip> command to resolve this, btw).
3.  When I go to disconnect/transfer/place the call on hold from softphone,
pretty much anything that requires signaling, my packet captures reveal
that I'm trying to do this using the private IP of my Asterisk box (NAT,
again, is on the firewall at data center), and I get TCP retransmissions.
So the fact it isn't working makes sense, because my local box doesn't
know how to get to a private IP address.

I've tried using externaddr in sip.conf to no avail.  Is there some command
I'm missing?  Obviously if I put an interface with a public IP on the
outside I'd bet that would resolve this problem, but sort of like having
that guy behind a hardware firewall :)

I'm to the point of telling them to fire up a VPN and be done with it, but
all the same I am curious if there is a way with tcp/tls transport to fix
this because, well, I'm curious.

Thanks in advance for looking at this!

DH
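
Added example, not part of the original post: a Python check for the symptom described in step 3. It scans a SIP message for RFC 1918 addresses in Contact/Record-Route (where the phone sends in-dialog requests such as BYE, a hold re-INVITE or REFER) and in the SDP c=/o= lines. The sample message, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Headers the remote phone uses to address in-dialog requests (RFC 3261);
# "m" is the compact form of Contact.
ROUTING_HEADERS = {"contact", "m", "record-route"}
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a 200 OK as an offnet softphone might see it when the
# server advertises its inside address. Every address here is made up.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 198.51.100.23:50412;branch=z9hG4bK-1;rport=50412\r\n"
    "Call-ID: constructed-example\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1002@10.1.20.5:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 203.0.113.10\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

def is_rfc1918(text):
    """True if text is an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def private_addresses(sip_message):
    """Return (location, address) pairs for private addresses that the far
    end would try to use for signaling or media."""
    head, _, body = sip_message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ROUTING_HEADERS:
            found += [(name.strip(), a) for a in IPV4.findall(value) if is_rfc1918(a)]
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):  # SDP connection and origin lines
            found += [("SDP " + line[:2], a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return found
```

On the sample, the SDP is clean (as after the media fix in step 2) while the Contact header still carries the inside address, which matches the retransmissions seen in the capture.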