[asterisk-users] Outgoing Calls Only -- Firewall Rules

Nicholas Blasgen nicholas at refractivedialer.com
Tue Jan 5 22:48:16 CST 2010


Asterisk 1.4.29 or so.

access-list _dmz_acl extended permit udp 10.129.42.0 255.255.255.0 any range 10000 20000
access-list _dmz_acl extended permit udp 10.129.42.0 255.255.255.0 any eq 5060

But yes, all your feedback worked.  I didn't need to port-forward any
incoming ports, only 5060/10000-20000 for outgoing UDP.  The only issue I'm
now having is:

<--- SIP read from 66.227.100.20:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 209.34.93.68:5060;branch=z9hG4bK3eb38bde;rport=51566
....
Warning: 392 66.227.100.20:5060 "Noisy feedback tells:  pid=9611
req_src_ip=209.34.93.68 req_src_port=51566 in_uri=sip:sip.jnctn.netout_uri=sip:
sip.jnctn.net via_cnt==1"

209.34.93.68 is my IP, 209.34.93.68 is Junction Networks (for this
example).  I also get it from my backbone providers as well so it's likely
something to do with that 51566 req_src_port thing.  Any idea what this is
and how to configure it to a restricted range of IP addresses?

Nicholas Blasgen
Partner / Network Operations
Refractive Dialer LLC
(724) 252-7436


On Sun, Jan 3, 2010 at 8:29 PM, Max McGraw <max.mcgraw at gmail.com> wrote:

>  Nicholas,
>
>  you haven't specified which version, which does make
>  a lot of difference.
>
>  1.6.x  can easily traverse NAT. If you are only making
>  outbound calls, you shouldn't need to forward 5060.
>
>  Unless you have a special NAT that is blocking
>  outbound connections, the  SIP.conf  settings below
>  should work whether your provider uses SIP
>  registrations or not. My codec related settings may
>  not be applicable to your installation :
>
>  ; -------------------------------------
>  [general]
>  dtmfmode=rfc2833
>  relaxdtmf=yes
>  bandwidth=high
>  disallow=all
>  allow=ulaw
>  ;
>  ;   NAT stuff
>  ;
>  localnet=192.168.x.0/255.255.255.0
>  externip=a.b.c.d:5060
>  nat=yes
>  ;
>  ;   Media stuff
>  ;
>  canreinvite=no
>  ;
>  ;
>  [your-voip-provider-para]
>  ;
>  context=default
>  type=friend
>  ;
>  ;  your provider's outbound gateway
>  ;
>  host=w.x.y.z
>  ;
>  dtmfmode=rfc2833
>  relaxdtmf=yes
>  disallow=all
>  allow=ulaw
>  ;
>  ; -------------------------------------
>
>
>  On Sun, Jan 3, 2010,   Nicholas Blasgen    wrote:
>
> > I'm trying to move my Asterisk deployments under a Virtual IP address and
> > now remember why I dislike this.  My primary Asterisk system is now behind a
> > firewall in private address space.  My question is what ports are needed to
> > be opened just for the purpose of placing outgoing calls.  I would have
> > assumed none, but I can't even get replies on registration from any of my 3
> > VoIP providers.  I tried defining the External IP and some other stuff, but
> > I assume it's fully an issue with the firewall.  Do I really need 5060 port
> > forwarded just to register with remote hosts?
> >
> > Nicholas Blasgen
> > Partner / Network Operations
> > Refractive Dialer LLC
> > (724) 252-7436
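
Added example (not part of the original thread): a Python sketch that parses the headers visible in the trace above and compares the Via sent-by port with the rport value (RFC 3581), which carries the source port the responder saw the request arrive from. The function names are hypothetical, the sample is built from the trace with mail line wraps joined and the elided headers left out, and only IPv4 sent-by values are handled.

```python
import re

# Constructed sample: headers visible in the trace above, mail line wraps joined.
SAMPLE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 209.34.93.68:5060;branch=z9hG4bK3eb38bde;rport=51566\r\n"
    'Warning: 392 66.227.100.20:5060 "Noisy feedback tells:  pid=9611 '
    "req_src_ip=209.34.93.68 req_src_port=51566 "
    'in_uri=sip:sip.jnctn.netout_uri=sip:sip.jnctn.net via_cnt==1"\r\n'
    "\r\n"
)

def headers(msg):
    """Return (name, value) pairs, unfolding continuation lines."""
    out = []
    for line in msg.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        if line[0] in " \t" and out:        # folded header continues the previous one
            out[-1] = (out[-1][0], out[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            out.append((name.strip().lower(), value.strip()))
    return out

def parse_via(value):
    """Split a Via value into transport, sent-by host/port and parameters (IPv4 only)."""
    proto, rest = value.split(None, 1)
    sent_by, *params = [p.strip() for p in rest.split(";")]
    host, _, port = sent_by.partition(":")
    kv = dict(p.partition("=")[::2] for p in params)   # "rport" with no value -> ""
    return {"transport": proto.rsplit("/", 1)[-1], "host": host,
            "port": int(port or 5060), "params": kv}

def nat_view(msg):
    """Compare what was written into Via with what the far end reports seeing."""
    hdrs = headers(msg)
    via = parse_via(next(v for n, v in hdrs if n in ("via", "v")))
    seen_ip = via["params"].get("received", via["host"])
    seen_port = int(via["params"].get("rport") or via["port"])
    warn = next((v for n, v in hdrs if n == "warning"), "")
    debug = dict(re.findall(r"(req_src_ip|req_src_port)=([\d.]+)", warn))
    return {"sent_by": (via["host"], via["port"]),
            "seen_as": (seen_ip, seen_port),
            "port_rewritten": seen_port != via["port"],   # True when NAT/PAT changed it
            "warning_src": (debug.get("req_src_ip"), debug.get("req_src_port"))}
```

Run on the sample, `nat_view(SAMPLE)` reports a sent-by port of 5060 and a seen port of 51566, with the Warning text repeating the same source address and port.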