I am trying to do a transparent proxy, with an Asterisk server behind a firewall that I have siproxd on. Now, instead of all the other ways mentioned here, I don't need outgoing SIP calls from Asterisk, but need a SIP phone to connect to my Asterisk from the outside in. Is it as easy as following one of the sample configs? I didn't really see one or couldn't piece one together that would work for me.
So, I have a Grandstream trying to connect as a client to my Asterisk server that is behind a NAT firewall running siproxd. As of right now, I cannot even get the phone to register with siproxd. I would love it if it is possible to do a pass-through registration to the Asterisk server, since it already has all the registration information for the clients. Is that possible? If not, maintaining a separate user list for registrations on the siproxd firewall is fine. Below is my config so far and what I am getting when trying to register the phone.
Also, for more info: shelby.dguard.com is the public IP, 192.168.10.183 is my Asterisk, which is on the inside network, and 192.168.10.1 is the siproxd firewall. My Grandstream trying to connect is behind its own NAT, but using STUN and connecting to the public IP (shelby.dguard.com) with no proxy server specified and the registration user/pass I use, which I duplicated in siproxd_passwd.cfg. Also, fxp0 is my outside and fxp1 is inside.
if_inbound = fxp0
if_outbound = fxp1
hosts_allow_reg = 0.0.0.0/0
sip_listen_port = 5060
daemonize = 0
silence_log = 0
log_calls = 1
user = nobody
registration_file = /usr/local/etc/siproxd_registrations
autosave_registrations = 300
pid_file = /var/run/siproxd/siproxd.pid
rtp_proxy_enable = 1
rtp_port_low = 7070
rtp_port_high = 7079
rtp_timeout = 300
rtp_dscp = 46
default_expires = 600
proxy_auth_realm = Authentication_Realm
proxy_auth_pwfile = /usr/local/etc/siproxd_passwd.cfg
debug_level = -1
debug_port = 0
outbound_proxy_host = 192.168.10.183
outbound_proxy_port = 5060
Here is the log:
22:19:03 sock.c:125 received UDP packet from 69.208.122.114, count=440
22:19:03 accessctl.c:53 deny list (SIP):*NULL*
22:19:03 accessctl.c:55 allow list (SIP):*NULL*
22:19:03 accessctl.c:57 allow list (REG):0.0.0.0/0
22:19:03 accessctl.c:154 [0] extracted address=0.0.0.0
22:19:03 accessctl.c:155 [0] extracted mask =0
22:19:03 utils.c:114 DNS lookup - from cache: 0.0.0.0 -> 0.0.0.0
22:19:03 accessctl.c:172 [0] (0x0) <-> (0x0)
22:19:03 accessctl.c:95 granted REG/SIP access
22:19:03 accessctl.c:102 access check =3
22:19:03 security.c:48 security_check_raw: size=440
22:19:03 siproxd.c:362 checking Max-Forwards (=70)
22:19:03 siproxd.c:408 received SIP type REQ:REGISTER
22:19:03 utils.c:114 DNS lookup - from cache: shelby.dguard.com -> 68.61.56.25
22:19:03 utils.c:322 fetching interface IP by INTERFACE [1]
22:19:03 utils.c:379 cleaning ifaddr cache (entry 0)
22:19:03 utils.c:379 cleaning ifaddr cache (entry 1)
22:19:03 utils.c:432 get_ip_by_ifname: if fxp0 has IP:68.61.56.25 (flags=ffff8843) UP
22:19:03 utils.c:452 ifname lookup - store into cache, entry 0)
22:19:03 utils.c:322 fetching interface IP by INTERFACE [0]
22:19:03 utils.c:432 get_ip_by_ifname: if fxp1 has IP:192.168.10.1 (flags=ffff8843) UP
22:19:03 utils.c:452 ifname lookup - store into cache, entry 1)
22:19:03 auth.c:72 proxy-auth required, not supplied by UA
22:19:03 register.c:204 proxy authentication needed for Ian@shelby.dguard.com
22:19:03 auth.c:138 created nonce=""429d2927000921560ff6d5df3f54bc7e""
22:19:03 auth.c:117 added authentication header
22:19:03 sock.c:164 send UDP packet to 69.208.122.114: 54159
22:19:03 siproxd.c:269 going into sipsock_wait
22:19:05 register.c:474 sip_agemap, t=1117595945
22:19:07 register.c:474 sip_agemap, t=1117595947
22:19:09 register.c:474 sip_agemap, t=1117595949
This is exactly the reverse of what siproxd actually can do. Siproxd can proxy UAs (clients) sitting behind a NAT firewall, but not servers.
Have you tried to play with Asterisk's NAT traversal capabilities (starting with 1.0.7, I think) and port forwarding on the NAT device?
/Thomas
Yes, I have actually. I can get the client to connect to the server when 5060 UDP is forwarded, and I specified the block of RTP UDP ports to use, 10000-10010, and forwarded those, but it doesn't work. I can register just fine and make a call, but the RTP media stream is lost.
I haven't looked at the packets, but I noticed it does work when I create a VPN between the server and client (so I assume the RTP is still using the internal IPs).
I guess I would have to rewrite the RTP packet going out with the outside IP? Anyone have any success port forwarding to an Asterisk server through a NAT?
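A way to test the assumption in the last reply that the media description still carries the inside address, as an added example that is not part of the original thread: it reads the SDP body of a SIP message and reports a private connection address or an RTP port outside the forwarded range. The sample message is constructed; the public address and the 10000-10010 range are the ones quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a 200 OK as a server behind NAT might send it (not captured from the thread).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 69.208.122.114:54159;branch=z9hG4bKexample\r\n"
    "Contact: <sip:Ian@192.168.10.183:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.10.183\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.10.183\r\n"
    "t=0 0\r\n"
    "m=audio 10004 RTP/AVP 0\r\n"
)

def parse_sdp_media(message):
    """Return [(media, ip, port)] for each m= line in the SDP body of a SIP message."""
    _, _, body = message.partition("\r\n\r\n")
    session_ip, current, streams = None, None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2].split("/")[0]   # drop an optional /ttl suffix
            if current is None:
                session_ip = ip                  # session-level default
            else:
                current[1] = ip                  # media-level override
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            current = [media, session_ip, int(port.split("/")[0])]
            streams.append(current)
    return [tuple(s) for s in streams]

def audit(message, public_ip, fwd_low, fwd_high):
    """List reasons why RTP sent to the advertised address would not arrive."""
    findings = []
    for media, ip, port in parse_sdp_media(message):
        if ip is None:
            findings.append(f"{media}: no connection address")
            continue
        if ipaddress.ip_address(ip).is_private:
            findings.append(f"{media}: private address {ip} advertised")
        elif ip != public_ip:
            findings.append(f"{media}: address {ip} is not the public address {public_ip}")
        if not fwd_low <= port <= fwd_high:
            findings.append(f"{media}: port {port} outside forwarded range {fwd_low}-{fwd_high}")
    return findings
```

When the private-address finding appears, the server is advertising its inside address in SDP; Asterisk's `externip` and `localnet` options in sip.conf control which address it advertises to outside peers.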