Asterisk Support Forum: technical support, how-to guides, troubleshooting, and general assistance, from beginner to seasoned pro. This is where to discuss Asterisk, the most powerful open source PBX.
May 25th, 2005, 07:01 AM | Junior Member | Join Date: May 2005 | Posts: 5
Simple Question regarding SIP and IAX + FWD

Installed Asterisk yesterday and had a good play with it, but due to my home network running NAT (well, PAT) and a Cisco 827 ADSL router I'm forced to connect to FWD via IAX.
My question is this: where a SIP call via FWD will send audio data direct from calling IP address to called IP address via RTP, if I use IAX, when someone calls my FWD number via SIP, does all traffic have to go through FWD to be "translated"?
Regarding the Cisco 827, it forces me to IAX as it won't let me redirect a port range inbound. As RTP needs ports 10000 to 20000 UDP directed to the Asterisk box for SIP, that's a lot of "ip nat inside source static udp" entries. The only way I can see to achieve this would be to inside source static the global address to my Asterisk box. But this opens all ports to the world and I'd rather not have my Asterisk box port scanned and script kiddie attacked. Anyone know a way around this?
May 25th, 2005, 07:32 AM | Senior Member | Join Date: Aug 2004 | Location: USA or Japan | Posts: 5,013
RE: Simple Question regarding SIP and IAX + FWD

As has been addressed here, you have stumbled upon a well-known limitation of Asterisk: the lack of a STUN client. Many people put their Asterisk servers in public and many, like I do, put the Asterisk in their router's DMZ.
I examine my system log regularly and find that attacks have been neither plentiful nor successful. The biggest thing you can do to help yourself is to put a strong password on root and any other usernames you have on your Asterisk box and to reduce the number of valid usernames to the fewest you can live with.
I find that in the course of a month there will be a few hundred access attempts promulgated by three or four different kiddies. They spend some time trying to get into root and then try "guest", "anonymous", some common given names and some other random dictionary words. Then they get tired and go away. Since they are script kiddies they don't generally return at all once abuse@Kiddie'sISP gets my email and log snippet.
By the way, I haven't seen any service impact from these attacks and have only learned about them by reading the log.
You are mostly right about how IAX works. Unlike SIP, which uses periodic re-registration to keep the SIP server informed as to the health and location of your SIP client, IAX keeps the control channel open all the time and sets up incoming calls by a call-back system. The IAX server sends the client a control packet with all the information necessary to "pick up the parked call". The router then treats this call as an outbound call and lets it through.

__________________
Please do not send technical questions via PM.
Please post all questions to the forum.
May 26th, 2005, 08:10 AM | Junior Member | Join Date: May 2005 | Posts: 5
Thanks! Things are making a lot more sense now. I've been spending a lot of time on Asterisk lately; I'm a fairly accomplished Cisco voice guy and, being a bit lazy, I was using Asterisk via AMP. AMP is great, but I'm one of those people who has to find out how everything works and I have now started using Asterisk via the conf files instead. It is of course a lot more to learn, but despite the fact that AMP is a very good tool, it doesn't have the power of the config files (nor, of course, the complexity).
I figured out, as you stated, that using IAX isn't the best thing to do with FWD if you are mainly getting calls from SIP clients, as the FWD system ends up being a media gateway between the SIP client and my Asterisk box. All traffic must then pass through the FWD servers, whereas with SIP the FWD server will hand off the connection to the two parties to talk directly. IAX works perfectly in a NAT'd environment for FWD; however, traffic from a SIP client in my home town in Oz would have to go to FWD in the US and back to me. I'd rather avoid the latency and save FWD some bandwidth.
The first thing I learnt from looking at the config files, and with help from Duanne at E164.org, is that 10000 to 20000 is just the Asterisk default for RTP ports. rtp.conf can be changed, and all you need is one port for each different call. If I only direct 10 ports inbound, things should work, hence not too much config on the router.
I'm still not sure how well that would work when someone calls me. I need to look into how the call setup works in SIP and how RTP ports are agreed, and do some testing. The Cisco 827 also has a nice feature where it will inspect SIP packets and change the IP address within the packets to reflect the outside global address, which is nice and could avoid some pitfalls with SIP in a NAT'd environment.
The trouble with sitting this Asterisk box in the DMZ is that it doesn't just run Asterisk. It's actually a 1.6GHz P4 laptop that has seen better days and runs a fair few other apps. Not a good idea on a PBX, but I'm running EAP-TLS on the wireless LAN and need RADIUS, for example.
May 26th, 2005, 03:55 PM | Senior Member | Join Date: Aug 2004 | Location: USA or Japan | Posts: 5,013
<chuckle>... It's not a real good idea to put your RADIUS server in the DMZ, is it?
There are some situations, like effecting a transfer or a 3-way conference, when you will need more than one RTP port per station. Some folks recommend four per service to be safe. Sipura devices default to 16384-16482. So, take your pick.
You might want to do a port scan on ports 1-10000 on your Asterisk box to see what ports it is listening on, in order to configure your router's port mapping feature. You will definitely need UDP 5060 plus whatever RTP ports you end up with. If you want to pass SSH, etc., you will need to open those ports, too.
You may also be better off dedicating a junk PC to the endeavour. I, for example, am happily running my Asterisk on Linux on a Pentium MMX 200 with 96MB RAM and a 3GB HDD.

__________________
Please do not send technical questions via PM.
Please post all questions to the forum.
June 3rd, 2005, 08:26 AM | Junior Member | Join Date: May 2005 | Posts: 5
Just thought I'd update this thread with a "fix" for Asterisk and NAT to FWD with my setup, and hopefully it will help someone else out.
I limited the ports for RTP to just 20 and have them redirected from outside to the * server; same goes for 5060. I had to upgrade to the 12.3T train of IOS for SIP inspection on the 827, as 12.3 didn't have that feature. The bonus of Cisco NAT inspection is that I do not have to have externip=xx.xx.xx.xx in my sip.conf, which is good because I have a dynamic IP address.
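The thread's conclusion is that the exposure problem shrinks to forwarding UDP 5060 plus a deliberately narrow RTP range from rtp.conf, and nothing else. The script below is an added example, not code from the thread or from the Asterisk project: it parses an rtp.conf fragment, estimates how many calls the range can carry (Asterisk hands each RTP session an even port with RTCP on the odd port above it, so `rtpstart` must be even), and compares the router's forward table against what Asterisk actually needs, reporting both missing ports and ports exposed without need. The rtp.conf text and the two forward tables are constructed sample data; the `streams_per_call` budget is an assumption that lets you reserve the extra sessions a transfer or 3-way call can consume, as the reply above suggests.

```python
"""Audit router UDP port forwards for a NAT'd Asterisk box (constructed example).

Asterisk behind NAT needs UDP 5060 for SIP signalling plus the RTP range set
in rtp.conf. Forwarding anything beyond that widens the attack surface for
no benefit, so this script reports both gaps and over-exposure.
"""
import configparser

SIP_PORT = 5060  # chan_sip default UDP signalling port

# Constructed rtp.conf: a 20-port range instead of the 10000-20000 default.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10000
rtpend=10019
"""


def parse_rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text after sanity checks.

    Asterisk allocates RTP on an even port and RTCP on the odd port directly
    above it, so the range must start on an even port and hold at least one
    such pair.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    start = cp.getint("general", "rtpstart")
    end = cp.getint("general", "rtpend")
    if start % 2:
        raise ValueError("rtpstart must be even (RTP even, RTCP odd)")
    if end < start + 1:
        raise ValueError("range must hold at least one RTP/RTCP pair")
    return start, end


def max_concurrent_calls(start, end, streams_per_call=1):
    """Number of calls the range can carry.

    streams_per_call (assumed parameter) budgets the extra RTP sessions a
    single call may consume during a transfer or three-way conference.
    """
    pairs = (end - start + 1) // 2
    return pairs // streams_per_call


def expand(ranges):
    """Turn [(lo, hi), ...] inclusive port ranges into a flat set of ports."""
    ports = set()
    for lo, hi in ranges:
        ports.update(range(lo, hi + 1))
    return ports


def audit_forwards(conf_text, forwarded_udp):
    """Compare the router's UDP forwards with what Asterisk needs.

    forwarded_udp: list of inclusive (lo, hi) UDP ranges the router sends to
    the Asterisk box. Returns sorted lists of ports still missing and ports
    forwarded without need.
    """
    start, end = parse_rtp_range(conf_text)
    needed = {SIP_PORT} | set(range(start, end + 1))
    forwarded = expand(forwarded_udp)
    return {
        "missing": sorted(needed - forwarded),
        "exposed": sorted(forwarded - needed),
    }


if __name__ == "__main__":
    # Constructed forward tables: one matching rtp.conf, one over-broad.
    tight = [(5060, 5060), (10000, 10019)]
    loose = [(22, 22), (5060, 5060), (10000, 10031)]
    print(max_concurrent_calls(10000, 10019), "calls, or",
          max_concurrent_calls(10000, 10019, streams_per_call=4),
          "with four streams budgeted per call")
    print("tight:", audit_forwards(SAMPLE_RTP_CONF, tight))
    print("loose:", audit_forwards(SAMPLE_RTP_CONF, loose))
```

Run against the "loose" table, the audit flags SSH (22) and the twelve RTP ports past `rtpend` as exposed without need, which is exactly the kind of creep the original poster wanted to avoid when rejecting the whole-host static NAT. If you later widen rtp.conf to budget for transfers, re-run the audit so the forward table grows by the same amount and no more.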