VoIP Mailing List Archives - Mailing list archives for the VoIP community
Author: draythw at gmail.com (Guest)
Posted: Thu Jul 24, 2014 5:12 pm
Post subject: [asterisk-users] TLS/TCP behind NAT; Signaling issues with o
Issue is what the subject says. Here is the background.
Version: 11.11.0
Topology: Asterisk box at our data center behind a Cisco firewall. Everything works fine from remote offices over a VPN. The issue is that the sales team would like to connect to our Asterisk box remotely (offnet). Common enough solution, I'm guessing.
So, I've opened all the correct holes on the firewall and hammered out inspection with Cisco. UDP transport works like a champ, but obviously we are sending SIP across as clear text when they are on wireless outside the office. I know TLS/SRTP isn't completely secure, but we can file it as "good enough" for now.
I've tested this out by using my softphone (Bria 4) on a non-company wireless network and captured packets via Wireshark, and have pinpointed the issue, but I'm not sure how to circumvent it.
I started with TLS, but set transport to TCP as the issue is similar on each, and TCP shows what I am going to bet is also the issue with TLS. Here is a breakdown:
1. Softphone registers fine.
2. Can place a call fine. Media works fine (used the media_address=<public_ip> setting to resolve this, btw).
3. When I go to disconnect/transfer/place the call on hold from the softphone, pretty much anything that requires signaling, my packet captures reveal that I'm trying to do this using the private IP of my Asterisk box (NAT, again, is on the firewall at the data center), and I get TCP retransmissions. So the fact that it isn't working makes sense, because my local box doesn't know how to get to a private IP address.
I've tried using externaddr in sip.conf to no avail. Is there some setting I'm missing? Obviously if I put an interface with a public IP on the outside I'd bet that would resolve this problem, but I sort of like having that guy behind a hardware firewall.
I'm to the point of telling them to fire up a VPN and be done with it, but all the same I am curious if there is a way with TCP/TLS transport to fix this because, well, I'm curious.
Thanks in advance for looking at this!
DH
Author: draythw at gmail.com (Guest)
Posted: Thu Jul 24, 2014 5:37 pm
Post subject: [asterisk-users] TLS/TCP behind NAT; Signaling issues with o
Just found the solution, in case someone down the line stumbles across this. externaddr only works with localnet defined in sip.conf.
Again, I was simply misled because UDP was working but TCP was not.
This also resolved the issue with TLS, which makes sense.
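The fix in the thread is a one-line config dependency that is easy to miss: chan_sip only rewrites the advertised address to externaddr for peers that fall outside a localnet, so externaddr on its own changes nothing. The script below is an added example (not from the thread or the Asterisk project) that lints a sip.conf [general] section for that mistake. The two sip.conf fragments are constructed; the option names (externaddr, externhost, localnet, nat, tcpenable, tlsenable, tlsbindaddr, tlscertfile) are real chan_sip options, while the address values, file path and the lint rules themselves are my own. 203.0.113.10 is a documentation address standing in for the data-center public IP.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sip.conf fragments (assumed, not the poster's real file).
# BROKEN reproduces the thread's situation: externaddr set, no localnet.
BROKEN_SIP_CONF = """
[general]
context=default
externaddr=203.0.113.10          ; public side of the NAT firewall
nat=force_rport,comedia
tcpenable=yes
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
"""

# FIXED adds localnet so Asterisk knows which peers are "inside" and which
# need the external address in Contact/Via on TCP and TLS as well as UDP.
FIXED_SIP_CONF = """
[general]
context=default
externaddr=203.0.113.10
localnet=10.10.0.0/255.255.0.0   ; data-center LAN where Asterisk sits
localnet=192.168.0.0/255.255.0.0 ; office/VPN ranges, also "inside"
nat=force_rport,comedia
tcpenable=yes
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
"""

Section = Dict[str, List[str]]

# RFC 1918 plus the CGNAT range: an externaddr in any of these cannot be
# the public side of the NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_asterisk_conf(text: str) -> Dict[str, Section]:
    """Minimal parser for Asterisk's ini-style files: [section] headers,
    key=value or key=>value lines, ';' comments. Every value of a repeated
    key is kept, because localnet is legitimately given once per subnet."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        kv = re.match(r"^([\w-]+)\s*=>?\s*(.*)$", line)
        if kv and current is not None:
            sections[current].setdefault(kv.group(1).lower(), []).append(kv.group(2).strip())
    return sections


def _is_private_ip(addr: str) -> bool:
    """externaddr may carry a :port suffix; hostnames are not checked here."""
    host = addr.split(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def lint_general(conf: Dict[str, Section]) -> List[str]:
    """Return human-readable findings for the NAT-related settings."""
    g = conf.get("general", {})
    findings: List[str] = []
    extern = g.get("externaddr", []) + g.get("externhost", [])
    if extern and "localnet" not in g:
        findings.append(
            "externaddr/externhost set without localnet: chan_sip only substitutes "
            "the external address for peers outside a localnet, so TCP/TLS signaling "
            "keeps advertising the private IP")
    for a in g.get("externaddr", []):
        if _is_private_ip(a):
            findings.append(f"externaddr={a} is a private address, not the public side of the NAT")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SIP_CONF), ("fixed", FIXED_SIP_CONF)):
        print(name, lint_general(parse_asterisk_conf(text)) or ["ok"])
```

Running it reports the missing localnet for the first fragment and nothing for the second. The poster's symptom (registration and media fine, in-dialog requests sent to the private IP and retransmitted) is exactly what the first finding describes; UDP masked it because the softphone's requests were being answered via rport/comedia rather than via the advertised Contact.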