asterisk users - Jan 2009 - sip peer permit/deny - Need some explanation

Hi all,

I tested with few Asterisk versions from 1.4.18 to 1.4.21, same result.

Here is the problem: I have a peer -which is peer AND user- setted up 
like this

[MyPeer]
;
type=peer
host=xxx.xxx.xxx.139
deny=0.0.0.0/0.0.0.0
permit=xxx.xxx.xxx.136/255.255.255.248 ;IP address from range 138 to 142
permit=yyy.yyy.yyy.yyy/255.255.255.255
context=from-MyPeer
dtfmode=auto
disallow=all
allow=ulaw,alaw
insecure=port,invite
nat=yes
canreinvite=no
call-limit=15
accountcode=MyPeer

On incoming calls, when the peer address is the one terminating with 
.139 everything is OK.

If I change the external IP from the peer *ON* the peer machine to let's 
say .140 (or any other permitted address from this peer), incoming calls 
are not recognized despite the deny/permit stanza. If I modify the host 
to .140 in my peer definition, it's again working normally.

Question is: why even by allowing in the permit stuff the allowed IPs 
from a peer, Asterisk does only accept calls from those peers if the 
peer machine has the IP address from the host definition in my peer sip.conf

Thanks for any hint.

-- 
Daniel

Administrator TOOTAI wrote:
> [MyPeer]
> host=xxx.xxx.xxx.139
> deny=0.0.0.0/0.0.0.0
> permit=xxx.xxx.xxx.136/255.255.255.248 ;IP address from range 138 to 142
> permit=yyy.yyy.yyy.yyy/255.255.255.255
> On incoming calls, when the peer address is the one terminating with 
> .139 everything is OK.
>
> If I change the external IP from the peer *ON* the peer machine to
let's
> say .140 (or any other permitted address from this peer), incoming calls 
> are not recognized despite the deny/permit stanza. If I modify the host 
> to .140 in my peer definition, it's again working normally.
>
> Question is: why even by allowing in the permit stuff the allowed IPs 
> from a peer, Asterisk does only accept calls from those peers if the 
> peer machine has the IP address from the host definition in my peer
sip.conf
>   
Since you are including a specific IP address in the host line, Asterisk 
will not accept calls from any other IP address.  If you want to accept 
calls from multiple IP addresses, you *must* set host to dynamic and 
then use the permit/deny lines to restrict calls accordingly.

Of course, since your sip peer is now set to "dynamic", it will now
need
to register with Asterisk.

Something like has been discussed a few day ago, i think you need to 
remove the hoststring and add username/password.

Right now asterisk may allow you request from the autorized IP ranges, 
but the authentification
of the request fail due to the invalid host. you need to switch to 
username/password authentification.

Administrator TOOTAI a ?crit :
> Hi all,
>
> I tested with few Asterisk versions from 1.4.18 to 1.4.21, same result.
>
> Here is the problem: I have a peer -which is peer AND user- setted up 
> like this
>
> [MyPeer]
> ;
> type=peer
> host=xxx.xxx.xxx.139
> deny=0.0.0.0/0.0.0.0
> permit=xxx.xxx.xxx.136/255.255.255.248 ;IP address from range 138 to 142
> permit=yyy.yyy.yyy.yyy/255.255.255.255
> context=from-MyPeer
> dtfmode=auto
> disallow=all
> allow=ulaw,alaw
> insecure=port,invite
> nat=yes
> canreinvite=no
> call-limit=15
> accountcode=MyPeer
>
> On incoming calls, when the peer address is the one terminating with 
> .139 everything is OK.
>
> If I change the external IP from the peer *ON* the peer machine to
let's
> say .140 (or any other permitted address from this peer), incoming calls 
> are not recognized despite the deny/permit stanza. If I modify the host 
> to .140 in my peer definition, it's again working normally.
>
> Question is: why even by allowing in the permit stuff the allowed IPs 
> from a peer, Asterisk does only accept calls from those peers if the 
> peer machine has the IP address from the host definition in my peer
sip.conf
>
> Thanks for any hint.
>