asterisk users - Jan 2010 - Asterisk 403 Forbidden message with port translation

Hello,

  -------------         --------          ---       --------
|Sip Softphone|-------|Internet|--------|F.W|-----|Asterisk|
  -------------         --------          ---       --------
          	          IP addresses: a.b.c.d    q.w.e.r

The SIP softphone(x-lite) is configured to register with the asterisk 
server through port 9090 (Domain q.w.e.r:9090).Firewall(F.W) is setup as 
the outbound proxy for the softphone(Outbound proxy a.b.c.d:9090). 
Authentication credentials for the softphone match the user registered 
in asterisk's sip.conf. F.W runs Kamailio and rtpproxy, with Kamailio 
listening on port 5060.

The asterisk server is setup to listen on port 5060.

The Firewall(F.W), uses a libnetfilter_queue based program to :

(a) Rewrite the destination port 9090 as 5060, and rewrite all other 
occurrences of 9090 as 5060 in the SIP message, for packets from the 
softphone to the asterisk server.

(b) Rewrite the source port 5060 as 9090, and rewrite all other 
occurrences of 5060 as 9090 in the SIP message, for packets from the 
asterisk server to the softphone.

The following exchange of SIP messages take place
-Sip softphone sends a REGISTER message to asterisk
-Asterisk responds with a 401 UNAUTHORIZED
-Sip softphone replies with a REGISTER message containing auth. info.
-Asterisk responds with a 403 FORBIDDEN : BAD AUTHORIZATION

The above setup works when the softphone uses port 5060, so there 
problem here does not have anything to do with Authorization credentials.

Is it possible i might be modifying parts of the packet that shouldn't 
be modified or i might not be modifying some relevant parts of the packet ?

Thanks in advance,
Vikram.

Hello,

I managed to get it working. Seems like i was overwriting fields used in 
computation of the digest response. Once i turn off authentication the 
call flow works perfectly. I will need to make necessary modifications 
to work with digest authentication.

As a next step i will be implementing encryption/decryption on the F.W 
server.

Thanks and Regards,
Vikram.


Vikram Ragukumar wrote:
> Hello,
> 
>  -------------         --------          ---       --------
> |Sip Softphone|-------|Internet|--------|F.W|-----|Asterisk|
>  -------------         --------          ---       --------
>                        IP addresses: a.b.c.d    q.w.e.r
> 
> The SIP softphone(x-lite) is configured to register with the asterisk 
> server through port 9090 (Domain q.w.e.r:9090).Firewall(F.W) is setup as 
> the outbound proxy for the softphone(Outbound proxy a.b.c.d:9090). 
> Authentication credentials for the softphone match the user registered 
> in asterisk's sip.conf. F.W runs Kamailio and rtpproxy, with Kamailio 
> listening on port 5060.
> 
> The asterisk server is setup to listen on port 5060.
> 
> The Firewall(F.W), uses a libnetfilter_queue based program to :
> 
> (a) Rewrite the destination port 9090 as 5060, and rewrite all other 
> occurrences of 9090 as 5060 in the SIP message, for packets from the 
> softphone to the asterisk server.
> 
> (b) Rewrite the source port 5060 as 9090, and rewrite all other 
> occurrences of 5060 as 9090 in the SIP message, for packets from the 
> asterisk server to the softphone.
> 
> The following exchange of SIP messages take place
> -Sip softphone sends a REGISTER message to asterisk
> -Asterisk responds with a 401 UNAUTHORIZED
> -Sip softphone replies with a REGISTER message containing auth. info.
> -Asterisk responds with a 403 FORBIDDEN : BAD AUTHORIZATION
> 
> The above setup works when the softphone uses port 5060, so there 
> problem here does not have anything to do with Authorization credentials.
> 
> Is it possible i might be modifying parts of the packet that shouldn't 
> be modified or i might not be modifying some relevant parts of the packet ?
> 
> Thanks in advance,
> Vikram.
> 
>