D.H. Williams
2014-Jul-24 22:12 UTC
[asterisk-users] TLS/TCP behind NAT; Signaling issues with offnet phones
Issue is what subject says. Here is the background.

Version: 11.11.0
Topology: Asterisk Box at our Data Center behind Cisco Firewall.

Everything works fine from remote offices over a VPN. Issue is sales team would like to connect up to our Asterisk box remotely (offnet). Common enough solution, I'm guessing.

So, I've opened all the correct holes on the firewall and hammered out inspection with Cisco. UDP transport works like a champ, but obviously we are sending SIP across as clear text when they are on wireless outside the office. I know TLS/SRTP isn't completely secure, but we can file it as "good enough" for now.

I've tested this out by using my softphone (Bria 4) on a non-company wireless network and captured packets via Wireshark and have pinpointed the issue, but not sure how to circumvent it.

I started with TLS, but set transport to TCP as the issue is similar on each and TCP shows what I am going to bet is also the issue with TLS. Here is a breakdown:

1. Softphone registers fine.
2. Can place a call fine. Media works fine (used media_address=<public_ip> command to resolve this, btw).
3. When I go to disconnect/transfer/place the call on hold from softphone, pretty much anything that requires signaling, my packet captures reveal that I'm trying to do this using the private IP of my Asterisk box (NAT, again, is on the firewall at the data center), and I get TCP retransmissions. So the fact it isn't working makes sense, because my local box doesn't know how to get to a private IP address.

I've tried using externaddr in sip.conf to no avail. Is there some command I'm missing? Obviously if I put an interface with a public IP on the outside I'd bet that would resolve this problem, but sort of like having that guy behind a hardware firewall :)

I'm to the point of telling them to fire up a VPN and be done with it, but all the same I am curious if there is a way with tcp/tls transport to fix this because, well, I'm curious.

Thanks in advance for looking at this!
DH
D.H. Williams
2014-Jul-24 22:36 UTC
[asterisk-users] TLS/TCP behind NAT; Signaling issues with offnet phones
Just found the solution in case someone down the line stumbles across this. externaddr only works with localnet defined in sip.conf. Again, was simply misled due to UDP working but TCP not working. This also resolved the issue with TLS, which makes sense.

On Thu, Jul 24, 2014 at 5:12 PM, D.H. Williams <draythw at gmail.com> wrote:
> [original message quoted above]

DH
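A sip.conf fragment illustrating the fix described in this thread (an added example, not configuration from the original posts): the "before" general section sets externaddr but no localnet, so chan_sip has no way to decide which peers sit outside the NAT and keeps advertising the box's private address in Via/Contact for TCP and TLS; the "after" adds localnet. The public address, private ranges and certificate path are constructed placeholders.

```ini
; ---- BEFORE (constructed): externaddr without localnet ----
; With no localnet, every peer is treated as "inside", so the offnet
; softphone receives the private IP in Via/Contact and its BYE,
; hold re-INVITE and REFER go to an unreachable address.
[general]
transport=udp,tcp,tls
tcpenable=yes
tcpbindaddr=0.0.0.0:5060
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; placeholder path
externaddr=203.0.113.10                       ; constructed public IP
media_address=203.0.113.10

; ---- AFTER (constructed): localnet added ----
[general]
transport=udp,tcp,tls
tcpenable=yes
tcpbindaddr=0.0.0.0:5060
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; placeholder path
externaddr=203.0.113.10                       ; constructed public IP
; public ports the firewall forwards, if they differ from the bind ports
externtcpport=5060
externtlsport=5061
media_address=203.0.113.10
; every private range reachable without NAT (data center + VPN sites);
; peers outside these ranges get externaddr in Via/Contact instead
localnet=10.0.0.0/255.0.0.0
localnet=172.16.0.0/255.240.0.0
localnet=192.168.0.0/255.255.0.0
; usual companions for NATed UDP peers; harmless for TCP/TLS peers
nat=force_rport,comedia

; constructed peer for the offnet softphone: TLS signaling, SRTP media
[sales-softphone]
type=friend
host=dynamic
transport=tls
encryption=yes
context=from-sales
```

After reloading chan_sip, a capture on the offnet side should show Via/Contact carrying 203.0.113.10 (the externaddr) rather than the private address, so the in-dialog requests reach the firewall.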