Summary: ASTERISK-20528: Handling of natted User Agents behind stateful firewall without SIP support
Reporter: Diego Ercolani (dercol)
Labels:
Date Opened: 2012-10-07 13:29:41
Date Closed: 2012-10-10 14:17:31
Versions: 10.6.1
Frequency of Occurrence:
Environment: Public Asterisk Box, natted SIP phone behind Telco router (not SIP aware)
Attachments:
Description:
The SIP signaling for a call from the Asterisk box (AST) to a SIP phone (UA) ends with the classic sequence:

AST <----OK------- UA
AST ----ACK------> UA

The problem is at the RTP session when we have a phone behind a non-SIP-aware firewall.
In fact it is possible to tell Asterisk and the phone to use the same port for signaling, and then to tell Asterisk to qualify the phone, leaving the channel open. But when the RTP session starts: if the first packet of the RTP session comes from the phone, then the firewall opens the port in the receiving direction for the phone as well. But if the first packet comes from the Asterisk box, then the firewall closes the port and the person on the phone cannot hear anything, while Asterisk is receiving the RTP stream.

It would be optimal if it were possible (per SIP channel) to ask Asterisk to wait for the first RTP packet from the remote endpoint before starting its own RTP stream; this could be a smart workaround for stateful firewalls that don't support the SIP protocol.

This is the network topology I'm trying to describe:

+---------+     __________      +----------+   +--------+
| ASTERISK|    (          )     | NATTING  |   | NATTED |
|   BOX   +----+ INTERNET +-----+ FIREWALL +---+ PHONE  |
|         |    (__________)     +----------+   +--------+

Aip is the public address of the Asterisk box.
Bip is the public address of the NATting firewall that NATs the remote SIP phone.

This is what tcpdump is actually telling me:

Aip -> Bip : Request-Line: INVITE sip:roberto@Bip:1026 SIP/2.0
Aip <- Bip : Status-Line: SIP/2.0 100 Trying
Aip <- Bip : Status-Line: SIP/2.0 180 Ringing
Aip <- Bip : Status-Line: SIP/2.0 200 OK
Aip <- Bip : Request-Line: ACK sip:roberto@Bip:1026 SIP/2.0
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2265, Time=1260141040, Mark 10104 7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2266, Time=1260141200 10104 7006
Aip <- Bip : ICMP Destination unreachable (Port unreachable) 10104 7006
Aip <- Bip : ICMP Destination unreachable (Port unreachable) 10104 7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2267, Time=1260141360 10104 7006
Aip -> Bip : RTP PT=ITU-T G.711 PCMU, Seq=2268, Time=1260141520 10104 7006

As you can see, the first two packets of the RTP stream came from Asterisk and were dropped by the firewall. This doesn't permit the RTP session to start up from Asterisk to the remote phone, even after the first packet coming from the phone....

I tried manually to accomplish what I'm saying using iptables, from the Asterisk box, where I have rtpstart=10000 and rtpend=20000 in rtp.conf:

iptables -I OUTPUT 1 -p udp --sport 10000:20000 -d Bip -j DROP; sleep 10; iptables -D OUTPUT 1

Then I call from the Asterisk box to the remote phone, and after 10 seconds the remote phone can correctly hear me (and of course I can hear it).
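A small simulation of the behaviour described above, as an added example that is not code from the bug report or from Asterisk. It models a stateful, non-SIP-aware firewall that admits an inbound UDP flow only after the phone behind it has sent the first packet, and compares Asterisk's default of sending right after the ACK with the requested "wait for the remote endpoint's first RTP packet" option; hosts, ports and sequence numbers are constructed, NAT address rewriting is omitted, and the reporter's observation that the stream did not recover even after the phone began sending is not reproduced by this simplified model.

```python
# Added example, not from the bug report: a minimal model of a stateful,
# non-SIP-aware UDP firewall, used to show why the direction of the very
# first RTP packet decides whether the phone ever hears Asterisk, and how a
# "wait for the remote endpoint's first RTP packet" option would behave.
# Hosts/ports are constructed; NAT rewriting is omitted, the firewall only tracks which side opened each flow.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: tuple    # (host, port)
    dst: tuple    # (host, port)
    label: str    # e.g. "RTP seq=2265"

@dataclass
class StatefulFirewall:
    """Admits an inbound UDP flow only after the inside host opened it."""
    inside_host: str
    pinholes: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        if pkt.src[0] == self.inside_host:
            # Outbound traffic creates state keyed on the 4-tuple.
            self.pinholes.add((pkt.src, pkt.dst))
            self.log.append(f"OUT  {pkt.label}")
            return True
        # Inbound traffic passes only if the reverse flow already exists.
        if (pkt.dst, pkt.src) in self.pinholes:
            self.log.append(f"IN   {pkt.label}")
            return True
        self.log.append(f"DROP {pkt.label} -> ICMP port unreachable")
        return False

def simulate_call(asterisk_waits: bool) -> dict:
    ast = ("Aip", 10104)          # Asterisk RTP socket (constructed values)
    phone = ("PHONE", 7006)       # phone's RTP port as advertised in SDP
    fw = StatefulFirewall(inside_host="PHONE")
    ast_to_phone = phone_to_ast = 0
    # Default behaviour: Asterisk starts sending right after the ACK.
    if not asterisk_waits:
        for seq in (2265, 2266):
            ast_to_phone += fw.forward(Packet(ast, phone, f"RTP seq={seq}"))
    # The phone's own stream is the first outbound packet: it opens the pinhole.
    phone_to_ast += fw.forward(Packet(phone, ast, "RTP seq=1"))
    for seq in (2267, 2268):
        ast_to_phone += fw.forward(Packet(ast, phone, f"RTP seq={seq}"))
    dropped = sum(1 for line in fw.log if line.startswith("DROP"))
    return {"ast_to_phone": ast_to_phone, "phone_to_ast": phone_to_ast,
            "dropped": dropped, "log": fw.log}
```

Printing `simulate_call(asterisk_waits=False)["log"]` shows the two DROP lines that correspond to the ICMP port unreachable replies in the tcpdump above, while `asterisk_waits=True` yields no drops.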
Comments:
By: Rusty Newton (rnewton) 2012-10-10 14:17:31.778-0500

Thank you for looking through this issue and providing plenty of detail. However we are suspending this as there is no patch included.

Please see the Asterisk Issue Guidelines: https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines#AsteriskIssueGuidelines-Howtorequestafeature

The issue will remain suspended until you can provide a patch. At that point you can bring it up in the #asterisk-bugs channel, or on the asterisk-dev mailing list and it'll be re-opened for review.