Right, didn't think about using the ITSP address instead of the Cisco
gateway address. I guess I'm just used to working with PSTN gateways.
Thanks for catching that one. Also wasn't aware of conntrack. Shows how much I work with iptables.

Try that same rule I posted earlier except use the address of your ITSP instead of the Cisco router. I've never tried to put a redirect in the INPUT chain but I suppose it doesn't hurt to try it that way. You may also need to do source port redirection as Mr. Varsanyi has indicated, if the ITSP is expecting SIP traffic from port 5060. I'm sure their SIP server will let you know if this is the case by either ignoring your SIP traffic or giving you nasty errors.

If you can't get the ITSP to divulge the IP address(es) of their servers then I think your luck has run out. I agree that you should seize any opportunity to find a new ITSP if ever possible, even if you manage to get this working.

Eric Varsanyi wrote:

FWIW using NAT rules in iptables is not exactly 'turning on the firewall', but you should be careful to unload the SIP NAT modules.

The other problem is I'd think you'd want that example rule below to apply to the IP of your ITSP (the -s field) rather than your Cisco, the source address of SIP traffic won't be from your local router. I'd also probably use the INPUT chain rather than the PREROUTING chain since this is ON the box, but they are both in the inbound path and you are not using this as a router so it really doesn't matter in this case.

If the ITSP cares about your source address being 5060 you'll also need an SNAT rule as the first packet may be from you to them and thus there won't be a conntrack entry for the outbound traffic.

I wouldn't recommend this as an 'easy' way to get this done, but if you read up on how iptables works, don't turn on the 'firewall' aspects (filtering), and be careful about the conntrack helper modules that are loaded (what folks here like to refer to as an ALG) you should be able to make it work.
The most likely subtle failure to debug would be affecting traffic internal to the box (sipXecs likes to bind internal connections to the external IP addresses rather than use localhost). If you can't keep the nat rule from messing with internal traffic (or you can't know the source IP address the ITSP will use) you could also add a 2nd IP address alias to the interface and do the natting on that (changing the IP address as well, and this time in the prerouting table). SipXecs seems pretty oblivious to additional interfaces that are not called 'eth0' from my internal testing (eth0 is hardcoded in several places) so this might work for you.

-Eric

On Feb 2, 2010, at 9:30 PM, Hiral Patel wrote:

Hi Tony,

Why would you not recommend enabling a firewall on sipX, is this not a supported configuration by sipX?

Regards,
Hiral Patel, Operations Manager
OnRelay
Elizabeth House | 39 York Road, London SE1 7NQ, UK | +44 (0) 2079028138 | [email protected] | www.onrelay.com

This electronic message transmission contains information from OnRelay, Ltd., that may be confidential or privileged. The information is intended solely for the recipient and use by any other party is not authorised. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information or any attachment, is prohibited. If you have received this electronic transmission in error, please notify us immediately by electronic mail ([email protected]) and delete this message, along with any attachments, from your computer. Registered in England No 04006093 | Registered Office 1st Floor, 236 Gray's Inn Road, London WC1X 8HL

-----Original Message-----
From: Tony Graziano
Sent: 03 February 2010 13:47
To: [email protected]
Cc: Hiral Patel; [email protected]
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

I would not turn a firewall on in sipx.
============================
Tony Graziano, Manager
Telephone: 434.984.8430
Fax: 434.984.8431
Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

----- Original Message -----
From: Josh Patten
To: Tony Graziano
Cc: [email protected]; [email protected]
Sent: Tue Feb 02 21:44:29 2010
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

I don't know how well that iptables scenario will work with remote workers. Do your remote workers come in on the same Cisco router as your SIP trunk(s)?

Josh Patten wrote:

You could probably use iptables (should already be installed on your sipX box) to accomplish this. Use webmin (http://www.webmin.com download and install the RPM) to set up iptables (networking->linux firewall->allow all traffic) and then try adding/replacing the following lines to the top of your /etc/sysconfig/iptables file:

________________________________
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp -s ip.addr.of.cisco --dport 5060 -j REDIRECT --to-ports 5080
COMMIT
________________________________

where ip.addr.of.cisco is the IP address of your cisco device

and restart iptables by running

    service iptables restart

to make sure this survives a restart, run

    chkconfig iptables on

Tony Graziano wrote:

Additionally the alg on the cisco might cause an issue. Again, I don't think you can get there from here.

----- Original Message -----
From: [email protected]
To: Hiral Patel; [email protected]; Tony Graziano; [email protected]
Cc: Dwayne Kee; Gabor Paller; [email protected]
Sent: Tue Feb 02 20:57:01 2010
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

That is outside of my skill set, but I was advised against attempting something similar when I ran into the issue. We translate 5060 to 5080 on traffic from the Verizon SBC. That has worked fine for us. They were not able to alter the port for a particular customer either.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Hiral Patel"
Date: Wed, 3 Feb 2010 01:46:12
To: [email protected]; [email protected]; Tony Graziano; [email protected]
Cc: Dwayne Kee; Gabor Paller; [email protected]
Subject: RE: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

Thanks for your input, and that is my option two - the Cisco router which terminates the SIP trunk has a feature called ALG (application level gateway) running to handle NAT from LAN to WAN.
I don't want to break that, I may test this and see what happens. Do you know if my original suggestion will work? If not why?

Hiral Patel, Operations Manager
OnRelay

-----Original Message-----
From: [email protected]
Sent: 03 February 2010 12:42
To: Hiral Patel; [email protected]; Tony Graziano; [email protected]
Cc: Dwayne Kee; Gabor Paller; [email protected]
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

If you have control of the LAN, can you add a router that can do a port translation? I had a similar issue.

-----Original Message-----
From: "Hiral Patel"
Date: Wed, 3 Feb 2010 01:37:16
To: Tony Graziano; [email protected]
Cc: Dwayne Kee; Gabor Paller; [email protected]
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

Hey Tony,

Thanks for replying so fast, I can not get a new ITSP unfortunately so I have to find a solution!
I should have mentioned that the SIP trunk I have is a dedicated WAN link into the Tier 1 Operator network. The network side is connected to an Acme Packet SBC (it's like a standard product they have, so they are not able to make a configuration change without months of planning and risk analysis). And sending port is definitely a no no anyway!

I have full control over the LAN but the problem is I can not change the incoming port from the trunk as mentioned. I would like to understand why my proposed solution will not work, can you please help with that? On paper it seems very straightforward, so from your input I will adjust my design systematically until I come to the perfect solution which fits my requirements.

Regards,
Hiral Patel, Operations Manager
OnRelay

-----Original Message-----
From: Tony Graziano
Sent: 03 February 2010 12:22
To: Hiral Patel; [email protected]
Cc: Dwayne Kee; Gabor Paller; [email protected]
Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

Your best option is to get a new itsp. Then use a real firewall, your hands are REALLY tied.
You would have to run 2 instances of sipxbridge with 2 different public ip addresses (one for remote users, the other for trunking). Since that means firewall changes you can't make, you are STUCK. Fire the ITSP, then the incapable firewall manager and get REAL replacements. Plainly said, you can't get there from here. Good luck.

----- Original Message -----
From: [email protected]
To: M. Ranganathan
Cc: Dwayne Kee; Gabor Paller; [email protected]
Sent: Tue Feb 02 20:16:01 2010
Subject: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?

Hello All,

Purpose: Need to enable SipXecs bridge to solve lack of REFER support on SIP trunk.

Problem:

1. SIP trunk provider has very strict rules about changing any configuration on any component that they manage. The SIP trunk comes with a Cisco 2801 router which is managed by the Operator and the port they signal on is 5060, this is a problem because all requests from the trunk are bypassing SipXecs bridge which listens on port 5080 therefore REFER can not be influenced.
2. SIP trunk Operator will not change port on trunk
3. SIP trunk Operator will not change config on Router, so I can not do any NAT as recommended here: http://sipx-wiki.calivia.com/index.php/SIP_Trunking_with_sipXecs:_Overview_and_Configuration#2._Configure_SipXbridge
4. Do not want to change SipXecs internal port to something else, sounds dangerous and messy
5. Do not want to try another sip trunk provider

My solution to the problem: (please provide feedback and answer my question below)

1. Configure two physical sipX components
   (a) sipXbridge (only) IP Add: 192.168.0.1 Port 5060
   (b) sipXpbx (proxy) IP add: 192.168.0.99 port 5060
2. Configure (b) sipXpbx with provider gateway address 123.123.123.234
3. Configure (b) sipXpbx with route under gateway config to SipXbridge (a) IP add: 192.168.0.1
4. Configure SipXbridge (a) to receive/send signalling from provider gateway and pass to/from (b) sipXpbx

Questions:

1. Will this solve my problems?
2. Is my suggestion possible?
3. If so, how do I configure sipXbridge?
4. If so, are there any drawbacks that you are aware of by implementing this design?

Your help would be much appreciated.

Regards
Hiral Patel, Operations Manager
OnRelay

-----Original Message-----
From: M. Ranganathan
Sent: 27 January 2010 05:20
To: Hiral Patel
Cc: [email protected]
Subject: Re: [sipx-users] How to map external 5060 to internal 5080

On Tue, Jan 26, 2010 at 12:41 PM, Hiral Patel wrote:

My SipXecs PBX is connected to an unauthenticated SIP trunk for which I need to enable SipXecs bridge to be able to work around the lack of REFER support on the SIP trunk. The SIP trunk sends to sipX on port 5060 therefore any incoming dialogue bypasses sipXbridge and hence outgoing signalling also are bypassing sipXbridge for the same dialogue.

What I would like to know is if it is possible to re-configure sipX so that sipXbridge listens on 5060 and sipX listens on 5080?

No you should not configure it this way. You should configure it as follows:

1. Allow sipx proxy server to continue to listen on port 5060.
2. Allow sipxbridge to continue to listen on port 5080 (both of these are defaults).
3. Set the public port in the sipxbridge configuration page to port 5060. See http://sipx-wiki.calivia.com/index.php/SIP_Trunking_with_sipXecs:_Overview_and_Configuration#2._Configure_SipXbridge
4. Map your NAT to send WAN packets arriving at 5060 to port 5080 on the host where sipxbridge is configured and vice versa.

Ranga

I understand there is a way to map external 5060 to internal 5080, but I am not sure how to do this, can anyone help?

Also, if the above is possible does it have any implications e.g. Ranga mentioned that remote worker may be affected?

Regards,
Hiral Patel, OnRelay

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
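
The port mapping discussed in this thread (inbound 5060 from the ITSP redirected to sipXbridge on 5080, plus the SNAT mentioned for the outbound source port, and a check for loaded SIP conntrack helpers), as an added example that is not code from any poster or from sipXecs. The function names are hypothetical and the two addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example, not from the thread. 203.0.113.10 (ITSP) and 192.0.2.5
# (sipXecs host) are constructed documentation addresses.

# Accept only dotted-quad IPv4, so a leftover placeholder such as
# "ip.addr.of.cisco" never reaches the generated rules.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Print an iptables-restore "*nat" table. $1 = ITSP address, $2 = local address.
sip_nat_rules() {
    if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then
        echo "usage: sip_nat_rules ITSP_IP LOCAL_IP" >&2
        return 2
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: only SIP from the ITSP moves from 5060 to sipXbridge on 5080;
# other sources still reach the proxy on 5060.
-A PREROUTING -s $1 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5080
# Outbound: sipXbridge traffic (source port 5080) leaves as port 5060, which
# covers the case where the first packet goes from this host to the ITSP.
-A POSTROUTING -d $1 -p udp -m udp --sport 5080 -j SNAT --to-source $2:5060
COMMIT
EOF
}

# List loaded SIP conntrack/NAT helper modules (the "ALG" the thread says to
# keep unloaded). $1 = modules listing, default /proc/modules.
loaded_sip_helpers() {
    awk '$1 ~ /^(nf|ip)_(conntrack|nat)_sip$/ { print $1 }' "${1:-/proc/modules}"
}

sip_nat_rules 203.0.113.10 192.0.2.5
if [ -r /proc/modules ]; then
    loaded_sip_helpers
fi
```

Check the output with `iptables-restore --test` before loading it; by default `iptables-restore` flushes the existing contents of the nat table it loads.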
