- Clavister cOS Core 10.x and up.
When NAT is applied to a SIP registration or session, routing information carried in the application headers is not translated by a conventional NAT router/firewall. The SIP ALG tracks this data and corrects it so that SIP works in a NAT environment. Besides acting as a NAT helper, the SIP ALG also provides security through actual SIP session tracking and internal route obfuscation (it changes the application field values to hide internal routing information).
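The following Python example is added here and is not Clavister code: it lists the address-bearing fields of a constructed INVITE from the PBX at 192.168.2.80 that a plain NAT router leaves untouched, then performs a simplified version of the fix-up, including the Content-Length update that changing the SDP body requires. The provider name, phone number and public address 203.0.113.7 are assumptions for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Header fields and SDP lines that carry addresses inside the SIP payload (long forms only).
FIELDS = ("via:", "contact:", "o=", "c=")

# Constructed sample: an INVITE from the PBX as it looks after a NAT router
# rewrote only the IP/UDP headers. All names and numbers are illustrative.
BODY = ("v=0\r\no=pbx 1 1 IN IP4 192.168.2.80\r\ns=call\r\n"
        "c=IN IP4 192.168.2.80\r\nt=0 0\r\nm=audio 10000 RTP/AVP 8\r\n")
SAMPLE_INVITE = (
    "INVITE sip:0701234567@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.80:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:100@sip.example.net>;tag=1\r\n"
    "To: <sip:0701234567@sip.example.net>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:100@192.168.2.80:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(BODY)}\r\n\r\n" + BODY)


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. "999.1.1.1" matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)


def private_addresses(message):
    """Return (field, address) pairs where the SIP payload exposes an RFC 1918 address."""
    hits = []
    for line in message.split("\r\n"):
        if line.lower().startswith(FIELDS):
            field = re.split(r"[:=]", line, maxsplit=1)[0]
            hits += [(field, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return hits


def rewrite(message, internal, external):
    """Simplified stand-in for an ALG fix-up: swap the address, then recompute Content-Length."""
    lines = [l.replace(internal, external) if l.lower().startswith(FIELDS) else l
             for l in message.split("\r\n")]
    head, _, body = "\r\n".join(lines).partition("\r\n\r\n")
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*", f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body
```

Running `private_addresses()` on a captured message from the outside interface is a quick way to see whether the payload still leaks internal addresses.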
Extension = Local client/phone
Please note that in this how-to all call setups, as well as all RTP, are routed through the PBX.
- All External->Internal calls are routed to the internal PBX, which then INVITEs the Internal extension.
- All Internal->External calls are initiated with an INVITE from an Internal extension to the local PBX, which then INVITEs the external party.
- All Internal->Internal calls are initiated with an INVITE from an Internal extension to the local PBX, which then INVITEs the second Internal extension.
Clavister cOS Core 10.x
Zoiper 3.6.25251 (Trial, buy for all features)
Clavister cOS Core configuration
1. NAT traffic to trunk provider
2. SAT traffic to local PBX
3. ALLOW traffic to local PBX
Objects-> ALG-> SIP ALG Config:
Add your extensions (Phones/Clients):
Applications->Extensions->Add an Extension (Follow the instructions on screen)
Add your Trunk (Phone Trunk link to the outside world):
Connectivity->Trunks->Add SIP Trunk:
uuuuxxxxxx = <area code u>:<number x>
SIP trunk Settings: Registration string:
It is a little bit tricky, but not impossible, to get both the provider PBX and the SIP ALG to accept any registration string option combo, so this is what I ended up with:
Everything from “PSTN (SIP trunk)” -> uuuuxxxxxx -> Extension 100
Here you can define a “Ring group” with several extensions as your destination as well.
Everything Matching XXXXXX (Random Test Pattern I used, don’t mind)
Everything Matching XXXXXXXXXX (Typical Swedish cell phone number)
Send out on trunk TeleTek.
Since we are using the ALG as a NAT traversal helper as well as a security mechanism, we turn off all NAT helpers in the Asterisk/FreePBX software: tell Asterisk that it should “never do NAT” and set the IP type to public (treat as public IP connection).
Zoiper Client settings
192.168.2.80 = PBX Internal/private IP
Keep in mind:
The SIP ALG is built for compatibility with IETF RFC 3261 devices (https://www.ietf.org/rfc/rfc3261.txt).
Using SIP features not in RFC 3261 will likely not be allowed and thus dropped by the ALG!
Turn off STUN!
Also keep in mind that your SIP traffic is neither encrypted nor secure from eavesdropping.
The ALG offers some protection by tracking sessions and trying to detect anomalies in the session message exchange, but this does not mean your voice data is safe: it is still sent in plain text and is easily decoded.
This can be partially alleviated for internal calls by having calls from branch offices to internal numbers travel via IPsec. But that is outside the scope of this how-to.
cOS Core CLI output / Troubleshooting:
If you have trouble, try the “sipalg -snoop=verbose” command to trace the issue.
SIPALG Registration Table for ALG: SIP
sipalg -registration show SIP
SNo : 001
AOR URI : sip:uuuuxxxxxx@<user>.teletek.se:5060
Dependent URI: sip:uuuuxxxxxx@<ROUTER_IP>:5060
Contact URI : sip:uuuuxxxxxx@<INTERNAL_PBX_IP>:5060
Binding URIs : sip:uuuuxxxxxx@22.214.171.124:20305
Life Time : 120 seconds