NAT TeleTek SIPtrunk using the Clavister SIP ALG

Siby
Posts: 5
Joined: 03 Sep 2010, 08:16
Location: Clavister HQ - Örnsköldsvik


Post by Siby » 17 Dec 2014, 11:42

This How-to applies to:
  • Clavister cOS Core 10.x and up.
Problem:

When doing NAT on a SIP registration/session there is routing information in the application-layer headers that a conventional NAT router/firewall does not translate. Using the SIP ALG this data can be tracked and corrected so it works in a NAT environment. The ALG is a NAT helper, but the SIP ALG also provides security through actual SIP session tracking and internal route obfuscation (it rewrites the application field values to hide internal routing information).
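To make the problem concrete, the following added example (written for this article; it is not Clavister's ALG code and only models what such an ALG does) takes a constructed INVITE as the internal PBX would send it to the trunk, lists every field still carrying an RFC 1918 address after plain NAT, and then applies the kind of rewrite a SIP ALG performs on the route-bearing fields (Via, Contact, SDP o= and c=) while recomputing Content-Length. The PBX address 192.168.2.80 is the one used in this how-to; the outside address 203.0.113.10 and the trunk hostname sip4.example are assumptions.

```python
"""Added example for this article (not Clavister's ALG code): find the private
addresses that a plain NAT leaves inside SIP/SDP, and model the ALG rewrite."""
import ipaddress
import re

INTERNAL_PBX_IP = "192.168.2.80"  # PBX internal/private IP, as in the post
PUBLIC_IP = "203.0.113.10"        # assumed outside address of the NAT router

# Constructed sample: an INVITE as the internal PBX would emit it towards the
# trunk provider. Every address-bearing field holds the private PBX address;
# a plain NAT would translate only the IP header, not these lines.
SAMPLE_INVITE = (
    "INVITE sip:0701234567@sip4.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.80:5060;branch=z9hG4bK-1;rport\r\n"
    "From: <sip:1000@192.168.2.80>;tag=abc\r\n"
    "To: <sip:0701234567@sip4.example>\r\n"
    "Contact: <sip:1000@192.168.2.80:5060>\r\n"
    "Call-ID: 1234@192.168.2.80\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 90\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.2.80\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.2.80\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# RFC 1918 space: what "internal routing information" means for this site.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Fields whose addresses steer signalling (Via, Contact) or media (SDP o=, c=).
ROUTING_HEADERS = {"via", "contact"}
ROUTING_SDP_KEYS = {"o", "c"}


def split_message(msg):
    """Return (header lines, SDP body) of a SIP message (CRLF-separated)."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_private_addresses(msg):
    """Return (field, ip) pairs for every RFC 1918 address in headers or SDP."""
    head, body = split_message(msg)
    hits = []
    for line in head[1:]:                      # skip the request line
        name, _, value = line.partition(":")
        hits += [(name.strip(), ip) for ip in IPV4_RE.findall(value) if is_private(ip)]
    for line in body.split("\r\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            hits += [(key, ip) for ip in IPV4_RE.findall(value) if is_private(ip)]
    return hits


def alg_rewrite(msg, internal_ip, public_ip):
    """Simplified ALG: rewrite route-bearing fields and fix Content-Length."""
    head, body = split_message(msg)
    new_head = [head[0]]
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            continue                           # recomputed below
        if name.strip().lower() in ROUTING_HEADERS:
            value = value.replace(internal_ip, public_ip)
        new_head.append(f"{name}:{value}")
    new_body_lines = []
    for line in body.split("\r\n"):
        if line.split("=", 1)[0] in ROUTING_SDP_KEYS:
            line = line.replace(internal_ip, public_ip)
        new_body_lines.append(line)
    new_body = "\r\n".join(new_body_lines)
    # Content-Length must describe the rewritten body (RFC 3261 section 20.14).
    new_head.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print("private addresses before ALG:", find_private_addresses(SAMPLE_INVITE))
    rewritten = alg_rewrite(SAMPLE_INVITE, INTERNAL_PBX_IP, PUBLIC_IP)
    print(rewritten)
    print("private addresses after ALG :", find_private_addresses(rewritten))
```

Run against the sample, the check finds six leaking fields before the rewrite; after it, only From and Call-ID still carry the private address, which is exactly the gap a route-obfuscating ALG closes beyond the minimum needed to make NAT work. The same leak check is useful on a capture taken on the outside interface: any RFC 1918 address still visible there means the ALG is not in the path for that flow.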

Solution:

Extension = Local client/phone

Please note that in this How-to all call setups as well as all RTP are routed through the PBX.
  • All External->Internal calls are routed to the internal PBX, which then INVITEs the internal extension.
  • All Internal->External calls are initiated with an INVITE from an internal extension to the local PBX, which then INVITEs the external party.
  • All Internal->Internal calls are initiated with an INVITE from an internal extension to the local PBX, which then INVITEs the second internal extension.
[Image: SIP.png]
Software:
Clavister cOS Core 10.x
FreePBX 2.11.0.38
Zoiper 3.6.25251 (Trial; buy for all features)


Clavister cOS Core configuration
Policies->Main:
1. NAT traffic to trunk provider
2. SAT traffic to local PBX
3. ALLOW traffic to local PBX
[Image: MAIN_SAT_ALLOW.png]

Objects-> ALG-> SIP ALG Config:
[Image: ALG_CFG.png]

Objects->Services->Sip-udp Service:
[Image: SIP_UDP_Service.png]

FreePBX Configurations
Add your extensions (Phones/Clients):
Applications->Extensions->Add an Extension (Follow the instructions on screen)
Add your Trunk (phone trunk link to the outside world):

Connectivity->Trunks->Add SIP Trunk :
uuuuxxxxxx = <area code u>:<number x>
[Image: SIPtrunk1_2.png]
SIP trunk Settings:
[Image: SIPtrunk2.png]
Registration string:
A little bit tricky but not impossible getting both the provider PBX and the SIP ALG to accept any registration string option combo, so this is what I ended up with:
uuuuxxxxxx@<user>.teletek.se:<password>:<user>.teletek.se@sip4.teletek.se/uuuuxxxxxx
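The registration string above follows the Asterisk chan_sip register syntax, user[@domain][:secret[:authuser]]@host[:port][/extension], and the parts are easy to misread when the same value appears twice (here the trunk number is both user and extension, and the account name is both domain and authuser). The following added example (written for this article, not FreePBX or Asterisk code) splits a register string into its parts and rebuilds it, so a string can be checked offline before it goes into the trunk settings. The post's placeholders are kept verbatim; the second sample string (tls transport, port 5061, expiry) is constructed.

```python
"""Added example (not FreePBX/Asterisk code): split an Asterisk chan_sip
register string into its parts and rebuild it, to check a trunk string."""
from dataclasses import dataclass
from typing import Optional

# chan_sip register syntax (sip.conf):
#   [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry]
# The string from the post, placeholders kept verbatim:
POST_REGISTER_STRING = (
    "uuuuxxxxxx@<user>.teletek.se:<password>:<user>.teletek.se"
    "@sip4.teletek.se/uuuuxxxxxx"
)


@dataclass
class RegisterString:
    user: str
    host: str
    domain: Optional[str] = None
    secret: Optional[str] = None
    authuser: Optional[str] = None
    port: Optional[int] = None
    extension: Optional[str] = None
    expiry: Optional[int] = None
    transport: Optional[str] = None
    peer: Optional[str] = None


def parse_register(text: str) -> RegisterString:
    """Split on the LAST '@' to separate credentials from the host, then peel
    the optional parts off each side. Because ':' and '@' are separators, a
    secret containing either cannot be expressed in this syntax."""
    s = text.strip()
    peer = transport = None
    if "?" in s:
        peer, s = s.split("?", 1)
    if "://" in s:
        transport, s = s.split("://", 1)
    expiry = None
    if "~" in s:
        s, exp = s.rsplit("~", 1)
        expiry = int(exp)
    creds, sep, hostpart = s.rpartition("@")
    if not sep:
        raise ValueError("register string needs an '@host' part")
    extension = None
    if "/" in hostpart:
        hostpart, extension = hostpart.split("/", 1)
    host, _, port_s = hostpart.partition(":")
    port = int(port_s) if port_s else None
    userdomain, _, rest = creds.partition(":")
    secret = authuser = None
    if rest:
        secret, _, authuser = rest.partition(":")
        authuser = authuser or None
    user, _, domain = userdomain.partition("@")
    return RegisterString(user, host, domain or None, secret, authuser,
                          port, extension, expiry, transport, peer)


def render_register(r: RegisterString) -> str:
    """Rebuild the string; parse -> render round-trips unchanged."""
    out = f"{r.peer}?" if r.peer else ""
    if r.transport:
        out += f"{r.transport}://"
    out += r.user
    if r.domain:
        out += f"@{r.domain}"
    if r.secret is not None:
        out += f":{r.secret}"
        if r.authuser:
            out += f":{r.authuser}"
    out += f"@{r.host}"
    if r.port:
        out += f":{r.port}"
    if r.extension:
        out += f"/{r.extension}"
    if r.expiry:
        out += f"~{r.expiry}"
    return out


if __name__ == "__main__":
    parsed = parse_register(POST_REGISTER_STRING)
    for field, value in vars(parsed).items():
        print(f"{field:10}: {value}")
    assert render_register(parsed) == POST_REGISTER_STRING
```

The parse shows that the provider sees the REGISTER From/To user as the trunk number, authenticates with the account name as authuser, and that inbound calls land on the /extension part, which is why the inbound route below matches on the same number.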

Inbound route:
Everything from “PSTN (SIP trunk)” -> uuuuxxxxxx -> Extension 100
Here you can define a “Ring group” with several extensions as your destination as well.
[Image: ROUTE_IN_2.png]
Outbound Route:
Everything matching XXXXXX (random test pattern I used, don't mind it)
Everything matching XXXXXXXXXX (typical Swedish cell phone number)
Send out on trunk TeleTek.
[Image: ROUTE_OUT_2.png]
NAT SETTINGS:
Since we are using the ALG as a NAT traversal helper as well as a security mechanism, we turn off all NAT helpers in the Asterisk/FreePBX software: we tell Asterisk to "never do NAT" and set the IP type to public (treat as a public IP connection). Two devices rewriting the same headers would otherwise fight each other.
[Image: No_NAT.png]

Zoiper Client settings
[Image: Zoiper.png]
192.168.2.80 = PBX Internal/private IP

Additional notes:

Keep in mind:
The SIP ALG is built for compatibility with IETF RFC 3261 devices ( https://www.ietf.org/rfc/rfc3261.txt ).
SIP features not covered by RFC 3261 will likely not be allowed and will thus be dropped by the ALG!

Turn off STUN!

Also keep in mind that your SIP traffic is neither encrypted nor secure from eavesdropping.
The ALG protects somewhat against this by tracking sessions and trying to detect anomalies in the session message exchange, but this does not mean your voice data is safe (it is still sent in the clear and is easily decoded).

This can be partially alleviated for internal calls by having calls from branch offices to internal numbers travel via IPsec. But that is outside the scope of this how-to.

cOS Core CLI output / Troubleshooting:

If you have trouble, try the "sipalg -snoop=verbose" command to trace the issue. The registration table (below) shows the private and public URIs the ALG maintains for each registered AOR.

sipalg -registrations show SIP

SIPALG Registration Table for ALG: SIP
-----------------------------------------------------
SNo          : 001
AOR URI      : sip:uuuuxxxxxx@<user>.teletek.se:5060
Dependent URI: sip:uuuuxxxxxx@<ROUTER_IP>:5060
Contact URI  : sip:uuuuxxxxxx@<INTERNAL_PBX_IP>:5060
Binding URIs : sip:uuuuxxxxxx@176.10.249.67:20305
Life Time    : 120 seconds
-----------------------------------------------------
