NAT TeleTek SIPtrunk using the Clavister SIP ALG

Security Gateway Articles and How to's
Location: Clavister HQ - Örnsköldsvik

Post by Siby » 17 Dec 2014, 11:42

This How-to applies to:
  • Clavister cOS Core 10.x and up.

When NATing a SIP registration or session, the application-layer headers carry routing information (addresses and ports) that a conventional NAT router/firewall does not translate. With the SIP ALG this data is tracked and rewritten so that it works in a NAT environment. The ALG is a NAT helper, but it also adds security: it tracks the actual SIP sessions and obfuscates internal routing by rewriting the application field values so that internal addressing is hidden.
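To make the above concrete, here is an added example (not Clavister's code, and not how cOS Core implements its ALG internally) that does the two things described: it rewrites the NAT-sensitive SIP headers and SDP address lines that a plain NAT router leaves untouched, and it records the registration binding (AOR, internal contact, public "dependent" contact, lifetime) the way the registration table later in this post presents it. The PBX address 192.168.1.10, the router address 203.0.113.5 and the provider domain are constructed sample values.

```python
import re

# Regex for RFC 1918 private addresses; the ALG rewrites these to the router's public IP.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
# Headers carrying routing addresses that a plain NAT router never touches.
NAT_HEADERS = ("via", "contact", "route", "record-route")
URI = re.compile(r"<?(sip:[^>;\s]+)")

def sip_alg_translate(msg: str, public_ip: str):
    """Rewrite NAT-sensitive SIP headers and SDP c=/o= lines to the public IP,
    and build the registration binding the ALG tracks for a REGISTER.
    Returns (translated_message, binding)."""
    out, binding, in_body = [], {}, False
    for line in msg.split("\r\n"):
        if in_body:
            if line.startswith(("c=", "o=")):  # SDP media/origin addresses
                line = PRIVATE_IP.sub(public_ip, line)
        elif line == "":
            in_body = True  # blank line separates headers from body
        else:
            name, _, value = line.partition(":")
            key = name.strip().lower()
            if key == "to":  # address-of-record being registered
                binding["aor"] = URI.search(value).group(1)
            elif key == "contact":
                binding["contact_uri"] = URI.search(value).group(1)  # internal side
                line = PRIVATE_IP.sub(public_ip, line)
                binding["dependent_uri"] = URI.search(line).group(1)  # public side
            elif key in NAT_HEADERS:
                line = PRIVATE_IP.sub(public_ip, line)
            elif key == "expires":
                binding["lifetime"] = int(value)
        out.append(line)
    return "\r\n".join(out), binding

# Constructed sample: REGISTER from the internal PBX 192.168.1.10 behind router 203.0.113.5.
REGISTER_SAMPLE = "\r\n".join([
    "REGISTER sip:sip.provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-1",
    "From: <sip:0123456789@sip.provider.example>;tag=a1",
    "To: <sip:0123456789@sip.provider.example>",
    "Contact: <sip:0123456789@192.168.1.10:5060>",
    "Expires: 120",
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    translated, binding = sip_alg_translate(REGISTER_SAMPLE, "203.0.113.5")
    print(translated, binding, sep="\n")
```

Running it shows that no private address survives in the translated message, which is the route obfuscation the post refers to, while the binding still maps the public contact back to the internal PBX.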


Extension = Local client/phone

Please note that in this How-to all call setups, as well as all RTP, are routed through the PBX:
  • All External->Internal calls are routed to the internal PBX, which then INVITEs the internal extension.
  • All Internal->External calls are initiated with an INVITE from an internal extension to the local PBX, which then INVITEs the external party.
  • All Internal->Internal calls are initiated with an INVITE from an internal extension to the local PBX, which then INVITEs the second internal extension.
[Image: SIP.png]
Clavister cOS Core 10.x
Zoiper 3.6.25251 (Trial; buy for all features)

Clavister cOS Core configuration
1. NAT traffic to trunk provider
2. SAT traffic to local PBX
3. ALLOW traffic to local PBX
[Image: MAIN_SAT_ALLOW.png]

Objects-> ALG-> SIP ALG Config:
[Image: ALG_CFG.png]

Objects->Services->Sip-udp Service:
[Image: SIP_UDP_Service.png]

FreePBX Configurations
Add your extensions (Phones/Clients):
Applications->Extensions->Add an Extension (Follow the instructions on screen)
Add your Trunk (the phone trunk linking to the outside world):

Connectivity->Trunks->Add SIP Trunk:
uuuuxxxxxx = <area code u>:<number x>
[Image: SIPtrunk1_2.png]
SIP trunk Settings:
[Image: SIPtrunk2.png]
Registration string:
A little bit tricky but not impossible to get both the provider PBX and the SIP ALG to accept a registration string option combo, so this is what I ended up with:

Inbound route:
Everything from “PSTN (SIP trunk)” -> uuuuxxxxxx -> Extension 100
Here you can define a “Ring group” with several extensions as your destination as well.
[Image: ROUTE_IN_2.png]
Outbound Route:
Everything matching XXXXXX (a random test pattern I used, don't mind it)
Everything Matching XXXXXXXXXX (Typical Swedish cell phone number)
Send out on trunk TeleTek.
[Image: ROUTE_OUT_2.png]
Since we use the ALG as the NAT traversal helper as well as a security mechanism, turn off all NAT helpers in the Asterisk/FreePBX software: tell Asterisk it should "never do NAT" and set the IP type to public (treat as a public IP connection).
[Image: No_NAT.png]

Zoiper Client settings
[Image: Zoiper.png] (address shown = PBX internal/private IP)

Additional notes:

Keep in mind:
The SIP ALG is built for compatibility with IETF RFC 3261 devices.
Using SIP features not in RFC 3261 will likely not be allowed and will thus be dropped by the ALG!

Turn off STUN!

Also keep in mind that your SIP traffic is neither encrypted nor secure from eavesdropping.
The ALG protects somewhat against this by tracking sessions and trying to detect anomalies in the session message exchange, but this does not mean your voice data is safe (it is still sent in plain text and easily decoded).

This can be partially alleviated for internal calls by having calls from branch offices to internal numbers travel via IPsec. But that is outside the scope of this how-to.

cOS Core CLI output / Troubleshooting:

If you have trouble, try the "sipalg -snoop=verbose" command to trace the issue.

sipalg -registrations show SIP

SIPALG Registration Table for ALG: SIP
SNo : 001
AOR URI : sip:uuuuxxxxxx@<user>
Dependent URI: sip:uuuuxxxxxx@<ROUTER_IP>:5060
Contact URI : sip:uuuuxxxxxx@<INTERNAL_PBX_IP>:5060
Binding URIs : sip:uuuuxxxxxx@
Life Time : 120 seconds
