SIP client accessing Asterisk via VPN

06-06-2011, 11:35 PM
Does anyone know the ports required to be forwarded for an external SIP client to connect to an Asterisk server behind a NAT router?

I can VPN into the network and access any of the SMB shares, can open the web UI for the router etc, so the VPN is working fine. But the SIP client cannot register with Asterisk.

Currently, I have port 1723 and 500 forwarded for VPN access. Also forwarded UDP 5060 and UDP 10000 - 20000 to the Asterisk Server.

Is there any configuration change on the Asterisk end to allow SIP client connecting in via VPN?

07-06-2011, 12:57 PM
If you're VPN'd in, then make sure it's going properly across the VPN.
You shouldn't need to forward ports if you're using a VPN.

You need port 5060 forwarded on the server-side, not the client side, if you're not going through a VPN.

Unless you're mucking around by locking it down via IP, then no, you shouldn't need to make any changes :)

07-06-2011, 01:09 PM
Does the VPN use a virtual IP range? If so, you will need to tell it about the private range, something like this:
localnet= as well as having a line like this: externip=
It depends on your PBX, but it often goes into sip.conf or a variant of that: sip_general.custom.conf or sip_nat.conf etc.

If the Asterisk box's default gateway is not also the same box as the VPN endpoint, then you might also need to put a static into the Asterisk box to tell it how to communicate with the VPN network.

Regarding ports, technically the whole range is:
UDP: 5060
The SIP RTP ports are dynamic and can be anything really; historically it was:
UDP 16384 - 53999, with Asterisk often using 10000 - 20000. You can make this whatever you like in rtp.conf: rtpstart=10000

Just make sure there are enough ports. You might also need to check the port with sip show peers to see if you need another SIP port open, particularly if you're blocking outbound traffic from the PBX back to the VPN.

Lastly, you might need to check the firewall if it has any built-in support for SIP; turning off SIP ALG, for instance, may be required.
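
The localnet/externip point from the last reply, as an added example that is not part of the original thread: a small check of whether a VPN client address falls inside any localnet entry in the [general] section of sip.conf. All addresses are constructed placeholders, the VPN pool 10.8.0.0/24 is hypothetical, and the matching is a simplified model of how Asterisk treats localnet.

```python
import ipaddress

# Constructed sample of a sip.conf [general] section; every address is a placeholder.
SAMPLE_SIP_CONF = """\
[general]
externip=203.0.113.10              ; public address of the NAT router
localnet=192.168.1.0/255.255.255.0 ; office LAN
"""

def parse_general(text):
    """Collect key -> [values] from the [general] section, dropping ';' comments."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings

def check_peer(conf_text, peer_ip):
    """Return (inside_localnet, externip) for one client address."""
    settings = parse_general(conf_text)
    peer = ipaddress.ip_address(peer_ip)
    # localnet accepts network/netmask or network/prefix; ip_network parses both.
    nets = [ipaddress.ip_network(v, strict=False) for v in settings.get("localnet", [])]
    inside = any(peer in net for net in nets)
    externip = settings.get("externip", [None])[-1]
    return inside, externip

if __name__ == "__main__":
    vpn_client = "10.8.0.6"  # constructed address from a hypothetical VPN pool
    for label, conf in (("as configured", SAMPLE_SIP_CONF),
                        ("with VPN pool added", SAMPLE_SIP_CONF + "localnet=10.8.0.0/24\n")):
        inside, externip = check_peer(conf, vpn_client)
        verdict = "treated as local" if inside else f"treated as outside NAT, externip {externip} applies"
        print(f"{label}: {vpn_client} {verdict}")
```

A VPN client reported as outside every localnet is the case the reply describes: Asterisk would present the public externip to a client that can only reach it over the private VPN range.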