Asterisk cluster behind kamailio natted to pubic IP, presenting internal ip addresses in From tag
Hi All
I'm scratching my head on this one, I have set everything up in the following configuration:
Public ip natted to DMZ via Cisco ASA 5510 <= DMZ => Kamailio & RTP Proxy <= Voice DMZ => Asterisk
My kamailio configuration is based heavily on the one found here: http://saevolgo.blogspot.co.uk/2013/08/rtpproxy-revisited-kamailio-40.html & http://saevolgo.blogspot.co.uk/2011/11/how-to-increasing-voip-services.html
So far everything is working fine, I can register via the public IP address, IM & presence is working, and as does audio, however when I dial an extension the caller id comes up like this 12345@172.16.15.123:5080mailto:12345@172.16.15.123:5080 which is the ip addresses of the asterisk server that the dispatcher has assigned to the call, I have tried setting the P-Asserted-Identity, P-Preferred-Identity & Remote-Party-ID headers to no effect. What I would like to achieve is that the public IP or domain name comes up when I call an extension. From examining the sip traffic traversing the kamailio box, it seems that the From and Contact headers sent by asterisk are the source of the internal implementation information reaching the end-user.
How can I prevent implementation information like this leaking out? I consider this to be a security risk as I don't want anyone to be able to enumerate the number of servers that comprise a given cluster as easily as placing a few calls, ideally I only want data relating to the public side of the network getting out. But I would be happy if it takes digging into the sip traffic to glean any details initially.
I'm getting the feeling that this could well be an asterisk configuration issue, so apologies if this is a little off topic, however I have been unable to find a similar configuration to try and achieve my desired results.
Tim.
On 08/28/2014 12:44 PM, Tim Chubb wrote:
Hi All
...snip...
So far everything is working fine, I can register via the public IP address, IM & presence is working, and as does audio, however when I dial an extension the caller id comes up like this 12345@172.16.15.123:5080 mailto:12345@172.16.15.123:5080 which is the ip addresses of the asterisk server that the dispatcher has assigned to the call, I have tried setting the P-Asserted-Identity, P-Preferred-Identity & Remote-Party-ID headers to no effect. What I would like to achieve is that the public IP or domain name comes up when I call an extension. From examining the sip traffic traversing the kamailio box, it seems that the From and Contact headers sent by asterisk are the source of the internal implementation information reaching the end-user.
.../snip...
*Tim.*
I'm assuming with the 5080 that this call goes through the Asterisk box before hitting the registered user on Kamailio... if that's correct, have you also forced a CALLERID(name) on the call?
A grep of the sip traffic would show if you have something perhaps removing this information before sending to the client.
Fred Posner The Palner Group, Inc. http://www.palner.com (web) +1-503-914-0999 (direct) +1-954-472-2896 (fax)
I'm assuming with the 5080 that this call goes through the Asterisk box before hitting the registered user on Kamailio... if that's correct, have you also forced a CALLERID(name) on the call?
A grep of the sip traffic would show if you have something perhaps removing this information before sending to the client.
Im using realtime and setting the caller id in the db i.e. I have an entry like "Test User 6" <50006> in the caller ID column. This explanation may clarify a bit more:
1) Test User 1 (50001) dials 50006 2) Asterisk (Server resides in the voice DMZ with an IP of 172.16.52.80 listening on port 5080) sends and invite to the kamailio box's voice DMZ ip (172.16.52.70:5060) 3) This invite contains a From and Contact header looking like: From: "Test User 1" <50001@172.16.52.80:5080> & Contact: sip:50001@172.16.52.80:5080 4) Kamailio sends the invite onto the registered client 5) The registered client displays "Test User 1 50001@172.16.52.80:5080"
What I would like to be displayed when the registered client rings is something like "Test User 1 50001@sip.domain.tld" or "Test User 1 50001@publicip" or even just "Test User 1 50001"
If I enable SIP inspection on the ASA that sits infront of the kamailio box, I will get a public IP of the gateway displayed but not the one that points to the DMZ interface of the kamailio box, and it still displays the internal port that the asterisk box is on, i.e. "Test User 1 50001@123.321.123.321:5080"
Im getting the feeling that I am not grasping something really basic, or that I have misconfigured asterisk somewhere along the line, as far as I can tell kamailio is working exactly as advertised, and the problem is originating upstream, or should I use kamailio to normalise the traffic emitting from it?
On 28/08/14 20:33, Tim Chubb wrote:
I'm assuming with the 5080 that this call goes through the Asterisk box before hitting the registered user on Kamailio... if that's correct, have you also forced a CALLERID(name) on the call? A grep of the sip traffic would show if you have something perhaps removing this information before sending to the client.
Im using realtime and setting the caller id in the db i.e. I have an entry like "Test User 6" <50006> in the caller ID column. This explanation may clarify a bit more:
- Test User 1 (50001) dials 50006
- Asterisk (Server resides in the voice DMZ with an IP of 172.16.52.80 listening on port 5080) sends and invite to the kamailio box's voice DMZ ip (172.16.52.70:5060)
- This invite contains a From and Contact header looking like: From: "Test User 1" <50001@172.16.52.80:5080> & Contact: sip:50001@172.16.52.80:5080
- Kamailio sends the invite onto the registered client
- The registered client displays "Test User 1 50001@172.16.52.80:5080"
What I would like to be displayed when the registered client rings is something like "Test User 1 50001@sip.domain.tld" or "Test User 1 50001@publicip" or even just "Test User 1 50001"
If I enable SIP inspection on the ASA that sits infront of the kamailio box, I will get a public IP of the gateway displayed but not the one that points to the DMZ interface of the kamailio box, and it still displays the internal port that the asterisk box is on, i.e. "Test User 1 50001@123.321.123.321:5080"
Im getting the feeling that I am not grasping something really basic, or that I have misconfigured asterisk somewhere along the line, as far as I can tell kamailio is working exactly as advertised, and the problem is originating upstream, or should I use kamailio to normalise the traffic emitting from it?
As Fred said, there are some dialplan functions for asterisk that should help setting caller id. IIRC, there are also some specific fields in database (e.g., domain part of the user).
Anyhow, what I really wanted to point here is, if you don't get it fixed in asterisk (where is better), look at uac_replace_from() from uac module of kamailio.
Cheers, Daniel
-
Daniel-Constantin Mierla -
Fred Posner -
Tim Chubb