IPTouch sets in private network

A H323 and SIP forum only !

Post by externalgateway_DUP »

Hi,

I am doing some testing with our SIP provider. I have an OXE PBX on a public IP connected to the internet.

The case that I am trying is the following:

I want to put a few (for example 5) IPTouch sets to one private network with ADSL access to the internet (in this network is a router with FW). I want these IP phones to route over the internet (without the VPN) to the PBX.

The results of our analysis are the following:

In case of one IP Touch set in private network, the set connects to PBX correctly. With the correct UDP port forwarding the set is working OK. The port 32512 is used for the registration and UDP port 32514 is used for the voice to private IP of the IP Touch set. (port forwarding is done on the firewall)

In case of two IP Touch sets in private network, we run into problems. The problem is that the UDP communication is not started by the IP Touch set (which is behind the NAT router), but by the Call Server (IP: 80.246.226.50), which is in fact in front of the firewall. In this case it is clear that the firewall blocks all that traffic.

In the attached file private_net_2xIPtouch.pcap, you can see that the communication is always started by the CPU Call Server (TFTP1). In this case, we always have the same destination port 32512 – even if we have two or more IP Touch sets in the private network. With the port forwarding in this case, we can only manage to route the traffic to one IP Touch set.

In the second attachment graf_private_2sets.doc, you can see the traffic flow, where the UDP packet comes from the Call Server (CPU) and is correctly accepted by one IP Touch set with IP 192.168.10.55 (because of the port forwarding). The other IP Touch set in the same private network (IP 192.168.10.53) does not get the UDP packet.

Theoretical Solution:

In theory, the solution could be the following:
The request for the UDP or the registration or whatever communication in the private network should always come from the same private network, which means that the IP Touch set should send that kind of request. In that case, the correct ports could be opened and the session could stop correctly. In case that the request comes from the external network, the traffic is always blocked.

If we could not reach that logic, then the only solution is, that the Call Server (CPU), which starts the communication, is sending the UDP packets to port 32512+1 and UDP 32514+1 for the voice, so that the destination ports are not always the same. In this case, the correct administration of the routers is needed.

Does anyone have any experience with that? Did anyone try that kind of case?
I would really appreciate it if anyone could give me any advice or suggestion about that.

I am looking forward to hearing from you,

Best Regards,

Miha
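
The port-forwarding collision described in the post above, as an added example that is not part of the original thread: a toy Python model of the NAT router only (not of OXE or IP Touch behaviour), comparing flows opened by the Call Server with flows opened by the sets. The class and function names and the dynamic port pool starting at 40000 are assumptions; the addresses and port 32512 are taken from the post.

```python
# Added illustration: toy model of UDP handling on a NAT router (not vendor code).
CALL_SERVER = "80.246.226.50"                 # Call Server address from the post
PHONES = ["192.168.10.55", "192.168.10.53"]   # the two IP Touch sets from the post
PORT = 32512                                  # signalling port from the post

class NatRouter:
    def __init__(self):
        self.forwards = {}      # static: public port -> (private ip, port)
        self.sessions = {}      # dynamic: (public port, remote ip, remote port) -> (private ip, port)
        self.next_port = 40000  # constructed start of the dynamic port pool

    def add_forward(self, public_port, private_ip, private_port):
        """Static port forward; a public port can point at only one host."""
        if public_port in self.forwards:
            return False        # port already taken by another set
        self.forwards[public_port] = (private_ip, private_port)
        return True

    def outbound(self, private_ip, private_port, remote_ip, remote_port):
        """Packet sent from inside: allocate a public port and record the flow."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, remote_ip, remote_port)] = (private_ip, private_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet from the internet: private target, or None when it is dropped."""
        flow = self.sessions.get((public_port, remote_ip, remote_port))
        return flow or self.forwards.get(public_port)

def server_initiated():
    """Call Server opens the flow: both sets are addressed on the same public port."""
    nat = NatRouter()
    accepted = [nat.add_forward(PORT, ip, PORT) for ip in PHONES]
    delivered = [nat.inbound(CALL_SERVER, PORT, PORT) for _ in PHONES]
    return accepted, delivered

def phone_initiated():
    """Each set opens the flow: the router gives every set its own public port."""
    nat = NatRouter()
    public_ports = [nat.outbound(ip, PORT, CALL_SERVER, PORT) for ip in PHONES]
    return [nat.inbound(CALL_SERVER, PORT, p) for p in public_ports]

if __name__ == "__main__":
    print(server_initiated())
    print(phone_initiated())
```

In the server-initiated case the second forward is refused and both packets land on 192.168.10.55, which matches the capture described in the post; in the phone-initiated case each reply reaches its own set.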

Post by krzysioD »

1st thing: you put a Wireshark screenshot in a Microsoft Word document, why do you people do that? Couldn't you simply put a PNG or JPEG?

2nd: this is a common scenario. You need to prepare more than 1 public IP for your PABX, and set up the router very carefully. The magic is: don't use direct RTP from your SIP provider to your SIP phones and don't NAT your IP Touch to CS/GD[GA] or CPU/IntIP.

3rd: consider putting your OXE on a public IP as a security risk.

Please note that at no time will I provide you with OXE/4400 nor AOS releases.
Note that it's our private time that we spend to help you, so please don't expect a complete solution for your problem.
You will need to do homework by yourself.

Post by flashmasterr_DUP »

I'm interested in this topic.
I read that he should disable direct RTP between the public SIP provider and the IP phones. I deal with a problem that concerns this feature. My SIP provider is not able to change the IP address during a communication, so we have a one-way speech path, because the communication is initialized by the GD or the GA to transmit the ringback tone. After the connect we use direct RTP between SIP provider and IP phone, but the SIP provider sends the RTP stream to the GD, and not to the IP phone.
Alcatel Support told me it is not possible to prevent that behavior.
Maybe you have another idea.
Thanks.

Post by krzysioD »

Use some NAT router that is SIP-aware.

"Application level gateway" (ALG) is a very good term to search for when looking for a good NAT/router/firewall box.
It should be capable of recognizing where to send SIP and where RTP.

Post by frank »

Flashmaster, which Alcatel Support told you that? Is it in India, France, or USA?
Thx
Code Free Or Die

Post by flashmasterr_DUP »

Hi,
this was told by the India support. As a workaround, I received a long form to be filled out by the provider to get certified for the OXE as a public provider.
Until now the SIP provider didn't fill out the form.
Thanks for the answers before.