Registration denied because of contact ACL


Hello All,

Some new security stuff is going on, I suppose, in 1.8 that I am not familiar
with, and I would appreciate your help.

In a scenario such as the following:

Internet --> SBC --> Asterisk

Upon trying to register an endpoint, the following is being observed on the
Asterisk console. I have Googled this but haven’t come up with anything that
helped much.

[Mar 10 11:53:59] ERROR[21272]: netsock2.c:94 ast_sockaddr_stringify_fmt:
getnameinfo(): ai_family not supported
[Mar 10 11:53:59] WARNING[21272]: chan_sip.c:13120 parse_register_contact:
Domain ‘172.16.16.6:5060’ disallowed by contact ACL (violating IP )
[Mar 10 11:53:59] WARNING[21272]: chan_sip.c:13837 register_verify:
Registration denied because of contact ACL

Note that the server IP is 172.16.16.11 and the SBC internal interface IP
is 172.16.16.6.

The following lines have been added to sip.conf:

dynamic_exclude_static = yes
autodomain=yes
domain=172.16.16.6
allowexternaldomains=no

In addition, in the general endpoint template in sip.conf, I have the lines:

contactdeny=0.0.0.0/0.0.0.0
contactpermit=172.16.16.0/255.255.255.0
host=dynamic

What else am I missing?

Thanks
RR

8 thoughts on - Registration denied because of contact ACL

  • It just has an ACL concept. You can add a list of permitted IPs to any peer;
    then users can register only from those IPs. If you want to permit all, you
    can add 0.0.0.0 to the ACL.


  • Thanks, but could you be a little more specific? I have added the local net
    172.16.16.0/24 almost everywhere I can think of, but it keeps giving that
    error. Even in sip.conf in the template for company IP phones, I’ve added
    contactpermit as well as just permit=172.16.16.0/24, but it still complains
    about that.

  • You can add the following line to your peer’s configuration:

    permit=0.0.0.0/0.0.0.0

    It will allow that peer’s account to be used from any IP.


  • Thanks. But like I said, that’s all done. Here’s the endpoint config:

    [authentication]
    [basic-options](!) ; a template
    dtmfmode=rfc2833
    context=Phones
    type=friend
    contactdeny=0.0.0.0/0.0.0.0
    contactpermit=172.16.16.0/255.255.255.0
    deny=0.0.0.0/0.0.0.0
    permit=172.16.16.0/24
    host=dynamic
    qualify=no
    insecure=port,invite

    [natted-phone](!,basic-options) ; another template inheriting basic-options
    nat=yes
    directmedia=no

    [555](natted-phone)
    secret=$$ecret$$
    disallow=all
    allow=ulaw
    allow=gsm

    No deal! The irony is that we have a similar configuration at another place,
    but we didn’t need to put anything there and the phones register regardless!

    Is this broken

  • One more thing: check whether your SBC is configured in relay mode or forward
    mode. If it is in relay mode, you will have the original SIP-UA IP in all
    requests coming to Asterisk and only the SBC IP in the Via, but if it is in
    forward mode you may have the SBC IP all the way in all requests.

    Quoted message from Vladimir Mikhelson, sent Thursday, March 10, 2011 1:42 PM:

    Pay attention, you have permit=172.16.16.0/24 whereas the suggestion was
    permit=0.0.0.0/0.0.0.0


  • Perhaps the contactdeny is taking precedence in 1.8. Try it without the
    contactdeny – maybe the existence of a contactpermit will imply a
    contactdeny of “everything else”.

    Cheers,

    j
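
Added example, not part of the thread or of Asterisk: a small Python model of ordered deny/permit evaluation, run against the contactdeny/contactpermit pair and the console warning posted above. It assumes rules are applied in file order starting from "allowed", with the last matching rule deciding; the function names and the dictionary layout are made up for this illustration.

```python
import ipaddress
import re

# Constructed from the template and console warning posted in the thread.
CONTACT_ACL = [("deny", "0.0.0.0/0.0.0.0"),
               ("permit", "172.16.16.0/255.255.255.0")]
LOG_LINE = ("WARNING[21272]: chan_sip.c:13120 parse_register_contact: "
            "Domain '172.16.16.6:5060' disallowed by contact ACL (violating IP )")


def apply_acl(rules, addr):
    """Assumed model: start allowed; the last rule that matches decides."""
    ip = ipaddress.ip_address(addr)
    allowed = True
    for sense, net in rules:
        if ip in ipaddress.ip_network(net, strict=False):
            allowed = sense == "permit"
    return allowed


def split_host_port(contact):
    """Split an IPv4 or hostname 'host:port' into (host, port or None)."""
    host, sep, port = contact.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return contact, None


def diagnose(line, rules):
    """Re-check the contact named in a 'disallowed by contact ACL' warning."""
    m = re.search(r"Domain .(.*?). disallowed by contact ACL "
                  r"\(violating IP (.*?)\)", line)
    if not m:
        return None
    host, port = split_host_port(m.group(1))
    try:
        allowed = apply_acl(rules, host)
    except ValueError:  # contact host is a name, not an IP literal
        allowed = None
    return {"host": host, "port": port,
            "violating_ip": m.group(2).strip(), "acl_allows_host": allowed}


if __name__ == "__main__":
    print(diagnose(LOG_LINE, CONTACT_ACL))
    # Same rules in the opposite order: the catch-all deny now matches last.
    print(apply_acl(list(reversed(CONTACT_ACL)), "172.16.16.6"))
```

Under this model the posted rule pair admits 172.16.16.6 once the port is split off, while the warning's "violating IP" field is empty, so the thing to check is what address the ACL was actually evaluated against rather than the rule order.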