Asterisk Sends The INTERNAL IP Address Of My Equipments To My SIP Friends?!?


Good morning, or Good afternoon! It depends 🙂

I have a standard Asterisk configuration:

SIP friends (phones) <-----> Asterisk <-----> SIP gateway to PSTN converter
80.236.215.61                109.69.217.6     internal IP (10.4.0.10/255.255.255.0)

When analyzing traffic on a SIP friend/phone I see this:

INVITE sip:xxxx@80.236.215.61:64946;ob SIP/2.0
Via: SIP/2.0/UDP 109.69.217.6:5060;branch=z9hG4bK52d50250;rport
Max-Forwards: 70
From: ;tag=as15b47581
To: “test” ;tag=kp1VwHD80rA9MVdBjTF4jyFIaCkrJcjh
Contact:
Call-ID: MSMhw2bsheHWAQgHlae3O7yKQ2P9EcsM
CSeq: 102 INVITE
User-Agent: Asterisk
Require: timer
Session-Expires: 1800;refresher=uas
Min-SE: 90
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 217

v=0
o=root 664087974 664087976 IN IP4 10.4.0.10
s=Asterisk
c=IN IP4 10.4.0.10
t=0 0
m=audio 8652 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

My equipment IP 10.4.0.10 is visible to the user, why?

Thank you, Mickael

7 thoughts on - Asterisk Sends The INTERNAL IP Address Of My Equipments To My SIP Friends?!?

  • You mean the SDP payload? You kind of need that…. c= is used for RTP transmission. o= always confuses me so I will just say it’s important as well.

    You can put a proxy in the middle and do topology hiding I guess; however, that is beyond the scope of this list?

    Kind Regards,

    Nick.

  • Mickael MONSIEUR wrote:

    Mickael,

    What version of Asterisk are you running?

    Is the Asterisk server outside and the SIP gateway to PSTN converter inside of a NAT?

    What are the NAT SUPPORT and MEDIA HANDLING settings in sip.conf?

    Regards,

    Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer

  • Hello Matthew,

    My version is Asterisk 1.6.2.9.

    Or have you seen NAT? I have no NAT on my network. Have you seen my little diagram above?

    Here it is:

    SIP friends (phones) <-----> Asterisk <-----> SIP gateway to PSTN converter
    80.236.215.61                109.69.217.6     internal IP (10.4.0.10/255.255.255.0)

    My Asterisk server has two NIC/interfaces.

    – 1 interface with public IP (109.69.217.6 to talk with SIP friends)
    – 1 interface with internal IP (10.4.0.1 to talk with SIP gateways)

    SIP friend should not even know that the call is routed to the SIP/PSTN gateway. It could be a SIP trunk to a SIP provider Internet, the user does not have to know…

    Best regards, Mickael

    2013/6/13 Matthew J. Roth

  • And it’s obviously doing NAT, if anything plugged into one interface can see anything plugged into the other.

    The important question is: Does it work? Because if so, leave it alone.

    IP addresses are not secret. If anything in your network depends on someone on the outside not knowing one or more of your inside IP addresses, then you are doing it wrong.

  • Mickael MONSIEUR wrote:

    Mickael,

    It’s hard to be certain without seeing a full SIP trace, but I think the INVITE with the internal IP is actually a re-INVITE that Asterisk is sending to establish a native bridge between the SIP friend and the SIP gateway to PSTN converter. This would allow the endpoints to send their media directly to one another, but in your case I’d expect it to cause one-way audio because the SIP friend shouldn’t be able to send RTP packets to the internal IP.

    If it’s a re-INVITE, start by reconfiguring Asterisk with “directmedia=no” in the [general] section of sip.conf and for all of the endpoints involved in the calls. That should completely eliminate the re-INVITEs at the expense of relaying all RTP through Asterisk, even for calls between two phones on the internal network. After you’ve confirmed that internal IPs are no longer being sent to external endpoints you can start fine-tuning the NAT SUPPORT and MEDIA HANDLING settings in sip.conf to only allow re-INVITEs when appropriate for your environment.

    Regards,

    Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer

  • It’s actually pretty easy.

    If an INVITE message has a tag parameter in both To and From headers, it’s a re-INVITE. If the To header doesn’t have a tag parameter, it’s an initial INVITE.

  • Andreas Sikkema wrote:

    Andreas,

    Thanks for the tip. That’s a very useful bit of information to know. It also confirms that the INVITE in Mickael’s original post [1] is a re-INVITE:

    From: ;tag=as15b47581
    To: “test” ;tag=kp1VwHD80rA9MVdBjTF4jyFIaCkrJcjh

    Consequently, the advice in my response [2] about initially reconfiguring Asterisk with “directmedia=no” and then fine-tuning the NAT SUPPORT and MEDIA HANDLING settings is valid.

    [1] http://lists.digium.com/pipermail/asterisk-users/2013-June/279435.html
    [2] http://lists.digium.com/pipermail/asterisk-users/2013-June/279450.html

    Regards,

    Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
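
An added example, not part of the thread or of Asterisk: a Python check that applies the To/From tag rule from the comments to a captured SIP message and lists any RFC 1918 address in the SDP `o=`/`c=` lines, which is one way to confirm that internal IPs are no longer sent after setting "directmedia=no". The function names and the `example.invalid` URIs in the constructed sample are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the trace in the thread. The From/To URIs are
# placeholders (example.invalid): the page's copy of the trace lost them.
SAMPLE = (
    "INVITE sip:xxxx@80.236.215.61:64946;ob SIP/2.0\r\n"
    "From: <sip:a@example.invalid>;tag=as15b47581\r\n"
    'To: "test" <sip:b@example.invalid>;tag=kp1VwHD80rA9MVdBjTF4jyFIaCkrJcjh\r\n'
    "\r\n"
    "v=0\r\n"
    "o=root 664087974 664087976 IN IP4 10.4.0.10\r\n"
    "c=IN IP4 10.4.0.10\r\n"
    "m=audio 8652 RTP/AVP 8 101\r\n"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TAG_RE = re.compile(r";\s*tag=[^;\s]+", re.IGNORECASE)
SDP_ADDR_RE = re.compile(r"^([oc])=.*\bIN IP4 (\S+)", re.MULTILINE)

def split_message(message):
    """Return (request line, {lower-cased header name: value}, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return first, headers, body

def classify_invite(message):
    first, headers, _ = split_message(message)
    if not first.startswith("INVITE "):
        return "not-invite"
    # Header parameters follow the URI's closing '>'; URI parameters are ignored.
    tagged = all(TAG_RE.search(headers.get(h, "").rpartition(">")[2])
                 for h in ("from", "to"))
    return "re-INVITE" if tagged else "initial INVITE"

def internal_sdp_addresses(message):
    """List (line type, address) for o=/c= lines carrying RFC 1918 addresses."""
    found = []
    for kind, addr in SDP_ADDR_RE.findall(split_message(message)[2]):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # FQDN or multicast "addr/ttl" form
            continue
        if any(ip in net for net in RFC1918):
            found.append((kind, addr))
    return found
```
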