3

I am trying to configure an Asterisk (Elastix) box to receive SIP calls from a provider without requiring allowguest=yes to be enabled in sip.conf.

Basically the SIP trunk provider uses multiple IPs to send the calls to our PBX and so without the matching host= field, the call is dropped. However, by enabling allowguest=yes, anyone can send calls to our PBX. We could firewall the PBX to only allow incoming SIP from our provider but this stops our SIP handsets from being able to register anywhere in the world.

This must be a common issue, and I can see in the past that Asterisk hasn't got support for saying host={subnet} or multiple host= entries. Is this still the case? How should I get around this issue?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
justacodemonkey
  • 153
  • 1
  • 7

2 Answers2

1

Correct solution - ask provider all ips and add all as trunk1-trunk2...trunkX

arheops
  • 708
  • 1
  • 5
  • 13
0

I think you can set host=dynamic and restric access with permit/deny clauses, as in:

[trunk]
...
host=dynamic
deny=0.0.0.0/0.0.0.0             ; deny access
permit=192.168.0.0/255.255.255.0 ; allow 192.168.0.0/24 subnet
...

Also, you can easily setup an iptables chain to restrict access to the 5060 port (or whatever your SIP port is), which you should do anyway.

Daniele Santi
  • 2,479
  • 1
  • 25
  • 22