I'm not sure about the NAT doors


#1

hi,
The local SIP port of my UCM is the standard 5060, so the extensions are locally registered on 5060.
Based on the screenshot I attach, the remote extensions (without VPN) are registered on 45060. (The external host is deliberately hidden only in the picture.)
My doubt is whether I have to do the NAT on the firewall as:

  • 45060 external to 45060 of the UCM
    or
  • 45060 external to 5060 of the UCM

thanks to those who can help me.


#2

This one. You want to bind an external port (45060) to a local port (5060) on the device. Note that you will need to do the same for your RTP ports.


#3

Yes, of course, the RTP ports are already NATed to the UCM.
I'm just doing some tests; until now I also used 5060 remotely (leaving the default). I read that many of you change that port for security reasons, so I'm just doing some tests.
I did NAT from 45060 to 45060 and it doesn't work, then I did it from 45060 to 5060 and it works, so I wanted to compare myself with you, just to understand how to behave.
Do you normally leave 5060 or change it remotely?


#4

I usually leave the 5060 port because I use VPN for remote locations. However, I understand the security risk. Some people will change it and it’s not a bad thing, you just need to make sure your config templates are using the right ports.

The first one you tried would have bound 45060 to the 45060 of the UCM. Which WOULD work if the SIP port on the UCM was set to 45060. (Not the external SIP port, which is different).


#5

Yes, in fact, by testing with Wireshark I realized that.


#6

thank you @fmarcoux96 you’re always very kind (like everyone else) :smiley:


#7

I also leave it at 5060, but I use a firewall to filter the allowable IPs into the network before it gets to the UCM. While I also use VPNs, my choice is nothing more than not seeing a real reason to change it to something else. Moving the port may make it somewhat less of a target for scanners and it is your choice to do so, but the scanners are not unaware of the ploy, and if the port is discovered, the same feeding frenzy will occur, prompting you to move it again or to employ filtering anyway.


#8

We're here to help each other without being mean or disrespectful :blush:


#9

Exactly! Firewalls are better than moving the port number.

However, I am curious, what do you do for remote softphones like mobile clients? These have dynamic IP so can’t really be filtered.


#10

For this I leave the basic 5060, and on the firewall I activate the ACL rules; I just wanted your advice.
In the Host field on the NAT page, do you insert ip_public:5060 or only ip_public?


#11

Only public IP or FQDN if one is used.


#12

On mobile extensions, where I can filter by the provider's range (whenever possible), that is better than opening to the whole world.


#13

They can be filtered to an extent. I have found that you can do a search of various mobile providers to see what ranges they use. T-Mobile, for instance, uses 172.32.0.1-172.62.255.254, so my firewall has the range. I have done it for others as well and so far, so good. While it is a range and conceivably a scanner could make use of the same, this does not appear to have been an issue (so far), as I suspect using cellular data is not the connection method that scanners would want to employ.

I have also used VPNs on the cellular (android) level using IPsec on the router. Now then if GS ever develops a built-in tunnel for the Wave similar to 3CX…
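The two configuration points raised in this thread, the SIP port forward (external 45060 must land on the port the UCM actually listens on, 5060, as #3 and #4 discuss) and filtering the forward to a provider's address range (#7 and #13), are shown together below as an added example. This code is not from the thread, from Grandstream, or from any firewall product; it models the rules as data, checks the port mapping against the UCM's listening port, converts a first-last address range into CIDR blocks, and renders the result as iptables commands. The UCM LAN address 192.168.1.10, the RTP range 10000-20000, the WAN interface name eth0, and the allowed-source range are assumed values (the range is the one quoted in #13).

```python
"""Model and validate a SIP/RTP port forward with source filtering.

Added illustration, not code from the thread or from Grandstream.
All concrete addresses, ports and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class SipNat:
    ucm_ip: str                 # UCM address on the LAN (assumed)
    ucm_sip_port: int           # port the UCM really listens on
    external_sip_port: int      # port exposed on the WAN side
    rtp_first: int              # RTP range, same on both sides
    rtp_last: int
    wan_if: str = "eth0"        # WAN interface name (assumed)
    allowed_sources: List[str] = field(default_factory=list)  # CIDR blocks


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Turn a first-last range, as providers publish them, into the
    minimal set of CIDR blocks a firewall rule can consume."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def source_allowed(src_ip: str, cidrs: List[str]) -> bool:
    """True when src_ip falls inside any of the whitelisted blocks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def validate_nat(nat: SipNat, internal_target_port: int) -> bool:
    """The mistake from the thread: forwarding 45060 -> 45060 only works
    if the UCM listens on 45060. The DNAT target must be the listening
    port, whatever the external port is."""
    return internal_target_port == nat.ucm_sip_port


def render_rules(nat: SipNat) -> List[str]:
    """Render iptables commands: DNAT for SIP (port rewritten) and RTP
    (ports preserved), limited to the allowed source blocks, plus a
    FORWARD accept for those flows and a catch-all drop toward the UCM."""
    sources = nat.allowed_sources or ["0.0.0.0/0"]  # empty list = open to all
    rules = []
    for cidr in sources:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {nat.wan_if} -s {cidr} -p udp "
            f"--dport {nat.external_sip_port} "
            f"-j DNAT --to-destination {nat.ucm_ip}:{nat.ucm_sip_port}")
        rules.append(
            f"iptables -t nat -A PREROUTING -i {nat.wan_if} -s {cidr} -p udp "
            f"--dport {nat.rtp_first}:{nat.rtp_last} "
            f"-j DNAT --to-destination {nat.ucm_ip}")
        rules.append(
            f"iptables -A FORWARD -i {nat.wan_if} -s {cidr} -d {nat.ucm_ip} -p udp "
            f"-m multiport --dports {nat.ucm_sip_port},{nat.rtp_first}:{nat.rtp_last} "
            f"-j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {nat.wan_if} -d {nat.ucm_ip} -j DROP")
    return rules


# Constructed configuration matching the thread's working setup.
EXAMPLE_NAT = SipNat(
    ucm_ip="192.168.1.10",
    ucm_sip_port=5060,
    external_sip_port=45060,
    rtp_first=10000,
    rtp_last=20000,
    allowed_sources=range_to_cidrs("172.32.0.1", "172.62.255.254"),
)

if __name__ == "__main__":
    print("45060 -> 5060 valid:", validate_nat(EXAMPLE_NAT, 5060))
    print("45060 -> 45060 valid:", validate_nat(EXAMPLE_NAT, 45060))
    for line in render_rules(EXAMPLE_NAT):
        print(line)
```

The empty-whitelist case falls back to `0.0.0.0/0`, which is the "open to the whole world" configuration the thread warns about; the rendered rule list makes that visible rather than hiding it. A single first-last range expands into dozens of CIDR blocks, which is why a published range is better loaded into an address set than copied into rules by hand.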


#14

That I didn’t know. Here in Canada, providers don’t tell us anything about how their infra is built.

As for a 3CX Tunnel-like for GSWave, it would be awesome, even if we have config to do on UCMs to make it work.


#15

Exactly, if UCM supported a kind of tunnel, such as the 5090 of the 3cx, there would be significant improvements in security and bidirectional audio.
I’m very happy with the IAX remote extensions.


#16

To see the provider's range, for a few days I noted the IP that was dynamically assigned to me. Keep in mind that these ranges can change from one day to the next and make the search already done useless.
For example, Iliad in Italy until a few days ago often used French IPs; now they are aligned with Italian IPs.


#17

That’s what I mean. Sometimes providers use one range, sometimes they have many many ranges.


#18

I often notice that they are different ranges and not just one, and sometimes they change over time.


#19

That’s why I simply don’t use a whitelist. I use a good firewall to block bad requests and the UCM then filters what’s a call and what’s a hacker.


#20

I put this in an enhancement request. Perhaps if others join me…