Avaya Support Forums  

#1
11-17-2014, 02:43 PM
shriea
Member
Join Date: Nov 2014
Posts: 4
IPO SIP trunk issue (public IP address)

Thank you in advance for your help. I am new to the forum, and did some searching, but could not find anything that answers my question.

I have recently taken over a customer that has an IPO 500 V2 with VM Pro (recently upgraded from R6 to R9) that is using SIP trunks for service. The company that installed the system has the configuration set up so that the LAN2 port has a public IP address, and is not behind any type of firewall. Well, they have been hacked a few times, and had calls trying to route to an international number. I have changed the system passwords, etc., but a few months later, same thing (configuration on system is actually changed). I have worked with their IT guy, and the only place we can think of them getting in, is through the Manager software via the public IP address that the SIP trunks are working through. We tried moving the system behind a SonicWall, but when we did that, the SIP service did not work. Is there anyone who has had the same issue, and been able to resolve it? I can't imagine I have to leave this thing open to the world and keep changing the passwords.

#2
11-18-2014, 05:32 AM
mlombardi1
Legend
Join Date: Sep 2010
Location: New York
Posts: 457

Hopefully there's a Session Border Controller in front of the IPO. The private side of the SBC should be on the customer network together with the LAN1 port. Telco should be talking to the public side of the SBC. It's the SBC that should be delineating between trusted and untrusted, not the IPO using the two network ports.

If there's no SBC and only a SonicWall, make sure any SIP ALG is disabled and the SIP signaling and media are port forwarded to the IPO. Look in the IPO SIP line config to find these ports. Signaling is typically UDP 5060.

#3
11-18-2014, 12:05 PM
shriea
Member
Join Date: Nov 2014
Posts: 4

No SBC, straight off the Adtran to the IPO. I will take a look at the other settings, and see what I have. This is my only site using SIP, so I am trying to catch up and learn on the go. Nothing better than trying to fix others' mistakes. Thanks for the help.

#4
11-18-2014, 01:19 PM
zakabog
Genius
Join Date: Aug 2014
Posts: 300

The IP Office is on the public internet and it's not very secure at all, so anyone who wants to can get in very easily. There are a few things you can do to stop this. One is to put the device behind the SonicWall, but that requires configuring the SonicWall properly to let traffic get back to the IP Office. If you don't know a lot about network security and configuring SonicWalls, then I would highly suggest hiring someone to do this for you. Otherwise you will spend countless hours trying to get things to work without really understanding why they work/don't work, and also leaving the customer wide open.

#5
11-19-2014, 03:26 PM
shriea
Member
Join Date: Nov 2014
Posts: 4

Checked the settings, and still no go. I am working with their IT guy to try and get this resolved. I guess I was not phrasing my question properly...
The IPO is open to the world on a public IP on the LAN2 port (was set this way by previous vendor). All SIP settings are referencing that public IP address in settings. When I try and put it behind a firewall (to get it out of public access), SIP trunks no longer work. In trying to put it behind the firewall, I am basically giving the SonicWall the public IP addressing, then trying to pass the info through to the IPO on a different IP address. This is what I cannot seem to get working. Are there any particular settings that need to be addressed on the SonicWall, or IPO, to allow basically a pass-through of the information, allowing the IPO to no longer be on the public IP addressing, and keeping the SIP trunks operational?

#6
11-19-2014, 10:59 PM
markgallagher
Legend
Join Date: May 2010
Posts: 574

You need to either deploy a proper SBC or learn how to implement STUN. Whilst the system has a public IP address it will be constantly targeted by hacking attempts (even if it is made secure from them it will still be targeted).

Talk to the SIP line provider about what their STUN server address is or what alternate they recommend. Meanwhile the support.avaya.com site has a whole raft of application notes for configuring SIP trunks with different SIP providers.
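
Why an SBC or STUN comes up once the system is moved behind NAT, shown as an added example that is not part of any post in this thread: the script checks a captured SIP message for the places where the PBX advertises its own address (Via, Contact, SDP `c=`) and flags any that the provider could not route back to. The sample INVITE, the addresses 192.168.42.1 and 203.0.113.10, and the function name `nat_findings` are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Places where a SIP endpoint advertises its own address to the far end.
ADDRESS_FIELDS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+" + IPV4, re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?@" + IPV4, re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 " + IPV4, re.M),
}

# Constructed sample: an INVITE as a PBX might send it from a LAN address
# behind a 1:1 NAT when nothing (STUN, SBC) has told it its public address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:15550100@sip.provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.42.1:5060;branch=z9hG4bK-constructed",
    "From: <sip:5551000@sip.provider.example>;tag=1",
    "To: <sip:15550100@sip.provider.example>",
    "Contact: <sip:5551000@192.168.42.1:5060>",
    "Call-ID: constructed-1",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.42.1",
    "c=IN IP4 192.168.42.1",
    "m=audio 49152 RTP/AVP 0",
])


def nat_findings(message, public_ip):
    """List (field, address, problem) for each advertised address the provider cannot use."""
    findings = []
    for field, pattern in ADDRESS_FIELDS.items():
        for addr in pattern.findall(message):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in RFC1918):
                findings.append((field, addr, "RFC 1918 address advertised"))
            elif addr != public_ip:
                findings.append((field, addr, "differs from the firewall's public address"))
    return findings


if __name__ == "__main__":
    # 203.0.113.10 stands in for the public address held by the firewall.
    for finding in nat_findings(SAMPLE_INVITE, "203.0.113.10"):
        print(*finding, sep=" | ")
```

A private address in Contact or in the SDP connection line is what leads to inbound calls or audio failing behind NAT even when the port forwards are correct.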

#7
11-20-2014, 10:30 AM
zakabog
Genius
Join Date: Aug 2014
Posts: 300

When you put the public IP address on the Sonicwall do you have a 1 to 1 NAT pointing back to the LAN 1 address of the IP Office? Did you turn off SIP inspection options? Did you configure the access list to allow traffic from the SIP host to go through on that public IP address? What exactly doesn't work, do you see your SIP registrations going out, and do you see responses? Do you see any of this on the Sonicwall?

#8
11-20-2014, 02:35 PM
shriea
Member
Join Date: Nov 2014
Posts: 4

Zakabog: Here is their IT guy's response to your questions:

Yes, and I can see the traffic coming into the SonicWall, going to the LAN IP, but the IPO never sent anything back.

#9
11-24-2014, 02:34 PM
zakabog
Genius
Join Date: Aug 2014
Posts: 300

In the IP Office do you have an IP Route built to send traffic to the SIP gateway through the Sonicwall? Are you able to ping your SIP host from the IP Office (they should have a pingable address for you)? If you turn on Monitor with only the SIP messages, do you see them coming in at all?

All times are GMT -7.