Hi
New to Kamailio and FreeSwitch, loosely familiar with SIP mechanics, and not a complete network idiot… but please be gentle.
J
We’re trying to get Kamailio set up in front of a FreeSwitch-based SIP application server, to do some simple policy controls and, using one of the RTP proxy modules, to help
handle the media side of things. Our SIP trunks come from our provider on a VLAN addressed as 10.x, and they provide an upstream proxy/media server (10.y address). The link also carries Internet traffic so we’re running it through a Cisco ASA which breaks
out the VLANs and static NATs the SIP stuff to our DMZ (10.z address). This is where we want to put the Kamailio box, where it should receive the calls and route them back through the ASA to the internal address (10.w range – all 10.w/x/y/z are separate, non-overlapping
networks).
Outbound calls from the application server (there are very few) should pass back up to Kamailio which will validate the numbers against an approved list (the app should only
dial a subset of numbers) and pass them to the upstream proxy if necessary. We need to ensure that inbound calls from outside trombone through our application server so that the caller doesn’t get billed for any calls, but this should be the default I think
as that side of things is handled by FS (the app stands up a new call and bridges it to the incoming). This topology should allow us to use Kamailio to hide details of the FS app from the outside world, and make life easier for the app developer who should
just send/receive to the Kamailio box with no further thought or complexity.
If we put the FreeSwitch box in the DMZ where we want to put Kamailio, and then turn on SIP packet inspection in the ASA, calls flow but quality is poor for some callers. If
we turn off SIP packet inspection, we get no audio – I can’t find any clear Cisco documentation for this but I think the SIP inspection stuff in the ASA seems to handle RTP NAT fixups and the like too. But with no docs it may as well be magic, and I want to
remove it if possible. With Kamailio in the DMZ and FS internal, we loosely followed
http://kb.asipto.com/freeswitch:kamailio-3.3.x-freeswitch-1.2.x-sbc and hacked out the voicemail and Lua stuff, but couldn’t get calls to flow, whether or not we used the SIP
inspection on the ASA. We were confused why this example isn’t define as WITH_NAT and doesn’t use a local RTP proxy. Surely that would be needed?
Questions:
1.
Should the proposed topology, with Kamailio + an RTP proxy behind a firewall, relaying to FS on an inside interface, work? (Can’t see why not)
2.
Does it need a local RTP proxy on the Kamailio box, particularly if we turn off the ASA SIP inspect stuff?
3.
Can you recommend which RTP proxy to use? There seem to be at least 3 that work with Kamailio. The box is CentOS 6.5, and it would be nice to use known-to-work packages
rather than compile from source. (But eh, if I haveta).
4.
Can anyone point me to some docs to explain what ports need to be open between the Kamailio box and my upstream proxy/media server? I can be more liberal between
inside and DMZ I guess.
5.
Is static NAT in this environment going to bite me, or should it be OK?
6.
Is there any better documentation that we should be using to make this easier, or should I just man up and try harder?
TIA
Sean
Volunteer for our Red Puppy street appeal to help puppies like Gordy become guide dogs. |
Follow us on Facebook and Twitter
#############################################################################
This email, including any attachments, is intended solely for the addressee(s)
It is confidential and may be legally privileged.
If you are not the intended recipient, you must not copy, disclose, distribute
or otherwise use it or the information in it. Please notify the sender at once
and delete it from your system immediately.
Any views or opinions expressed are solely those of the author and do not
necessarily represent those of the Blind Foundation.
The Blind Foundation does not accept responsibility for any viruses or other
malicious code that may be transmitted with this email.
#############################################################################