From Askozia Handbook
Jump to: navigation, search

In this chapter the LAN (Local Area Network) configuration of AskoziaPBX is explained. This is essential for using AskoziaPBX with VoIP providers as well as within a local network. We particularly recommend that you read Topologies.

Also described in this chapter, are ISDN and analog ports, logical provider group ports, settings for firewall, fail2ban and secure calling and general information about interface cards and gateways.


Click Networking in the menu bar to get into the network configuration menu. Network configuration is especially important if you want to use VoIP providers. Misconfiguration might prevent the completion of calls.

AskoziaPBX automatically recognizes the network interface and its MAC address. In case your telephone system has more than one network interface you can choose which one you would like to use.

There are two ways to configure your IP address, Gateway and DNS server:

  • DHCP (Dynamic Host Configuration Protocol) can be used to automatically configure your IP address, Gateway and DNS server. Chose configured via DHCP client for this option. For most users this option is recommended. To lock these settings in (and no longer rely on your DHCP server to provide the same address) click on use DHCP settings permanently.
  • If you do not want to use DHCP, the network can also be configured manually. This requires some knowledge about the network topology. The drop-down menu to the right of the text field of the IP address is the subnet mask in CIDR (Classless Inter-Domain Routing) notation. You can use alternatives to the classical "" formatting: /8 corresponds to the Subnet Mask, /16 corresponds to and /24 corresponds to
Network settings

It is also possible to modify the MAC address of your network interface (MAC spoofing). This option is only needed under very special conditions. The MAC address needs to be specified in "xx:xx:xx:xx:xx:xx" notation. Leave the text box empty to use the standard MAC address of the interface, which applies for the majority of the users.


Depending on the topology of your network, the following configuration steps may differ. You can chose between Public IP address, NAT+static public IP and NAT+dynamic Public IP.

NAT (Network Address Translation) is the process of modifying network address information in IP packets in order to communicate with other networks. Most routers used at home or in small businesses utilize NAT routing. Because of this, most users should choose NAT + dynamic public IP. In the following section the options are explained in greater detail:

  • If your telephone system has a Static Public IP or is behind a NAT and has a static public IP address, enter it in the Static Public IP text box.
  • If your telephone system works behind a NAT and has a dynamic public IP address, a Public Hostname is required. Now you have two choices: Either the router is maintaining the DNS settings or AskoziaPBX does that. Choose My Router, if your router should maintain the DNS information. To leave the updating process to AskoziaPBX, choose This PBX. An additional menu will appear, Dynamic DNS Client. Choose the Service Type and enter your Username and Password. Wildcards can be used if all subdomains of the domain used should be forwarded to this telephone system (e.g. Select Yes to use this option.
Dynamic DNS client

Click Save to finish the configuration.

Telephony Ports

Depending on the features of your telephone system, a number of analog and ISDN ports may be available. AskoziaPBX recognizes and configures these ports automatically. Personal customization is optional. Additionally to ISDN and analog ports, you can configure provider port groups. More about this in the next section.

To start, click on Telephony Ports in the navigation bar. "Analog" is selected by default.

Overview of ISDN and analog ports

Provider Port Groups

A provider port group is a logical collection of (physical) ports which belong to the same provider. This enables a single provider account to use multiple physical ports for outgoing and incoming calls. If one port is busy, another port out of the group can be used. To configure an existing provider port group click on Askozia edit.png, to add a new group, click on Askozia add.png.

In the configuration menu, a name can be assigned to the port group and ports can be added to or removed from a provider port group by drag-and-drop.

Provider port group settings

Click Save to finish the configuration.

Analog Phone and Provider Ports

By default the port names are numbered in ascending order. It makes sense to give each port a meaningful name.

If your calls have an echo you might need to activate Echo Cancellation and/or increase the canceller's window size. The default window size is 16 milliseconds.

You can adjust the volume of calls in case they are too loud or too quiet. Receive and transmit levels can be adjusted independently. The measuring unit is decibel.

The Start Signaling is how your system determines if a phone has been hung-up or picked-up. Usually Kewl Start (pronounced: "cool start") is the best choice. Some providers work better with other options though. If your calls do not start or end reliably, try using one of the other options. Choices are Ground Start and Loop Start.

Configuration of analog ports

Click Save to finish the configuration.

ISDN Phone and Provider Ports

The configuration of ISDN ports differs from analog port configuration in only one way. Nevertheless, this section provides information about all the options available for ISDN ports.

By default the ports are numbered in ascending order. It makes sense to give each port a meaningful name.

If your calls have an echo you might need to activate Echo Cancelation and/or increase the canceller's window size. The default window size is 16 milliseconds.

You can adjust the Volume of calls in case they are too loud or too quit. Receive and transmit levels can be adjusted separately. The measuring unit is decibel.

There are two choices for ISDN signaling, Point-to-Point and Point-to-Multipoint. At home most people usually have Point-to-Multipoint signaling, in most offices Point-to-Point is used. Make sure the Switchtype is suitable for the region of your residence. Disable Overlap Digits (DDI) if you do not want Askozia to wait after the last digit it receives.'

Configuration of ISDN ports

Click Save to finish the configuration.

beroNet Telephony Ports

AskoziaPBX supports beroNet VoIP Gateways and beroNet PCI/PCIe Gateway cards. A list of beroNet hardware which can be auto-configured with AskoziaPBX, can be found in the Supported Hardware chapter.

After activating beroNet Support under Advanced -> Miscellaneous, mounted beroNet Interface Cards are recognized and initialized.

Activation of beroNet Support for Interface Cards and Gateways

The following video explains the auto-configuration of beroNet interface cards with AskoziaPBX.

When the interface cards have been initialized, the telephony ports appear in the AskoziaPBX web interface.

Recognized analog ports

The port configuration for beroNet ports is similar to those described in Telephony ports. Additionally, the ISDN BRI port type configuration can be changed between Phone and Provider via software. There is no need to change the jumper configuration off the beroNet interface card. Choose the desired port configuration from the drop down menu.

Configure BRI ports

Click save to finish the configuration.


Askozia provides its own internal firewall. Please not that the Askozia firewall does not replace a network firewall but provides additional protection for the PBX. The following video provides a short introduction to the firewall and fail2ban settings of AskoziaPBX.

The following video explains the internal firewall and fail2ban settings of AskoziaPBX more in detail.


The internal Firewall provides security settings for AskoziaPBX that can be enabled by activating the Status checkbox.

Under template, pre-defined configuration templates can be selected. Different scenarios are considered. In-house is recommended if AskoziaPBX is situated within a private network. Hosted is recommended to protect installations that are located on external servers. Alternatively, you can choose to build your own configuration by selecting the desired options in Predefined Rules. Under Network, the internal network can be defined more precisely to enable additional security options. For this purpose, the IP address and the associated subnet of AskoziaPBX have to be defined.

General settings for integrated AskoziaPBX firewall

Under Predefined Rules, the predefined settings of the selected template can be adapted to individual requirements. The possible security settings are divided into three areas of the network. Block local subnet disables hits coming from the internal network. Block LocalIntranet limits number of hits from the defined Intranet, and Internet Block blocks IP addresses which are located outside the defined intranets.

Predefined rules for integrated AskoziaPBX firewall

The following protocols and applications can be blocked:

  • Web Interface blocks access to the AskoziaPBX administration interface. A recovery IP should be defined to assure that you can still access the web interface.
  • CTI disables Call Control CTI.
  • Welcome Page disables the welcome page where you can choose between CTI and web interface.
  • SSH disables access on AskoziaPBX through SSH.
  • SIP blocks SIP connections. It should be ensured that this setting excludes SIP phones that are already registered to AskoziaPBX. They can continue to build and accept SIP connections. This ensures that internal phones remain functional but new phones are prevented from registering with AskoziaPBX.
  • SIPS SIPS refers to encrypted SIP connections. See the "SIP" paragraph above for more information.
  • IAX blocks incoming connections that use the "Inter Asterisk Exchange" protocol.
  • RTP/SRTP disables RTP/SRTP connections. RTP/SRTP is the protocol that transmits the audio data during a VoIP call.
  • FTP disables the possibility of accessing AskoziaPBX through FTP.
  • TFTP disables the possibility of accessing AskoziaPBX through TFTP.
  • AMI blocks access to the "Asterisk Manager Interface".
  • AstManProxy blocks applications that access the Asterisk Manager.
  • Auto-Configuration disables auto-provisioning of phones by AskoziaPBX.

Under Advanced, custom rules can be defined by means of standard iptables statements. The custom rules always have a higher priority. A click on the Show iptables button reveals the active iptables statements for the chosen rules. These statements can be helpful for defining additional custom rules.

Advanced settings for integrated AskoziaPBX firewall

The following video introduces Askozia's internal IPtables firewall and provides a live demo.


Fail2ban bans IPs that show malicious signs such as too many password failures, seeking for exploits, etc. It is used to update firewall rules in order to reject the IP addresses for a specified amount of time. Fail2ban is able to reduce the rate of incorrect authentication attempts. However, it cannot eliminate the risk caused by weak authentication.

Fail2ban monitors Asterisk, the AskoziaPBX web interface, Call Control CTI and SSH. If a certain number of failed login attempts occurs (max retry) during a certain period (find time), the source IP will be banned for a certain amount of time (ban time).

Fail2Ban settings for AskoziaPBX

Max Retry specifies the maximum number of login attempts until the corresponding IP address is blocked. It is recommended that enter a value of at least 5 or lower.

In Find Time, the time span is set in seconds in which the maximum number of login attempts must have occurred in order to block the corresponding IP address.

In Ban Time, the time span is set in seconds, for which an IP address remains blocked.

The White List defines an IP address which is not blocked by fail2ban. Entering an IP address in whitelist is strongly recommended in order to prevent a "lock-out" from AskoziaPBX.

By activiating the checkbox at Public Access, IPs from rejected public access calls are blocked. This options adds a filter for rejected public access calls to Fail2ban. To prevent provider banning, it might be necessary to add a catch-all field to each provider as explained under Incoming Extensions in the Call Routing for Providers section of the Accounts chapter.

Bans shows which IP addresses are currently blocked, and since when and for how long they are blocked. If a high number of bans is listed in a short time, it can be assumed that an attempt was made to attack AskoziaPBX.

External firewall

Please note that the Askozia firewall does not replace a network firewall but provides additional protection for the PBX. The video below explains how to properly set up a network firewall based on the example of pfsense.

Secure Calling

Secure telephony denotes a VoIP connection that is secured by using the SIPS and SRTP protocols. It enables encrypted connection and an encrypted audio data transmission between and AskoziaPBX and a telephony device. The following video introduces secure calling with AskoziaPBX.

SIPS and SRTP require certificates for encrypted communication. AskoziaPBX can either create self-signed certificates, or the user can upload certificates from a third party. Both cases are discussed in the following subsections.

Choice of certificate type for secure calling

Creating self-signed certificates

To create self-signed certificates, select Self- signed certificates and click on Generate. This opens the input screen for the certificate data. The following data can be entered in the mask.

Generating a self-signed certificate
  • Country Name is an abbreviation of the country where your AskoziaPBX is located (for example, "DE" for Germany).
  • State or Province is the state where your AskoziaPBX is located.
  • City is the city where your AskoziaPBX is located.
  • Organization Name is the name of your company or organisation.
  • In Common Name, the IP address or the domain name is registered that is used by AskoziaPBX to set up the connections to the IP phones.
  • In Email Address, a valid e-mail address needs to be entered.
  • The field Certificate Validity specifies in days for how long the created certificate remains valid.

After the data has been entered, the certificate is created by clicking on Generate. Furthermore, an overview of the registered phones opens.

After you have saved your configuration by clicking the Save button at the end of the page, the certificate can be downloaded by clicking on the Download button.

Generated self-signed certificate

Clicking on Delete and subsequently on Save, deletes the certificate.

Uploading user-supplied certificates

In order to upload existing certificates, User Supplied Certificates needs to be selected. By doing so, three input fields appear for uploading the certificate data. After the respective files have been selected, they are uploaded by clicking on Upload. This opens an overview of the registered phones.  

Uploading user-supplied certificates for secure calling

Activating secure calling for phones

After certificates have been generated or uploaded, supported IP phones will be listed under Secure SIP phones. Secure calling can be activated for each phone individually. AskoziaPBX distinguishes between automatic and manual setup for secure calling. For automatic setup, using drag-and-drop is enough to activated secure calling. For manual setup, additional configuration via the phone's web interface is necessary.

SIP phones with activated secure calling

To enable secure calling, the respective phone accounts have to be pulled into the enabled column with drag-and-drop and the settings subsequently to be saved. In the telephone overview page, a Askozia lock.png will be displayed for all the phones with activated secure calling as shown in the example below. To deactivate secure calling for individual phones again, the respective accounts need to be pulled back into the disabled column and the settings to be saved.

Phone accounts overview after enabling secure calling

Furthermore, a distinction is made between Automatic Setup and Manual Setup. Phones listed in Automatic Setup won't need any other settings to activate secure calling. After clicking on Save, the phones restart and are provisioned with activated secure calling.

Phones that are listed in Manual Setup, require additional manual configuration on the phone itself. Please see the instructions listed below for the steps that are required to activate secure calling.

Web interface of a Gigaset DE700 IP Pro


If authentication is activated, supported IP phones will be configured to only accept connections from verified peers, i.e. certificates that are deemed trustworthy. This trust can either be expressed by the user explicitly trusting the certificate through the phones own interface, or implicitly if the certificate has been signed by a certification authority (CA) that is known by the phone. The second can only be offered for user-supplied certificates. Please check with the phone’s manufacturer which CAs are accepted.

Advanced options for secure calling


beroNet Gateways

AskoziaPBX supports beroNet VoIP Gateways and beroNet PCI/PCIe Gateway cards. A list of beroNet hardware which can be auto-configured with AskoziaPBX, can be found in the Supported Hardware chapter.

After activating beroNet Support under Advanced -> Miscellaneous, the Gateways options appear in the web interface in the Connectivity section.

Activation of beroNet Support for Interface Cards and Gateways

The following video explains how to configure beroNet gateways with AskoziaPBX.

Under Connectivity -> Gateways, click on Askozia add.png to add a new beroNet Gateway.

Create a new beroNet Gateway account

For connecting the gateway, enter the following settings.

  • Name of the remote gateway.
  • Remote IP is the gateway's IP address.
  • Remote Netmask is the gateway's netmask.
  • Remote Gateway is the network gateway, used by the beroNet gateway.
  • Username is the admin user name of the beroNet web interface.
  • Old Password is the current password, used for the gateway's web interface.
  • New Password of the web interface of the gateway.
Enter data for connecting with the gateway

Click connect to review the gateway's login information.

Gateway overview

Click save to finish the configuration and start the auto configuration of the gateway.

The gateway will appear in the overview.

List of connected Gateways

Once the gateway has received its configuration, its ports can be configured in the AskoziaPBX web interface under Telephony ports.

Gateway ports in the telephony ports list

General information for cards and gateways

This chapter provides general information about interface cards and gateways. For information about debugging interface cards, please check Debugging Interface Cards in the chapter Help for Integrators.


During configuration

After configuring the beroNet telephony ports, the interface card will start reconfiguring. During this time, the card will reboot and will not be functional. While reconfiguring, some status messages will appear next to the listed ports in the web interface. This also applies to devices and providers, connected to those ports.

configuring - Is shown while the interface card writes its configuration

reloading Configuration - Is shown while the new configuration is loaded

starting - Is shown while the card/gateway is rebooting

Numbering of the ports

In Askozia's web interface the ports are labeled the same as on the hardware.

beroNet cards and gateways can be provided with different hardware port configurations. Some of the configurations need Y-connectors (included if needed). Using these cables, allows to double the hardware ports. The cables have two jacks, labeled with A and B. This way port 1 can be split into 1A and 1B.

Numbering of the ports