[asterisk-bugs] [Asterisk 0018757]: SIP RTP with 2 UA and Asterisk all NATTED through a stateful (but not SIP aware) firewall

Asterisk Bug Tracker noreply at bugs.digium.com
Sun Feb 6 08:38:37 CST 2011


The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18757 
====================================================================== 
Reported By:                dercol
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18757
Category:                   Core/RTP
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:           1.8.2.3 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2011-02-06 08:38 CST
Last Modified:              2011-02-06 08:38 CST
====================================================================== 
Summary:                    SIP RTP with 2 UA and Asterisk all NATTED through a
stateful (but not SIP aware) firewall
Description: 
The situation I'm going to describe is a situation where 2 user agents are
NATted behind a NAT firewall, and Asterisk is also NATted. canreinvite=no
so the media stream is handled by Asterisk. Asterisk is 1.8.2.1

B is one User Agent
C is the other
A is Asterisk

B and C are registered to the Asterisk with their public IP via STUN
server

B calls C via the Asterisk box.
So on port 5060 UDP, B sends an INVITE to the Asterisk (A) box with
indication of the UDP ports for the RTP stream of the UA (B), Asterisk
rings the endpoint C (the endpoint C is reachable if the firewall that is
NATting endpoint C knows about an active session on port 5060 between
endpoint C and Asterisk A).
When endpoint C answers, Asterisk tries to start an RTP media session from
Asterisk to endpoint B (with parameters included in the INVITE from
endpoint B).
The issue is that the firewall doesn't know anything about the new session
starting from A to B because from the firewall's point of view it is a new
session coming from outside to the inside so it simply disallows it. The
only manner Asterisk (A) can instance an RTP stream to endpoint B is that
endpoint B firstly starts an RTP session to Asterisk, so UDP packets
flowing from Asterisk to B are recognized by the firewall as RELATED to a
request from the SIP UA endpoint.
The question is:
How is it possible to tell Asterisk not to start the RTP connection to the
B endpoint? (and even to the A endpoint that suffers from the same issue) but
to force user agents to start the communication?
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-02-06 08:38 dercol         New Issue                                    
2011-02-06 08:38 dercol         Asterisk Version          => 1.8.2.3         
2011-02-06 08:38 dercol         Regression                => No              
2011-02-06 08:38 dercol         SVN Branch (only for SVN checkouts, not tarball
releases) => N/A             
======================================================================
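
The firewall behaviour described in the report, as an added example that is not part of the original report or of Asterisk: a small model of stateful UDP tracking showing why RTP from A to B is dropped until B has sent RTP first. The class name, addresses, ports and the 30-second idle timeout are assumptions made for illustration, and address translation is left out.

```python
import ipaddress

class StatefulUdpFirewall:
    """Constructed model: inbound UDP passes only if it matches a flow
    that an inside host opened first. Address translation is not modelled."""

    def __init__(self, inside_net, idle_timeout=30):
        self.inside = ipaddress.ip_network(inside_net)
        self.idle_timeout = idle_timeout  # assumed UDP state lifetime, seconds
        self.flows = {}  # (in_ip, in_port, out_ip, out_port) -> last seen time

    def handle(self, now, src, sport, dst, dport):
        """Return True when the packet is forwarded, False when dropped."""
        if ipaddress.ip_address(src) in self.inside:
            # Outbound traffic is allowed and creates or refreshes state.
            self.flows[(src, sport, dst, dport)] = now
            return True
        key = (dst, dport, src, sport)
        seen = self.flows.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.flows.pop(key, None)  # no state, or state expired
            return False
        self.flows[key] = now
        return True

# Constructed sample values: B is the NATted user agent, A is Asterisk.
B, A = "192.168.1.10", "203.0.113.5"
B_RTP, A_RTP = 40000, 10000  # RTP ports as they would be offered in SDP

def replay():
    """Replay the call from the report against B's firewall."""
    fw = StatefulUdpFirewall("192.168.1.0/24")
    return {
        "INVITE B->A": fw.handle(0, B, 5060, A, 5060),
        "SIP reply A->B": fw.handle(1, A, 5060, B, 5060),
        "RTP A->B before B sends": fw.handle(2, A, A_RTP, B, B_RTP),
        "RTP B->A": fw.handle(3, B, B_RTP, A, A_RTP),
        "RTP A->B after B sends": fw.handle(4, A, A_RTP, B, B_RTP),
        "RTP A->B after 60 s idle": fw.handle(64, A, A_RTP, B, B_RTP),
    }

if __name__ == "__main__":
    for step, forwarded in replay().items():
        print(f"{step:28} {'forwarded' if forwarded else 'DROPPED'}")
```

The SIP state on port 5060 does not cover the RTP ports, so each RTP flow needs its own outbound packet from B, and that state has to be refreshed before the firewall's idle timer expires.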



