[asterisk-bugs] [Asterisk 0018757]: SIP RTP with 2 UA and Asterisk all NATTED through a stateful (but not SIP aware) firewall

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Feb 8 16:06:56 CST 2011


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18757 
====================================================================== 
Reported By:                dercol
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18757
Category:                   Core/RTP
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     feedback
Asterisk Version:           1.8.2.3 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2011-02-06 08:38 CST
Last Modified:              2011-02-08 16:06 CST
====================================================================== 
Summary:                    SIP RTP with 2 UA and Asterisk all NATTED through a
stateful (but not SIP aware) firewall
Description: 
The situation I'm going to describe is one where 2 user agents are
NATted behind a NAT firewall, and Asterisk is also NATted. canreinvite=no,
so the media stream is handled by Asterisk. Asterisk is 1.8.2.1.

B is one User Agent
C is the other
A is Asterisk

B and C are registered to Asterisk with their public IPs via a STUN
server.

B calls C via the Asterisk box.
So on port 5060 UDP, B sends an INVITE to the Asterisk (A) box with
an indication of the UDP ports for the RTP stream of the UA (B); Asterisk
rings endpoint C (endpoint C is reachable if the firewall that is
NATting endpoint C knows about an active session on port 5060 between
endpoint C and Asterisk A).
When endpoint C answers, Asterisk tries to start an RTP media session from
Asterisk to endpoint B (with the parameters included in the INVITE from
endpoint B).
The issue is that the firewall doesn't know anything about the new session
starting from A to B, because from the firewall's point of view it is a new
session coming from outside to the inside, so it simply disallows it. The
only way Asterisk (A) can instantiate an RTP stream to endpoint B is if
endpoint B first starts an RTP session to Asterisk, so that UDP packets
flowing from Asterisk to B are recognized by the firewall as RELATED to a
request from the SIP UA endpoint.
The question is:
How is it possible to tell Asterisk not to start the RTP connection to the
B endpoint (and even to the A endpoint, which suffers from the same issue),
but to force the user agents to start the communication?
====================================================================== 

---------------------------------------------------------------------- 
 (0131712) dercol (reporter) - 2011-02-08 16:06
 https://issues.asterisk.org/view.php?id=18757#c131712 
---------------------------------------------------------------------- 
Thank you for your answer; really, I want to keep Asterisk on the media path,
so I like to have canreinvite=no.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-02-08 16:06 dercol         Note Added: 0131712                          
======================================================================
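
The firewall behaviour described in the report, as an added example that is
not part of the original message or of Asterisk: a minimal model of a
stateful, non-SIP-aware UDP firewall in front of endpoint B, replaying the
call setup packet by packet. It models state tracking only, not address
translation; the addresses, ports and 30 s idle timeout are constructed
assumptions.

```python
# Added illustration: stateful UDP filtering as seen by B's firewall.
# Addresses, ports and the idle timeout below are constructed assumptions.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # assumed lifetime of an idle UDP state entry, seconds


@dataclass
class StatefulUdpFirewall:
    # (inside_ip, inside_port, outside_ip, outside_port) -> last-seen time
    flows: dict = field(default_factory=dict)

    def outbound(self, src, dst, now):
        """Inside host sends: always allowed, creates or refreshes state."""
        self.flows[(*src, *dst)] = now
        return "ALLOW"

    def inbound(self, src, dst, now):
        """Outside host sends: allowed only as a reply on a live flow."""
        key = (*dst, *src)
        seen = self.flows.get(key)
        if seen is None or now - seen > IDLE_TIMEOUT:
            self.flows.pop(key, None)  # expired or never created
            return "DROP"
        self.flows[key] = now
        return "ALLOW"


def simulate():
    """Replay the call from the report; returns (step, verdict) pairs."""
    fw = StatefulUdpFirewall()
    b_sip, b_rtp = ("10.0.0.10", 5060), ("10.0.0.10", 10000)      # UA B
    a_sip, a_rtp = ("198.51.100.5", 5060), ("198.51.100.5", 20000)  # Asterisk
    return [
        ("B->A INVITE", fw.outbound(b_sip, a_sip, 0.0)),
        ("A->B 200 OK", fw.inbound(a_sip, b_sip, 1.0)),
        # SIP state on 5060 does not cover the RTP ports named in the SDP.
        ("A->B RTP first", fw.inbound(a_rtp, b_rtp, 1.1)),
        ("B->A RTP", fw.outbound(b_rtp, a_rtp, 1.2)),
        ("A->B RTP after B sent", fw.inbound(a_rtp, b_rtp, 1.3)),
        # Silence longer than the timeout removes the state again.
        ("A->B RTP after idle", fw.inbound(a_rtp, b_rtp, 60.0)),
    ]


if __name__ == "__main__":
    for step, verdict in simulate():
        print(f"{step:24} {verdict}")
```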



