[Asterisk-Dev] How IAX works behind the firewall

Rich Adamson radamson at routers.com
Mon Jul 12 05:17:10 MST 2004

> >>IAX uses a single port (4569 udp) - firewalls are different to NATs and 
> >>IAX's ability to get through is entirely dependent on the firewall 
> >>rules. Same goes for SIP although there are 2 ports in that case
> >>
> >>Shanmuganathan Kumaravel wrote:
> >>
> >>>Hi there,
> >>>
> >>>    Can anyone suggest, how IAX works behind the firewall. Also is it possible to do
> >>>the SIP crossing the firewall.
> >>>
> >>>Regards
> >>>Shan  
> >>>
> > 
> > 
> > Actually, with SIP you will need 3 ports.   1 for control (5060) and two for RTP.
> > 
> That's H.323 I believe, SIP just uses one RTP port as stated in SDP payloads

SIP 'will' require three ports for most calls...
 - udp5060 for the sip protocol (eg, handshaking)
 - udpXXXX for outbound rtp audio (specific port selected by *)
 - udpYYYY for inbound rtp audio (specific port selected by the remote device)

 XXXX is config'ed in rtp.conf as something like rtpstart=10000 & rtpend=20000
 YYYY is config'ed in a remote device (C7960's start_media_port and
      end_media_port in SIPDefault.cnf)

The values of XXXX and YYYY are not specified in any RFC, and therefore
are left up to the implementor to select a specific range of ports.
Cisco uses a different range than does Xten, than does Grandstream, etc.

In some cases, you can change the port range in use to limit it
to specific wanted ports making it somewhat easier to handle in
some firewall forwarding rules. If the firewall is sip-aware, it makes
things even more interesting as the firewall will inspect the contents
of the sip rtp-negotiation packets and open the appropriate ports on
your behalf.
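
The inspection a SIP-aware firewall performs, as described in the last paragraph above, sketched as an added example that is not part of the original post: it reads the audio address and port from each side's SDP and derives the two UDP flows to permit for that one call, refusing a local port outside the rtp.conf range. The messages, addresses, and function names are constructed for illustration, and the sketch assumes Asterisk sent the INVITE.

```python
import re

# Constructed SIP messages (not captured traffic); RFC 5737 documentation addresses.
INVITE = ("INVITE sip:200@198.51.100.20 SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 10412 RTP/AVP 0 101\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 16390 RTP/AVP 0\r\n")
RTP_CONF = "[general]\nrtpstart=10000 ; first RTP port\nrtpend=20000\n"

def parse_rtp_conf(text):
    """Return (rtpstart, rtpend) from rtp.conf text, ignoring ';' comments."""
    vals = {}
    for line in text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep:
            vals[key.strip().lower()] = value.strip()
    return int(vals["rtpstart"]), int(vals["rtpend"])

def sdp_audio_endpoint(sip_message):
    """Return the (ip, port) announced for audio in the message's SDP, or None."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_ip = media_ip = port = None
    section = "session"                      # lines before the first m= are session-level
    for line in body.splitlines():
        if line.startswith("m="):
            m = re.match(r"m=audio (\d+) RTP/", line)
            section = "audio" if (m and port is None) else "other"
            if section == "audio":
                port = int(m.group(1))
        elif line.startswith("c=IN IP4 "):
            if section == "session":
                session_ip = line.split()[2]
            elif section == "audio":         # media-level c= overrides session-level
                media_ip = line.split()[2]
    ip = media_ip or session_ip
    return (ip, port) if ip and port else None   # port 0 means the stream was declined

def pinholes(offer, answer, rtp_conf):
    """Return the (src_ip, dst_ip, dst_udp_port) flows to permit for this one call."""
    local, remote = sdp_audio_endpoint(offer), sdp_audio_endpoint(answer)
    if local is None or remote is None:
        return []                            # no audio agreed: open nothing
    lo, hi = parse_rtp_conf(rtp_conf)
    if not lo <= local[1] <= hi:
        raise ValueError(f"local RTP port {local[1]} outside rtp.conf range {lo}-{hi}")
    return [(remote[0], local[0], local[1]), (local[0], remote[0], remote[1])]
```
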
