[Asterisk-Dev] Re: [Asterisk-Users] Asterisk and SIP phones

John Paul Morrison jmorrison at bogomips.com
Thu Oct 7 11:17:51 MST 2004


NAT is unfortunately a necessary evil and will never go away, one that the
IETF theoretical types seem to ignore the reality of - witness SIP and IPsec
which have been forced to deal with the real world, something that should
have been considered from the start. 

I posted a hack to deal with SIP reinvites for working around NATs, and
asked for feedback on how to "properly" integrate this into Asterisk.

I think the best approach is to create a new sip.conf entry like
"natcontext" so you can have "natcontext=customer-1" for a group of devices,
"natcontext=customer-2" etc. so that an Asterisk administrator can better
control the way reinvites are issued. If you are operating a centralized
Asterisk SIP server (like an IP Centrex) - you want to have reinvite=no for
outside calls (to get through NAT, or for centralized control), but you
really want to have reinvite=yes for local calls, so a call to the office
next door does not go across the continent and back. (Or in my case, a
double bounce across a satellite link).

I'll code this but would appreciate some feedback. 



> -----Original Message-----
> From: asterisk-dev-bounces at lists.digium.com 
> [mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of 
> Benjamin on Asterisk Mailing Lists
> Sent: Wednesday, October 06, 2004 9:44 AM
> To: Michael Di Martino; Asterisk Developers Mailing List
> Subject: [Asterisk-Dev] Re: [Asterisk-Users] Asterisk and SIP phones
> 
> 
> On Wed, 6 Oct 2004 11:58:38 -0400, Michael Di Martino 
> <mdm at telx.com> wrote:
> > No I meant I am NOT opposed to setting up another Asterisk server. 
> > Please tell me more about that solution.
> 
> Rerun by popular demand ...
> 
> Benjk's law of VoIP NAT traversal:
> 
> 1) If you must use SIP, don't use NAT.
> 
> 2) If you must use NAT, use IAX instead of SIP
> 
> 3) If you cannot avoid either NAT or SIP, build a VPN 
> tunnel, preferably IPsec.
> 
> 
> and in more detail:
> 
> #2 SIP/IAX gateway
> 
> [SIP-phone1]---SIP--->[Asterisk1]===IAX===>[Asterisk2]---SIP--->[SIP-phone2]
> 
> The above is secure (against break-in not against 
> eavesdropping) and reliable.
> 
> Set up an Asterisk server at each location. Connect your SIP 
> phones as usual to their local Asterisk server. Set up IAX 
> peering between the two Asterisk servers (over the Internet, 
> including NAT traversal scenarios), then set up your dialplan 
> such that calls to remote phones are delivered through the 
> IAX peering link. Asterisk will do the work converting from 
> SIP to IAX and from IAX to SIP, the SIP phones will not be 
> aware there is an IAX link in between.
> 
> For more details, search the Wiki with keywords NAT traversal 
> and IAX peering.
> 
> #3 VPN tunnel
> 
> Scenario 1: standalone Windoze box with Xlite wants to 
> connect to remote Asterisk
> 
> [Xlite]---SIP--->[Network-layer]===PPTP===(internet)===>[PIX]---SIP--->[Asterisk]
> 
> Scenario 2: two LANs joined via VPN tunnel, Asterisk on one 
> side, phones on both
> 
> [SIP-phones]---SIP--->[PIX]===IPsec===>[PIX]---SIP--->[Asterisk]
> 
> Scenario 3: Like Scenario 2 but no money for PIX VPN license, 
> using IPsec pass-through
> 
> [SIP-phones]--SIP-->[Wolverine]==IPsec==[PIX]==IPsec==>[Wolverine]---SIP-->[Asterisk]
> 
> All of the above are secure (against break-in and 
> eavesdropping) and reliable.
> 
> rgds
> benjk
> 
> -- 
> Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 
> Shibuya, Tokyo, Japan.
> 
> NB: Spam filters in place. Messages unrelated to the * 
> mailing lists may get trashed. 
> 
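Added example, not part of the original post and not Asterisk code: a Python sketch of how the proposed "natcontext" setting could decide whether a reinvite is issued for a call. The rule used here (same natcontext means reinvite, a natcontext on only one side or differing values means media stays on Asterisk, otherwise the [general] default applies) is an assumption, as are the peer names and the constructed sip.conf text.

```python
import configparser

# Constructed sip.conf fragment. "natcontext" is the option proposed in the
# post (hypothetical); "canreinvite" is chan_sip's existing reinvite switch.
SAMPLE_SIP_CONF = """
[general]
canreinvite=no

[office-a-101]
host=dynamic
natcontext=customer-1

[office-a-102]
host=dynamic
natcontext=customer-1

[office-b-201]
host=dynamic
natcontext=customer-2

[pstn-gateway]
host=192.0.2.10

[carrier-trunk]
host=192.0.2.20
"""

def load_peers(text):
    """Return (global reinvite default, {peer name: natcontext or None})."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    default = cp.get("general", "canreinvite", fallback="yes").lower() == "yes"
    peers = {name: cp.get(name, "natcontext", fallback=None)
             for name in cp.sections() if name != "general"}
    return default, peers

def may_reinvite(default, peers, caller, callee):
    """True if RTP may be redirected to flow directly between the two peers."""
    a, b = peers[caller], peers[callee]   # KeyError for an unknown peer
    if a is not None and a == b:
        return True       # same NAT domain: keep media local
    if a is not None or b is not None:
        return False      # crosses a NAT boundary: media stays on Asterisk
    return default        # neither peer is tagged: fall back to [general]
```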



