[Asterisk-Users] SIP NAT question

Adams, Gavin gadams at promisant.com
Wed Aug 13 12:25:44 MST 2003


> From: George Lin [mailto:glin at cosini.com]
> 
> I want to deploy multiple SIPs phone in our office. And we have
shutdown
> the
> firewall at our office router(with ip 211.x.x.x). we have deployed the
> asterisk with IP 218.x.x.x.
> 
> All SIP phones have 192.x.x.x.

We have something similar George, * sits outside the firewall with a
registered IP address, the SIP phones sit behind the firewall with
172.16.x.x addresses.

> When the SIP phone is power on, they are registered in the asterisk.
we
> can
> check at asterisk side by issueing "sip show peers", and all the
phones
> are
> associated with 211.x.x.x:port-number.

Sounds familiar. Question, do you hide all the phones behind a single IP
address, or does each phone get a unique address? Also, what type of
firewall?

> PRoblem:
> Now some times the sip can receive call, and some time it cannot
recieve
> call. When we dumping the sip log, and see that asterisk tried to
INVITE
> the
> specified SIP phone with the 211.x.x.x:port-number, and was failed
after 5
> times. But the call orginated from SIP phone is always OK.

Yup, what we initially found. Basically, we started by attempting to
hide all the phones behind a single IP address. In this case, make sure
you uniquely assign the control port (by default UDP 5060) to something
different for each phone.

We use FireWall-1 (older version) that doesn't play nice with "hide
NAT". Basically, it would timeout UDP connections after 40 seconds of no
activity. Not good unless you reduce the reregister time to something
crazy like 30 seconds. Check to see how your firewall/NAT device handles
[P]NAT translation.

> 
> Questions are:
> 
> 1. Does asterisk remember the mapping between 192.x.x.x AND
> 211.x.x.x:port-number ?

It shouldn't. It might see the 192.x.x.x address in the SIP
conversations, but even if it did, it would not be able to route the
packets back.

> 2. When a call to a sip phone, is it asterisk responsiblility to map
the
> 211.x.x.x:port-number to the 192.x.x.x, and send to the office router
? OR
> it is the office router to remeber all the mapping between each sip
phone
> 192.x.x.x and 211.x.x.x:port-number, and asterisk juts sends the
> 211.x.x.x:port-number to the office router ??

Asterisk should attempt to contact the phone based upon the IP and port
seen during a 'sip show peers'. Network device responsible for any and
all translations.

> 3. If it is the office router's responsiblity, what should we
configure
> the
> office router even there is no firewall???

Unsure about this, I'd focus more on the NAT device. Can you describe
the topology from the SIP phone to *?

Regards,

--- Gavin



More information about the asterisk-users mailing list