Fwd: FW: [Asterisk-Users] SIP NAT question

[Paul Cheng]

Just in case other people on the list have this problem...

Begin forwarded message:

> From: "George Lin" <glin at cosini.com>
> Date: Thu Aug 14, 2003  6:54:46  AM Europe/Budapest
> To: "Paul Cheng" <asterisk at klarium.com>
> Subject: RE: FW: [Asterisk-Users] SIP NAT question
>
> Dear Paul,
>
> Thanks for the suggestion. It works now.
>
> Thank you very much.
>
> George Lin
>
> -----Original Message-----
> From: Paul Cheng [mailto:asterisk at klarium.com]
> Sent: Wednesday, August 13, 2003 2:54 PM
> To: George Lin
> Subject: Re: FW: [Asterisk-Users] SIP NAT question
>
>
> What kind of router do you have? That makes a huge difference!
>
> Try the qualify first and the restart Asterisk and wait for the SIP UAs
> to register. Then run Asterisk in command line (asterisk -vvvvcr) and
> do a sip show peers. You should see each UA and then their status
> (hopefully they say OK (x ms)).
>
> Now try dial each extension to see if that worked.
>
> If the problem still exists, then e-mail me again with your router type
> and we can go from there.
>
> On Wednesday, August 13, 2003, at 11:58  PM, George Lin wrote:
>
>> Dear Paul,
>>
>> Thanks for the note. SO what should I configure the router at my 
>> office
>> router ??
>>
>> I will add qualify=yes in each entry at sip.conf.
>>
>> In our case, we already shutdown the firewall, only the NAT. for such
>> case,
>> what should we configure the router ? what is your experience with 
>> your
>> router ??
>>
>> Thanks,
>>
>> George Lin
>>
>> -----Original Message-----
>> From: asterisk-users-admin at lists.digium.com
>> [mailto:asterisk-users-admin at lists.digium.com]On Behalf Of Paul Cheng
>> Sent: Wednesday, August 13, 2003 1:38 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [Asterisk-Users] SIP NAT question
>>
>>
>> Hi George,
>>
>> Do you have qualify=yes set in sip.conf for your phones?
>>
>> When you check sip show peers, does it give you an OK (X ms) or does 
>> it
>> say UNREACHABLE or UNMONITORED?
>>
>> If you enable qualify=yes or qualify=[some number] then Asterisk will
>> poll the SIP UA every once in a while to make sure it is still
>> reachable. This may or may not work. In some cases, if the UA doesn't
>> support the SIP OPTIONS correctly, it will come back and Asterisk will
>> think it is unreachable until it sends another register command. In
>> other cases, it helps keep the ports open on the firewall.
>>
>> BTW, we have successfully tested NAT with multiple user agents as you
>> describe with pretty much plug and play with Linksys, SMC,
>> Shorewall/Linux and various other NAT router/fw devices with great
>> success. Thus far, we've only had problems with DrayTek routers
>> mangling the UDP packets. In those cases, the UAs registered
>> successfully and all inbound calls worked, but outbound calls did not
>> as the UDP/RTP streams weren't getting handled correctly by the 
>> router.
>> They have an updated firmware that solves this problem, but we haven't
>> finished testing it.
>>
>> On Wednesday, August 13, 2003, at 09:25  PM, Adams, Gavin wrote:
>>
>>>> From: George Lin [mailto:glin at cosini.com]
>>>>
>>>> I want to deploy multiple SIPs phone in our office. And we have
>>> shutdown
>>>> the
>>>> firewall at our office router(with ip 211.x.x.x). we have deployed
>>>> the
>>>> asterisk with IP 218.x.x.x.
>>>>
>>>> All SIP phones have 192.x.x.x.
>>>
>>> We have something similar George, * sits outside the firewall with a
>>> registered IP address, the SIP phones sit behind the firewall with
>>> 172.16.x.x addresses.
>>>
>>>> When the SIP phone is power on, they are registered in the asterisk.
>>> we
>>>> can
>>>> check at asterisk side by issueing "sip show peers", and all the
>>> phones
>>>> are
>>>> associated with 211.x.x.x:port-number.
>>>
>>> Sounds familiar. Question, do you hide all the phones behind a single
>>> IP
>>> address, or does each phone get a unique address? Also, what type of
>>> firewall?
>>>
>>>> PRoblem:
>>>> Now some times the sip can receive call, and some time it cannot
>>> recieve
>>>> call. When we dumping the sip log, and see that asterisk tried to
>>> INVITE
>>>> the
>>>> specified SIP phone with the 211.x.x.x:port-number, and was failed
>>> after 5
>>>> times. But the call orginated from SIP phone is always OK.
>>>
>>> Yup, what we initially found. Basically, we started by attempting to
>>> hide all the phones behind a single IP address. In this case, make
>>> sure
>>> you uniquely assign the control port (by default UDP 5060) to
>>> something
>>> different for each phone.
>>>
>>> We use FireWall-1 (older version) that doesn't play nice with "hide
>>> NAT". Basically, it would timeout UDP connections after 40 seconds of
>>> no
>>> activity. Not good unless you reduce the reregister time to something
>>> crazy like 30 seconds. Check to see how your firewall/NAT device
>>> handles
>>> [P]NAT translation.
>>>
>>>>
>>>> Questions are:
>>>>
>>>> 1. Does asterisk remember the mapping between 192.x.x.x AND
>>>> 211.x.x.x:port-number ?
>>>
>>> It shouldn't. It might see the 192.x.x.x address in the SIP
>>> conversations, but even if it did, it would not be able to route the
>>> packets back.
>>>
>>>> 2. When a call to a sip phone, is it asterisk responsiblility to map
>>> the
>>>> 211.x.x.x:port-number to the 192.x.x.x, and send to the office 
>>>> router
>>> ? OR
>>>> it is the office router to remeber all the mapping between each sip
>>> phone
>>>> 192.x.x.x and 211.x.x.x:port-number, and asterisk juts sends the
>>>> 211.x.x.x:port-number to the office router ??
>>>
>>> Asterisk should attempt to contact the phone based upon the IP and
>>> port
>>> seen during a 'sip show peers'. Network device responsible for any 
>>> and
>>> all translations.
>>>
>>>> 3. If it is the office router's responsiblity, what should we
>>> configure
>>>> the
>>>> office router even there is no firewall???
>>>
>>> Unsure about this, I'd focus more on the NAT device. Can you describe
>>> the topology from the SIP phone to *?
>>>
>>> Regards,
>>>
>>> --- Gavin
>>> _______________________________________________
>>> Asterisk-Users mailing list
>>> Asterisk-Users at lists.digium.com
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>
>> _______________________________________________
>> Asterisk-Users mailing list
>> Asterisk-Users at lists.digium.com
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>