Fwd: FW: [Asterisk-Users] SIP NAT question
asterisk at klarium.com
Wed Aug 13 22:58:28 MST 2003
Just in case other people on the list have this problem...
Begin forwarded message:
> From: "George Lin" <glin at cosini.com>
> Date: Thu Aug 14, 2003 6:54:46 AM Europe/Budapest
> To: "Paul Cheng" <asterisk at klarium.com>
> Subject: RE: FW: [Asterisk-Users] SIP NAT question
> Dear Paul,
> Thanks for the suggestion. It works now.
> Thank you very much.
> George Lin
> -----Original Message-----
> From: Paul Cheng [mailto:asterisk at klarium.com]
> Sent: Wednesday, August 13, 2003 2:54 PM
> To: George Lin
> Subject: Re: FW: [Asterisk-Users] SIP NAT question
> What kind of router do you have? That makes a huge difference!
> Try the qualify first and the restart Asterisk and wait for the SIP UAs
> to register. Then run Asterisk in command line (asterisk -vvvvcr) and
> do a sip show peers. You should see each UA and then their status
> (hopefully they say OK (x ms)).
> Now try dial each extension to see if that worked.
> If the problem still exists, then e-mail me again with your router type
> and we can go from there.
> On Wednesday, August 13, 2003, at 11:58 PM, George Lin wrote:
>> Dear Paul,
>> Thanks for the note. SO what should I configure the router at my
>> router ??
>> I will add qualify=yes in each entry at sip.conf.
>> In our case, we already shutdown the firewall, only the NAT. for such
>> what should we configure the router ? what is your experience with
>> router ??
>> George Lin
>> -----Original Message-----
>> From: asterisk-users-admin at lists.digium.com
>> [mailto:asterisk-users-admin at lists.digium.com]On Behalf Of Paul Cheng
>> Sent: Wednesday, August 13, 2003 1:38 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [Asterisk-Users] SIP NAT question
>> Hi George,
>> Do you have qualify=yes set in sip.conf for your phones?
>> When you check sip show peers, does it give you an OK (X ms) or does
>> say UNREACHABLE or UNMONITORED?
>> If you enable qualify=yes or qualify=[some number] then Asterisk will
>> poll the SIP UA every once in a while to make sure it is still
>> reachable. This may or may not work. In some cases, if the UA doesn't
>> support the SIP OPTIONS correctly, it will come back and Asterisk will
>> think it is unreachable until it sends another register command. In
>> other cases, it helps keep the ports open on the firewall.
>> BTW, we have successfully tested NAT with multiple user agents as you
>> describe with pretty much plug and play with Linksys, SMC,
>> Shorewall/Linux and various other NAT router/fw devices with great
>> success. Thus far, we've only had problems with DrayTek routers
>> mangling the UDP packets. In those cases, the UAs registered
>> successfully and all inbound calls worked, but outbound calls did not
>> as the UDP/RTP streams weren't getting handled correctly by the
>> They have an updated firmware that solves this problem, but we haven't
>> finished testing it.
>> On Wednesday, August 13, 2003, at 09:25 PM, Adams, Gavin wrote:
>>>> From: George Lin [mailto:glin at cosini.com]
>>>> I want to deploy multiple SIPs phone in our office. And we have
>>>> firewall at our office router(with ip 211.x.x.x). we have deployed
>>>> asterisk with IP 218.x.x.x.
>>>> All SIP phones have 192.x.x.x.
>>> We have something similar George, * sits outside the firewall with a
>>> registered IP address, the SIP phones sit behind the firewall with
>>> 172.16.x.x addresses.
>>>> When the SIP phone is power on, they are registered in the asterisk.
>>>> check at asterisk side by issueing "sip show peers", and all the
>>>> associated with 211.x.x.x:port-number.
>>> Sounds familiar. Question, do you hide all the phones behind a single
>>> address, or does each phone get a unique address? Also, what type of
>>>> Now some times the sip can receive call, and some time it cannot
>>>> call. When we dumping the sip log, and see that asterisk tried to
>>>> specified SIP phone with the 211.x.x.x:port-number, and was failed
>>> after 5
>>>> times. But the call orginated from SIP phone is always OK.
>>> Yup, what we initially found. Basically, we started by attempting to
>>> hide all the phones behind a single IP address. In this case, make
>>> you uniquely assign the control port (by default UDP 5060) to
>>> different for each phone.
>>> We use FireWall-1 (older version) that doesn't play nice with "hide
>>> NAT". Basically, it would timeout UDP connections after 40 seconds of
>>> activity. Not good unless you reduce the reregister time to something
>>> crazy like 30 seconds. Check to see how your firewall/NAT device
>>> [P]NAT translation.
>>>> Questions are:
>>>> 1. Does asterisk remember the mapping between 192.x.x.x AND
>>>> 211.x.x.x:port-number ?
>>> It shouldn't. It might see the 192.x.x.x address in the SIP
>>> conversations, but even if it did, it would not be able to route the
>>> packets back.
>>>> 2. When a call to a sip phone, is it asterisk responsiblility to map
>>>> 211.x.x.x:port-number to the 192.x.x.x, and send to the office
>>> ? OR
>>>> it is the office router to remeber all the mapping between each sip
>>>> 192.x.x.x and 211.x.x.x:port-number, and asterisk juts sends the
>>>> 211.x.x.x:port-number to the office router ??
>>> Asterisk should attempt to contact the phone based upon the IP and
>>> seen during a 'sip show peers'. Network device responsible for any
>>> all translations.
>>>> 3. If it is the office router's responsiblity, what should we
>>>> office router even there is no firewall???
>>> Unsure about this, I'd focus more on the NAT device. Can you describe
>>> the topology from the SIP phone to *?
>>> --- Gavin
>>> Asterisk-Users mailing list
>>> Asterisk-Users at lists.digium.com
>> Asterisk-Users mailing list
>> Asterisk-Users at lists.digium.com
More information about the asterisk-users