[Asterisk-Users] A solution for SIP and NAT

Michael Kane mkane at to-talk.com
Wed Jul 2 04:37:21 MST 2003


At the end of the day we all probably can get SIP and NAT to work together
if we spend TIME configuring our NAT boxes and SIP devices to negotiate the
traversal of a NAT.  In the end result, the WAN IP must be correctly
added to the contact table (sipd) or location table (SER), allowing the proxy
to route a call destined for that UA.  Now, my dilemma as a service provider
is how do I document this for every SIP device out there where my mother can
purchase a UA device, plug it in, and start placing calls without putting on
a poodle suit and jumping through flaming hoops.  That's why (for me) it becomes
an operational nightmare, not only to document vendor configs (if they
support NAT traversal), but then to support the end user on how to config
their devices.  That's why I have looked into (implemented) technologies
such as STUN and probably will be forced to purchase a SIP aware firewall that
will spoof and re-arrange SIP messages destined for my proxy server.



Michael Kane
To-Talk Communications LLC.
37 Sandusky Dr.
Wareham, Ma. 02571
www.to-talk.com
508-295-2826
----- Original Message ----- 
From: "Andrew Radke" <andrew at radke.iig.com.au>
To: <asterisk-users at lists.digium.com>
Cc: <sarp-devel at lists.sourceforge.net>
Sent: Wednesday, July 02, 2003 5:46 AM
Subject: Re: [Asterisk-Users] A solution for SIP and NAT


> Ok I guess it's time for me to weigh in on this since I started the
> whole thing and am the main developer of SaRP.
>
> NAT and SIP _can_ work okay under very very restricted circumstances.
> Multiple SIP UAs behind one NATed IP _can_ work okay with a very
> intelligent router/firewall.
>
> BUT, not everyone can afford Cisco gear. Not everyone needs Cisco gear.
> A home user wanting to talk via a public network to an office SIP device
> does NOT need or want Cisco or other high end gear just so he can talk
> and also will still want to be able to talk to users on the net.
>
> So now that I've presented my arguments I'm going to lay out some of
> the technical stuff. If you have a fancy SIP aware Cisco router at home
> between your two PCs and the Internet then apparently you can ignore all
> of this.
>
> Example UA: X-Lite/X-Pro
>    This UA will be sending RTP data from a different dynamic port to what
>    it will receive on. This will not NAT no matter what you do since the
>    incoming RTP data will never be associated with the outgoing data by
>    your router. The outside user will get your audio but nothing will
>    come back.
>
> Example users: two people on one IP that want to be directly contactable
>    The only way to do this is have every UA on a different forwarded port
>    for each UA. i.e. sip:user1@domain.com:5060, sip:user2@domain.com:5061
>    I want my sip url to be just like an email address, after all that's
>    how they were designed. i.e. user1|user2|...@domain.com
>
> Example security: hmmm....
>    SIP breaks just about every security policy on the planet. What were
>    the people thinking! I don't know any business (other than VoIP
>    dedicated companies) that would allow SIP traffic directly in/out from
>    a client PC! And Asterisk isn't much better. Not because there is
>    anything wrong with it but because it is a big complex piece of
>    software. You should ALWAYS have something sit in between it and an
>    untrusted network. And while you're at it DON'T leak your internal
>    network addresses/configuration to the outside world!
>
> Okay, I can go on for quite a while longer. Let's just say that there is
> a lot of smarts in routers that can handle SIP but even with that
> you're not going to be able to do any of this except the first item.
>
> Regards,
>
> Andrew Radke
>
> John Todd wrote:
>
> >
> > You may be correct about the Via: header, but you're incorrect in the
> > concept as to how it relates to Asterisk, notably in your reversal of
> > what side of the transaction is putting data in the Via: header to make
> > SIP work correctly.
> >
> > This is cluttering up the list.  Talk to me off line if you want a
> > better understanding of how NAT and SIP work with Cisco devices.
> >
> > Again, for those of you who might be trying to figure out what the
> > result of this conversation is:  SIP clients behind NAT work fine in
> > both directions (incoming and outgoing calls), Asterisk makes it work,
> > it's not using STUN.  Cisco devices work especially well.
> >
> > JT
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
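
The addressing problem discussed in this thread, as an added example (not code from any poster, nor from Asterisk, SER or SaRP): a check that compares the addresses a UA wrote into its Via, Contact and SDP c= lines with the source address the proxy saw on the wire. The sample REGISTER, example.net and the 203.0.113.7 WAN address are constructed.

```python
import ipaddress
import re

# Constructed sample: REGISTER from a UA behind NAT (names and addresses are made up).
REGISTER = (
    "REGISTER sip:example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:user1@example.net>;tag=1928301774\r\n"
    "To: <sip:user1@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:user1@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)")
FIELDS = {"via": "Via", "v": "Via", "contact": "Contact", "m": "Contact"}  # long and compact forms
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def advertised_addresses(message):
    """Yield (field, ip) for addresses the UA wrote into Via, Contact and SDP c= lines."""
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        field = FIELDS.get(name.strip().lower())
        if field:
            yield from ((field, ip) for ip in IPV4.findall(value))
    for line in body.splitlines():
        if line.startswith("c="):                # SDP connection address used for RTP
            yield from (("SDP c=", ip) for ip in IPV4.findall(line))


def nat_findings(message, source_ip):
    """Compare advertised addresses with the source address the proxy saw on the wire."""
    findings = []
    for field, ip in advertised_addresses(message):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # digits that are not a valid IPv4 address
        if any(addr in net for net in RFC1918):
            findings.append((field, ip, "private address exposed"))
        elif ip != source_ip:
            findings.append((field, ip, "differs from packet source"))
    return findings


if __name__ == "__main__":  # 203.0.113.7 stands in for the NAT's WAN address
    print(nat_findings(REGISTER, "203.0.113.7"))
```

Any finding on Contact means the registrar would store an address it cannot route to unless the UA, the NAT device or the proxy corrects it; a finding on the SDP c= line is the same problem for the RTP stream.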



