[Asterisk-Users] NAT router and off-premise SIP audio problem

Rich Adamson radamson at routers.com
Sat Nov 1 06:52:50 MST 2003


Jim,

> Off-premise SIPs are all behind simple NAT routers.
> 
> Off-premise SIPs have been able to receive calls from and make calls 
> through the PSTN. No problem. Calls between on-premise SIPs, not a problem.
> Calls between off-premise SIPs and any other SIPs connected to the server 
> are a problem... they ring up but no audio is passed in either direction.
> 
> SIP.CONF has NAT=YES.
> 
> We presume that a dedicated IP address for the Asterisk server would resolve
> this but we would like to avoid the extra expense.
> 
> What are we missing? TIA.

It's the same problem that lots of others have posted about for months,
and basically relates to not understanding the sip protocol during call
setup. From a 10,000 foot view, here's what happens during call setup:
 1. sip phone A dials sip phone B (communicates with * on udp 5060)
 2. asterisk tells phone A to contact B directly (on udp 5060) and phone
    A does that (works since phone A is behind the nat box and is allowed
    the outbound dataflow)
 3. phone A and phone B negotiate to establish the RTP channel (on some 
    other udp port that is "dependent" upon the phone manufacturer)
 4. phone A is allowed to communicate on that RTP port through the 
    outbound nat box.
 5. phone B is "not" allowed to pass inbound through the nat box on the
    chosen RTP port (since RTP is used for voice, it fails).

That last step is the problem.

You only have three choices today to fix the RTP problem in your case:
 1. use the canreinvite=no statement on the phone definitions in
    sip.conf (which then forces "all" RTP sessions to pass through
    the asterisk box, increasing the processor workload of the box), or,
 2. map each of the internal sip phones to a real registered IP address
    on the outside of the nat box. (Cheap nat boxes usually don't have
    this capability, however more expensive routers and firewalls do.)
 3. replace the nat boxes with the VPN equivalents, and use the VPN
    tunneling to force the external phones to appear on the inside of
    your asterisk network.

In those cases where there is only a single sip phone behind the nat
box (and assuming a cheap nat box), one can change the RTP port range
on some sip phones to some small specific set of udp ports, and then
map those udp ports in the nat box to the individual internal sip phone.
On the Cisco 7960 phones, the RTP port range can be set via Settings,
SIP Config, item 16 (Start Media Port) and item 17 (End Media Port).
One udp port will be required for each simultaneous conversation supported
by the sip phone, therefore on a six-line phone using a udp port range
with at least six ports should work just fine.

Also note that not all nat boxes work the same. Some vendors include
special functions (and their marketing people exclude that technical
detail in their published data), while other boxes are just plain
dumb nat boxes.

The only realistic way to see what is going on is to use a packet
sniffer (like ethereal) to actually observe what the phone and nat
box are really doing.

Some working nat configs are just now beginning to get documented
at the http://www.voip-info.org site.
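
One thing to look for in such a packet capture, as an added example that is not part of the original post: the script below reads the SDP body of a SIP message and lists the RTP address and port the phone offers, flagging RFC 1918 addresses that a peer outside the nat box cannot send audio to. The sample INVITE, its addresses and the function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as a phone behind a NAT box might send it.
# Addresses, ports and identifiers are made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:201@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed\r\n"
    "Call-ID: constructed-1@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=phone 1 1 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)


def rtp_endpoints(sip_message):
    """Return [(address, port)] for each audio stream offered in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr = None   # a c= line before the first m= applies to all streams
    streams = []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2].split("/")[0]   # drop optional /ttl suffix
            if streams:
                streams[-1][0] = addr              # media-level c= overrides
            else:
                session_addr = addr
        elif line.startswith("m=audio "):
            port = int(line.split()[1].split("/")[0])
            streams.append([session_addr, port])
    return [(addr, port) for addr, port in streams]


def unreachable_from_outside(sip_message):
    """Audio endpoints whose address is RFC 1918, so a peer outside the NAT
    box has nowhere routable to send RTP."""
    return [(a, p) for a, p in rtp_endpoints(sip_message)
            if a and any(ipaddress.ip_address(a) in net for net in RFC1918)]


if __name__ == "__main__":
    for addr, port in unreachable_from_outside(SAMPLE_INVITE):
        print(f"RTP offered at private address {addr}:{port}")
```

The reported port is also the one that would have to fall inside the udp range mapped on the nat box for the single-phone workaround described above.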
