FW: [Asterisk-Users] NAT router and off-premise SIP audio problem

Rich Adamson radamson at routers.com
Sun Nov 2 08:59:33 MST 2003


> Rich, thank you for your informative reply. I checked with our admin and he
> replied:
> 
> "I set up from the start "nat=yes" and "canreinvite=no" on sip phones from
> Internet and modified the rtp channels (voice ports) and the rtp
> port on the phones. Still have the same problem, no sound."
> 
> Perhaps the VPN solution is something we should try but this is more
> limiting than we had wanted... the concept that we could simply attach a SIP
> phone to a high speed internet connection anywhere, anytime (such as at a
> hotel when traveling) and become one with our office was a compelling one.

As I've mentioned several times on the asterisk list, there is no shortcut
to understanding how the sip protocol works and how nat/firewall boxes 
impact the sip protocol. Trial & error guessing at parameters only ends 
in frustration. Packet sniffers are often times required.

There are plenty of people that have it working, but each implementation
has some specific vendor-dependent or software-dependent elements to it
that relate to the exact sip phone being used and the exact nat functions
implemented within a vendor's nat/firewall box.

Having worked as a network consultant (eg, protocol analysis, performance
and security) for ten years with corporations in 40+ states, your objective
to make sip connections work anywhere will only happen in "maybe" 10% to
20% of the locations visited.  The issue is truly one of the sip protocol
embedding network addressing information within the upper layers, and most
firewalls and nat boxes don't look past layer three/four. Therefore, to 
make it work requires tweaking of the nat/firewall box (which obviously the 
hotels and customer accounts won't let you do), tweaking of the phone RTP 
port range (in some cases), and tweaking of the asterisk parameters for 
specific implementation needs. (Note: STUN won't even help in the majority
of cases.)

For those hotels that I've stayed at that offer the $10.95 Internet access
specials, add a few more variations to the dozens of nat implementations. 
The few that I've used require yet another html authorization mechanism 
that's not likely to appear in sip phones anytime soon.

Someone on this list suggested there are two types of nat/firewalls on the
market. That might be true from a 10,000 foot engineering/design perspective,
but there are dozens of different real nat implementations in
commonly-available off-the-shelf boxes, each with their own special needs.

For those folks that have asterisk on a registered Internet address, there
are many implementations of remote Internet sip phones working from behind
a nat/firewall box.  (As one example, we have a 7960, a PC with Xlite, and
a Dell wireless PDA with Xlite working from behind a single Linksys wireless 
firewall box just fine. All three can call, be called, and call between 
each other. The asterisk box is at a distant location using a registered IP 
address. If we would swap that cheap Linksys box for another vendor's box,
we would likely have to revisit all the parameters again just because of
variations in how that next vendor implemented nat.)

If asterisk is behind a nat/firewall box, and the remote sip phones are on
registered Internet IP addresses, the choice of parameters becomes a little
more difficult. If asterisk AND the sip phones are behind individual nat or
firewall boxes, the parameter selections become rather intense and require
someone sniffing actual packets to diagnose configuration issues in most
cases.

Since we support a number of corporate clients and ISP operations, we have
carried a sip phone around just like you want to. However, we generally have 
access to their registered addresses, nat boxes, etc, and can tailor the 
phone and other assets to what's needed to make them work.
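
The mismatch a packet sniffer would reveal in the situation described above, as an added example that is not part of the original message: it compares the addresses embedded in a SIP INVITE and its SDP body with the source IP seen in the IP header. The sample INVITE, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as the server receives it from a phone behind NAT.
SAMPLE_INVITE = (
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:200@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:100@pbx.example.com>\r\n"
    "Contact: <sip:200@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

# Where SIP and SDP carry layer-3 addresses inside the message text.
PATTERNS = {
    "Via sent-by": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?@([\d.]+)", re.I | re.M),
    "SDP c= (RTP target)": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}

def embedded_addresses(message):
    """Return {field: IPv4 address} for addresses carried inside the SIP/SDP text."""
    found = {}
    for field, pattern in PATTERNS.items():
        match = pattern.search(message)
        if match:
            found[field] = match.group(1)
    return found

def nat_mismatches(message, observed_src_ip):
    """List fields whose embedded address is private and differs from the
    source IP seen in the IP header, i.e. what the NAT box did not rewrite."""
    problems = []
    for field, addr in embedded_addresses(message).items():
        if addr != observed_src_ip and ipaddress.ip_address(addr).is_private:
            problems.append((field, addr))
    return problems

def rtp_port(message):
    """Return the audio port offered in the SDP m= line, or None."""
    match = re.search(r"^m=audio (\d+)", message, re.M)
    return int(match.group(1)) if match else None
```

A non-empty result from `nat_mismatches` for the `SDP c=` field means the far end is being told to send RTP to an address it cannot reach, which shows up as a call that connects with no audio.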




