[Asterisk-Users] SIP & IAX behind NAT

Philipp von Klitzing klitzing at pool.informatik.rwth-aachen.de
Mon Oct 27 10:10:48 MST 2003


Hi!

> I am trying to achieve the same thing.
> I have both asterisk and X-lite behind NAT.

Here (see below) comes some collected wisdom I took from reading this 
list and searching its archive during the past 2 weeks or so.

> sip uses port 5060
> X-lite can be configured to use an rtp port, and you can specify your
> external address...

As long as you don't use build 1079 of X-Lite which has a bug where it 
ignores any settings that you make concerning RTP ports.

> y configured my nat to forward 5060 to my *
> ports 8000 and 8001 too.

Hm... don't you want 8000 and 8001 for your X-Lite client instead? Press 
F9 in X-Lite to see which ports are actually in use. Also check rtp.conf 
to make sure things are fine on the * side.

> I also tried with the sip with no nat. and my results were the same...
> I have 5 seconds of audio... so I guess there is another extra port involved
> in the operation, one which signals the communication status.
> does someone know anything about this?

Try the "qualify=" setting for this SIP user in sip.conf. I haven't tried 
that myself, but I use it for IAX and registration. From what I read here 
this should also work for sip.conf, e.g. qualify=500. The trick is that 
you keep the connection constantly open and thus prevent the firewall from 
shutting this down (which I assume is happening in your case - unless you are 
testing with music-on-hold, which you shouldn't, because MOH can be a 
completely different problem with exactly the same symptom).

Ok, here is the collected info (a couple of small snippets).

Cheers, Philipp


*** Firewall issues (NAT and SIP) ***

http://www.iptel.org/fcp/
http://www.voip-info.org/wiki-NAT+and+VOIP
http://www.voip-info.org/wiki-STUN
http://www.voip-info.org/wiki-Asterisk+sip+reinvite

http://www.sipcenter.com/files/SIPNATtraversal.pdf
http://www.cisco.com/en/US/tech/tk652/tk701/technologies_tech_note09186a00800f2853.shtml


The Firewall Communication Protocol (FCP) connects signaling servers such 
as SIP Proxies or H.323 gatekeepers with firewalls, NATs and possibly 
other intermediate network devices ("middleboxes").  
FCP is primarily thought to accomplish traversal of Internet telephony 
across firewalls and NATs. It can be easily used by other complex 
applications as well, for example RTSP.


>>> You could do this with Asterisk via the existing "qualify=500" 
>>> syntax or similar in sip.conf to keep a packet going between 
>>> Asterisk and the SIP device every 45 seconds (or whatever you hacked 
>>> the timer to use, if you don't like that value.)  This keeps the 
>>> mapping open just fine for any NAT device I've ever seen.  It works 
>>> fine with dynamic hosts, even behind NAT - I just triple-checked and 
>>> it does do what I expected it to do.

Hardcoded check if host is up: every 60 sec
Hardcoded check if host is down: every 10 sec


> If you leave "reinvite" permission turned on, Asterisk will supposedly
> send the audio between the two SIP endpoints.  However, if NAT is in
> the equation, you're out of luck, since there needs to be an external
> media router that can translate between the two endpoints.  If you
> choose to do clever things like use the "t" or "T" dial options, then
> you cannot release the media away from Asterisk since the system needs
> to listen to the RTP stream for cues.


  Along with RTP proxy SER can help any *symmetric* SIP user agent to
  get through NAT.

  (A symmetric SIP user agent is a user agent that uses the same source
  port for receiving signalling and media as for sending them. Vast
  majority of SIP user agents as of today is symmetric, including
  Windows Messenger, Cisco phones, Grandstream phone a.s.o.).


NATs are worst things that ever happened to SIP. These devices are very 
popular because they help to conserve IP address space and save money 
charged for IP addresses. Unfortunately, they translate addresses in a 
way which is not compatible with SIP. SIP advertises receiver addresses 
in its payload. The advertised addresses are invalid out of NATted 
networks. As a result, SIP communication does not work across NATs 
without extra effort.  

There are few methods that may be deployed to traverse NATs. How proper 
their use is depends on the deployment scenario. Unfortunately, all the 
methods have some limitations and there is no straight-forward solution 
addressing all scenarios. Note that none of these methods takes explicit 
support in SER.  


>>are you aware of any documentation on how to configure SER to be a front-
>>end to Asterisk?

> At TeleSIP we run a cluster of several geographically distributed SER
> Servers that handle all our SIP Routing. SER is a robust, fast and
> stable platform which has worked flawlessly for us.  We use * as our
> company PBX and PSTN Gateway.  Basically what you need to do is to
> devise a numbering plan so that SERs routing logic can forward the
> call to * when it needs to. 

Thank you for the good example!
Another example can be found in the SER handbook, found on IPtel.org. The 
example mentions how to use SER as a frontend to a Cisco PSTN gateway, 
but also applies to using SER as a frontend to Asterisk.  

>SER is a very capable SIP router, much more sophisticated than Asterisk
>as it can look inside packets and route based on what it finds or even
>re-write packets based on user specified logic.
>
>One other nice feature is that SER users can set up their own SIP
>accounts using a web interface and not needing  to edit *.conf files.
>
>See here for details http://www.iptel.org/ser/

      * * *
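
The point quoted above, that SIP advertises receiver addresses in its payload and that these are invalid outside the NATted network, shown as an added example (not part of the original post): the Python below lists the addresses a SIP INVITE advertises in Via, Contact and the SDP c= line, flags the private ones, and reports the RTP port from the m= line. The sample message, user names, host names and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as a softphone behind NAT might send it.
# Addresses, names and ports are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:1000@pbx.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@pbx.example.org>;tag=1928301774\r\n"
    "To: <sip:1000@pbx.example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def advertised_addresses(message):
    """Return (field, ip, is_private) for each address a peer would reply to."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            for ip in IPV4.findall(value):
                found.append((name.strip(), ip))
    for line in body.split("\r\n"):
        if line.startswith("c="):  # SDP connection address: where RTP is sent
            found.extend(("SDP c=", ip) for ip in IPV4.findall(line))
    return [(f, ip, ipaddress.ip_address(ip).is_private) for f, ip in found]

def rtp_ports(message):
    """Return the audio ports from SDP m= lines (RTCP conventionally uses port + 1)."""
    return [int(p) for p in re.findall(r"^m=audio (\d+) ", message, re.M)]

if __name__ == "__main__":
    for field, ip, private in advertised_addresses(SAMPLE_INVITE):
        print(f"{field:8} {ip:15} {'unreachable outside NAT' if private else 'ok'}")
    print("RTP ports to check on the NAT device:", rtp_ports(SAMPLE_INVITE))
```

Every private address it reports is one the far end cannot send to, which is why signalling can succeed while audio fails until the client advertises its external address or the server handles NAT for that peer.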




