[Asterisk-Users] Asterisk configuration inside a DMZ w/SIP

Brian D'Arcy bdarcy at akiva.com
Fri Apr 23 14:29:42 MST 2004


Hello all,

I'm having a nightmare of a time trying to get stable results with SIP
clients on Asterisk.  I can't seem to find a configuration that works!
In our office, we run a Sonicwall Pro 200, which is a SIP-aware,
stateful firewall.

Originally, I had configured Asterisk to run on the NAT side so that
those within the office could connect easily, and those outside the
office could connect via VPN.  However, the VPN route is proving to be a
little too latent for quality calls.  Even so, some people were able
to receive audio, and others were not.

After much reading about Asterisk and the problems inherent to NAT, I
decided OK, I'll just toss it on the DMZ with a public address, and let
the clients themselves worry about addressing their NAT issues at home,
or wherever they might be.

So here I am, with Asterisk running on the DMZ with a public IP address,
totally unfirewalled to the outside world, and now I find that not only
can I not connect (from the NAT side of the same SIP-aware firewall
hosting the Asterisk server), but clients on public IPs, using no NAT
at all, are either unable to connect, or are able to log in, but calls
to any extension (whether they be SIP extensions, voicemail, conference,
etc.) come up 408 timed out.

In every case, the message in the * CLI is reported as:

chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call 901468BB-92E8-4E0E-9DFD-3CDF1AFEF2AD at 192.168.0.57 for seqno 30841 (Response)

This to me would imply that, for whatever reason, the packets from the
Asterisk server are being blocked by the local firewall when it attempts
to send them back to me.  This I can understand, because maybe I'm
having NAT issues myself; however, I get the *same* messages broadcast
into the CLI when users on public IP addresses attempt to connect in
(unfirewalled).  I've checked and triple-checked to make sure that the
DMZ port is not firewalled in any way, so I'm a bit stumped.

After this rambling, I suppose the real question I'm asking here is:
what is the most stable, preferred networking setup people tend to use
when they are expecting to have SIP clients connecting both internally
and externally?

In case anyone wants to know about my SIP configuration, I'm using
disallow=all and allow=ulaw ONLY.

I've toyed with the nat=1/nat=yes settings; however, they seem to have no
real effect on the behavior of the clients.  I've been testing strictly
with X-Lite, as it came recommended by a few folks in #Asterisk on
irc.freenode.net.

[general] section from sip.conf and an example SIP client entry:

[general]
port=5060                       ; Port to bind to
bindaddr=0.0.0.0                ; Address to bind SIP channel to
;externip = 216.9.32.42         ; Public address to advertise in Via/Contact/SDP (commented out)
;localmask=255.255.254.0        ; Netmask for localnet (commented out)
;localnet=192.168.0.0           ; Addresses treated as local, no externip rewriting (commented out)
context = default               ; Default context for incoming calls
;srvlookup = yes                ; DNS SRV lookups for outbound calls (commented out)

[bdarcy]
type=friend                     ; Both peer and user: can place and receive calls
username=bdarcy
secret=blah                     ; Registration password
host=dynamic                    ; Client registers its own address
qualify=400                     ; Poll with OPTIONS; unreachable above 400 ms
mailbox=3209                    ; Voicemail box for message-waiting indication
callerid="Brian D'Arcy" <3209>
nat=1                           ; Same as nat=yes: reply to the packet's source address
disallow=all                    ; Start with no codecs ...
allow=ulaw                      ; ... then permit G.711 u-law only

If anyone can provide any feedback on what works for you, or what's
recommended, it would be highly appreciated.

Thanks in advance.

Brian D'Arcy
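The "Maximum retries exceeded" line above comes down to which address a SIP server answers to. The following Python script is an added example, not code from the original post or from Asterisk itself. It models the REGISTER a softphone on a private LAN sends (the 192.168.0.57 address reuses the one in the log line; 203.0.113.5:41234 as the NAT's public address, asterisk.example.com and the branch/tag values are constructed placeholders) and shows where the reply goes when the server trusts the Via header (plain RFC 3261) versus answering to the datagram's source address (RFC 3581 rport, or what Asterisk's nat=yes does), plus the received= / rport= stamping a server adds so the client learns its public address.

```python
"""Where a SIP server sends its replies when the client is behind NAT.

Added example, not code from the original post or from Asterisk.  All
addresses, hostnames and tags are constructed for illustration.
"""
import ipaddress
from typing import Dict, Tuple

Address = Tuple[str, int]

# Constructed REGISTER as a phone on 192.168.0.57 would send it.  Via and
# Contact carry the private LAN address, the only one the phone knows.
SAMPLE_REGISTER = (
    "REGISTER sip:asterisk.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.57:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:bdarcy@asterisk.example.com>;tag=1001\r\n"
    "To: <sip:bdarcy@asterisk.example.com>\r\n"
    "Call-ID: 901468BB-92E8-4E0E-9DFD-3CDF1AFEF2AD@192.168.0.57\r\n"
    "CSeq: 30841 REGISTER\r\n"
    "Contact: <sip:bdarcy@192.168.0.57:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed source of that datagram after the home NAT rewrote it.
NAT_SOURCE: Address = ("203.0.113.5", 41234)


def parse_headers(msg: str) -> Dict[str, str]:
    """Map lower-cased header names to their first value (request line too)."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {"request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_via(via: str) -> Tuple[str, int, Dict[str, str]]:
    """Split 'SIP/2.0/UDP host[:port];p;k=v' into host, port and params.
    IPv4 or hostname only; a bracketed IPv6 sent-by is not handled."""
    sent_by, *raw_params = via.split(";")
    host, _, port = sent_by.split()[1].partition(":")
    params: Dict[str, str] = {}
    for p in raw_params:
        key, _, value = p.strip().partition("=")
        params[key] = value          # 'rport' with no value maps to ""
    return host, int(port) if port else 5060, params


def response_destination(msg: str, source: Address, nat: bool) -> Address:
    """(ip, port) a server replies to for a request that arrived from `source`.

    nat=False: the top Via's sent-by (RFC 3261), unless the client asked for
               rport (RFC 3581), in which case the source is used.
    nat=True:  always the source, i.e. symmetric response like nat=yes.
    """
    host, port, params = parse_via(parse_headers(msg)["via"])
    if nat or "rport" in params:
        return source
    return (host, port)


def diagnose(msg: str, source: Address) -> str:
    """'behind_nat' when the Via advertises a private address that differs
    from the packet source, 'direct' when they agree, 'unknown' for a
    hostname in the Via."""
    host, _, _ = parse_via(parse_headers(msg)["via"])
    try:
        advertised = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if host != source[0] and advertised.is_private:
        return "behind_nat"
    return "direct"


def build_ok(msg: str, source: Address) -> str:
    """200 OK for `msg` with the top Via stamped received= (RFC 3261 18.2.1)
    and rport= (RFC 3581) so the client can see its public address."""
    h = parse_headers(msg)
    via = h["via"]
    host, _, params = parse_via(via)
    if host != source[0] and "received" not in params:
        via += f";received={source[0]}"
    if "rport" in params and not params["rport"]:
        via = via.replace(";rport", f";rport={source[1]}", 1)
    return (
        "SIP/2.0 200 OK\r\n"
        f"Via: {via}\r\n"
        f"From: {h['from']}\r\n"
        f"To: {h['to']};tag=as-example\r\n"
        f"Call-ID: {h['call-id']}\r\n"
        f"CSeq: {h['cseq']}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    for nat in (False, True):
        print(f"nat={nat}: reply goes to",
              response_destination(SAMPLE_REGISTER, NAT_SOURCE, nat))
    print("diagnosis:", diagnose(SAMPLE_REGISTER, NAT_SOURCE))
    print(build_ok(SAMPLE_REGISTER, NAT_SOURCE))
```

Run as-is, the script shows the reply going to 192.168.0.57:5060 with nat=False, an address a server on the DMZ cannot reach, so every retransmission times out, which is the kind of situation that ends in "Maximum retries exceeded"; with nat=True it goes to the NAT's public address and port. In sip.conf terms, nat=yes on the peer is the server-side switch for this (and for sending RTP back to where RTP came from), while externip/localnet only matter when Asterisk itself sits behind NAT and has to rewrite its own Via/Contact/SDP. One caveat a SIP-aware firewall adds: an ALG that rewrites these headers in flight can change what the server sees, so comparing the Via and Contact on the wire against what the phone actually sent is worth doing before adjusting either setting.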

 
