[Asterisk-Users] Firewall traversal anomalies - AJA

Rich Adamson radamson at routers.com
Tue Dec 7 08:53:32 MST 2004


> I'm trying to set up a Cisco ATA 186 which has a public IP address but 
> sits behind a firewall and connects to an Asterisk server with a NAT IP 
> address sitting behind a BSD firewall. The Cisco registers with the 
> Asterisk server without any problems, and I can place calls without any 
> problems and the phone on the other end rings correctly. However, I 
> cannot hear anything through the Cisco after the connection is made. 
> Where should I begin looking for the problem?
> 
> This is the sip.conf entry for the Cisco:
> [6184341501]
> callerid="GlobalEyes" <6184341501>
> canreinvite=no
> context=from-internal
> dtmfmode=rfc2833
> host=dynamic
> mailbox=xxxxx
> nat=yes
> port=5060
> secret=xxx
> type=friend
> username=xxxxx
> allow=all

You've picked _the_ most difficult of all configurations to get working
(two NATs).

You will likely hear about as many opinions about that on this list
as there are active list members.

There is no way for anyone to truly help you with this config unless
you use a packet sniffer at various points to see exactly what is 
happening with the rtp port numbers and ip addresses. The reason for
stating that is there are far too many variations in exactly how
each firewall/nat box implements the nat function, and about as many
variations in terms of what you are allowed to configure on each
vendor's firewall.

The bottom line is that you've apparently successfully mapped the
sip udp 5060 ports, but the voice is transported on rtp ports that
are dynamically selected at the time the call is set up. If you look
in /etc/asterisk/rtp.conf you'll see where asterisk selects from a
large range of udp ports (for the rtp session). Each phone manufacturer
has chosen their own range of rtp ports, and I've not seen two vendors
actually use the same range. (Some phone vendors allow you to change
that range while others don't.)

So, when asterisk (as one example) begins the rtp setup (for audio),
it might select udp port 12345, the phone might select 23456. If the
nat boxes don't allow those two ports through (or if the nat box
decides to map those ports to some other ports), the rtp session will
never be established. Thus no audio.

Even if you told us the exact models of nat boxes you have installed,
it won't do any good unless by chance someone in this world happens
to have your exact same configuration. Not likely. So, _you_ really
need to use a packet sniffer on both sides of your asterisk nat box
and on both sides of your ata186 nat box to "see" what each of those
boxes is doing to you.
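
Added example (not part of the original message, and not Asterisk or Cisco code): one way to read what the sniffer shows, by comparing the audio address and port each side advertises in its SDP with the source address the packet actually arrived from and with the UDP ports the firewall forwards. The SDP bodies, all IP addresses, the forwarded port ranges and the names parse_sdp and check_rtp are constructed assumptions; only ports 12345 and 23456 come from the text above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SDP bodies (not real captures), as a sniffer on the public
# side of each nat box would show them inside the INVITE / 200 OK.
ASTERISK_SDP = """v=0
o=root 1 1 IN IP4 192.168.1.10
s=call
c=IN IP4 192.168.1.10
t=0 0
m=audio 12345 RTP/AVP 0 101
"""
ATA_SDP = """v=0
o=- 2 2 IN IP4 203.0.113.20
s=call
c=IN IP4 203.0.113.20
t=0 0
m=audio 23456 RTP/AVP 0 101
"""

def parse_sdp(sdp):
    """Return (ip, port) on which the sender asks to receive audio."""
    session_ip = audio_ip = audio_port = None
    section = "session"
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            media, port = line[2:].split()[:2]
            first_audio = media == "audio" and audio_port is None
            section = "audio" if first_audio else "other"
            if first_audio:
                audio_port = int(port.split("/")[0])
        elif line.startswith("c="):
            addr = line[2:].split()[2].split("/")[0]
            if section == "session":
                session_ip = addr
            elif section == "audio":
                audio_ip = addr  # media-level c= overrides session-level
    return audio_ip or session_ip, audio_port

def check_rtp(sdp, packet_src_ip, forwarded_ports):
    """List reasons the far end's rtp would not reach this sender."""
    ip, port = parse_sdp(sdp)
    problems = []
    if ip != packet_src_ip:  # nat rewrote the IP header but not the SDP
        private = any(ipaddress.ip_address(ip) in n for n in RFC1918)
        problems.append(f"SDP says {ip}{' (RFC 1918)' if private else ''}, "
                        f"packet came from {packet_src_ip}")
    if port not in forwarded_ports:
        problems.append(f"RTP port {port} is not forwarded")
    return problems
```

Calling check_rtp(ASTERISK_SDP, "198.51.100.5", range(10000, 20001)) reports the private address leaking through the nat box, which is one of the conditions that produces a call that rings but carries no audio.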




