[Asterisk-Users] NAT, Asterisk and SIP service provider (sipgate.de)

Scott James Williamson scott at sjwilliamson.ca
Wed Mar 3 09:53:06 MST 2004


Hello Oliver,

Okay, this was not easy and will make a long e-mail that I will also CC
to the list. I will answer in English because it is my native language.
I lived in Germany for 2.5 years and can speak German okay,
however I will spare you all of the declination failures that I make
on a regular basis.

I have an OpenBSD NAT'ting firewall allowing asterisk to talk to
sipgate.de with outgoing calls working nicely, incoming is untested
but should work.

sipgate.de provides their services using SIP, and asterisk can be a
SIP client, you probably know this. SIP service providers set up their
systems to support "normal" SIP clients and you need to make your
asterisk and firewall (the "and firewall" bit is perhaps the most
important) appear to be a normal SIP client at the UDP port level.

SIP uses UDP port 5060 as its call setup/control port and some UDP
ports for its RTP media stream. The RTP media stream ports are set in
the asterisk control file rtp.conf.

I analyzed the traffic at the port level using xten's x-lite SIP
client talking to sipgate and discovered that the firewall setup is
very important. If you use NAT, standard procedure is to take outgoing
connections and translate them using some "random high port" as the source
port. So:

SIP Client  <------------>  NAT Firewall <-------------> sipgate.de
int ip : UDP 5060   NAT to: ext ip UDP 645035    sipgate.de UDP 5060

The NAT firewall then keeps this config and expects to route info back
from sipgate to the internal SIP client on UDP port 645035. However
sipgate and the RFC think that SIP clients should accept info on UDP
port 5060 so it sends info back to (ext ip) UDP port 5060 and the
firewall may route this but it is not part of the same connection and
so it seems to get lost somehow.

What needs to be done is to tell the firewall to route all connections
on UDP 5060 out using UDP port 5060. In OpenBSD the pf.conf entries
look like this:

/etc/pf.conf:

# outgoing UDP port 5060 connections use source port 5060 on firewall
nat on $ext_if inet proto udp from any port = 5060 to any -> ($ext_if) port 5060

# incoming UDP port 5060 connections should go to my asterisk server
rdr pass on $ext_if proto udp from any to ($ext_if) port 5060 -> $voip_box

#RTP MEDIA STREAM redirect.
rdr pass on $ext_if proto udp from any to any port 9999:20001 -> $voip_box port 9999:20001


When this works, and keep in mind that this is for OpenBSD (I am not
sure if linux can do this), then asterisk setup is as follows:

/etc/asterisk/sip.conf

[general]
port = 5060                     ; Port to bind to
bindaddr = 0.0.0.0              ; Address to bind to
externip = xxx.sjwilliamson.ca
localnet = 192.168.1.0         ; Internal NETWORK address
localmask = 255.255.255.0      ; Internal netmask
nat = yes

register => 8007163:xxxx@sipgate.de/8007163

[sipgate]
secret=xxx
username=8007163
fromuser=8007163
fromdomain=sipgate.net
type=friend
host=sipgate.de
nat=yes
;qualify=yes
dtmfmode=rfc2833
canreinvite=no
context=in-sipgate


/etc/asterisk/rtp.conf - this is stock

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
rtpstart=10000
rtpend=20000


/etc/asterisk/extensions.conf

;outgoing sipgate calls
[sipgatede]
exten => _0049.,1,SetCallerID(4921158007163)
exten => _0049.,2,SetCIDName(Scott Williamson)
exten => _0049.,3,Dial(SIP/0${EXTEN:4}@sipgate,30)
exten => _0049.,4,Playback(the-party-you-are-calling)
exten => _0049.,5,Playback(is-curntly-unavail)
exten => _0049.,6,Hangup
exten => _0049.,104,Playback(the-party-you-are-calling)
exten => _0049.,105,Playback(is-curntly-busy)
exten => _0049.,106,Wait,3
exten => _0049.,107,Hangup

;incoming sipgate calls
[in-sipgate]
exten => 8007163,1,Macro(stdexten,1234,${PHONE1})

Incoming calls in the context [in-sipgate] need to have an extension
that is the same as your sipgate number. And you need to register with
this also.

Good luck, and remember that in this case the firewall config is the
most important, second is the extension / sipgate number in the
registration and in the context [in-sipgate].

Also, "show sip registry" at the asterisk console will show if you
have registered with sipgate. They seem to go offline sometimes, and I
do not know why. I consider this to be normal, as this happens to
other SIP accounts that I have.

Scott Williamson

P.S. Maybe you can try calling me over sipgate @ +49 211 58 00 71 63 to test and
see if incoming calls work.

-- 
Best regards,
 Scott                            mailto:scott at sjwilliamson.ca

 -------------------------------------------------------
|    Toronto  |  +1  416 xxx xxxx     |  PSTN           |
|-------------|-----------------------|-----------------|
| Düsseldorf  |  +49 211 58 00 71 63  |  International  |
|     London  |  +44 20  71 27 63 82  |  PSTN & ENUM    |
|-------------|-----------------------|-----------------|
|        FWD  |  25 39 84             |  VOIP           |
|     iaxTel  |  1 700 839 8593       |                 |
 -------------------------------------------------------  
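
Added example, not part of the original e-mail: a toy Python model of the NAT state table described above, showing why a datagram sent to (ext ip) UDP 5060 is dropped when the firewall picks a random source port, and delivered once the nat and rdr rules for port 5060 are in place. The addresses, the Nat class and the simulate() helper are constructed for illustration and are not pf's implementation.

```python
import random

PBX = ("192.168.1.10", 5060)        # constructed: internal asterisk box
PROVIDER = ("198.51.100.5", 5060)   # constructed: stands in for the SIP provider
STRANGER = ("192.0.2.77", 5060)     # constructed: unrelated Internet host


class Nat:
    def __init__(self, keep_port_5060=False, rdr_5060_to=None):
        self.keep_port_5060 = keep_port_5060  # models "nat ... -> ($ext_if) port 5060"
        self.rdr_5060_to = rdr_5060_to        # models "rdr pass ... port 5060 -> $voip_box"
        self.states = {}                      # (ext_port, remote) -> internal (ip, port)

    def outbound(self, src, dst):
        """Translate an outgoing datagram; return the external source port used."""
        if self.keep_port_5060 and src[1] == 5060:
            ext_port = 5060
        else:
            ext_port = random.randint(49152, 65535)  # "random high port"
        self.states[(ext_port, dst)] = src
        return ext_port

    def inbound(self, remote, ext_port):
        """Return the internal host that receives the datagram, or None if dropped."""
        if (ext_port, remote) in self.states:
            return self.states[(ext_port, remote)]
        if ext_port == 5060 and self.rdr_5060_to is not None:
            return self.rdr_5060_to
        return None


def simulate(nat):
    """asterisk sends to the provider, then the provider answers two ways."""
    mapped = nat.outbound(PBX, PROVIDER)
    return {
        "mapped_port": mapped,
        "reply_to_mapped_port": nat.inbound(PROVIDER, mapped),
        "request_to_5060": nat.inbound(PROVIDER, 5060),
        "stranger_to_5060": nat.inbound(STRANGER, 5060),
    }


if __name__ == "__main__":
    print("default NAT :", simulate(Nat()))
    print("with rules  :", simulate(Nat(keep_port_5060=True, rdr_5060_to=PBX)))
```

The last field shows a side effect of "rdr pass ... from any": traffic from any source reaches the asterisk box on UDP 5060, so the "from any" in that rule can be narrowed to the provider's addresses where they are known.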




