[Asterisk-Users] Immortal SIP & NAT problem

Olle E. Johansson oej at edvina.net
Fri May 28 06:48:43 MST 2004


Ignace CARIA wrote:
> I know I know this subject has been the most written subject about VoIP
:-)

> If Asterisk is on a Public IP Address and a softphone behind the NAT, 
> sip.conf must contain for this phone: nat=yes ....
And in most cases qualify=yes

The "nat=yes" makes Asterisk not trust the phone's information in
regard to the IP address it comes from and the IP address it wants
RTP sound to be sent to. Asterisk instead directs the signalling
and media to the address we receive the packets from. For RTP, we also
send the sound to the port we receive from (symmetric RTP).

Note: If you're using an outbound proxy (IX66, SER) this will not
work. Then it's the proxy's problem to sort out. IX66 is an
excellent choice for this. So if this is your network configuration,
don't turn on "nat=yes".

You will still need Symmetric RTP in most cases, so in chan_sip2
I've added a setting called symmetricrtp=yes that doesn't change
the behaviour in regard to where we send SIP signalling, but
changes the behaviour of the media stream. I haven't gotten much
feedback on this addition, but have good use of it myself.

The "qualify=yes" sends out small packets to the client to measure the
round-trip time for sending UDP packets. This is actually quite nice data
to have, so you see how fast or slow a link you have between the phone
and your Asterisk server. An effect of sending those packets is that
the NAT box keeps the session open, since we're actually communicating.
That way, the session will be open when we signal that there's an
incoming phone call. If the NAT doesn't get any keep-alive packets like
this, it will close for business and there's no way we can open a
call into the phone on the inside.

> Now if I want to configure my sipphone (X-Lite) placed behind the NAT, 
> it must have in "Domain/Realm" the external IP address?

No. Set Domain and realm to what it should be. Realm should match the
realm= setting in your sip.conf, which should be globally unique. Your
domain name or the hostname of the server is a good choice.

With X-lite, in most cases you don't need to do anything special for NAT
traversal. It has in itself excellent support for NAT traversal,
so you don't have to turn on nat=yes. It also sends its own NAT keep-alives,
so qualify= isn't needed.

But even if Xlite is a wizard, your NAT device may be a disgusting beast.
If Xlite doesn't work with your NAT, then change the status of "Send internal IP".

> If Asterisk is behind the NAT, sip.conf must have in [globals]
> 
> externip = <External IP address>
> localnet = < Internal NETWORK address>
> localmask = <mask of localnet>

These settings are only needed for Asterisk when Asterisk is behind a NAT,
registering with another SIP service provider on the outside.

I would love to see a good document, but the myriad of settings in various
equipment and the behaviour of all the different NATs out there makes it
very hard. Luckily, more and more vendors are starting to understand how
STUN can help their equipment behave better. And new NAT boxes are better
at handling this, so in most cases NAT=yes or a smart device, like Xten Xlite,
with STUN support and some SIP header mangling magic, fixes this.

Xten Xlite is really good at supporting STUN and DNS SRV, so if you have configured
your DNS right for your domain, clients will connect just by configuring
domain, username and password. It will find the proxy and your STUN server
by looking up SRV records. It will figure out the workings of your NAT device
and send the right signalling to the proxy.

And no, I'm in no way affiliated with Xten Networks, inc. I'm just a happy
user of the software.

Ah, and of course, there is a good document with a lot of links on the topic
of SIP and NAT. On the wiki, of course :-)
/O
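
A small Python model of the address selection this message describes for nat=yes and symmetricrtp=yes, added here as an illustration; it is not Asterisk or chan_sip2 code. The function names, the sample INVITE and the 203.0.113.x addresses are constructed, and falling back to the advertised media address until the first RTP packet arrives is an assumption of the model.

```python
import re

# Constructed sample: INVITE from a phone at 192.168.1.20 behind a NAT.
SAMPLE_INVITE = (
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)

def advertised(msg):
    """Return ((sip_host, sip_port), (rtp_host, rtp_port)) as claimed by the phone."""
    contact = re.search(
        r"^Contact:\s*<sip:(?:[^@>]+@)?([^:;>]+)(?::(\d+))?", msg, re.M | re.I)
    conn = re.search(r"^c=IN IP4 (\S+)", msg, re.M)      # SDP connection address
    media = re.search(r"^m=audio (\d+) ", msg, re.M)     # SDP audio port
    if not (contact and conn and media):
        raise ValueError("missing Contact, c= or m=audio line")
    sip = (contact.group(1), int(contact.group(2) or 5060))
    return sip, (conn.group(1), int(media.group(1)))

def targets(msg, sip_src, first_rtp_src=None, nat=False, symmetricrtp=False):
    """Decide where signalling and media go.

    sip_src       -- (ip, port) the SIP packet was actually received from
    first_rtp_src -- (ip, port) of the first RTP packet seen, or None so far
    nat           -- models nat=yes: distrust advertised SIP and RTP addresses
    symmetricrtp  -- models symmetricrtp=yes: distrust the RTP address only
    """
    sip_adv, rtp_adv = advertised(msg)
    sip_to = sip_src if nat else sip_adv
    if (nat or symmetricrtp) and first_rtp_src is not None:
        rtp_to = first_rtp_src          # symmetric RTP: reply to the observed source
    else:
        rtp_to = rtp_adv                # nothing observed yet, or address is trusted
    return {"sip": sip_to, "rtp": rtp_to}

if __name__ == "__main__":
    seen_sip, seen_rtp = ("203.0.113.7", 40123), ("203.0.113.7", 40500)
    for opts in ({}, {"nat": True}, {"symmetricrtp": True}):
        print(opts, targets(SAMPLE_INVITE, seen_sip, seen_rtp, **opts))
```

With neither option set, both targets are the private 192.168.1.20 addresses, which is the unreachable case the message describes for a phone behind NAT.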


