[Asterisk-Users] SIP and symmetric NAT

Gunnar Schaller linux at nowin.de
Tue Oct 5 13:57:40 MST 2004


Hello,
I have a problem with a Grandstream being behind a symmetric nat. The
box which does the nat is a german "Fritz Box". This one does nat for
the internal network. In the internal network is a Granstream
BudgeTone 100. The nat router has a dial-up connection, so ip changes
on every dial-in.

|------------|            |------------|            |--------|
|Grandstream |------------|Fritz Box   |------------|Asterisk|
|------------|  internal  |(nat router)|  Internet  |--------|
                network   |------------|

The asterisk server is also a STUN server and has 2 public ip's
(needed by the STUN). I use this one:
http://sourceforge.net/projects/stun/

Description of symmetric NAT: http://www.voip-info.org/wiki-STUN
Grandstream FAQ: http://www.grandstream.com/FAQ.htm#Q18

The Grandstream FAQ says: "STUN does NOT work with symmetric NAT and
if your routers have built-in symmetric NAT, do not use STUN."
Anywhere in the changelog of firmware 1.0.5.7 I saw: "If a symmetric
NAT is detected, still use mapped IP:port instead of using private
IP."


The Grandstream can't register to asterisk. First it speaks
succesfully to the STUN. Then it sends SIP-messages to the asterisk.
Lets say the pakets come from port 22222 of the nat-router with ip
"1.1.1.1". But in the SIP-pakets the Grandstream tells the asterisk
his Port is 33333 at ip 1.1.1.1. Now asterisk thinks "ok, this client
is at port 33333 on ip 1.1.1.1" (content in SIP message), although the
Grandstream pakets in real came from port 22222. At this point
asterisk is to clever :o)
Asterisk tries to send SIP messages to port 33333, but fails. I made a
"sip debug" in asterisk console and a tcpdump, so I definitively saw
it in this way working.
Can anyone help me with this problem? I think there has to be STUN,
but the Grandstream FAQ says "no". Without the STUN it can't work.
The scenario works when the Grandstream registers to the german
www.sipgate.de, but I think there is a SER SIP proxy.

Thanks in advance,
Gunnar Schaller




More information about the asterisk-users mailing list