[Asterisk-Users] SIP and NAT problems "imagine that :) "

Rich Adamson radamson at routers.com
Sat Jan 8 09:50:33 MST 2005


> Seriously, I've tried to read everything I could find (& search for) on 
> voip-info.org and other sites about this problem, but have been unsuccessful.
> 
> Equipment:
> xten lite
> X100P
> Whitebox linux running Asterisk / AMP
> D-Link DI-804HV (VPN router)
> 
> I have installed another DI-804HV at a second location and created a tunnel. 
> For the computers behind that unit, everything works fine through x-lite. 
> However, for any people (ie Family members) that I'm trying to connect to my 
> system that aren't going through a tunnel, it isn't working.
> 
> Symptoms:
> 
> They show up in "Sip Show Peers" however the NAT column is stating "N"
> I can call them and they can hear me fine, but I can't hear them.
> 
> I'm thinking this has to do with RTP, but not sure.
> 
> In the router I have the following setup under "Virtual Server":
> SIP TCP/UDP 5060
> IAX TCP/UDP 4569
> KS1 UDP 5004
> RTP1 UDP 5000
> SIP3 UDP 5036
> SIP4 UDP 2727
> 
> In the firewall section I've said to allow UDP on 9999-20001 to go to the 
> asterisk server
> It looks like this in the firewall rules;
> Source *,* Dest *,192.168.x.x UDP,9999-20001
> 
> Also on those extensions that are coming from an external source I've added 
> the externip attribute in the form of
> 
> externip="my_dynamic_domain_name_attached_to_my_ip"
> 
> here's one of the extensions:
> 
> [254]
> username=254
> type=friend
> secret=*******
> port=5060
> nat=yes
> mailbox=254
> host=dynamic
> dtmfmode=rfc2833
> context=from-sip-external
> canreinvite=no
> callerid="Scott Knight" <254>
> externip=my.dyndns.org

Yes, your problem is rtp and probably a lack of understanding it. There
have been at least hundreds of postings regarding nat issues in the
last 18 months, and some reference data in the wiki.

The bottom line is that sip and rtp use different udp ports, and the
exact udp ports in use are chosen from a range that is specified by
each vendor for rtp. Cisco uses one range, xlite another, asterisk 
another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping 
the rtp ports and using the proper nat statements (possibly at both 
the phone location and asterisk location) tends to be difficult. Then 
when you add unusual implementations of nat functions into the mix, 
it becomes even more difficult to find a working config (eg, not all
nat boxes operate the same).

Using something like Ethereal to observe what each device is trying to
use (both in front of and behind nat boxes) will help understand what
each box is trying to do in terms of both IP addresses and udp port
numbers.

The rtp port range as noted above is specified by each vendor, and in
many cases can be modified to some other predetermined port range.
For example, asterisk uses udp ports 10,000 to 20,000 as specified
in rtp.conf. Cisco 7960's use udp ports 16,384 to 32,766 as specified
in SIPDefault.cnf, while if I remember correctly xlite uses something
like 8,000 to 8,050 (or whatever).

The easiest nat & sip implementations are those where asterisk has a 
registered IP address and the phones are behind a nat box. The most 
difficult implementation is when both asterisk and remote phones are 
both behind their own nat boxes.

You'll want to research the use of nat statements in your sip.conf
config files, and the nat support provided by each of your remote
sip phones. But, ethereal will help point to the issue.
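
Added example, not part of the original message or of Asterisk: a small Python check for the two things the reply suggests looking at in a capture, the IP address and the udp port a device advertises for rtp in its SDP. The SDP body, the addresses and the function names are constructed for illustration; the forwarded ranges passed in are assumed to be whatever is mapped on the NAT box in front of the device that sent the SDP.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SDP body (sample values), as a device behind NAT might send it.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.168.0.10
s=session
c=IN IP4 192.168.0.10
t=0 0
m=audio 14236 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
"""

def parse_sdp(sdp):
    """Return (connection address, [audio ports]) from an SDP body.
    Uses the first c= line; per-media c= overrides are not handled."""
    addr, ports = None, []
    for line in sdp.splitlines():
        line = line.strip()
        c = re.match(r"c=IN IP4 (\S+)", line)
        if c and addr is None:
            addr = c.group(1)
        m = re.match(r"m=audio (\d+)", line)
        if m:
            ports.append(int(m.group(1)))
    return addr, ports

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:      # c= may carry a hostname instead of an address
        return False
    return any(ip in net for net in RFC1918)

def check_sdp(sdp, forwarded):
    """forwarded: (low, high) UDP ranges mapped on the sender's NAT box."""
    addr, ports = parse_sdp(sdp)
    problems = []
    if addr and is_rfc1918(addr):
        problems.append("private address %s advertised for RTP" % addr)
    for port in ports:
        if not any(lo <= port <= hi for lo, hi in forwarded):
            problems.append("RTP port %d not in a forwarded range" % port)
    return problems

if __name__ == "__main__":
    for p in check_sdp(SAMPLE_SDP, [(5000, 5000)]):
        print(p)
```

Paste the SDP body from a captured INVITE or 200 OK in place of SAMPLE_SDP; a private address in the c= line means the far end is being told to send rtp somewhere it cannot reach.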




