[Asterisk-Users] How do you handle NAT?

Sebastian Silva ssilva at gaussar.com
Tue Jun 28 12:45:30 MST 2005


Hi everyone.

1.  Asterisk as a SIP client behind nat, connecting to outside SIP Proxies:
#1 works with a NAT-supporting proxy such as SIP Express Router as the 
outside proxy. (Get an account at IPtel.org and try!). Fails with Free 
World Dialup.

2. Asterisk as a SIP client behind nat, connecting to inside SIP proxies:
#2 Works - no NAT in between

3. Asterisk as a SIP server behind nat, clients on the outside 
connecting to Asterisk:
#3 Works with port forwarding and some header mangling magic

4. Asterisk as a SIP server behind nat, clients on the inside connecting 
to Asterisk:
#4 Works - no NAT in between

5. Asterisk as a SIP client outside nat, connecting to outside SIP proxies:
#5 is no problem. No NAT in the middle

6. Asterisk as a SIP client outside nat, connecting to inside SIP proxies:
#6 is a problem if no port forwarding is done, similar to 3 above.

7. Asterisk as a SIP server outside nat, clients on the outside 
connecting to Asterisk:
#7 is no problem. No NAT in the middle

8. Asterisk as a SIP server outside nat, clients on the inside 
connecting to Asterisk:
#8 is solved with nat=yes and qualify=xxx in sip.conf for the client in 
most cases. Some clients (X-lite) assist themselves by using STUN and 
sending UDP keep-alive packets. Qualify sends keep-alive packets from 
Asterisk to the client on the inside.

from wiki

Now, if you need to define a NAT, you have to set asterisk to 
"canreinvite=no", "qualify=yes" and "nat=1".

Also, INSTEAD of NAT, you can use a STUN server. To use a STUN server 
you should set asterisk to "canreinvite=no", "qualify=no" and "nat=0" 
(the STUN configuration is in your agents).

Sebas

hank wrote:
> how easy is it to set up a stun server? with asterisk and will this fix 
> part of the nat problem?
> ----- Original Message -----
> From: "Ray Van Dolson" <rayvd at digitalpath.net>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
> <asterisk-users at lists.digium.com>
> Sent: Tuesday, June 28, 2005 8:14 AM
> Subject: Re: [Asterisk-Users] How do you handle NAT?
> 
> 
>> We've been feeling our way along with the NAT stuff (using SIP) as well.
>>
>> At this point we are fairly small, so the keep-alive packets are not 
>> too bad.
>> What type of user load are you at and what are the specs on your 
>> Asterisk box?
>> I'm concerned we may run into this as well.
>>
>> We do have the luxury that each Sipura device we use is sitting behind 
>> its own
>> NAT (a customer CPE).  So we can do port-forwarding and in combination 
>> with a
>> STUN server (MyStun), things work quite well.  The only issues left to 
>> deal
>> with are a lingering problem with ip_conntrack entries staying cached 
>> because
>> of the "keep alive" packets due to qualify=yes after the CPE's IP address
>> changes.
>>
>> Curious to hear others' setups as well.  I would *love* to start using 
>> the
>> IAXy instead, but it has a couple shortcomings over the Sipura 2002's 
>> we're
>> using now:
>>
>> - About $10/more
>> - Only has one line (apparently two lines is a bit more of a selling 
>> point).
>>
>> Still trying to figure out a good way to make a case for the IAXy though.
>>
>> Ray
>>
>> On Tue, Jun 28, 2005 at 09:59:49AM -0500, Matthew Boehm wrote:
>>
>>> We are interested in how other people are handling NAT problems. We have
>>> several customers all of which have some sort of firewall/NAT device at
>>> their location. For simplicity sake, all customers' internal networks
>>> are 192.168.*.*.
>>>
>>> Our asterisk box is on public IP not blocked by any FW/NAT.
>>>
>>> I use QUALIFY=yes on all our customers' phones and I feel that sending
>>> out 80-something keep-alive packets is causing our box to crawl and
>>> cause bad calls.
>>>
>>> Would SER be better in this case? Should I have phones register with SER
>>> instead of with Asterisk?
>>>
>>> Thanks,
>>> Matthew
>>>
>>> P.S. Yes, I have read stuff on NAT on the wiki. I'm more interested in
>>> other real world, working, solutions.
>>
>> _______________________________________________
>> Asterisk-Users mailing list
>> Asterisk-Users at lists.digium.com
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users 

-- 
Sebastian Silva
G R U P O  G A U S S
Depto. Sistemas
Av. Libertador 6250 4 piso
Tl.: 4 706-2222 (int. 121)
ssilva at gaussar.com
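
Added example (not part of the original message or of the wiki text it quotes): a small Python check that reads a sip.conf and reports which peers match the two setting combinations quoted from the wiki above, NAT mode (canreinvite=no, qualify=yes, nat=1) or STUN mode (canreinvite=no, qualify=no, nat=0). The peer names, the sample file and the function names are constructed; it assumes settings are given per peer (values in [general] are not merged) and treats a numeric qualify value as enabled.

```python
# Added example: constructed sip.conf sample and hypothetical helper names.
TRUE = {"yes", "true", "y", "t", "1", "on"}
FALSE = {"no", "false", "n", "f", "0", "off"}

SAMPLE = """\
[general]
port=5060
[phone-nat]       ; constructed peer behind a customer NAT
nat=1
qualify=yes
canreinvite=no
[phone-stun]      ; constructed peer whose agent does STUN itself
nat=0
qualify=no
canreinvite=no
[phone-ms]
nat=yes
qualify=2000      ; numeric qualify (milliseconds) counts as enabled
canreinvite=no
[phone-mixed]     ; NAT on, no keep-alive, canreinvite unset
nat=yes
qualify=no
"""

def parse_peers(text):
    """Return {section: {key: value}} for every section except [general]."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in sip.conf
        if line.startswith("[") and "]" in line:
            name = line[1:line.index("]")]
            current = None if name == "general" else peers.setdefault(name, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return peers

def flag(peer, key):
    """True/False for a recognised boolean word, None when unset or unknown."""
    v = peer.get(key)
    if v in FALSE:
        return False
    if v in TRUE or (key == "qualify" and v is not None and v.isdigit()):
        return True
    return None   # unset keys are reported, not replaced by an assumed default

def audit(text):
    """Map each peer to 'nat', 'stun' or 'mismatch' per the quoted wiki text."""
    profiles = {(False, True, True): "nat", (False, False, False): "stun"}
    keys = ("canreinvite", "qualify", "nat")
    return {name: profiles.get(tuple(flag(p, k) for k in keys), "mismatch")
            for name, p in parse_peers(text).items()}
```
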


