[Asterisk-Users] How do you handle NAT?

Geert Nijpels geert.nijpels at gmail.com
Tue Jun 28 15:35:20 MST 2005


On 6/28/05, Sebastian Silva <ssilva at gaussar.com> wrote:
> Hi everyone.
> 
> 1.  Asterisk as a SIP client behind nat, connecting to outside SIP Proxies:
> #1 works with a NAT-supporting proxy as SIP Express router as the
> outside proxy. (Get an account at IPtel.org and try!). Fails with Free
> World Dialup.
> 
> 2. Asterisk as a SIP client behind nat, connecting to inside SIP proxies:
> #2 Works- no NAT in between
> 
> 3. Asterisk as a SIP server behind nat, clients on the outside
> connecting to Asterisk:
> #3 Works with port forwarding and some header mangling magic
> 
> 4. Asterisk as a SIP server behind nat, clients on the inside connecting
> to Asterisk:
> #4 Works - no NAT in between
> 
> 5. Asterisk as a SIP client outside nat, connecting to outside SIP proxies:
> #5 is no problem. No NAT in the middle
> 
> 6. Asterisk as a SIP client outside nat, connecting to inside SIP proxies:
> #6 is a problem if no port forwarding is done, similar to 3 above.
> 
> 7. Asterisk as a SIP server outside nat, clients on the outside
> connecting to Asterisk:
> #7 is no problem. No NAT in the middle
> 
> 8. Asterisk as a SIP server outside nat, clients on the inside
> connecting to Asterisk:
> #8 is solved with nat=yes and qualify=xxx in sip.conf for the client in
> most cases. Some clients (X-lite) assist themselves by using STUN and
> sending UDP keep-alive packets. Qualify sends keep-alive packets from
> Asterisk to the client on the inside.
> 
> from wiki
> 
> Now, if you net to define a NAT, you have to set asterisk to
> "canreinvite=no", "qualify=yes" and "nat=1".
> 
> Also, INSTEAD of NAT, you can use a STUN server. To use a STUN server
> you should set asterisk to "canreinvite=no", "qualify=no" and "nat=0"
> (the STUN configuration is in your agents).
> 

You can use STUN instead of nat=yes (if the phone supports STUN
properly). However, our experience is that we also need qualify=yes to
prevent the phones becoming unreachable.

Geert

> hank wrote:
> > how easy is it to set up a stun server? with asterisk amd will this fix
> > part of the nat problem?
> > ----- Original Message ----- From: "Ray Van Dolson" <rayvd at digitalpath.net>
> > To: "Asterisk Users Mailing List - Non-Commercial Discussion"
> > <asterisk-users at lists.digium.com>
> > Sent: Tuesday, June 28, 2005 8:14 AM
> > Subject: Re: [Asterisk-Users] How do you handle NAT?
> >
> >
> >> We've been feeling our way along with the NAT stuff (using SIP) as well.
> >>
> >> At this point we are fairly small, so the keep-alive packets are not
> >> too bad.
> >> What type of user load are you at and what are the specs on your
> >> Asterisk box?
> >> I'm concerned we may run into this as well.
> >>
> >> We do have the luxury that each Sipura device we use is sitting behind
> >> its own
> >> NAT (a customer CPE).  So we can do port-forwarding and in combination
> >> with a
> >> STUN server (MyStun), things work quite well.  The only issues left to
> >> deal
> >> with are a lingering problem with ip_conntrack entries staying cached
> >> because
> >> of the "keep alive" packets due to qualify=yes after the CPE's IP address
> >> changes.
> >>
> >> Curious to hear other's setups as well.  I would *love* to start using
> >> the
> >> IAXy instead, but it has a couple shortcomings over the Sipura 2002's
> >> we're
> >> using now:
> >>
> >> - About $10/more
> >> - Only has one line (apparently two lines is a bit more of a selling
> >> point).
> >>
> >> Still trying to figure out a good way to make a case for the IAXy though.
> >>
> >> Ray
> >>
> >> On Tue, Jun 28, 2005 at 09:59:49AM -0500, Matthew Boehm wrote:
> >>
> >>> We are interested in how other people are handling NAT problems. We have
> >>> several customers all of which have some sort of firewall/NAT device at
> >>> their location. For simplicity sake, all customers' internal networks
> >>> are 192.168.*.*.
> >>>
> >>> Our asterisk box is on public IP not blocked by any FW/NAT.
> >>>
> >>> I use QUALIFY=yes on all our customers' phones and I feel that sending
> >>> out 80-something keep-alive packets is causing our box to crawl and
> >>> cause bad calls.
> >>>
> >>> Would SER be better in this case? Should I have phones register with SER
> >>> instead of with Asterisk?
> >>>
> >>> Thanks,
> >>> Matthew
> >>>
> >>> P.S. Yes, I have read stuff on NAT on the wiki. I'm more interested in
> >>> other real world, working, solutions.
> >>
> >> _______________________________________________
> >> Asterisk-Users mailing list
> >> Asterisk-Users at lists.digium.com
> >> http://lists.digium.com/mailman/listinfo/asterisk-users
> >> To UNSUBSCRIBE or update options visit:
> >>   http://lists.digium.com/mailman/listinfo/asterisk-users
> >
> >
> > _______________________________________________
> > Asterisk-Users mailing list
> > Asterisk-Users at lists.digium.com
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> >   http://lists.digium.com/mailman/listinfo/asterisk-users
> >
> 
> --
> Sebastian Silva
> G R U P O  G A U S S
> Depto. Sistemas
> Av. Libertador 6250 4 piso
> Tl.: 4 706-2222 (int. 121)
> ssilva at gaussar.com
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>



More information about the asterisk-users mailing list