[Asterisk-Users] How do you handle NAT?

Matthew Boehm mboehm at cytelcom.com
Tue Jun 28 17:34:11 MST 2005 

Where is "Asterisk as a SIP server on the outside, SIP clients behind NAT
connecting to Asterisk" ?

Our Asterisk server is on public IP, no NAT. Right now we have 4 separate
customers, all of which are on T1s with some sort of firewall/NAT.

We have access to all 4 FW/NAT's. Would allowing full, unrestricted access
to our Asterisk's IP remove the need for qualify ?

-Matthew


> From: hank <hanksmith5 at gmail.com>
> Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Date: Tue, 28 Jun 2005 15:46:29 -0700
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [Asterisk-Users] How do you handle NAT?
> 
> I think my problem is numbrer 3 cause basicly my friend who is not on my
> router is trying to get connected to me but can't and I am the 1 that is
> behind a nat.
> thanks
> hank
> ----- Original Message -----
> From: "Sebastian Silva" <ssilva at gaussar.com>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion"
> <asterisk-users at lists.digium.com>
> Sent: Tuesday, June 28, 2005 12:45 PM
> Subject: Re: [Asterisk-Users] How do you handle NAT?
> 
> 
>> Hi everyone.
>> 
>> 1.  Asterisk as a SIP client behind nat, connecting to outside SIP
>> Proxies:
>> #1 works with a NAT-supporting proxy as SIP Express router as the outside
>> proxy. (Get an account at IPtel.org and try!). Fails with Free World
>> Dialup.
>> 
>> 2. Asterisk as a SIP client behind nat, connecting to inside SIP proxies:
>> #2 Works- no NAT in between
>> 
>> 3. Asterisk as a SIP server behind nat, clients on the outside connecting
>> to Asterisk:
>> #3 Works with port forwarding and some header mangling magic
>> 
>> 4. Asterisk as a SIP server behind nat, clients on the inside connecting
>> to Asterisk:
>> #4 Works - no NAT in between
>> 
>> 5. Asterisk as a SIP client outside nat, connecting to outside SIP
>> proxies:
>> #5 is no problem. No NAT in the middle
>> 
>> 6. Asterisk as a SIP client outside nat, connecting to inside SIP proxies:
>> #6 is a problem if no port forwarding is done, similar to 3 above.
>> 
>> 7. Asterisk as a SIP server outside nat, clients on the outside connecting
>> to Asterisk:
>> #7 is no problem. No NAT in the middle
>> 
>> 8. Asterisk as a SIP server outside nat, clients on the inside connecting
>> to Asterisk:
>> #8 is solved with nat=yes and qualify=xxx in sip.conf for the client in
>> most cases. Some clients (X-lite) assist themselves by using STUN and
>> sending UDP keep-alive packets. Qualify sends keep-alive packets from
>> Asterisk to the client on the inside.
>> 
>> from wiki
>> 
>> Now, if you net to define a NAT, you have to set asterisk to
>> "canreinvite=no", "qualify=yes" and "nat=1".
>> 
>> Also, INSTEAD of NAT, you can use a STUN server. To use a STUN server you
>> should set asterisk to "canreinvite=no", "qualify=no" and "nat=0" (the
>> STUN configuration is in your agents).
>> 
>> Sebas
>> 
>> hank wrote:
>>> how easy is it to set up a stun server? with asterisk amd will this fix
>>> part of the nat problem?
>>> ----- Original Message ----- From: "Ray Van Dolson"
>>> <rayvd at digitalpath.net>
>>> To: "Asterisk Users Mailing List - Non-Commercial Discussion"
>>> <asterisk-users at lists.digium.com>
>>> Sent: Tuesday, June 28, 2005 8:14 AM
>>> Subject: Re: [Asterisk-Users] How do you handle NAT?
>>> 
>>> 
>>>> We've been feeling our way along with the NAT stuff (using SIP) as well.
>>>> 
>>>> At this point we are fairly small, so the keep-alive packets are not too
>>>> bad.
>>>> What type of user load are you at and what are the specs on your
>>>> Asterisk box?
>>>> I'm concerned we may run into this as well.
>>>> 
>>>> We do have the luxury that each Sipura device we use is sitting behind
>>>> its own
>>>> NAT (a customer CPE).  So we can do port-forwarding and in combination
>>>> with a
>>>> STUN server (MyStun), things work quite well.  The only issues left to
>>>> deal
>>>> with are a lingering problem with ip_conntrack entries staying cached
>>>> because
>>>> of the "keep alive" packets due to qualify=yes after the CPE's IP
>>>> address
>>>> changes.
>>>> 
>>>> Curious to hear other's setups as well.  I would *love* to start using
>>>> the
>>>> IAXy instead, but it has a couple shortcomings over the Sipura 2002's
>>>> we're
>>>> using now:
>>>> 
>>>> - About $10/more
>>>> - Only has one line (apparently two lines is a bit more of a selling
>>>> point).
>>>> 
>>>> Still trying to figure out a good way to make a case for the IAXy
>>>> though.
>>>> 
>>>> Ray
>>>> 
>>>> On Tue, Jun 28, 2005 at 09:59:49AM -0500, Matthew Boehm wrote:
>>>> 
>>>>> We are interested in how other people are handling NAT problems. We
>>>>> have
>>>>> several customers all of which have some sort of firewall/NAT device at
>>>>> their location. For simplicity sake, all customers' internal networks
>>>>> are 192.168.*.*.
>>>>> 
>>>>> Our asterisk box is on public IP not blocked by any FW/NAT.
>>>>> 
>>>>> I use QUALIFY=yes on all our customers' phones and I feel that sending
>>>>> out 80-something keep-alive packets is causing our box to crawl and
>>>>> cause bad calls.
>>>>> 
>>>>> Would SER be better in this case? Should I have phones register with
>>>>> SER
>>>>> instead of with Asterisk?
>>>>> 
>>>>> Thanks,
>>>>> Matthew
>>>>> 
>>>>> P.S. Yes, I have read stuff on NAT on the wiki. I'm more interested in
>>>>> other real world, working, solutions.
>>>> 
>>>> _______________________________________________
>>>> Asterisk-Users mailing list
>>>> Asterisk-Users at lists.digium.com
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>> To UNSUBSCRIBE or update options visit:
>>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>> 
>>> 
>>> _______________________________________________
>>> Asterisk-Users mailing list
>>> Asterisk-Users at lists.digium.com
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>> To UNSUBSCRIBE or update options visit:
>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>> 
>> 
>> -- 
>> Sebastian Silva
>> G R U P O  G A U S S
>> Depto. Sistemas
>> Av. Libertador 6250 4 piso
>> Tl.: 4 706-2222 (int. 121)
>> ssilva at gaussar.com
>> _______________________________________________
>> Asterisk-Users mailing list
>> Asterisk-Users at lists.digium.com
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users

More information about the asterisk-users mailing list