[Asterisk-Users] More NAT questions

Rich Adamson radamson at routers.com
Wed Mar 2 05:47:35 MST 2005


> Still trying to get NAT working.
> 
> I have following setup:
> 
> PHONE  1 ------ * BOX
>                     |
>              NAT/Firewall
>                     |
>                     |
>               NAT/Firewall
>                    |
>                    |
>                  PHONE 2
> 
> Firewall next to phone 2 has all ports open.
> Firewall next to Asterisk has open ports 5060 and 10000:20000. All of those 
> are forwarded to Asterisk box.
> 
> Both phones successfully register with Asterisk. (I had to add NAT=yes to 
> configuration of PHONE 2 in sip.conf to get this far).
> Now, problems:
> I can place a call from PHONE2 to PHONE1, but sound path is not established.
> Calls from PHONE1 to PHONE2 can not be placed at all. (I assume that this is 
> because port 5060 is not forwarded to the phone at NAT/Firewall, but more on 
> it later).
> 
> Looking at SIP debug info, Asterisk tries to use local address of PHONE2 
> instead of its public IP. As a result, no info can be sent to it.
> 
> I have tried to install SIPROXD on the NAT/Firewall close to Asterisk box, 
> but this did not help.
> 
> Now, we have tried to use one of the commercial VoIP services at PHONE2 
> location. We had to use their phone and it worked just fine without any 
> alterations to NAT/Firewall device. I am pretty sure that they use SIP, so 
> they did resolve the problem somehow. Sorry, there is no technical info 
> available on this service.
> 
> Did anyone succeed in doing this setup? I know, IAX is a better way, but I 
> can not setup many Asterisk boxes.
> 
> Basically, I am doing it for a friend. He is working for a small medical 
> company. They have a number of offices that are not open every day and offices 
> are too small to put Asterisk box in each one. There will be 1-3 IP phones 
> in each office, except central one. Central one will need Asterisk, the rest 
> should be on their own.

As you have already noted, trying to implement this with two nat boxes is
very difficult and in some cases impossible.

The only way to know for sure what is happening is to use a packet analyzer
(eg, ethereal) to observe the packets on the inside and outside of each nat
box. Keep in mind that not all nat boxes operate the same way; there are major
differences even though we tend to characterize nat boxes as all the same.

The rtp ports used for voice (10000:20000 in your example) vary by phone type.
Cisco uses a different range of ports, Xten another range, Grandstream yet
another. The ports you have listed are what asterisk uses and are probably
not the same ports as what your remote phones use. Therefore, the exact ports
that you need to open are dependent upon exactly which phones you deploy,
and on how well you understand the handshaking that goes on end-to-end when
establishing a sip call.

Likewise, not all phones operate the same from behind a nat box. The snom
phones happen to be very good in terms of discovering where it sits in the
end-to-end picture, while other phones are either very poor or don't handle
nat well at all. Since you didn't mention what type of phones you use, there's
no way to guess at what might be happening. Even if you post the phone type,
it's not going to be of much use to the rest of us since we don't know the
type of nat box in use.

You also might find (later) that not all nat boxes support multiple phones
behind a nat box. Eg, if one phone is made to work and its in use, the second
phone behind that nat box will probably fail. Some folks have been successful
with multiple phones while many others have not, and most do not know why.

You might be able to discover the nat problems by tracing packets (with
ethereal) from inside and outside that asterisk nat box, but I'd have to guess
you'll have less than a 50% chance of seeing the issues without traces from
inside the nat box at the phone location also. You really need a clear
understanding of the exact IP addresses and port numbers from "each" location
to know how to solve the problem.
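
An added example, not part of the original message: a small check to run over a SIP message copied out of a packet trace, comparing the addresses the phone advertises (Via, Contact, SDP c=) with the source IP the packet actually arrived from, which is the mismatch described in the question. The sample INVITE, all addresses and the function name `nat_findings` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE from a phone behind NAT, as a trace on the
# outside of its NAT box might show it. Addresses and names are made up.
SAMPLE_INVITE = (
    "INVITE sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:phone2@203.0.113.10>;tag=1928301774\r\n"
    "To: <sip:100@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:phone2@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 0 0 IN IP4 192.168.1.50\r\ns=-\r\n"
    "c=IN IP4 192.168.1.50\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Where a SIP message advertises an address the far end will try to reach.
FIELDS = {
    "Via sent-by": r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?",
    "Contact": r"^Contact:.*?sip:(?:[^@>\s]+@)?([\d.]+)(?::(\d+))?",
    "SDP c=": r"^c=IN IP4 ([\d.]+)",
}

def nat_findings(message, src_ip):
    """Return (mismatches, rtp_port): advertised addresses that differ from
    the source IP the packet really arrived from, and the SDP audio port."""
    mismatches = []
    for label, pattern in FIELDS.items():
        m = re.search(pattern, message, re.MULTILINE | re.IGNORECASE)
        if not m:
            continue
        ip, port = (m.groups() + (None,))[:2]  # c= carries no port
        if ip != src_ip:
            addr = ipaddress.ip_address(ip)
            kind = "private" if any(addr in n for n in RFC1918) else "public"
            mismatches.append((label, ip, port, kind))
    media = re.search(r"^m=audio (\d+)", message, re.MULTILINE)
    return mismatches, int(media.group(1)) if media else None

if __name__ == "__main__":
    found, rtp_port = nat_findings(SAMPLE_INVITE, "198.51.100.7")
    for label, ip, port, kind in found:
        print(f"{label}: advertises {kind} {ip}:{port}, packet came from 198.51.100.7")
    print("RTP audio port the phone asked for:", rtp_port)
```

Running the same check on the message as captured inside and outside each NAT box shows which device, if any, rewrote the advertised addresses and which RTP port the phone expects to receive audio on.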






