[Asterisk-Users] More NAT questions

rudolfl at optusnet.com.au rudolfl at optusnet.com.au
Wed Mar 2 14:52:15 MST 2005


Thanks for reply.

I have inserted my comments in your reply.


>
> As you have already noted, trying to implement this with two nat boxes is
> very difficult and in some cases impossible.
>
> The only way to know for sure what is happening is to use a packet analyzer
> (eg, ethereal) to observe the packets on the inside and outside of each nat
> box. Keep in mind that not all nat boxes operate the same way; there are major
> differences even though we tend to characterize nat boxes as all the same.
>
> The rtp ports used for voice (10000:20000 in your example) vary by phone type.
> Cisco uses a different range of ports, Xten another range, Grandstream yet
> another. The ports you have listed are what asterisk uses and are probably
> not the same ports as what your remote phones use. Therefore, the exact ports
> that you need to open are dependent upon exactly which phones you deploy,
> and on how well you understand the handshaking that goes on end-to-end when
> establishing a sip call.

I am using Polycom phones. Ports 10000-20000 are specified in the rtp.conf. Same
phone worked just fine when used on same subnet.


>
> Likewise, not all phones operate the same from behind a nat box. The snom
> phones happen to be very good in terms of discovering where it sits in the
> end-to-end picture, while other phones are either very poor or don't handle
> nat well at all. Since you didn't mention what type of phones you use, there's
> no way to guess at what might be happening. Even if you post the phone type,
> it's not going to be of much use to the rest of us since we don't know the
> type of nat box in use.
>

NAT box on the Asterisk side is a Linux running RedHat 9 and iptables.
NAT box on the PHONE 2 end is a D-Link router. Default configuration is used.

> You also might find (later) that not all nat boxes support multiple phones
> behind a nat box. Eg, if one phone is made to work and its in use, the second
> phone behind that nat box will probably fail. Some folks have been successful
> with multiple phones while many others have not, and most do not know why.

Yes, this is my concern too, but this is something I will worry about later. At the
moment I want a single phone to operate.

>
> You might be able to discover the nat problems by tracing packets (with
> ethereal) from inside and outside that asterisk nat box, but I'd have to guess
> you'll have less than a 50% chance of seeing the issues without traces from
> inside the nat box at the phone location also. You really need a clear
> understanding of the exact IP addresses and port numbers from "each" location
> to know how to solve the problem.

Well, it seems strange that when trying to place a call, Asterisk uses correct
address for the PHONE 2 (public IP of the NAT device on the other end). And incoming
registration is fine too.
The problems start when actual SIP traffic is passed through. Asterisk uses local IP
address in this case. It seems that it picks up addresses from IP packets and
"forgets" about phone being behind the NAT device.

This is judging only by SIP debug info Asterisk gives me.

Rudolf
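
The trace comparison discussed in this thread can be partly automated. The following is an added example, not part of the original post or of Asterisk: it lists the addresses a SIP message carries in its Via, Contact and SDP c= lines that are RFC 1918 private and differ from the source address in the IP header, which is the mismatch left behind when a NAT device rewrites only the IP header. The function names and the sample INVITE (addresses, ports) are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Places where a SIP message carries its own addresses, apart from the IP header.
FIELDS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", re.I | re.M),
    "Contact": re.compile(
        r"^Contact:.*?sips?:(?:[^@>\s]+@)?([\d.]+)(?::(\d+))?", re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}
AUDIO_PORT = re.compile(r"^m=audio (\d+)", re.M)

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not a literal IP address (e.g. a numeric user part)
        return False
    return any(ip in net for net in RFC1918)

def nat_findings(message, packet_src):
    """List (field, address, port) for every embedded private address that
    differs from packet_src, the source address seen in the IP header."""
    text = message.replace("\r\n", "\n")
    audio = AUDIO_PORT.search(text)
    findings = []
    for field, pattern in FIELDS.items():
        for m in pattern.finditer(text):
            addr = m.group(1)
            if field == "SDP c=":  # the RTP port lives on the m= line
                port = audio.group(1) if audio else None
            else:
                port = m.group(2)
            if addr != packet_src and is_rfc1918(addr):
                findings.append((field, addr, int(port) if port else None))
    return findings

# Constructed sample (not a capture from the thread): an INVITE from a phone at
# 192.168.0.20 whose packets leave its NAT router with source 198.51.100.7.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@203.0.113.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.20:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:phone2@192.168.0.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0", "c=IN IP4 192.168.0.20", "m=audio 2222 RTP/AVP 0",
])
```

Calling `nat_findings(SAMPLE_INVITE, "198.51.100.7")` reports all three fields, while passing the phone's own address as `packet_src` (the same-subnet case) reports none.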




