[Asterisk-Users] iax2 & nat

Rich Adamson radamson at routers.com
Wed Mar 30 03:57:17 MST 2005


> > > Is it possible to have 2 (working) iax2 phones behind port restricted nat?
> 
> Interesting you ask, since I just had an incident concerning this. I
> have an IAXy and got an IAX hardphone which I tested at home behind
> the same NAT. Using IAX soft clients before in this situation, they
> would work, but the hardphone had a lot of trouble being "reachable"
> and was shown at port 1024 while all other peers were listed on the
> correct 4569. Putting that same hardphone in the DMZ (which I've never
> gotten to work before with say, SIP phones) made it work normally.
> 
> It also seems that while the IAXy will work with qualify=300, none of
> the IAX phones I've tested so far will be reachable if qualify is
> used. I've wondered why this is, in case anyone has the answer? My
> guess is that qualify uses a message that these phones don't answer.

Whether two or more iax phones work behind a nat is highly dependent
on exactly how the nat box handles data flows that initiate on the
same udp port. Not all nat boxes function the same.

Example: two iax phones behind an inexpensive nat box. Both iax phones
use a source and destination port of udp 4569, and each iax phone has
its own internal IP address.

When internal iax phone #1 contacts an external asterisk box, that
udp session will oftentimes use udp 4569 for both the source and destination
ports. The packet leaving the nat box will have a source IP address of
the external nat interface.

When internal iax phone #2 attempts the same thing, the nat box already
knows (via its internal tables) that source and destination ports 4569
are in use (with the outside IP address), and will remap the source udp
port to something else (eg, 1024 or higher). (There are some cheap nat
boxes that mess that map process up.)

Assuming the nat box mapped these two correctly, both iax phones should
be registered. However, both are using udp, and udp is a connectionless
protocol. When the nat box maps those ports, it also starts a timer that
will be used to "time out" those table entries. The timeout value can be
as small as a minute or two, or as long as no timeout (drop the oldest
entries when the table becomes full).

If you think about how many times your pc goes to the internet to resolve
dns entries (for all pc access, whether it's a phone or web surfing),
those dns entries (also using udp) will become a rather large number.
If the nat box has limited internal memory resources, the manufacturer
will likely have a rather small timeout value that could actually be in
seconds.

Now, what is going to happen to your iax phones when the nat box decides
to drop the table map entries? (Ans: no more communications.)

Some nat boxes will let you configure the udp map timeout values while
others won't even publish their default values. And in some cases, the
manufacturer will change their unpublished default value from one
version of firmware to another.

The 'qualify' statement was intended (as one purpose) to pulse the 
remote phone and keep the nat table entries from timing out. That
usually works just fine "if" the iax phone uses the register method.

If the iax phone does not use the register method (and you have the
* iax definitions in terms of 'peer' and 'user'), you're likely to have
a nat box problem. Why? Because asterisk will attempt to contact both
iax phones by sending udp packets to the same nat address using udp
port 4569. The nat box won't know what to do with that pkt.

The work around to that is to statically map 4569 to one phone and 
map 4570 to the second phone (in the nat box). Then in the * config,
ensure your dialplan uses the same port numbers to reach each phone.

If you've followed along thus far, then what happens when the iax phone
sends an arbitrary pkt (of any type) to asterisk? The nat box will
likely get in the middle again and map that outgoing pkt to yet
another port, and * may become rather confused.

Bottom line: when having problems with two or more phones behind a
nat box, you almost always have to use a packet sniffer on the inside
and outside of the nat box to "see" what that box is actually doing
to you. 

If the iax phones allow you to select a udp source port range that 
it will use, then set the range to different values for each phone.
E.g., iax phone #1 uses "source" udp ports 10,000 - 10,100, and
phone #2 uses ports 10,200 - 10,300, or something like that. Since
I don't use any iax phones, I don't have a clue if any of the common
ones provide such an option. 

You may also find that different iax phones will operate differently
using the same nat box. It's not uncommon for programmers to force the
use of udp port 4569 for _both_ the source and destination ports. 
Two instances of that kind of phone will likely cause the nat issues
noted above. If a different iax phone allows the source port to be
chosen by the system, there is a much smaller chance of having a nat
problem. (The small chance results when both phones happen to choose
the same source port and the nat box doesn't handle the duplicate
port number correctly.)

Hope that helps........
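As an added illustration of the mapping behaviour described in this reply (not code from the thread, from Asterisk, or from any NAT vendor), here is a toy model of a port-restricted NAT's UDP table: two inside phones both sourcing from udp/4569, an idle timeout that drops entries, qualify-style pulses that refresh them, and the static 4569/4570 forward used as the workaround. The addresses and the remap-to-1024-and-up rule are constructed assumptions.

```python
# Toy model of a NAT box's UDP mapping table, added as an illustration for this
# thread; it is not code from Asterisk or any NAT vendor. Two inside IAX phones
# both send from udp/4569 to an outside Asterisk box, as described in the post.
ASTERISK = ("203.0.113.10", 4569)   # assumed outside Asterisk address

class Nat:
    def __init__(self, udp_timeout, static_map=None):
        self.timeout = udp_timeout          # seconds before an idle map entry is dropped
        self.static = static_map or {}      # ext port -> inside (ip, port), configured by hand
        self.table = {}                     # ext port -> [inside (ip, port), remote, last_seen]
        self.next_remap = 1024              # assumed: collisions get remapped to 1024 and up

    def outbound(self, inside, remote, now):
        """Inside phone sends a packet; returns the external port the NAT used."""
        for ext, entry in self.table.items():
            if entry[0] == inside and entry[1] == remote:
                entry[2] = now              # traffic refreshes the timer (what qualify relies on)
                return ext
        ext = inside[1]                     # try to keep the phone's own source port
        if ext in self.table or self.static.get(ext, inside) != inside:
            ext, self.next_remap = self.next_remap, self.next_remap + 1
        self.table[ext] = [inside, remote, now]
        return ext

    def inbound(self, remote, ext, now):
        """Outside host sends to the NAT's ext port; returns the inside phone or None."""
        self.table = {e: v for e, v in self.table.items() if now - v[2] < self.timeout}
        entry = self.table.get(ext)
        if entry and entry[1] == remote:    # port-restricted: only the mapped remote gets in
            return entry[0]
        return self.static.get(ext)         # otherwise only a static map can deliver it

PHONE1, PHONE2 = ("192.168.1.11", 4569), ("192.168.1.12", 4569)   # constructed inside phones

def run(udp_timeout, qualify_every=None, static_map=None, at=300):
    """Register both phones at t=0, optionally pulse them, then see who Asterisk reaches at t=at."""
    nat = Nat(udp_timeout, static_map)
    ext1 = nat.outbound(PHONE1, ASTERISK, 0)
    ext2 = nat.outbound(PHONE2, ASTERISK, 0)
    if qualify_every:
        for t in range(qualify_every, at, qualify_every):   # each qualify reply refreshes the map
            nat.outbound(PHONE1, ASTERISK, t)
            nat.outbound(PHONE2, ASTERISK, t)
    return {"ext_ports": (ext1, ext2),
            "reach1": nat.inbound(ASTERISK, ext1, at),
            "reach2": nat.inbound(ASTERISK, ext2, at),
            "unsolicited_4570": nat.inbound(ASTERISK, 4570, at)}
```

With a 60 s timeout, `run(60)` shows both entries gone by t=300, `run(60, qualify_every=30)` keeps both phones reachable, a qualify slower than the timeout (`qualify_every=120`) does not, and `static_map={4569: PHONE1, 4570: PHONE2}` lets an unsolicited packet to 4570 reach phone 2 regardless of the table.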
