[Asterisk-Users] Nat & Sip & Pain

Derek Conniffe derek at rivertower.ie
Tue Sep 13 09:50:15 MST 2005


Hi Ray,

It would be great to find a solution which doesn't need modification of 
the firewall setup (like if it was a customer's firewall rather than your 
own).

There are two things I'm wondering about:

1) Can a "Outbound SIP Proxy" be a server out on the Internet (i.e. not 
in the local network this side of the NAT) and does that provide a way 
to make the SIP via NAT work?  *

2) Is STUN a workable solution?  There is no problem running a STUN 
server but can the far side of the STUN connection (Internet) talk with 
Asterisk and is this a way to make the SIP via NAT work? **

* I would have thought that an "Outbound Proxy" would need to be inside 
on the local network (a bastion host rather like a squid server for 
HTTP) but then I read the FWD documentation about setting the Outbound 
Proxy for a budgetone to make it work with NAT and their server - the 
Outbound Proxy they specified was out there on the Internet.

** I've read that Asterisk doesn't currently have STUN support but I'm 
not sure what that means exactly:  I'm not sure if that means "Asterisk 
doesn't have a STUN server built-in" or if it means "Asterisk is not 
compatible with a STUN server".

Thanks,

Derek



razza wrote:

>Derek,
>You said - 
>Needless to say when I don't have any NAT settings on the SIP phone I 
>don't get any registration with the * server (this confuses me too - I'm
>not sure why I only get registration when I set the * server to be the 
>outbound proxy?  Maybe it's because the SIP phone sends its local IP in 
>the RTP packets?).
>
>SIP is not NAT friendly (unlike IAX) and yes your device will try to
>send its local IP (in SIP packets), unless in the case of a budgetone
>phone you set the 'Use NAT IP' to your external IP addr. You will also
>have to NAT the public ip for the SIP port (5060?) and RTP ports
>(whatever) to your phones private IP.
>
>Must admit not tried it myself, but happy to jointly experiment if you
>like?
>
>_______________________________________________
>Ray
>
>_______________________________________________
>
>
>-----Original Message-----
>From: asterisk-users-bounces at lists.digium.com
>[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Derek
>Conniffe
>Sent: 13 September 2005 12:44
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: [Asterisk-Users] Nat & Sip & Pain
>
>
>Hi everyone,
>
>I decided to have a look at SIP & NAT again and I've been at it for a 
>[quite a] few hours but typically nothing is working for me.  Actually 
>I'm not sure if SIP and NAT can ever work but some emails on this list 
>do suggest that someone has got it working, once, maybe.
>
>I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports 
>"Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP".  I'm 
>using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to 
>the Internet.
>
>I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of
>course.
>
>In my experiments the only thing that seems to allow me to make a call 
>is to enter the [public Internet] IP address of my * server into the 
>"Outbound Proxy" setting in the SIP phone - then it registers and I can 
>make a call but no audio, either direction, is heard.
>
>I would have thought that the "Outbound Proxy" should be inside the NAT 
>gateway but then I read the settings for a Budgetone BEHIND nat on the 
>FWD webpage 
>(http://www.freeworlddialup.com/support/configuration_guide/configure_your_fwd_certified_phone/grandstream_budgetone/outbound_proxy) 
>where they suggest that the Outbound Proxy should be an external 
>Internet public proxy server ?
>
>Then I was reading about STUN and what a nice sounding solution it is - 
>so I downloaded and installed the Vovida STUN server - compilation & 
>installation was nice and easy and I set the STUN primary IP address & 
>port into the SIP phone's STUN server settings.  I could see that the 
>SIP phone communicated with the STUN server (lots of stuff about mapping
>between my local NAT gateway's public IP address and the secondary IP 
>address of the STUN server)... but no registration or [apparent] 
>communication with the * server.
>
>I didn't try to do anything with the "Fake WAN address.." settings or 
>try to redirect incoming UDP ports from the firewall to the SIP phone 
>because I'm trying to see if it's possible to set up a deploy-anywhere SIP
>phone solution.
>
>Needless to say when I don't have any NAT settings on the SIP phone I 
>don't get any registration with the * server (this confuses me too - I'm
>not sure why I only get registration when I set the * server to be the 
>outbound proxy?  Maybe it's because the SIP phone sends its local IP in 
>the RTP packets?).
>
>Does anyone know how to get NAT & SIP working where the SIP phone is 
>behind a NAT server talking to a publicly accessible * server?
>
>Thanks for any help!
>
>When I run FWD's "netcheck" on my local PC (also behind the NAT) I get: 
>Internet Connection: Connected, Direct/NAT: Using NAT, NAT type: Port 
>Restricted Nat, NAT UPnP enabled: No, Local IP Address: 192.168.5.10, 
>WAN IP Address: XXX.XXX.XXX.XXX (public IP address), Port 5060: Blocked,
>port 5082: Blocked.
>
>
>[Maybe] useful Links that I've found on my Nat & SIP travels:-
>
>http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions
>-------------------------------------------------------------
>Here VOIP INFO claim that "Asterisk as a SIP server outside nat, clients
>on the inside connecting to Asterisk" is "solved" with "with nat=yes 
>and qualify=xxx in sip.conf for the client in most cases. Some clients 
>(X-lite) assist themselves by using STUN and sending UDP keep-alive 
>packets. Qualify sends keep-alive packets from Asterisk to the client 
>on the inside." - however I can't get it to work
>
>http://www.asteriskguru.com/tutorials/sip_nat_oneway_or_no_audio_asterisk.html
>-----------------------------------------------------------------------------------
>Here there is some detail about the NAT= option in sip.conf and firewall
>NAT types plus some understandable diagrams of why SIP & NAT is so much 
>bother.
>
>http://www.voip-info.org/wiki-STUN
>--------------------------------------
>The VOIP INFO page about STUN - I don't think I learned much here - 
>except the link to the Vovida STUN server software
>
>Asterisk Users - Email from wehr at japet.com - 02/July/2005 23:49
>--------------------------------------------------------------------
>Thierry claims that you need to put special MASQUERADE POSTROUTING rules
>into iptables to make it NAT UDP properly - tried it but didn't work for
>me
>
>Asterisk Users - Email from p_kami at yahoo.com - 16/Aug/2005 10:29
>------------------------------------------------------------------------
>Kamran Ahmad sounds like someone who [might have] had SIP & NAT working 
>- until it wasn't working....
>
>
>
>BTW My Current SIP sip.conf entry that I'm using for testing (which 
>doesn't work of course!): -
>[0035314401789]
>context=PublicSip
>type=friend
>port=5060
>username=0035314401789
>password=XXXXXXXX
>callerId=0035314401789
>nat=route                        ; assume a NAT connection (note: route doesn't seem to make any difference compared to "yes")
>qualify=yes                    ; keep-alive packets to keep NAT SIP open
>insecure=yes                        ; insecure and auth don't seem to make things work any better/worse!
>auth=plaintext                      ;
>host=dynamic                    ; and with a dynamic IP address
>canreinvite=no                  ; always keep asterisk in the media path
>;dtmfmode=info                   ; could be inband ?
>dtmfmode=rfc2833                ; could be inband ? but doesn't matter - still NAT & SIP isn't working
>mailbox=10000@default
>disallow=all
>;allow=ilbc
>;allow=ulaw
>allow=g729
>;allow=ulaw
>;allow=all
>
>
>  
>


-- 
Derek Conniffe
Rivertower Ltd
Ireland: (Freephone) 1800 719 400
Ireland: (Local) 01 244 9719
United Kingdom: 0870 068 2368
International: 00 353 1 244 9719
Derek Conniffe DDI: 01 201 0146 (International: 00 353 1 201 0146)
Derek Conniffe Mobile: 086 856 3823 (International: 00 353 86 856 3823)
Fax: 01 201 0085 (International: 00 353 1 201 0085)
Email: Derek at rivertower.ie
Web: http://www.rivertowerhosting.com
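
Added example, not part of the original post: the thread's suspicion that the phone "sends its local IP" can be checked on a captured SIP message. This Python sketch lists the RFC 1918 addresses a phone behind NAT advertises in Via, Contact and the SDP c= line; the sample INVITE, the user `phone1`, the host `pbx.example.net` and the observed source 203.0.113.7 are constructed, and 192.168.5.10 is the local address from the netcheck output quoted above.

```python
import ipaddress
import re

# Constructed sample: an INVITE from a phone at 192.168.5.10 with no NAT settings.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1000@pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.5.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:phone1@pbx.example.net>;tag=1928301774",
    "To: <sip:1000@pbx.example.net>",
    "Call-ID: a84b4c76e66710@192.168.5.10",
    "CSeq: 1 INVITE",
    "Contact: <sip:phone1@192.168.5.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 0 0 IN IP4 192.168.5.10",
    "s=-",
    "c=IN IP4 192.168.5.10",
    "t=0 0",
    "m=audio 10000 RTP/AVP 18",
    "",
])
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers (long and compact names) whose address the far end routes on.
ROUTED = {"via": "Via", "v": "Via", "contact": "Contact", "m": "Contact"}

def _is_rfc1918(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)

def nat_leaks(message, observed_src):
    """List (field, address) pairs where the message advertises an RFC 1918
    address that differs from the source address the server saw."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        field = ROUTED.get(name.strip().lower())
        if field:
            found += [(field, ip) for ip in IPV4.findall(value)]
    for line in body.split("\r\n"):
        if line.startswith("c="):                  # where RTP should be sent
            found += [("SDP c=", ip) for ip in IPV4.findall(line)]
    return [(f, ip) for f, ip in found if _is_rfc1918(ip) and ip != observed_src]
```

The Via address is where responses are directed, Contact is where later requests such as incoming calls are sent, and the SDP c= line is where the far end sends RTP.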
