FW: [Asterisk-Users] Nat & Sip & Pain

Derek Conniffe derek at rivertower.ie
Tue Sep 13 10:08:30 MST 2005


Hi Ray,

I was wondering if the "qualify" option is used [in sip.conf] to keep a 
connection (from the SIP phone inside the firewall to the Asterisk 
server outside the firewall) open then would the firewall not allow two 
way communication without incoming port mapping/NAT (providing that the 
SIP phone started "talking" first)?

I'm not sure about that - I'm being hopeful though :)

STUN would be very acceptable to me if it worked though ;)

Derek

razza wrote:

>Derek,
>I'm not an expert in these areas, hence the offer to play, but in answer
>to your questions to the best of my ability -
>
>1. I don't see any reason the outbound proxy can't be in the public
>domain although this is where the NAT issues start kicking in
>(especially if you want incoming calls), depending on the number of
>clients behind the firewall you would have to do lots of port mapping
>etc. on the router/firewall, could be done but would be painful.
>2. Never played with a STUN server, sorry just another point to break in
>the chain?
>
>
>_______________________________________________
>Ray
>
>_______________________________________________
>
>
>-----Original Message-----
>From: Derek Conniffe [mailto:derek at rivertower.ie] 
>Sent: 13 September 2005 17:50
>To: Asterisk Users Mailing List - Non-Commercial Discussion;
>rjames31 at btopenworld.com
>Subject: Re: [Asterisk-Users] Nat & Sip & Pain
>
>
>Hi Ray,
>
>It would be great to find a solution which doesn't need modification of 
>the firewall setup (like if it was a customer's firewall rather than your
>own).
>
>There are two things I'm wondering about: -
>
>1) Can an "Outbound SIP Proxy" be a server out on the Internet (i.e. not 
>in the local network this side of the NAT) and does that provide a way 
>to make the SIP via NAT work?  *
>
>
>2) Is STUN a workable solution.  There is no problem running a STUN 
>server but can the far side of the STUN connection (Internet) talk with 
>Asterisk and is this a way to make the SIP via NAT work? **
>
>* I would have thought that an "Outbound Proxy" would need to be inside 
>on the local network (a bastion host rather like a squid server for 
>HTTP) but then I read the FWD documentation about setting the Outbound 
>Proxy for a budgetone to make it work with NAT and their server - the 
>Outbound Proxy they specified was out there on the Internet.
>
>** I've read that Asterisk doesn't currently have STUN support but I'm 
>not sure what that means exactly:  I'm not sure if that means "Asterisk 
>doesn't have an STUN server built-in" or if it means "Asterisk is not 
>compatible with an STUN server".
>
>Thanks,
>
>Derek
>
>
>
>razza wrote:
>
>>Derek,
>>You said -
>>Needless to say when I don't have any NAT settings on the SIP phone I 
>>don't get any registration with the * server (this confuses me too - I'm
>>not sure why I only get registration when I set the * server to be the
>>outbound proxy?  Maybe it's because the SIP phone sends its local IP in 
>>the RTP packets?).
>>
>>SIP is not NAT friendly (unlike IAX) and yes your device will try to 
>>send its local IP (in SIP packets), unless in the case of a budgetone 
>>phone you set the 'Use NAT IP' to your external IP addr. You will also 
>>have to NAT the public ip for the SIP port (5060?) and RTP ports
>>(whatever) to your phones private IP.
>>
>>Must admit not tried it myself, but happy to jointly experiment if you 
>>like?
>>
>>_______________________________________________
>>Ray
>>
>>_______________________________________________
>>
>>
>>-----Original Message-----
>>From: asterisk-users-bounces at lists.digium.com
>>[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Derek 
>>Conniffe
>>Sent: 13 September 2005 12:44
>>To: Asterisk Users Mailing List - Non-Commercial Discussion
>>Subject: [Asterisk-Users] Nat & Sip & Pain
>>
>>
>>Hi everyone,
>>
>>I decided to have a look at SIP & NAT again and I've been at it for a
>>[quite a] few hours but typically nothing is working for me.  Actually 
>>I'm not sure if SIP and NAT can ever work but some emails on this list 
>>do suggest that someone has got it working, once, maybe.
>>
>>I'm experimenting with a ZyXEL 2000W [WiFi Sip phone] which supports
>>"Outbound Proxy", "STUN" and "Fake WAN Address on SIP and RTP".  I'm 
>>using Netfilter (IPTables) on Linux as the Firewall at NAT gateway to 
>>the Internet.
>>
>>I'm lacking knowledge in UDP, RTP and SIP - which doesn't help of 
>>course.
>>
>>In my experiments the only thing that seems to allow me to make a call
>>is to enter the [public Internet] IP address of my * server into the 
>>"Outbound Proxy" setting in the SIP phone - then it registers and I can
>>make a call but no audio, either direction, is heard.
>>
>>I would have thought that the "Outbound Proxy" should be inside the NAT
>>gateway but then I read the settings for a Budgetone BEHIND nat on the 
>>FWD webpage 
>>(http://www.freeworlddialup.com/support/configuration_guide/configure_your_fwd_certified_phone/grandstream_budgetone/outbound_proxy) 
>>where they suggest that the Outbound Proxy should be an external 
>>Internet public proxy server ?
>>
>>Then I was reading about STUN and what a nice sounding solution it is -
>>so I downloaded and installed the Vovida STUN server - compilation & 
>>installation was nice and easy and I set the STUN primary IP address & 
>>port into the SIP phone's STUN servers settings.  I could see that the 
>>SIP phone communicated with the STUN server (lots of stuff about mapping
>>between my local NAT gateway's public IP address and the secondary IP
>>address of the STUN server)... but no registration or [apparent] 
>>communication with the * server.
>>
>>I didn't try to do anything with the "Fake WAN address.." settings or
>>try to redirect incoming UDP ports from the firewall to the SIP phone 
>>because I'm trying to see if it's possible to set up a deploy-anywhere SIP
>>phone solution.
>>
>>Needless to say when I don't have any NAT settings on the SIP phone I
>>don't get any registration with the * server (this confuses me too - I'm
>>not sure why I only get registration when I set the * server to be the
>>outbound proxy?  Maybe it's because the SIP phone sends its local IP in 
>>the RTP packets?).
>>
>>Does anyone know how to get NAT & SIP working where the SIP phone is
>>behind a NAT server talking to a publicly accessible * server?
>>
>>Thanks for any help!
>>
>>When I run FWD's "netcheck" on my local PC (also behind the NAT) I get:
>>Internet Connection: Connected, Direct/NAT: Using NAT, NAT type: Port 
>>Restricted Nat, NAT UPnP enabled: No, Local IP Address: 192.168.5.10, 
>>WAN IP Address: XXX.XXX.XXX.XXX (public IP address), Port 5060: Blocked,
>>port 5082: Blocked.
>>
>>
>>[Maybe] useful Links that I've found on my Nat & SIP travels:-
>>
>>http://www.voip-info.org/wiki-Asterisk+SIP+NAT+solutions
>>-------------------------------------------------------------
>>Here VOIP INFO claim that "Asterisk as a SIP server outside nat, clients
>>on the inside connecting to Asterisk" is "solved" with "with nat=yes and
>>qualify=xxx in sip.conf for the client in most cases. Some clients
>>(X-lite) assist themselves by using STUN and sending UDP keep-alive
>>packets. Qualify sends keep-alive packets from Asterisk to the client on
>>the inside." - however I can't get it to work
>>
>>http://www.asteriskguru.com/tutorials/sip_nat_oneway_or_no_audio_asterisk.html
>>----------------------------------------------------------------------------------
>>Here there is some detail about the NAT= option in sip.conf and firewall
>>NAT types plus some understandable diagrams of why SIP & NAT is so much
>>bother.
>>
>>http://www.voip-info.org/wiki-STUN
>>--------------------------------------
>>The VOIP INFO page about STUN - I don't think I learned much here -
>>except the link to the Vovida STUN server software
>>
>>Asterisk Users - Email from wehr at japet.com - 02/July/2005 23:49
>>--------------------------------------------------------------------
>>Thierry claims that you need to put special MASQUERADE POSTROUTING rules
>>into iptables to make it NAT UDP properly - tried it but didn't work 
>>for me
>>
>>Asterisk Users - Email from p_kami at yahoo.com - 16/Aug/2005 10:29
>>------------------------------------------------------------------------
>>Kamran Ahmad sounds like someone who [might have] had SIP & NAT working
>>- until it wasn't working....
>>
>>
>>
>>BTW My Current SIP sip.conf entry that I'm using for testing (which
>>doesn't work of course!): -
>>[0035314401789]
>>context=PublicSip
>>type=friend
>>port=5060
>>username=0035314401789
>>password=XXXXXXXX
>>callerId=0035314401789
>>nat=route                       ; assume a NAT connection (note: route doesn't seem to make any difference compared to "yes")
>>qualify=yes                     ; keep-alive packets to keep NAT SIP open
>>insecure=yes                    ; insecure and auth don't seem to make things work any better/worse!
>>auth=plaintext                  ;
>>host=dynamic                    ; and with a dynamic IP address
>>canreinvite=no                  ; always keep asterisk in the media path
>>;dtmfmode=info                  ; could be inband ?
>>dtmfmode=rfc2833                ; could be inband ? but doesn't matter - still NAT & SIP isn't working
>>mailbox=10000@default
>>disallow=all
>>;allow=ilbc
>>;allow=ulaw
>>allow=g729
>>;allow=ulaw
>>;allow=all
>>


-- 
Derek Conniffe
Rivertower Ltd
Ireland: (Freephone) 1800 719 400
Ireland: (Local) 01 244 9719
United Kingdom: 0870 068 2368
International: 00 353 1 244 9719
Derek Conniffe DDI: 01 201 0146 (International: 00 353 1 201 0146)
Derek Conniffe Mobile: 086 856 3823 (International: 00 353 86 856 3823)
Fax: 01 201 0085 (International: 00 353 1 201 0085)
Email: Derek at rivertower.ie
Web: http://www.rivertowerhosting.com
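
Added example (not part of the original post, and not Asterisk code): a toy model of the "Port Restricted" NAT type that netcheck reported in this thread, showing which inbound packets a pinhole opened by the phone lets through and how a keep-alive interval interacts with the gateway's UDP timeout. The addresses, ports, the 30-second timeout and the keep-alive intervals are constructed assumptions.

```python
# Added example: toy model of a port-restricted cone NAT.
# Addresses, ports and the 30 s UDP timeout are constructed assumptions.
UDP_TIMEOUT = 30

class PortRestrictedNat:
    def __init__(self, public_ip, timeout=UDP_TIMEOUT):
        self.public_ip, self.timeout = public_ip, timeout
        self.mappings = {}   # inside (ip, port) -> public port
        self.pinholes = {}   # (public port, remote ip, remote port) -> last outbound time

    def outbound(self, now, src, dst):
        """Inside host sends a packet; return the (ip, port) the remote side sees."""
        pub_port = self.mappings.setdefault(src, 40000 + len(self.mappings))
        self.pinholes[(pub_port, *dst)] = now   # in this model only outbound traffic refreshes
        return (self.public_ip, pub_port)

    def inbound(self, now, src, pub_port):
        """Remote host sends to a public port; return the inside (ip, port), or None if dropped."""
        last = self.pinholes.get((pub_port, *src))
        if last is None or now - last > self.timeout:
            return None   # phone never sent to this exact ip:port, or the pinhole expired
        return next(k for k, v in self.mappings.items() if v == pub_port)

def run(keepalive_every=None):
    """Replay one registration and report where each inbound packet ends up."""
    nat = PortRestrictedNat("203.0.113.7")
    phone_sip, phone_rtp = ("192.168.5.10", 5060), ("192.168.5.10", 5004)
    pbx_sip, pbx_rtp = ("198.51.100.20", 5060), ("198.51.100.20", 10000)
    out = {}
    _, sip_pub = nat.outbound(0, phone_sip, pbx_sip)              # REGISTER leaves first
    out["register_reply"] = nat.inbound(1, pbx_sip, sip_pub)      # same ip:port, passes
    out["rtp_to_sip_pinhole"] = nat.inbound(2, pbx_rtp, sip_pub)  # other source port, dropped
    _, rtp_pub = nat.outbound(3, phone_rtp, pbx_rtp)              # phone sends RTP first
    out["rtp_reply"] = nat.inbound(4, pbx_rtp, rtp_pub)           # server answers observed source
    # Keep-alive: the server's probe arrives, the phone's answer is outbound and refreshes.
    if keepalive_every:
        for t in range(keepalive_every, 121, keepalive_every):
            if nat.inbound(t, pbx_sip, sip_pub):
                nat.outbound(t, phone_sip, pbx_sip)
    out["invite_at_125s"] = nat.inbound(125, pbx_sip, sip_pub)    # incoming call
    return out

if __name__ == "__main__":
    for interval in (None, 20, 60):
        print(interval, run(interval))
```

In this model a keep-alive only helps when its interval is shorter than the gateway's UDP timeout; once the pinhole has expired, the server's probe is itself dropped and cannot reopen it.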
