[asterisk-users] Understanding NAT Traversal

Brian Candler B.Candler at pobox.com
Wed Oct 11 03:53:24 MST 2006


On Tue, Oct 10, 2006 at 05:03:30PM -0400, hugolivude wrote:
>    I understand how sitting behind a NAT could cause problems for a SIP
>    UA.  The SIP UA would create SIP messages using IP addresses from
>    inside the network (i.e. 192.#.#.# or 10.#.#.#) and these IP addresses
>    are of course unnavigable for the recipient.
>    What I don't get is why don't web browsers suffer the same problem?
>    A web browser behind a NAT sends an HTTP request much the same way as a
>    SIP UA might send an INVITE.

Kind of, except:

(1) HTTP runs over TCP, SIP runs over UDP. This is not in itself a major
    issue, because the NAT firewall will keep state open in both cases (so
    that inbound response packets are de-masqueraded back to the original
    host). But:

(2) All the web content (whether it be HTML, embedded images etc) is pulled
    back down the same TCP session as requested it in the first place.
    With a SIP phone, one UDP exchange performs the INVITE signalling, but
    a separate (unrelated at the IP layer) UDP exchange is used for the actual
    audio traffic.

(3) A web browser is not expected to receive inbound requests from a
    central server. A SIP client has to receive unsolicited INVITEs for
    inbound calls.

(4) The HTTP request does not include any IP addresses within the request or
    response. SIP headers and SDP bodies do: e.g.

        Contact: <sip:bob@192.168.0.1>

    This information is invalid on the other side of a NAT, since these
    addresses are not reachable by the other party.

So SIP and NAT do not mix well. There are a host of half-baked solutions
which sometimes work and sometimes don't, because even the concept of NAT
itself is not well-defined, and NAT implementations differ widely (see RFC
3489 for the gory details).

Probably the most nearly-baked solution is to use a SIP and RTP proxy, such
as siproxd, and give it a real public IP address. Roll on the day when all
NAT routers have this built in.

For more info see:

    * http://www.voip-info.org/wiki-NAT+and+VOIP
    * http://www.sipcenter.com/sip.nsf/html/WEBB5YN5GE/$FILE/SIPNATtraversal.pdf
    * http://siprouter.onsip.org/doc/gettingstarted/ch04s05.html

HTH,

Brian.

