[asterisk-users] Asterisk both behind a NAT and outside at the same time

Brad Templeton brad+aster at templetons.com
Tue Oct 31 01:26:59 MST 2006


I've read a lot of the descriptions of handling NAT with Asterisk,
and the use of both the nat and canreinvite flags.  I am very
familiar with SIP and NAT but have not seen an answer to the following
question.


My Asterisk server runs on a machine with two ethernets.  One is
an external net, with exposed IP addresses.   The other is an internal
net with natted IP addresses.   Thus the server has two addresses. 

The server is _not_ the NAT gateway.  That's a Linksys box which has
its own external IP to gateway traffic from the internal natwork.

The phones are on the internal NATwork.   Asterisk talks to them over
it.   Outside peers, such as SIP termination providers etc. talk
to the Asterisk server via its outside address, which is as you
would expect.

However, from time to time I get the famous one-way audio because
Asterisk has decided to do a native bridge between a natted SIP
phone and an external SIP peer.   It sends the internal IP of
the SIP phone in the SDP and of course the outside service can't
send packets to that.

I could just turn off reinvites on the internal phones, but this
would cause them to route all traffic through the Asterisk box,
even on internal calls between phones on the same ethernet, which
seems foolish to me.   I don't want to turn off reinvites to the
external peers -- if a call comes in from a SIP originator for example,
and is sent back out to a SIP terminator (call forwarding) I want
a native bridge for sure.    (Handling the internal traffic is not
so much of a burden though sometimes I hear latency because of it, but
routing external traffic through the Asterisk box is a bad thing.)

So what I want is for Asterisk to use native bridges when connecting
two channels behind the NAT, or two channels on the real internet, but
not to do so when connecting an internal and external channel.

It should be able to see the IP addresses, and know the difference between
natted and external ones and know they can't talk to one another.
(The ICE protocol would handle this someday.)

Is IAX smarter about this?

Of course I might even want to get smarter about this.  Is it possible,
typically by configuring STUN in the phones, to have them be aware of their
external IP and tell Asterisk about it?  With a full cone NAT, it would
work to do a native bridge between the internal and external devices
so long as the external device is given the right address and port of
the NAT box, not the internal address of the phone.   However, we don't
want to do this on internal to internal calls -- many NATs can't hairpin.


I would think this would be a common situation (though perhaps more
commonly the Asterisk server IS the firewall/NAT.)   Is there a
solution that does the right thing most of the time?
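
The decision rule asked for above, as an added example that is not part of the original post and is not Asterisk code: read each leg's media address from its SDP and allow a native bridge only when both legs sit on the same side of the NAT. LOCALNETS (assumed to be the RFC 1918 ranges), the function names and the sample SDP bodies are constructed for illustration.

```python
import ipaddress

# Assumption: the internal NATted LAN falls inside the RFC 1918 ranges.
LOCALNETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sdp(addr, port):
    """Build a minimal, constructed SDP body with one audio stream."""
    return (f"v=0\r\no=- 1 1 IN IP4 {addr}\r\ns=-\r\nc=IN IP4 {addr}\r\n"
            f"t=0 0\r\nm=audio {port} RTP/AVP 0\r\n")

def media_address(body):
    """Return the audio connection address from an SDP body.

    A c= line inside the m=audio section overrides the session-level one.
    """
    session = media = section = None
    for line in body.splitlines():
        if line.startswith("m="):
            section = line[2:].split()[0]
        elif line.startswith("c="):
            fields = line[2:].split()      # <nettype> <addrtype> <address>
            if len(fields) != 3:
                raise ValueError(f"malformed c= line: {line!r}")
            addr = ipaddress.ip_address(fields[2].split("/")[0])
            if section is None:
                session = addr
            elif section == "audio" and media is None:
                media = addr
    chosen = media if media is not None else session
    if chosen is None:
        raise ValueError("SDP has no usable c= line")
    return chosen

def is_internal(addr):
    """True when the address belongs to one of the NATted local networks."""
    return any(addr in net for net in LOCALNETS)

def bridge_mode(sdp_a, sdp_b):
    """'direct' when both legs are on the same side of the NAT, else 'relay'."""
    a, b = media_address(sdp_a), media_address(sdp_b)
    return "direct" if is_internal(a) == is_internal(b) else "relay"

if __name__ == "__main__":
    phone, provider = sdp("192.168.1.20", 16384), sdp("203.0.113.10", 20000)
    print(bridge_mode(phone, provider))    # mixed legs: media stays on the server
```

The check uses the address each endpoint advertises in its SDP, so a phone that already advertises its external address and port would classify as external and the internal-to-internal hairpin concern from the post still applies.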

