[asterisk-users] Asterisk both behind a NAT and outside at the same time

C F shmaltz at gmail.com
Tue Oct 31 07:13:14 MST 2006


Seems to me that you have a routing problem; Asterisk should not know
how to send packets to an outside IP using the NATed network. Make
sure that the internal (NAT) interface doesn't have a gateway to it.

On 10/31/06, Brad Templeton <brad+aster at templetons.com> wrote:
>
> I've read a lot of the descriptions of handling NAT with Asterisk,
> and the use of both the nat and canreinvite flags.  I am very
> familiar with SIP and NAT but have not seen an answer to the following
> question.
>
>
> My Asterisk server runs on a machine with two ethernets.  One is
> an external net, with exposed IP addresses.   The other is an internal
> net with natted IP addresses.   Thus the server has two addresses.
>
> The server is _not_ the NAT gateway.  That's a linksys box which has
> its own external IP to gateway traffic from the internal natwork.
>
> The phones are on the internal NATwork.   Asterisk talks to them over
> it.   Outside peers, such as SIP termination providers etc. talk
> to the Asterisk server via its outside address, which is as you
> would expect.
>
> However, from time to time I get the famous one-way audio because
> Asterisk has decided to do a native bridge between a natted SIP
> phone and an external SIP peer.   It sends the internal IP of
> the SIP phone in the SDP and of course the outside service can't
> send packets to that.
>
> I could just turn off reinvites on the internal phones, but this
> would cause them to route all traffic through the asterisk box,
> even on internal calls between phones on the same ethernet, which
> seems foolish to me.   I don't want to turn off reinvites to the
> external peers -- if a call comes in from a SIP originator for example,
> and is sent back out to a SIP terminator (call forwarding) I want
> a native bridge for sure.    (Handling the internal traffic is not
> so much of a burden though sometimes I hear latency because of it, but
> routing external traffic through the asterisk box is a bad thing.)
>
> So what I want is for Asterisk to use native bridges when connecting
> two channels behind the NAT, or two channels on the real internet, but
> not to do so when connecting an internal and external channel.
>
> It should be able to see the IP addresses, and know the difference between
> natted and external ones and know they can't talk to one another.
> (The ICE protocol would handle this someday.)
>
> Is IAX smarter about this?
>
> Of course I might even want to get smarter about this.  Is it possible,
> typically by configuring STUN in the phones, to have them be aware of their
> external IP and tell Asterisk about it?  With a full cone NAT, it would
> work to do a native bridge between the internal and external devices
> so long as the external device is given the right address and port of
> the NAT box, not the internal address of the phone.   However, we don't
> want to do this on internal to internal calls -- many NATs can't hairpin.
>
>
> I would think this would be a common situation (though perhaps more
> commonly the asterisk server IS the firewall/NAT.)   Is there a
> solution that does the right thing most of the time?
>
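
The bridging rule asked for in the quoted message (direct media only when both endpoints sit on the same side of the NAT), as an added Python example that is not part of either message and is not Asterisk's code. The `LOCALNET` prefix, the sample SDP bodies and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed prefix of the NATed phone LAN (the thread does not give the real one).
LOCALNET = ipaddress.ip_network("192.168.1.0/24")

def sdp_media_addr(sdp):
    """Return the address on the first SDP connection line (c=IN IP4 <addr>)."""
    m = re.search(r"^c=IN IP4 (\S+)\s*$", sdp, re.MULTILINE)
    if m is None:
        raise ValueError("SDP has no IPv4 connection line")
    return ipaddress.ip_address(m.group(1))

def side(addr):
    """Classify a media address as behind the NAT or on the public side."""
    return "inside" if addr in LOCALNET else "outside"

def bridge_plan(sdp_a, sdp_b):
    """'native' if the endpoints can exchange RTP directly, else 'relay'."""
    if side(sdp_media_addr(sdp_a)) == side(sdp_media_addr(sdp_b)):
        return "native"
    # One leg is on the NATed LAN and one is public: the internal address in
    # the SDP is unreachable from outside, so the dual-homed server must
    # stay in the media path.
    return "relay"

def make_sdp(addr, port):
    """Build a minimal constructed SDP body for the demo."""
    return ("v=0\r\n"
            f"o=- 1 1 IN IP4 {addr}\r\n"
            "s=-\r\n"
            f"c=IN IP4 {addr}\r\n"
            "t=0 0\r\n"
            f"m=audio {port} RTP/AVP 0\r\n")

# Constructed sample endpoints (RFC 1918 and documentation ranges).
PHONE_A = make_sdp("192.168.1.20", 16384)
PHONE_B = make_sdp("192.168.1.21", 16386)
ORIGINATOR = make_sdp("203.0.113.10", 20000)
TERMINATOR = make_sdp("198.51.100.7", 30000)

if __name__ == "__main__":
    for name, a, b in [("phone-phone", PHONE_A, PHONE_B),
                       ("phone-provider", PHONE_A, TERMINATOR),
                       ("provider-provider", ORIGINATOR, TERMINATOR)]:
        print(name, bridge_plan(a, b))
```
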

