[asterisk-users] OK to have Asterisk and clients behind firewalls?

Gordon Henderson gordon+asterisk at drogon.net
Fri May 18 00:49:49 MST 2007


On Thu, 17 May 2007, Vincent Delporte wrote:

> Hi
>
> 	To investigate the UNREACHABLE issue I'm having, I need to have 
> confirmation that it's OK for the Asterisk server to be behind a NAT router, 
> and also have clients elsewhere on the Net behind their own NAT router?

Yes, it's OK...

> I know that clients must use STUN to resolve their public IP and punch UDP 
> holes in their firewall, but is there something special that must be done in 
> the configuration of Asterisk so it knows it's living in a private network, 
> behind a NAT router?

Yes. You need to do a few things. Firstly, you need the asterisk server on 
a static IP address on the inside, so make sure it doesn't get its IP 
address from the local DHCP server. Next, you need to enable 
port-forwarding on your router. You need to forward port 5060 and 10000 
through 20000 to the internal IP address of your asterisk box.

Finally, you need to tell the asterisk box that it's on the inside of a 
NAT firewall. In sip.conf, you need 3 additional lines:

   nat=yes
   localnet=192.168.4.0/24
   externip=1.2.3.4

You need to change localnet and externip to suit your network settings.

It goes without saying that you also need a static IP address on the 
internet connection that the asterisk server sits behind (but not for the 
phones).

If using IAX then you just need to add port 4569 to the port forwarding 
rules on your firewall/router.

> And if someone knows of tools to investigate SIP issues, especially a 
> text-based sniffer (no X available in the Asterisk live CD I'm using), I'm 
> interested :-)

tcpdump is the basic tool, but tethereal (now called wireshark, but I don't 
know what its text-mode version is called - maybe the same). You can also 
capture packets with tcpdump to a file, then analyse them with a GUI 
enabled sniffer on a different workstation afterwards if required.

> PS: FWIW, extension 203 (softphone) and 204 (IP phone) are both located on 
> the same network and behind a NAT router, and both connect out to an Asterisk 
> server somewhere on the Net behind its own NAT router:
>
> slast*CLI> sip show peers
> Name/username              Host            Dyn Nat ACL Port     Status
> 204/204                    82.237.x.y     D          5060     UNREACHABLE 
> 203/203                    82.237.x.y     D   N      46838    OK (925 ms)

I'd check the settings on the soft phone...


Gordon
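
A check for the three sip.conf settings described in the reply above, as an added example that is not part of the original post or of Asterisk. The function names, the inside server address 192.168.4.10 and both sample configs are constructed for illustration, and treating a non-literal externip as a problem is an assumption of this check.

```python
import ipaddress

def parse_general(text):
    """Collect key=value options from the [general] section of a sip.conf."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip().lower(), []).append(value.strip())
    return opts

def check_nat(text, server_ip):
    """Return a list of problems with nat/localnet/externip for this server."""
    opts, problems = parse_general(text), []
    server = ipaddress.ip_address(server_ip)
    if opts.get("nat", [""])[-1].lower() != "yes":
        problems.append("nat=yes is not set")
    # localnet may be given as a prefix length or a dotted netmask
    nets = [ipaddress.ip_network(n, strict=False) for n in opts.get("localnet", [])]
    if not any(server in net for net in nets):
        problems.append("no localnet covers the server's inside address")
    ext = opts.get("externip", [None])[-1]
    if ext is None:
        problems.append("externip is not set")
    else:
        try:
            addr = ipaddress.ip_address(ext)
        except ValueError:
            problems.append("externip is not an IP address")
        else:
            # An inside address here would be advertised to remote phones
            if addr.is_private or any(addr in net for net in nets):
                problems.append("externip is an inside/private address")
    return problems

# Constructed sample configs; GOOD uses the placeholder values from the post.
GOOD = "[general]\nnat=yes\nlocalnet=192.168.4.0/24\nexternip=1.2.3.4\n"
BAD = ("[general]\nnat=no ; left at default\n"
       "localnet=192.168.1.0/255.255.255.0\nexternip=192.168.4.1\n")

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_nat(conf, "192.168.4.10") or "ok")
```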

