[asterisk-users] No NAT, but firewall mangles Register SDP

Robert Moskowitz rgm at htt-consult.com
Thu Jan 10 16:23:18 CST 2008


Nailed it!

TCPdump on Trixbox 2.4 (Asterisk 1.4.17-1) going out and public side of 
firewall (Linksys WRT54G running Sveasoft).  Firewall is configured NOT to 
NAT (public addressing on internal network).

I stop asterisk (amportal stop).  Wait 30 min to ensure timeout.  Start 
both tcpdumps.  Start Asterisk (amportal start).  Get into Asterisk cli 
to ensure registration was successful.  Stop everything.  Look at dumps 
with Wireshark.

The very first SIP packet is a REGISTER coming from TB heading for 
Broadvoice (Only a SIP extension and Broadvoice SIP trunk defined).   
The UDP ports are SRC=5060 DST=5060.  Length is different: 5 bytes were 
added by the firewall, inside the SIP packet.

From TB the Contact content is Phone#@IP#, while going out the firewall 
it is Phone#@IP#:5060

And this works.  For calling from Broadvoice into TB.

But if I run a firewall that does NOT mangle the SIP content it does NOT 
work.

sip.broadvoice.com is really a Proxy server, and the INVITE coming from 
it has content that directs the RTP server over to a different 
Broadvoice server.   That is when the Linksys box is there mangling the 
SIP content.  With the regular firewall, TB gets an INVITE without the 
redirect content and tries to set up the RTP call with their proxy 
server which ICMP rejects the RTP packets.

So.....

What do I do so that without a mangling firewall this works?

Is Broadvoice "broken" and can only work through a NAT?  Will simply 
adding NAT=yes result in the Phone#@IP#:5060 in the first place?

thank you all.
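
Added example, not part of the original post: a Python script that diffs the same REGISTER as seen on the inside and the outside of the firewall, to show exactly which header an in-path device rewrote and by how many bytes. The two messages, the address 192.0.2.10, the number 5551230000 and the host sip.example.net are constructed sample data, and the function names are hypothetical.

```python
# Added example: diff one SIP REGISTER as captured on each side of a firewall.
# Every address, number and header value below is constructed sample data.
from itertools import zip_longest


def parse_sip(raw: bytes):
    """Split a SIP message into (start_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def alg_diff(inside: bytes, outside: bytes):
    """Report which headers an in-path device rewrote and the size change."""
    _, h_in, body_in = parse_sip(inside)
    _, h_out, body_out = parse_sip(outside)
    changed = [(a[0] or b[0], a[1], b[1])
               for a, b in zip_longest(h_in, h_out, fillvalue=("", ""))
               if a != b]
    return {"changed": changed,
            "delta": len(outside) - len(inside),
            "body_changed": body_in != body_out}


def register(contact_host: str) -> bytes:
    """Build a constructed REGISTER whose Contact host part is contact_host."""
    return ("REGISTER sip:sip.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK0001\r\n"
            "From: <sip:5551230000@sip.example.net>;tag=a1\r\n"
            "To: <sip:5551230000@sip.example.net>\r\n"
            "Call-ID: constructed-0001@192.0.2.10\r\n"
            "CSeq: 102 REGISTER\r\n"
            f"Contact: <sip:5551230000@{contact_host}>\r\n"
            "Content-Length: 0\r\n\r\n").encode()


INSIDE = register("192.0.2.10")         # as sent by the PBX
OUTSIDE = register("192.0.2.10:5060")   # as seen on the public side

if __name__ == "__main__":
    print(alg_diff(INSIDE, OUTSIDE))
```

To use it on real traffic, pass the UDP payloads of the matching packets from the two tcpdump captures in place of `INSIDE` and `OUTSIDE`.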



