[asterisk-users] More detalis: Re: SIP URI question and NATs

Robert Moskowitz rgm at htt-consult.com
Fri Jan 11 10:04:49 CST 2008


OK.  I will continue this thread.  I have learned a lot through a lot of 
tcpdumps.  So I am top posting so new understanding does not get hidden.

Senario:

Asterisk publicly addressed behind a firewall.  Two different firewalls 
available:  Linksys WRT54G running sveasoft and Centos using Netfilter 
configured with Shorewall.  Both firewalls have the same IP addresses, 
switching them is a matter of switching cables.  With Linksys, I have 
turned NAT off, but still needed to define the *box as the dmzbox.

Problem:

inbound calls work with Linksys not with Netfilter (no voice).

Observation 1:

With Linksys, the INVITE for inbound calls have redirect information.  
The RTP flow goes to the different Broadvoice server.  With Netfilter, 
the INVITE lacks this additional information.  The RTP flow goes to the 
Broadvoice server * is registered to, and that box replys with an ICMP 
port not available.

Observation 2:

The REGISTER coming from * has Contact: Phone#@foo.com.  Linksys alters 
this to Phone#@foo.com:5060.  In fact it alters many SDP values to add 
the port number (this was determined by tcpdumps on both sides of the 
Linksys box).  Of course the Netfilers box does NOT mangle.  Further 
looking at the INVITEs, this port number information seems to be important.

Conclusion:

Broadvoice is NOT acting properly with only Phone#@foo.com, it needs 
Phone#@foo.com:5060.

Next step:

How do I get * to directly include the port number?  I tried nat=yes, 
but this did not make a difference.

Johansson Olle E wrote:
> 10 jan 2008 kl. 15.24 skrev Robert Moskowitz:
>
>   
>> I am seeing slight differences in URIs.
>>
>> In the case where things work, the URI is user at sip.foo.com  where it
>> does not work is user at sip.foo.com:5060
>>
>> In the first case I suspect that Asterisk did something, perhaps at
>> startup, where it 'decided' it was behind a firewall, so let the
>> firewall do the port mapping.
>>
>> In the second case I suspect whatever Asterisk was doing at startup
>> indicated it was wide open so it supplies the 5060 port number.
>>
>> Is Asterisk doing any discovery at startup?
>>
>>     
> First, don't start a new mail in an old thread. Thanks.
>
> Your mail doesn't have enough information on what goes wrong and where,
> so there is little I can say to help you. There's no information about  
> how
> you are using the SIP uri in Asterisk.
>
> In general, if there's a port number attached to the domain part in a  
> URI,
> this indicates that the domain name is actually a host and that a SIP  
> device should
> *not* lookup any SRV records.
>
> /O
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>   



More information about the asterisk-users mailing list