[asterisk-users] Cisco 7971 behind NAT

Darryl Dunkin ddunkin at netos.net
Mon Nov 16 22:39:14 CST 2009


You need to enable SIP transformations on the firewall; the packets will
have to be dynamically re-written to handle multiple Cisco phones of
these models. Be sure 'nat=no' is set in sip.conf for the phones as
well, or Asterisk will reply to the incorrect ports (source instead of
the mangled contact header).

In this case, you'll need to compile in the SIP connection tracking/NAT
bits in the kernel; they should be able to mangle the packets
appropriately. I have never tested this, as all my deployments have
hardware firewalls with SIP support built-in.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Luki
Sent: Monday, November 16, 2009 20:30
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Cisco 7971 behind NAT

Hi all,

does anyone have any luck using a Cisco 7971 (SIP) behind NAT with two
different accounts on the same server (i.e. two different extensions)?
I am using Cisco-CP7971G-GE/8.3.0 and asterisk V1.4.something.

The phone sends SIP packets from a high-numbered UDP port but expects
a reply on port 5060. Fine, I do some magic with iptables to rewrite
the packets (which limits me to one phone at that location, unless I'm
mistaken). Incoming calls work fine on both accounts, but outgoing
calls work only from the most recently registered account (the order
is random due to timing) since both appear to asterisk as IP:5060. An
outgoing call from the other account is rejected with an
authentication mismatch, which makes sense. Asterisk matches the most
recently registered peer by IP/port and if the user name differs, it
complains, even if the password is the same for both accounts.

So, is this the worst SIP implementation ever in those Cisco 7971's or
am I doing something very wrong here? Technically even without NAT
this confusion would occur as both accounts use IP:5060 so Asterisk
cannot tell them apart during the initial peer matching stage. Of
course the source port the Cisco selects is different with every
dialog, so that doesn't help either.

Any input would be appreciated before I throw that phone out of the
window.

Thanks,
Luki
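
Added example (not part of the thread, and a simplified model rather than Asterisk's own code): it parses the Contact header of REGISTER requests and reports which accounts end up sharing one reply address, covering both the two-accounts-on-one-phone case from the question and the rewritten-Contact case from the reply. All addresses, ports, extensions and function names are constructed for illustration.

```python
import re
from collections import defaultdict

CONTACT_RE = re.compile(
    r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>;\s]+@)?([^:;>\s]+)(?::(\d+))?", re.I | re.M)
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?sips?:([^@>;\s]+)@", re.I | re.M)

def make_register(user, contact_port, host="203.0.113.10"):
    """Build a constructed REGISTER as the server would see it (not captured traffic)."""
    return (f"REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{user}@pbx.example.com>;tag=1\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"Contact: <sip:{user}@{host}:{contact_port};transport=udp>\r\n"
            f"Content-Length: 0\r\n\r\n")

def reply_target(src, raw, nat_no=True):
    """Where replies go: the Contact header with nat=no, else the packet source."""
    if not nat_no:
        return src
    m = CONTACT_RE.search(raw)
    if m is None:
        raise ValueError("REGISTER without a parsable Contact header")
    return (m.group(1), int(m.group(2) or 5060))  # 5060 is the SIP default port

def colliding_targets(registrations, nat_no=True):
    """Map each reply target shared by several accounts to those accounts."""
    by_target = defaultdict(set)
    for src, raw in registrations:
        m = FROM_RE.search(raw)
        if m is None:
            raise ValueError("REGISTER without a parsable From header")
        by_target[reply_target(src, raw, nat_no)].add(m.group(1))
    return {t: sorted(users) for t, users in by_target.items() if len(users) > 1}

# Constructed data. One phone, two accounts: both Contacts advertise port 5060,
# while the packets themselves arrive from different high-numbered source ports.
ONE_PHONE = [(("203.0.113.10", 49152), make_register("101", 5060)),
             (("203.0.113.10", 49153), make_register("102", 5060))]
# Two phones whose Contact headers a SIP-aware firewall rewrote to distinct ports.
TWO_PHONES = [(("203.0.113.10", 1024), make_register("201", 1024)),
              (("203.0.113.10", 1025), make_register("202", 1025))]

if __name__ == "__main__":
    print("one phone, two accounts:", colliding_targets(ONE_PHONE))
    print("two phones, rewritten Contact:", colliding_targets(TWO_PHONES))
```

Only the first data set reports a collision: rewriting Contact headers separates phones from each other, but two accounts that advertise the same Contact address still share one reply target.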
