<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2655.35">
<TITLE>RE: [Asterisk-Users] IAX peers and NAT</TITLE>
</HEAD>
<BODY>
<BR>
<P><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: WipeOut [<A HREF="mailto:wipe_out@onetel.com">mailto:wipe_out@onetel.com</A>] </FONT>
<BR><FONT SIZE=2>> Sent: Thursday, October 23, 2003 2:12 PM</FONT>
<BR><FONT SIZE=2>> To: asterisk-users@lists.digium.com</FONT>
<BR><FONT SIZE=2>> Subject: Re: [Asterisk-Users] IAX peers and NAT</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Olle E. Johansson wrote:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> > Help, I'm stuck. Lost in the woods.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > I have one Asterisk running on FreeBSD outside on the Wild Internet.</FONT>
<BR><FONT SIZE=2>> > One on the safe inside, behind a NAT firewall.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > The inside server registers with IAX to the outer one and can place </FONT>
<BR><FONT SIZE=2>> > calls.</FONT>
<BR><FONT SIZE=2>> > The outside one can't register to the one on the inside, since it </FONT>
<BR><FONT SIZE=2>> > can't be reached</FONT>
<BR><FONT SIZE=2>> > on the private network.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > Now to my problem:</FONT>
<BR><FONT SIZE=2>> > * How do I dial from outside to the inside over the existing IAX </FONT>
<BR><FONT SIZE=2>> > connection?</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > When I dial from the outside to the inside by using the registred </FONT>
<BR><FONT SIZE=2>> > loginname like</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > exten => 1234,1,Dial(IAX/loginname/12345)</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > The outside server seems to dial the one on the inside, but I see </FONT>
<BR><FONT SIZE=2>> > nothing on the inside.</FONT>
<BR><FONT SIZE=2>> > The log on the outside mysteriously enough claims it can't </FONT>
<BR><FONT SIZE=2>> > authenticate to the inside</FONT>
<BR><FONT SIZE=2>> > server - but how do I authenticate, all authentication in </FONT>
<BR><FONT SIZE=2>> IAX is based </FONT>
<BR><FONT SIZE=2>> > on hostname</FONT>
<BR><FONT SIZE=2>> > or IP numbers...</FONT>
<BR><FONT SIZE=2>> > And even more mysteriously, the message in the logfile says</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > Oct 23 19:26:21 WARNING[137286656]: File chan_iax.c, Line 3838 </FONT>
<BR><FONT SIZE=2>> > (socket_read): I don't know how to authenticate </FONT>
<BR><FONT SIZE=2>> > methods=rsa;challenge=135582743;username=iaxtel to <nat ip #></FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > I can't find out where the username=iaxtel and methods=rsa </FONT>
<BR><FONT SIZE=2>> come from, </FONT>
<BR><FONT SIZE=2>> > have no such configuration for this</FONT>
<BR><FONT SIZE=2>> > session. The NAT IP # is the outside address of my firewall.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > It is probably something basic that I've misunderstood. </FONT>
<BR><FONT SIZE=2>> Please tell me!</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > /Olle</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> You don't really need the outside one to register with the inside one </FONT>
<BR><FONT SIZE=2>> bacasue you can call it by the name its registering with..</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> But have to tell it where to connect to..</FONT>
<BR><FONT SIZE=2>> eg. exten => 1234,1,Dial(IAX/loginname:password@otherserver/12345)</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Where otherserver is the name you specified between the [] in </FONT>
<BR><FONT SIZE=2>> the peer </FONT>
<BR><FONT SIZE=2>> definition in you iax.conf..</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Hope that helps..</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Later..</FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
<P><FONT SIZE=2>You'll also need to forward the IAX (udp 5036, or udp 4569 if you want to use IAX2) ports on the outside IP of your firewall to the IP address of your inside box. I do this with a Cisco PIX (static + acl), but I know that iptables and pf can also do this. Most firewalls can. Without this, packets from the outside can't make it to the inside box.</FONT></P>
<P><FONT SIZE=2>Randy Johnson</FONT>
</P>
</BODY>
</HTML>