[Asterisk-Users] A solution for SIP and NAT

Andrew Radke andrew at radke.iig.com.au
Wed Jul 2 02:46:53 MST 2003


Ok I guess it's time for me to weigh in on this since I started the 
whole thing and am the main developer of SaRP.

NAT and SIP _can_ work okay under very very restricted circumstances.
Multiple SIP UAs behind one NATed IP _can_ work okay with a very 
intelligent router/firewall.

BUT, not everyone can afford Cisco gear. Not everyone needs Cisco gear. 
A home user wanting to talk via a public network to an office SIP device 
does NOT need or want Cisco or other high end gear just so he can talk 
and also will still want to be able to talk to users on the net.

So now that I've presented my arguments I'm going to lay out some of 
the technical stuff. If you have a fancy SIP aware Cisco router at home 
between your two PCs and the Internet then apparently you can ignore all 
of this.

Example UA: X-Lite/X-Pro
   This UA will be sending RTP data from a different dynamic port to what
   it will receive on. This will not NAT no matter what you do since the
   incoming RTP data will never be associated with the outgoing data by
   your router. The outside user will get your audio but nothing will
   come back.

Example users: two people on one IP that want to be directly contactable
   The only way to do this is have every UA on a different forwarded port
   for each UA. i.e. sip:user1 at domain.com:5060, sip:user2 at domain.com:5061
   I want my sip url to be just like an email address, after all that's
   how they were designed. i.e. user1|user2|... at domain.com

Example security: hmmm....
   SIP breaks just about every security policy on the planet. What were
   the people thinking! I don't know any business (other than VoIP
   dedicated companies) that would allow SIP traffic directly in/out from
   a client PC! And Asterisk isn't much better. Not because there is
   anything wrong with it but because it is a big complex piece of
   software. You should ALWAYS have something sit in between it and an
   untrusted network. And while you're at it DON'T leak your internal
   network addresses/configuration to the outside world!

Okay, I can go on for quite a while longer. Let's just say that there is 
a lot of smarts in routers that can handle SIP but even with that 
you're not going to be able to do any of this except the first item.

Regards,

Andrew Radke

John Todd wrote:

> 
> You may be correct about the Via: header, but you're incorrect in the 
> concept as to how it relates to Asterisk, notably in your reversal of 
> what side of the transaction is putting data in the Via: header to make 
> SIP work correctly.
> 
> This is cluttering up the list.  Talk to me off line if you want a 
> better understanding of how NAT and SIP work with Cisco devices.
> 
> Again, for those of you who might be trying to figure out what the 
> result of this conversation is:  SIP clients behind NAT works fine in 
> both directions (incoming and outgoing calls), Asterisk makes it work, 
> it's not using STUN.  Cisco devices work especially well.
> 
> JT
