[Asterisk-Users] Asterisk behind LinkSys NAT Routing

Clif Jones ctjones at earthlink.net
Tue Nov 4 05:25:39 MST 2003


This looks to me like the approach that Pingtel took for NAT.  I think it is a good option to have but having STUN as an additional option is really what we want.  You can find an implementation of a STUN library and apps at www.vovida.org.  The External IP approach has some flaws and can be a pain to configure for people that do not know what is actually being done with this data.  I will try to explain this since I have to test this stuff on vendor phones every day...

SIP is a text-based protocol, which means that address information is embedded in each SIP message as "text".  Unfortunately, most routers, etc. do not have a SIP ALG, so the address information in the UDP or TCP connections gets corrected through the NAT function, but the payload, which in this case is SIP and SDP (RTP setup messages), does not get translated.  The other end of the call outside your private network sees your private IP addresses and cannot route to them.

External IP basically says "put this address in the SIP and SDP messages instead of my private address".

The problem here is that if your lease is up on your ISP connection and the renew gives you another address, you're out of business until you update your settings.  The other thing is, you must port forward your SIP port (usually 5060) and every incoming RTP/RTCP port pair from the NAT router to Asterisk.

STUN is pretty simple and works well.  This feature actually queries a STUN server on the public side and asks what your external IP and port look like.  It also determines the level of IP security that you are using. (Read the RFC on STUN, it is useful.)  You don't have to port forward anything because STUN enabled devices take advantage of the ALG in most firewalls that maps incoming traffic back to the app (Asterisk in this case) if the packets arrive at the same address/port that packets just went out.  If the connection is idle for more than a set number of seconds, the mapping is automatically deleted.  This is why you see the devices "pinging" each other every so often.  This allows an incoming call to reach the SIP port.

Having BOTH External IP and STUN would give us the greatest flexibility because if we didn't have a STUN server on the other end we could manually set it.

Martin Pycko wrote:

>It's new. It prevents asterisk from putting the private IP in the messages
>that asterisk sends with SIP.
>
>Martin
>
>On Mon, 3 Nov 2003, WipeOut wrote:
>
>>Martin Pycko wrote:
>>
>>>You can port forward the 5060 SIP port and use externip keyword in
>>>sip.conf to have it working behind a NAT.
>>>
>>>Martin
>>>
>>Martin,
>>
>>Is "externip" a new parameter??
>>
>>Does it do a similar thing for the server as what "nat=yes" does for the
>>phone?
>>
>>Later..
>>
>>_______________________________________________
>>Asterisk-Users mailing list
>>Asterisk-Users at lists.digium.com
>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>
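
Added example, not part of the thread and not Asterisk or Vovida code: the message above says NAT corrects the UDP/IP header but leaves the SIP and SDP text alone, and that External IP substitutes a public address into those messages. The sketch below finds RFC 1918 addresses in the fields the far end routes on and applies that substitution; the INVITE, host names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed, abbreviated INVITE as it leaves a host behind NAT. The router
# rewrites the UDP/IP header but none of these lines. Content-Length is
# omitted; a real rewriter must recompute it after changing the body.
SAMPLE_INVITE = (
    "INVITE sip:1000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "Contact: <sip:2000@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 3344 3344 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Fields the far end uses to route replies and media (with SIP compact forms).
ROUTED = ("via:", "v:", "contact:", "m:", "o=", "c=")

def is_private(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def private_addrs(message):
    """List (field, address) for each private IP found in a routed field."""
    hits = []
    for line in message.split("\r\n"):
        if line.lower().startswith(ROUTED):
            field = re.split(r"[:=]", line, maxsplit=1)[0]
            hits += [(field, a) for a in IPV4.findall(line) if is_private(a)]
    return hits

def apply_external_ip(message, external_ip):
    """Substitute external_ip for private addresses in routed fields only."""
    swap = lambda m: external_ip if is_private(m.group(0)) else m.group(0)
    return "\r\n".join(
        IPV4.sub(swap, line) if line.lower().startswith(ROUTED) else line
        for line in message.split("\r\n"))
```

The Call-ID keeps its private address because it is only an identifier, not something the far end routes to.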



