[Asterisk-Users] IAX peers and NAT
Olle E. Johansson
oej at edvina.net
Thu Oct 23 11:49:44 MST 2003
Johnson, Randy wrote:
>
> > -----Original Message-----
> > From: WipeOut [mailto:wipe_out at onetel.com]
> > Sent: Thursday, October 23, 2003 2:12 PM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [Asterisk-Users] IAX peers and NAT
> >
> >
> > Olle E. Johansson wrote:
> >
> > > Help, I'm stuck. Lost in the woods.
> > >
> > > I have one Asterisk running on FreeBSD outside on the Wild Internet.
> > > One on the safe inside, behind a NAT firewall.
> > >
> > > The inside server registers with IAX to the outer one and can place
> > > calls.
> > > The outside one can't register to the one on the inside, since it
> > > can't be reached
> > > on the private network.
> > >
> > > Now to my problem:
> > > * How do I dial from outside to the inside over the existing IAX
> > > connection?
> > >
> > > When I dial from the outside to the inside by using the registered
> > > loginname like
> > >
> > > exten => 1234,1,Dial(IAX/loginname/12345)
> > >
> > > The outside server seems to dial the one on the inside, but I see
> > > nothing on the inside.
> > > The log on the outside mysteriously enough claims it can't
> > > authenticate to the inside
> > > server - but how do I authenticate, all authentication in IAX is based
> > > on hostname or IP numbers...
> > > And even more mysteriously, the message in the logfile says
> > >
> > > Oct 23 19:26:21 WARNING[137286656]: File chan_iax.c, Line 3838
> > > (socket_read): I don't know how to authenticate
> > > methods=rsa;challenge=135582743;username=iaxtel to <nat ip #>
> > >
> > > I can't find out where the username=iaxtel and methods=rsa come from,
> > > have no such configuration for this
> > > session. The NAT IP # is the outside address of my firewall.
> > >
> > > It is probably something basic that I've misunderstood. Please tell me!
> > >
> > > /Olle
> > >
> > You don't really need the outside one to register with the inside one
> > because you can call it by the name it's registering with..
> >
> > But you have to tell it where to connect to..
> > eg. exten => 1234,1,Dial(IAX/loginname:password@otherserver/12345)
> >
> > Where otherserver is the name you specified between the [] in the peer
> > definition in your iax.conf..
> >
> > Hope that helps..
> >
> > Later..
> >
>
> You'll also need to forward the IAX (udp 5036, or udp 4569 if you want
> to use IAX2) ports on the outside IP of your firewall to the IP address
> of your inside box. I do this with a Cisco PIX (static + acl), but I
> know that iptables and pf can also do this. Most firewalls can.
> Without this, packets from the outside can't make it to the inside box.
No, the idea with IAX is that I don't need port forwarding. IAXtel.com is able to
call my server through my NAT, since my server polls iaxtel.com. It's a nice feature
of the IAX protocol if the server on the inside registers on the outside.
What bothers me is that I can't configure my two servers as IAXTEL.COM works.
/O
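
The NAT behaviour the last message relies on, as an added illustration that is not part of the original thread: a small Python model of a port-restricted NAT, showing why a registration sent from the inside lets the outer server send calls back without a port forward, and why the mapping has to be kept fresh. The addresses, the 60-second idle timeout and all class and function names are constructed for this example.

```python
from dataclasses import dataclass, field
UDP_MAPPING_TTL = 60  # assumed NAT idle timeout in seconds (constructed value)

@dataclass
class Nat:
    """Port-restricted NAT: inbound UDP passes only on a live outbound mapping."""
    public_ip: str
    mappings: dict = field(default_factory=dict)  # (pub_port, remote) -> (inside, last_seen)
    next_port: int = 40000

    def outbound(self, inside, remote, now):
        """Translate inside->remote; refresh a live mapping or allocate a new one."""
        for key, (ins, seen) in list(self.mappings.items()):
            if key[1] == remote and ins == inside:
                if now - seen <= UDP_MAPPING_TTL:
                    self.mappings[key] = (ins, now)
                    return (self.public_ip, key[0])
                del self.mappings[key]  # expired: the old public port is gone
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[(port, remote)] = (inside, now)
        return (self.public_ip, port)

    def inbound(self, remote, pub_port, now):
        """Return the inside address the datagram is delivered to, or None if dropped."""
        entry = self.mappings.get((pub_port, remote))
        if entry is None or now - entry[1] > UDP_MAPPING_TTL:
            return None
        return entry[0]

def simulate():
    nat = Nat("203.0.113.10")                      # constructed addresses throughout
    inside, outer = ("192.168.1.5", 4569), ("198.51.100.20", 4569)
    stranger = ("198.51.100.99", 4569)
    # t=0: the inside server registers; the outer one records the source it saw.
    reg1 = nat.outbound(inside, outer, now=0)
    out = {
        "call_from_outer": nat.inbound(outer, reg1[1], now=30),
        "unsolicited": nat.inbound(stranger, reg1[1], now=30),
        "after_timeout": nat.inbound(outer, reg1[1], now=120),
    }
    # t=130: re-registration; the NAT may hand out a different public port.
    reg2 = nat.outbound(inside, outer, now=130)
    out["new_source_port"] = reg2[1] != reg1[1]
    out["call_to_new_source"] = nat.inbound(outer, reg2[1], now=140)
    out["call_to_stale_source"] = nat.inbound(outer, reg1[1], now=140)
    return out

if __name__ == "__main__":
    print(simulate())
```

In this model only the registered remote reaches the inside server, and only while registrations arrive more often than the NAT's idle timeout; the outer server has to dial the most recently observed source address, not a configured one.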