[Asterisk-Users] SIP Behind NAT (sipgate.de)

Scott James Williamson scott at sjwilliamson.ca
Thu Feb 19 22:26:22 MST 2004


Hello List,

Just thought I would post an update, I got asterisk to register with
sipgate.de.

I was wrong, it was my firewall (maybe).

Here is the way a normal nat under openbsd pf works:

    udp 192.168.1.100:5060 <- 24.102.192.227:(random port) <- 217.10.79.9:5060

but add this line to pf.conf before your main catch all nat line:

    nat on $ext_if inet proto udp from any port = 5060 to any -> ($ext_if) port 5060

this changes the nat behaviour to choose a static port on the
firewall to originate the connection from. (reading man pages is good)

and you get this:

    udp 192.168.1.100:5060 <- 24.102.192.227:5060 <- 217.10.79.9:5060

Which makes sense, as they (sipgate.de) want to see, and reply to port
5060 on the asterisk machine. I guess x-lite is a bit of a smarter UA when it
comes to nat connections.

Anyway hope this helps someone!

Scott

Thursday, February 19, 2004, 2:23:00 PM, you wrote:

SJW> Hello Users,

SJW> I am attempting to create a sip connection in the following network:

SJW> Sipgate.de --> Internet --> Gate --> Asterisk PBX --> Some Extension

SJW> Gate, the gateway and nat'ing firewall has sip udp (5060) traffic and
SJW> rtp udp (8000 to 8020) traffic forwarded to the asterisk pbx machine.
SJW> Both asterisk and x-lite are set to listen/use these port ranges.
SJW> (The forwards work, as X-lite works perfectly when forced to no
SJW> firewall ("Open IP") setting, simply writing the correct sip via: headers. I
SJW> tested it this morning by calling to a normal number in .de)

SJW> However, when I attempt to use asterisk to do the same thing, I get
SJW> some strange behaviour. I have attempted to use the following
SJW> different configurations of sip.conf:

SJW> I am using asterisk cvs version " v1-0_stable" and
SJW> chan_sip.c from cvs is version 1.292.2.6.


SJW> config #1 (the nat config)

SJW> --snip--

SJW> [general]
SJW> port = 5060
SJW> bindaddr = 0.0.0.0
SJW> externip = gate.sjwilliamson.ca
SJW> localnet = 192.168.1.0
SJW> localmask = 255.255.255.0
SJW> context = local
SJW> nat=yes

SJW> register => xxx:xxx at sipgate.de/6464 ; 6464 is my internal extension

SJW> [sipgate]
SJW> type=friend
SJW> secret=xxx
SJW> username=xxx
SJW> host=sipgate.de
SJW> nat=yes

SJW> --end snip--

SJW> config #2 (the no-nat config)

SJW> --snip--

SJW> [general]
SJW> port = 5060
SJW> bindaddr = 0.0.0.0
SJW> ;externip = gate.sjwilliamson.ca
SJW> ;localnet = 192.168.1.0
SJW> ;localmask = 255.255.255.0
SJW> context = local
SJW> ;nat=yes

SJW> register => xxx:xxx at sipgate.de/6464 ; 6464 is my internal extension

SJW> [sipgate]
SJW> type=friend
SJW> secret=xxx
SJW> username=xxx
SJW> host=sipgate.de
SJW> ;nat=yes

SJW> --end snip--

SJW> What I find strange is:

SJW>      1. When using the no-nat config (2) asterisk is able to register
SJW>      with sipgate.de even though it sends out my internal address in
SJW>      the sip via header. However any sip invites are wrongly tagged
SJW>      with my internal ip address, and sipgate.de does not send me any
SJW>      audio, and the call times out (as it should). See following
SJW>      snippet:

SJW> --snip--
     
SJW> 11 headers, 0 lines
SJW> Reliably Transmitting:
SJW> REGISTER sip:sipgate.de SIP/2.0
SJW> Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2
SJW> From: <sip:8007163 at sipgate.de>;tag=as11899051
SJW> To: <sip:8007163 at sipgate.de>
SJW> Call-ID: 068cc5447a37ef1049b2625241fbc6f9 at 127.0.0.1
SJW> CSeq: 102 REGISTER
SJW> User-Agent: Asterisk PBX
SJW> Expires: 120
SJW> Contact: <sip:6464 at 192.168.1.100>
SJW> Event: registration
SJW> Content-length: 0

SJW>  (no NAT) to 217.10.79.9:5060


SJW> Sip read:

SJW> 0 headers, 0 lines


SJW> Sip read:
SJW> SIP/2.0 401 Unauthorized
SJW> Via: SIP/2.0/UDP
SJW> 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227
SJW> From: <sip:8007163 at sipgate.de>;tag=as11899051
SJW> To:
SJW> <sip:8007163 at sipgate.de>;tag=b11cb9bb270104b49a99a995b8c68544.0784
SJW> Call-ID: 068cc5447a37ef1049b2625241fbc6f9 at 127.0.0.1
SJW> CSeq: 102 REGISTER
SJW> WWW-Authenticate: Digest realm="sipgate.de", nonce="x"
SJW> Server: Sip EXpress router (0.8.12 (i386/linux))
SJW> Content-Length: 0
SJW> Warning: 392 217.10.79.9:5060 "Noisy feedback tells: 
SJW> pid=14272 req_src_ip=24.102.192.227 req_src_port=62600
SJW> in_uri=sip:sipgate.de out_uri=sip:sipgate.de via_cnt==1"


SJW> 10 headers, 0 lines
SJW> 12 headers, 0 lines
SJW> Reliably Transmitting:
SJW> REGISTER sip:sipgate.de SIP/2.0
SJW> Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2
SJW> From: <sip:8007163 at sipgate.de>;tag=as11899051
SJW> To: <sip:8007163 at sipgate.de>
SJW> Call-ID: 068cc5447a37ef1049b2625241fbc6f9 at 127.0.0.1
SJW> CSeq: 103 REGISTER
SJW> User-Agent: Asterisk PBX
SJW> Authorization: Digest username="8007163", realm="sipgate.de",
SJW> algorithm="MD5", uri="sip:sipgate.de", nonce="x", response="x"
SJW> Expires: 120
SJW> Contact: <sip:6464 at 192.168.1.100>
SJW> Event: registration
SJW> Content-length: 0

SJW>  (no NAT) to 217.10.79.9:5060


SJW> Sip read:
SJW> SIP/2.0 200 OK
SJW> Via: SIP/2.0/UDP
SJW> 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227
SJW> From: <sip:8007163 at sipgate.de>;tag=as11899051
SJW> To:
SJW> <sip:8007163 at sipgate.de>;tag=b11cb9bb270104b49a99a995b8c68544.0784
SJW> Call-ID: 068cc5447a37ef1049b2625241fbc6f9 at 127.0.0.1
SJW> CSeq: 103 REGISTER
SJW> Contact: <sip:8007163 at 24.102.192.227:5060>;q=0.00;expires=780
SJW> Contact: <sip:6464 at 24.102.192.227:62600>;q=0.00;expires=120
SJW> Server: Sip EXpress router (0.8.12 (i386/linux))
SJW> Content-Length: 0
SJW> Warning: 392 217.10.79.9:5060 "Noisy feedback tells: 
SJW> pid=14265 req_src_ip=24.102.192.227 req_src_port=62600
SJW> in_uri=sip:sipgate.de out_uri=sip:sipgate.de via_cnt==1"


SJW> 11 headers, 0 lines

SJW> --end snip--

SJW>    2. When I use the nat config (1) it gets even stranger. Asterisk
SJW>    cannot register with sipgate.de, even though the sip via header
SJW>    reflects my correct internet ip address. It attempts to re-transmit
SJW>    five times, with the interesting line "(no NAT) to
SJW>    217.10.79.9:5060".

SJW> --snip--
   
SJW> 11 headers, 0 lines
SJW> Reliably Transmitting:
SJW> REGISTER sip:sipgate.de SIP/2.0
SJW> Via: SIP/2.0/UDP 24.102.192.227:5060;branch=z9hG4bK1cd66717
SJW> From: <sip:8007163 at sipgate.de>;tag=as7c8d34b5
SJW> To: <sip:8007163 at sipgate.de>
SJW> Call-ID: 412221511a281b686d90c8256317744e at 127.0.0.1
SJW> CSeq: 102 REGISTER
SJW> User-Agent: Asterisk PBX
SJW> Expires: 120
SJW> Contact: <sip:6464 at 24.102.192.227>
SJW> Event: registration
SJW> Content-length: 0

SJW>  (no NAT) to 217.10.79.9:5060
SJW> Retransmitting #1 (no NAT):
SJW> REGISTER sip:sipgate.de SIP/2.0
SJW> Via: SIP/2.0/UDP 24.102.192.227:5060;branch=z9hG4bK2b457839
SJW> From: <sip:8007163 at sipgate.de>;tag=as06e7a197
SJW> To: <sip:8007163 at sipgate.de>
SJW> Call-ID: 412221511a281b686d90c8256317744e at 127.0.0.1
SJW> CSeq: 104 REGISTER
SJW> User-Agent: Asterisk PBX
SJW> Expires: 120
SJW> Contact: <sip:6464 at 24.102.192.227>
SJW> Event: registration
SJW> Content-length: 0

SJW> --end snip--

SJW> Why is there no response when asterisk includes the proper sip via
SJW> header? sipgate.de seems smart enough to tell me my internet ip
SJW> address when I send it the internal (192.168.1.100) one.

SJW> Any suggestions / comments? Should I up-/downgrade chan_sip.c from
SJW> cvs?

SJW> Thank you,

SJW> Scott Williamson
SJW> ----------------------------
SJW> FWD        : 253984
SJW> sipgate.de : (PSTN-prefix +49 0211) 8007163
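
The replies in the trace above already record how the firewall rewrote the request: the `received` and `rport` parameters that the server adds to the Via header carry the source address and port it actually saw. The following is an added example, not part of the original post, that reads that mapping out of a reply; `nat_mapping` and its field names are made up here, and the second sample reply is an assumption about what the registrar returns once the pf rule is in place.

```python
import ipaddress
import re

# Constructed sample: the 200 OK from the trace above, reduced to the headers
# that matter, with the mail-wrapped Via rejoined and " at " restored to "@".
REPLY_BEFORE = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227
Contact: <sip:6464@24.102.192.227:62600>;q=0.00;expires=120
Content-Length: 0
"""
# Assumption, not a captured trace: the same reply once the pf rule keeps the
# translated source port at 5060.
REPLY_AFTER = REPLY_BEFORE.replace("62600", "5060")

VIA_RE = re.compile(
    r"SIP/2\.0/\w+\s+(?P<host>[^;:\s]+)(?::(?P<port>\d+))?(?P<params>.*)")


def headers(message, *names):
    """Values of every header whose lower-cased name is in `names`."""
    pairs = (line.partition(":") for line in message.splitlines()[1:])
    return [v.strip() for n, sep, v in pairs if sep and n.strip().lower() in names]


def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname rather than a literal address
        return False


def nat_mapping(message):
    """Compare the Via sent-by with what the server saw on the wire."""
    vias = headers(message, "via", "v")
    m = VIA_RE.match(vias[0]) if vias else None
    if m is None:
        raise ValueError("no parsable Via header")
    params = dict(p.strip().partition("=")[::2]
                  for p in m["params"].split(";") if p.strip())
    sent_port = int(m["port"] or 5060)
    seen_port = int(params.get("rport") or sent_port)  # empty rport: no rewrite info
    contacts = "\n".join(headers(message, "contact", "m"))
    return {
        "sent_by": (m["host"], sent_port),
        "seen_as": (params.get("received", m["host"]), seen_port),
        "private_sent_by": is_private(m["host"]),
        "port_translated": seen_port != sent_port,
        "contact_ports": [int(p) for p in re.findall(r"<sips?:[^>]*?:(\d+)>", contacts)],
    }
```

A `port_translated` value of true together with a Contact port other than 5060 is the signature of the default pf nat behaviour shown at the top of this message.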


  







