[Asterisk-Users] Sipura SPA2000 behind NAT

Carlos Alperin calperin at senecacom.net
Sat Jul 2 14:28:30 MST 2005


Guillermo,

I'm not very expert with iptables, but this is the issue:

I don't see the forwarding from the IP of the Sipura box (and that should be
the only one to receive both UDP and RTP traffic on the 5060 and 16384 to 32767
ports). On the other hand, the Asterisk box is also on a fixed IP, so the
traffic on UDP and the RTP only needs to be open between these two IPs.

If you don't get audio, it is because UDP packets are dropped when they come
back to you from Asterisk, or from the other side of the call.

What I see is that your firewall looks to be open on all IPs, but that doesn't
mean that it is on the right ports.

Sorry if my advice is diffuse, but as I said before, I'm not an expert on
iptables.

You can do an easy test: if you have a cheap router such as a Linksys or D-Link,
you only need to forward the ports to the IP address of the Sipura box.

That is all that you need to make this work.

Sorry I can't be more specific.

Regards

Carlos
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Guillermo
Salas M
Sent: Saturday, July 02, 2005 4:56 PM
To: asterisk-users at lists.digium.com
Subject: RE: [Asterisk-Users] Sipura SPA2000 behind NAT

Carlos,

Thank you for your fast response :) , this is the output of iptables -nL
on my linux box:

root at razametal:/home/guillermo # iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root at razametal:/home/guillermo # iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.0.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


This is my very-small and simple firewall script:
root at razametal:/home/guillermo # cat /etc/init.d/firewall
# Load modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush
iptables -X
iptables -F
iptables -X -t nat
iptables -F -t nat

# Enable NAT for 192.168.0.0/24
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# Allow forwarding for 192.168.0.0/24
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT

# EOF


On Sat, 2005-07-02 at 16:39 -0400, Carlos Alperin wrote:
> Guillermo,
> 
> This is an issue with your router. Do you have open the ports 5060 for
> SIP?
> Also, RTP needs to be open from 16384 to 32767.
> 
> Saludos,
> 
> Carlos Alperin
> Senior System Engineer 
> Seneca Communications, LLC
> calperin at senecacom.net
> 
> 
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Guillermo
> Salas M
> Sent: Saturday, July 02, 2005 4:13 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: [Asterisk-Users] Sipura SPA2000 behind NAT
> 
> Hi, I've one Sipura SPA2000 at home behind a linuxbox with two network
> adapters (eth0 for WAN and eth1 for LAN) doing NAT/DHCP:
> 
> 
> ___________ HOME _______________       ____OFFICE ____
> SPA2000     <---> Linux Box       <--> Asterisk Box
> 192.168.0.253    192.168.0.1 eth1      200.93.xxx.a
>                  200.93.xxx.b eth0
> 
> My problem is when I try to call to any trunk or extension I can hear the
> audio when the destination is ringing, but I can hear the voice of the
> person when it responds. The person in the other side can hear me, but I
> can not hear anything from him. I can not hear the voice prompts for the
> voicemail (*98) or the operator voice, but can leave voice messages to
> other SIP devices and they can hear my messages.
> 
> This is my sip.conf
> [105]
> username=105
> type=friend
> secret=105
> qualify=no
> port=5060
> nat=yes
> mailbox=105 at default
> host=dynamic
> dtmfmode=rfc2833
> context=from-internal
> canreinvite=no
> callerid="Guilllermo Salas HOME" <105>
> 
> My ext on line 1 of the Sipura is 105, and is registered with the * box:
>     -- Registered SIP '105' at 200.93.220.27 port 5060 expires 3600
> 
> asterisk*CLI> sip show peer 105
> asterisk*CLI>
> 
>   * Name       : 105
>   Secret       : <Set>
>   MD5Secret    : <Not set>
>   Context      : from-internal
>   Language     : es
>   FromUser     :
>   FromDomain   :
>   Callgroup    :  (0)
>   Pickupgroup  :  (0)
>   Mailbox      : 105 at default
>   LastMsgsSent : 2
>   Dynamic      : Yes
>   Expire       : 4
>   Expiry       : 900
>   Insecure     : No
>   Nat          : Always
>   ACL          : No
>   CanReinvite  : No
>   PromiscRedir : No
>   DTMFmode     : rfc2833
>   LastMsg      : 0
>   ToHost       :
>   Addr->IP     : 200.93.xxx.xb Port 5060
>   Defaddr->IP  : 0.0.0.0 Port 5060
>   Username     : 105
>   Codecs       : 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263)
>   Codec Order  : (g729|g723|gsm|g726|ulaw|alaw|h261|h263)
>   Status       : UNKNOWN
>   Useragent    :
>   Full Contact : sip:105 at 192.168.0.253:5060
> 
> And this is the output of sip debug peer 105 when I call to *98 (for
> voice messages):
> 
> asterisk*CLI> sip debug peer 105
> SIP Debugging Enabled for IP: 200.93.xxx.xb:5060
> 
> Sip read:
> NOTIFY sip:sip.mydomain.net SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 4 NOTIFY
> Max-Forwards: 70
> Event: keep-alive
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 0
> 
> 
> 10 headers, 0 lines
> Transmitting (no NAT):
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>;tag=as038653dd
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 4 NOTIFY
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact:
> Content-Length: 0
> 
> 
>  to 200.93.xxx.xb:5060
> Destroying call 'a584ba93-53c0013c at 192.168.0.253'
> 
> asterisk*CLI>
> 
> Sip read:
> NOTIFY sip:sip.mydomain.net SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 6 NOTIFY
> Max-Forwards: 70
> Event: keep-alive
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 0
> 
> 
> 10 headers, 0 lines
> Transmitting (no NAT):
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>;tag=as5099fa8f
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 6 NOTIFY
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact:
> Content-Length: 0
> 
> 
>  to 200.93.xxx.xb:5060
> Destroying call 'a584ba93-53c0013c at 192.168.0.253'
> asterisk*CLI>
> 
> 
> I dial *98 to get into the voice message system:
> 
> asterisk*CLI>
> 
> Sip read:
> ACK sip:*98 at sip.mydomain.net SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-600583f3
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:*98 at sip.mydomain.net>;tag=as65eec750
> Call-ID: 636a9064-eba36dcb at 192.168.0.253
> CSeq: 101 ACK
> Max-Forwards: 70
> Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 0
> 
> 
> 10 headers, 0 lines
> asterisk*CLI>
> 
> Sip read:
> INVITE sip:*98 at sip.mydomain.net SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:*98 at sip.mydomain.net>
> Call-ID: 636a9064-eba36dcb at 192.168.0.253
> CSeq: 102 INVITE
> Max-Forwards: 70
> Proxy-Authorization: Digest username="105",realm="asterisk",nonce="47a68adb",uri="sip:*98 at sip.mydomain.net",algorithm=MD5,response="8e60f592df094f9b852a59544b9da384"
> Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> Expires: 240
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 422
> Content-Type: application/sdp
> 
> v=0
> o=- 12384 12384 IN IP4 192.168.0.253
> s=-
> c=IN IP4 192.168.0.253
> t=0 0
> m=audio 16468 RTP/AVP 4 0 2 8 18 96 97 98 100 101
> a=rtpmap:4 G723/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:2 G726-32/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:18 G729a/8000
> a=rtpmap:96 G726-40/8000
> a=rtpmap:97 G726-24/8000
> a=rtpmap:98 G726-16/8000
> a=rtpmap:100 NSE/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=ptime:30
> a=sendrecv
> 
> 13 headers, 19 lines
> Using latest request as basis request
> Sending to 192.168.0.253 : 5060 (NAT)
> Found user '105'
> Found RTP audio format 4
> Found RTP audio format 0
> Found RTP audio format 2
> Found RTP audio format 8
> Found RTP audio format 18
> Found RTP audio format 96
> Found RTP audio format 97
> Found RTP audio format 98
> Found RTP audio format 100
> Found RTP audio format 101
> Peer audio RTP is at port 192.168.0.253:16468
> Found description format G723
> Found description format PCMU
> Found description format G726-32
> Found description format PCMA
> Found description format G729a
> Found description format G726-40
> Found description format G726-24
> Found description format G726-16
> Found description format NSE
> Found description format telephone-event
> Capabilities: us - 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263),
> peer - audio=0x51d (g723|ulaw|alaw|g726|g729|ilbc)/video=0x0 (nothing),
> combined - 0x11d (g723|ulaw|alaw|g726|g729)
> Non-codec capabilities: us - 0x1 (g723), peer - 0x1 (g723), combined -
> 0x1 (g723)
> Looking for *98 in from-internal
> list_route: hop: <sip:105 at 192.168.0.253>
> Transmitting (NAT):
> SIP/2.0 100 Trying
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> Call-ID: 636a9064-eba36dcb at 192.168.0.253
> CSeq: 102 INVITE
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact: <sip:*98 at 200.93.xxx.xa>
> Content-Length: 0
> 
> 
>  to 200.93.xxx.xb:5060
>     -- Executing Answer("SIP/105-6408", "") in new stack
> We're at 200.93.xxx.xa port 12436
> Video is at 200.93.xxx.xa port 16274
> Answering with preferred capability 0x100 (g729)
> Answering with preferred capability 0x1 (g723)
> Answering with preferred capability 0x2 (gsm)
> Answering with preferred capability 0x10 (g726)
> Answering with preferred capability 0x4 (ulaw)
> Answering with preferred capability 0x8 (alaw)
> Answering with preferred capability 0x40000 (h261)
> Answering with preferred capability 0x80000 (h263)
> Answering with non-codec capability 0x1 (telephone-event)
> Reliably Transmitting (NAT):
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> Call-ID: 636a9064-eba36dcb at 192.168.0.253
> CSeq: 102 INVITE
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact: <sip:*98 at 200.93.xxx.xa>
> Content-Type: application/sdp
> Content-Length: 340
> 
> v=0
> o=root 7393 7393 IN IP4 200.93.xxx.xa
> s=session
> c=IN IP4 200.93.xxx.xa
> t=0 0
> m=audio 12436 RTP/AVP 18 4 3 2 0 8 101
> a=rtpmap:18 G729/8000
> a=rtpmap:4 G723/8000
> a=rtpmap:3 GSM/8000
> a=rtpmap:2 G726-32/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-16
> a=silenceSupp:off - - - -
> 
>  to 200.93.xxx.xb:5060
>     -- Executing Wait("SIP/105-6408", "1") in new stack
> asterisk*CLI>
> 
> Sip read:
> ACK sip:*98 at 200.93.xxx.xa SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> Call-ID: 636a9064-eba36dcb at 192.168.0.253
> CSeq: 102 ACK
> Max-Forwards: 70
> Proxy-Authorization: Digest username="105",realm="asterisk",nonce="47a68adb",uri="sip:*98 at sip.mydomain.net",algorithm=MD5,response="74dd50faa2bb97fdb1a0fe6ce93489de"
> Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 0
> 
> 
> 11 headers, 0 lines
>     -- Executing VoiceMailMain("SIP/105-6408", "default") in new stack
>     -- Playing 'vm-login' (language 'es')
> asterisk*CLI>
> 
> Sip read:
> NOTIFY sip:sip.mydomain.net SIP/2.0
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 9 NOTIFY
> Max-Forwards: 70
> Event: keep-alive
> User-Agent: Sipura/SPA2000-2.0.2
> Content-Length: 0
> 
> 10 headers, 0 lines
> Transmitting (no NAT):
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> From: Guillermo Salas M <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> To: <sip:sip.mydomain.net>;tag=as45caf3ff
> Call-ID: a584ba93-53c0013c at 192.168.0.253
> CSeq: 9 NOTIFY
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> Contact:
> Content-Length: 0
> 
> 
>  to 200.93.xxx.xb:5060
> Destroying call 'a584ba93-53c0013c at 192.168.0.253'
>     -- No username but # key pressed. Using CID '105'
>     -- Playing 'vm-password' (language 'es')
>     -- Incorrect password '' for user '105' (context = <any>)
>     -- Playing 'vm-incorrect-mailbox' (language 'es')
> asterisk*CLI>
> 
> Any hint will be very appreciated,
> 
> 
> Regards,
> 
> 
> Guill3rm0
> 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
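
The port scoping suggested in this thread (SIP on UDP 5060 and RTP on UDP 16384 to 32767, open only between the Sipura and the Asterisk box), written out against the firewall script quoted above. This is an added example, not part of the original messages: the Asterisk address is passed as an argument because the thread elides it, and the DROP policy and conntrack return rule are assumptions of the example.

```shell
#!/bin/sh
# Added example: scoped replacement for the two blanket FORWARD rules.
# Values taken from the thread: eth0 = WAN, eth1 = LAN,
# SPA2000 at 192.168.0.253, SIP on UDP 5060, RTP on UDP 16384-32767.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
ATA_IP=192.168.0.253

# sipura_rules ASTERISK_IPV4
# Prints the iptables commands for review; nothing is executed here.
sipura_rules() {
    ast_ip=$1
    # Refuse anything that is not digits and dots before it reaches a rule.
    case $ast_ip in
        ''|*[!0-9.]*) echo "usage: sipura_rules ASTERISK_IPV4" >&2; return 1 ;;
    esac

    # Default-deny forwarding (assumption of this example): LAN hosts may
    # start connections, and only replies to those connections come back.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"

    # SIP signalling and RTP media: accepted only from the Asterisk box and
    # forwarded only to the Sipura, instead of "-d 192.168.0.0/24 -j ACCEPT".
    for ports in 5060 16384:32767; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp -s $ast_ip --dport $ports -j DNAT --to-destination $ATA_IP"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p udp -s $ast_ip -d $ATA_IP --dport $ports -j ACCEPT"
    done
}

# Run as: sh thisfile 203.0.113.10   (constructed placeholder address)
if [ $# -gt 0 ]; then
    sipura_rules "$1"
fi
```

The printed commands go after the flush section of the script; they apply only once reviewed and run as root.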
