[asterisk-users] Cisco 7970 behind NAT

[Evan P. Hall]

Jeremiah wrote:
> Does anyone have this working? I have a Cisco 7970 with the 8-0-2-SR1S
> firmware loaded on it. I can get the phone to register with * just
fine
> when I place my asterisk server on the same subnet and do no NAT. When
I
> give my asterisk server a static public IP and put the phone behind a
NAT
> to connect to the server registration fails. I turn on sip debugging
and
> see that the phone is trying to register but it gets 401 Unauthorized.
> The same phone config is being used with only modifications to the IPs
of
> the proxy and some NAT settings. I've adjusted NAT settings in two
places
> (phone config and sip.conf).

The problem is that the 7970 phones by default are listening for replies
to their register requests on port 5060.  Unfortunately, the phone sends
them out from random ports.  So, if you have nat=yes on the sip peer in
asterisk then the asterisk will send the reply to the port the request
came from and not 5060.

The only deployment we have done of these phones with NAT involved was
for 2 executives at a branch office.  In order to get the phones working
we had to set the XML configs for the phones to send the external IP
address of the firewall (you'll need a static IP for this to work) and
to request replies on a custom port other than 5060.  We then gave the
phones DHCP reservations so they would always get the same private IP
and mapped the custom sip ports through the firewall to each of the 2
phones.  The sip peers in asterisk then had nat=no.  Kind of a kludge
but since there were only two 7970 phones it was manageable.  The other
cisco phones don't seem to have this problem.

Perhaps somebody out there knows a way to make the 7970 phones accept
SIP responses back to the originating port.  I wasted several hours but
couldn't figure it out.

-Evan