[asterisk-users] Asterisk and several clients behind NAT
Alex Balashov
abalashov at evaristesys.com
Tue Jul 14 05:33:15 CDT 2009
jonas kellens wrote:
> Is it possible to have several clients behind NAT to register to an
> Asterisk-server with a public IP-address ?
>
> When Asterisk receives an incoming call, how will it know @ which
> private IP-address the client is reachable ?
>
> I guess it is impossible for Asterisk to directly contact the private
> client behind the NAT ?! Or to distinguish between the private clients ?!
>
> Is there an easy solution to this ? How does hosted IP-PBX services work
> then ?!

Yes, this problem has a solution. The NAT gateway creates a UDP state
mapping between internal source ports and external source (and
destination, since most user agents are symmetrical nowadays) ports.
The NAT gateway then allocates different external UDP ports for
different "connections" being tracked in this manner.

Consider, for example, two phones - 192.168.1.10 and 192.168.1.11 -
registering to an outside SIP UAS through a NAT gateway whose public
address is 67.194.23.55. The NAT gateway maps the source ports in a
random or pseudorandom manner akin to:

    192.168.1.10:5060 --> 67.194.23.55:32947
    192.168.1.11:5060 --> 67.194.23.55:47948

If far-end NAT traversal is enabled on the UAS (in the case of Asterisk,
that's nat=yes in sip.conf), the Contact URI supplied in the REGISTER
message is ignored and the actual "received" IP and port on the network
and transport layer is used in its place. The latter is what is stored
as the contact binding.

Later, a call comes in and the UAS maps it back to 67.194.23.55:47948 or
32947 depending on which registrant it is destined to go to.

This scenario is not without its problems. Some user agents do not
behave symmetrically. Some firewall/NAT router ALGs (application layer
gateways) break this process, though they mean well and try to be
helpful. But by far the most pressing problem is that many NAT gateways
rather quickly age the temporary state information (internal:external
UDP port mapping) out after a relatively short period of inactivity.

That is why many far-end NAT traversal approaches implement a policy of
periodically "pinging" the stored ("received") contact with some sort of
message that causes a bidirectional exchange of communication, and
therefore causes the NAT gateway to reset its expiration timer for that
"connection" state. In Asterisk, the OPTIONS messages generated when
the qualify=yes option is enabled in sip.conf fulfill this function.

Hope that helps,

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
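
Added example, not part of the original post and not Asterisk code: a toy Python model of the exchange described above, where the registrar stores the "received" address instead of the Contact and a periodic OPTIONS-style ping keeps the NAT mapping from aging out. The 60-second idle timeout, the user names and every class and function name are assumptions made for illustration.

```python
# Toy model: NAT gateway with idle aging plus a registrar doing far-end NAT
# traversal. All names are hypothetical; the 60 s timeout is a constructed value.
class NatGateway:
    """Maps internal (ip, port) to an external port; idle mappings age out."""
    def __init__(self, public_ip, idle_timeout, ports):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self._ports = iter(ports)      # constructed external port sequence
        self.out = {}                  # (int_ip, int_port) -> ext_port
        self.last_seen = {}            # ext_port -> time of last packet

    def _expire(self, now):
        for key, ext in list(self.out.items()):
            if now - self.last_seen[ext] > self.idle_timeout:
                del self.out[key], self.last_seen[ext]

    def outbound(self, src, now):
        """Translate an outgoing packet; returns the address the UAS sees."""
        self._expire(now)
        ext = self.out.get(src)
        if ext is None:
            ext = self.out[src] = next(self._ports)
        self.last_seen[ext] = now
        return (self.public_ip, ext)

    def inbound(self, ext_port, now):
        """Translate an incoming packet; None if the mapping has aged out."""
        self._expire(now)
        for src, ext in self.out.items():
            if ext == ext_port:
                self.last_seen[ext] = now
                return src
        return None

def register(bindings, user, contact, received):
    """nat=yes behaviour from the post: the private Contact is ignored."""
    bindings[user] = received

def simulate(keepalive_every=None, call_at=300):
    """Returns, per user, where an inbound call at call_at is delivered."""
    nat = NatGateway("67.194.23.55", idle_timeout=60, ports=[32947, 47948])
    phones = {"phone10": ("192.168.1.10", 5060), "phone11": ("192.168.1.11", 5060)}
    bindings = {}
    for user, src in phones.items():
        register(bindings, user, contact=src, received=nat.outbound(src, now=0))
    for t in range(keepalive_every, call_at, keepalive_every) if keepalive_every else ():
        for user, src in phones.items():
            # qualify-style ping: OPTIONS in, reply back out (traffic both ways)
            if nat.inbound(bindings[user][1], t) == src:
                nat.outbound(src, t)
    return {u: nat.inbound(b[1], call_at) for u, b in bindings.items()}
```

With no keepalive, or with an interval longer than the gateway's idle timeout, the call at t=300 reaches no phone; with a 30-second interval each call is delivered to the correct private address.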