Fwd: FW: [Asterisk-Users] SIP NAT question

[Paul Cheng]

Just in case other people on the list have this problem...

Begin forwarded message:

From: "George Lin" <[EMAIL PROTECTED]>
Date: Thu Aug 14, 2003  6:54:46  AM Europe/Budapest
To: "Paul Cheng" <[EMAIL PROTECTED]>
Subject: RE: FW: [Asterisk-Users] SIP NAT question
Dear Paul,

Thanks for the suggestion. It works now.

Thank you very much.

George Lin

-----Original Message-----
From: Paul Cheng [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:54 PM
To: George Lin
Subject: Re: FW: [Asterisk-Users] SIP NAT question
What kind of router do you have? That makes a huge difference!

Try the qualify first and the restart Asterisk and wait for the SIP UAs
to register. Then run Asterisk in command line (asterisk -vvvvcr) and
do a sip show peers. You should see each UA and then their status
(hopefully they say OK (x ms)).
Now try dial each extension to see if that worked.

If the problem still exists, then e-mail me again with your router type
and we can go from there.
On Wednesday, August 13, 2003, at 11:58  PM, George Lin wrote:

Dear Paul,

Thanks for the note. SO what should I configure the router at my 
office
router ??

I will add qualify=yes in each entry at sip.conf.

In our case, we already shutdown the firewall, only the NAT. for such
case,
what should we configure the router ? what is your experience with 
your
router ??

Thanks,

George Lin

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Cheng
Sent: Wednesday, August 13, 2003 1:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] SIP NAT question
Hi George,

Do you have qualify=yes set in sip.conf for your phones?

When you check sip show peers, does it give you an OK (X ms) or does 
it
say UNREACHABLE or UNMONITORED?

If you enable qualify=yes or qualify=[some number] then Asterisk will
poll the SIP UA every once in a while to make sure it is still
reachable. This may or may not work. In some cases, if the UA doesn't
support the SIP OPTIONS correctly, it will come back and Asterisk will
think it is unreachable until it sends another register command. In
other cases, it helps keep the ports open on the firewall.
BTW, we have successfully tested NAT with multiple user agents as you
describe with pretty much plug and play with Linksys, SMC,
Shorewall/Linux and various other NAT router/fw devices with great
success. Thus far, we've only had problems with DrayTek routers
mangling the UDP packets. In those cases, the UAs registered
successfully and all inbound calls worked, but outbound calls did not
as the UDP/RTP streams weren't getting handled correctly by the 
router.
They have an updated firmware that solves this problem, but we haven't
finished testing it.

On Wednesday, August 13, 2003, at 09:25  PM, Adams, Gavin wrote:

From: George Lin [mailto:[EMAIL PROTECTED]

I want to deploy multiple SIPs phone in our office. And we have
shutdown
the
firewall at our office router(with ip 211.x.x.x). we have deployed
the
asterisk with IP 218.x.x.x.
All SIP phones have 192.x.x.x.
We have something similar George, * sits outside the firewall with a
registered IP address, the SIP phones sit behind the firewall with
172.16.x.x addresses.
When the SIP phone is power on, they are registered in the asterisk.
we
can
check at asterisk side by issueing "sip show peers", and all the
phones
are
associated with 211.x.x.x:port-number.
Sounds familiar. Question, do you hide all the phones behind a single
IP
address, or does each phone get a unique address? Also, what type of
firewall?
PRoblem:
Now some times the sip can receive call, and some time it cannot
recieve
call. When we dumping the sip log, and see that asterisk tried to
INVITE
the
specified SIP phone with the 211.x.x.x:port-number, and was failed
after 5
times. But the call orginated from SIP phone is always OK.
Yup, what we initially found. Basically, we started by attempting to
hide all the phones behind a single IP address. In this case, make
sure
you uniquely assign the control port (by default UDP 5060) to
something
different for each phone.
We use FireWall-1 (older version) that doesn't play nice with "hide
NAT". Basically, it would timeout UDP connections after 40 seconds of
no
activity. Not good unless you reduce the reregister time to something
crazy like 30 seconds. Check to see how your firewall/NAT device
handles
[P]NAT translation.
Questions are:

1. Does asterisk remember the mapping between 192.x.x.x AND
211.x.x.x:port-number ?
It shouldn't. It might see the 192.x.x.x address in the SIP
conversations, but even if it did, it would not be able to route the
packets back.
2. When a call to a sip phone, is it asterisk responsiblility to map
the
211.x.x.x:port-number to the 192.x.x.x, and send to the office 
router
? OR
it is the office router to remeber all the mapping between each sip
phone
192.x.x.x and 211.x.x.x:port-number, and asterisk juts sends the
211.x.x.x:port-number to the office router ??
Asterisk should attempt to contact the phone based upon the IP and
port
seen during a 'sip show peers'. Network device responsible for any 
and
all translations.

3. If it is the office router's responsiblity, what should we
configure
the
office router even there is no firewall???
Unsure about this, I'd focus more on the NAT device. Can you describe
the topology from the SIP phone to *?
Regards,

--- Gavin
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users