Hello all,

I’m having a nightmare of a time trying to get stable results with SIP clients on Asterisk. I can’t seem to find a configuration that works! In our office, we run a Sonicwall Pro 200, which is a SIP-aware, stateful firewall.

Originally, I had configured Asterisk to run on the NAT side so that those within the office could connect easily, and those outside the office could connect via VPN. However, the VPN route is proving to be a little too latent for quality calls. Even still, some people were able to receive audio, and others not.

After much reading about Asterisk and the problems inherent to NAT, I decided OK, I’ll just toss it on the DMZ with a public address, and let the clients themselves worry about addressing their NAT issues @ home, or wherever they might be.

So here I am, with Asterisk running on the DMZ with a public IP address, totally unfirewalled to the outside world, and now I find that not only can I not connect (from the NAT side of the same SIP-aware firewall hosting the Asterisk server), but clients on public IPs, using no NAT at all, are either unable to connect, or are able to log in, but calls to any extension (whether they be SIP extensions, voicemail, conference etc.) come up 408 timed out.

In every case, the message in the * CLI is reported as:

chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call [EMAIL PROTECTED] for seqno 30841 (Response)

This to me would imply that for whatever reason, the packets from the Asterisk server are being blocked by the local firewall when it attempts to send them back to me. This I can understand, because maybe I’m having NAT issues myself, however I get the *same* messages broadcast into the CLI when users on the public IP addresses attempt to connect in (unfirewalled). I’ve checked and triple checked to make sure that the DMZ port is not firewalled in any way, so I’m a bit stumped.

After this rambling, I suppose the real question I’m asking here is, what is the most stable, preferred networking setup people tend to use when they are expecting to have SIP clients connecting both internally, and externally?

In case everyone wants to know about my SIP configurations, I’m using disallow=all, and allow=ulaw ONLY.

I’ve toyed with the nat=1/nat=yes settings, however they seem to have no real effect on the behavior of the clients. I’ve been testing strictly with X-Lite, as it came recommended by a few folks in #Asterisk on irc.freenode.net.

[General] section from SIP.conf and an example SIP client entry:

[general]
port=5060                       ; Port to bind to
bindaddr=0.0.0.0                ; Address to bind SIP channel to
;externip = 216.9.32.42
;localmask=255.255.254.0
;localnet=192.168.0.0
context = default               ; Default context for incoming calls
;srvlookup = yes

[bdarcy]
type=friend
username=bdarcy
secret=blah
host=dynamic
qualify=400
mailbox=3209
callerid="Brian D'Arcy" <3209>
nat=1
disallow=all
allow=ulaw

If anyone can provide any feedback on what works for you, or what’s recommended, it would be highly appreciated.

Thanks in advance.

Brian D'Arcy
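Added example, not part of the original post and not Asterisk code: a small diagnostic for the "Maximum retries exceeded ... (Response)" symptom described above. It compares the address a client advertises in its Via and Contact headers with the address the packet actually arrived from, following the response-routing rules of RFC 3261 and RFC 3581. The sample message, host names and addresses are constructed, and only IPv4 literals and host names are handled.

```python
import ipaddress
import re

# Constructed sample REGISTER from a softphone on a home LAN (not from the post).
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:bdarcy@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:bdarcy@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:bdarcy@192.168.1.50:5060>\r\n\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;:\s,]+)(?::(\d+))?([^\r\n,]*)", re.I | re.M)
CONTACT_RE = re.compile(r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)", re.I | re.M)


def is_rfc1918(host):
    """True for a literal IPv4 address in a private range; False for host names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def check_nat(raw, src_ip, src_port):
    """Compare what the client advertises with where the packet really came from."""
    via = VIA_RE.search(raw)  # first match is the topmost Via
    if via is None:
        raise ValueError("no Via header in message")
    via_host, via_port = via.group(1), int(via.group(2) or 5060)
    has_rport = re.search(r";\s*rport\b", via.group(3), re.I) is not None
    # RFC 3261: the reply goes to the packet's source IP but the Via port.
    # RFC 3581: with rport, the reply goes to the source IP and source port.
    reply_to = (src_ip, src_port if has_rport else via_port)
    contact = CONTACT_RE.search(raw)
    return {
        "behind_nat": (via_host, via_port) != (src_ip, src_port),
        "reply_to": reply_to,
        "reply_reaches_client": reply_to == (src_ip, src_port),
        "contact_private": contact is not None and is_rfc1918(contact.group(1)),
    }


if __name__ == "__main__":
    print(check_nat(SAMPLE_REGISTER, "203.0.113.7", 40112))  # constructed NAT mapping
```

A reply that does not reach the client shows up on the server as retransmissions of the response, and a private Contact address means later calls to that registration are sent to an address the server cannot route to.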

 
