Thus far I've been lucky enough to only have minimal SIP+NAT+Firewalling
combination deployments.   Even so, I'll put out my thoughts and hopefully
not get my foot stuck into my mouth too far. :-)  Based on my understanding
and research the reason this sort of problem comes up so often, and is more
difficult than it should be to resolve for some, is that there are really
multiple spots where the problem may be depending on:

   - the capabilities (e.g. SIP awareness) of the intermediate NAT and
   firewall devices (and whether these capabilities are enabled)
   - the security policies on the intermediate firewall devices
   - the NAT configuration of the intermediate NAT devices, such as
   PAT/One-to-Many versus Static/One-to-One (which will impact ports used)
   - the support for and availability of a STUN server for the endpoint
   devices to use
   - the default endpoint STUN configuration (in my experience it's not
   that uncommon to see a public/pseudo-public vendor STUN server
   pre-configured in a SIP device, including software phones, without the
   administrator even being aware.  This can result in something posted as
   working for someone else without anyone realizing that the default
   configuration was part of the solution, albeit stealthily.  This makes it
   difficult to compare exactly what you are doing to someone else unless
   nearly everything is exactly the same, including the endpoint device
   vendors/firmware versions; AKA: "This is all I did and it just worked, not
   sure what is so different about your situation")
   - the extern* IP settings within Asterisk sip.conf
   - the RTP port range settings in Asterisk rtp.conf
   - the ability to and actual settings of the RTP port ranges in the
   endpoint devices
   - the intentional or inadvertent attempt to use reinvites when the two
   endpoints don't actually have a direct path to each other, which creates
   problems even after connectivity problems have been resolved between the
   remote endpoint and opposing Asterisk server
   - misconfiguration of localnet in Asterisk sip.conf
   - The presence or lack thereof of nat=yes in Asterisk sip.conf
   - The presence or lack thereof of insecure=port in Asterisk sip.conf
   - The (sometimes) incompatible requirement to use DHCP (and
   dynamically assigned) addresses for one or both endpoint devices in a
   situation where pre-defined inbound port mapping will be necessary (you
   can't map an inbound port through the NAT device to an endpoint IP that
   keeps changing, at least not with most firewalls)
   - The use of dynamic _public_ IP addresses on both sides, which may
   require a variation on Asterisk extern* sip.conf settings
   - The understandable oversight that comes when configuring RTP ports
   on endpoints (and Asterisk) where ports technically _outside_ (though
   deterministic) the configured range may be implicitly used

(whether security policies and NAT is being done on the same or distinct
devices doesn't really change the situation fundamentally and the solution
can readily be adapted to whatever once you grasp the essentials of what is
going on).

 As a result, possible remedies -- when researched on-line -- tend to
confuse one more than help sometimes, since they seem to suggest "This
worked for me -- change this and you'll be all set".   When they don't, it's
easy to get frustrated.   This is about the time when I discover that having
a better understanding of what the situation really is and then
intentionally deciding exactly what I want to happen is a more solid
approach.   That way I can wrap my head around all the configuration knobs
and know just which ones are applicable to me -- and reverse engineer the
supposedly working configurations that other folks post to better apply them
to my own situation.   Personally I usually arrive at this point because I
made an assumption previously that something would be simpler than it
actually is.    With SIP, don't assume it'll deploy cleanly without hassle
in any environment except for a nice clean true end-to-end path (i.e. no
NAT, no firewalling).

Oh, and if all else fails, a sniffer (Wireshark, highly recommended) will
rarely fail to enlighten.   At least that has become the case since I've
started to get more into the nitty gritty of SIP/RTP signaling and media
sessions.

With that in mind, I've found the following URL to be one of the more
pragmatic and clueful descriptions of a more typical -- and extreme --
scenario where firewalling and NAT are being done within the "local"
networks of both end-points.  The described scenario also includes one side
not being administratively under the same control as the other (read through
all sections, 1-7, to get the full picture).   Combined with some Google'd
up tutorials on SIP, it'll prepare you much better for attacking your
particular situation:

http://www.fridu.org/index.php?option=com_content&task=category&sectionid=6&id=27&Itemid=55

Here are some other thoughts/queries to go over:

 In what direction is the audio working/not working?  This will suggest at
which side you should be looking deeper.

 What do your m0n0 logs show?   Is anything unexpected being blocked between
the two end-points?

Are logs available for the NAT/firewall on the other side?  Is anything
unexpected being blocked there?

 What are the chances you can pop Wireshark onto one side or the other (or
both, preferably) of the firewall?
(the latest version of Wireshark has a nifty SIP and RTP analyzer/grapher
built in, incidentally)

 The following may be useful if you haven't seen it already:
   http://www.voip-info.org/wiki/view/Asterisk+SIP+NAT+solutions

 Are re-invites disabled?

 Is insecure=port set?

 This thread may be helpful (albeit also an example of "it works for me, not
sure why it doesn't for you" difficult to compare scenarios):

http://m0n0.ch/wall/list/?action=show_threads&actionargs[]=200604#%2Farchive%2F262%2F78

-jr

 On Dec 20, 2007 7:50 PM, Kevin Kiely <[EMAIL PROTECTED]> wrote:
> I am having one way audio issues with an Astlinux behind nat.
>
> My application is a local astlinux box behind a nat router with phones
> registering locally and also remote phones behind nats to register with the
> local astlinux box.  I am having audio issues with this config. I have tried
> several nat routers including a monowall router.  I forwarded ports 5060 and
> the rtp ports, the respective nat=yes settings as well as optioned the
> externip and localnet settings in asterisk.
>
> I have had this working in the past and I wanted to know if anyone is using
> this application and what has worked for them.  Any chance of using monowall
> as the local and remote NAT router?  Any chance of using an additional
> astlinux box as the NAT routers with port forwarding?

-- 
Grover Beach, California, USA
http://blog.joshrichards.org    [EMAIL PROTECTED]    +1 (805) 471-6923
http://www.linkedin.com/in/joshrichards
Supporting these causes: Water.org, Kiva.org & RoomToRead.org
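Added example, not part of the original message and not Asterisk or AstLinux code: a small Python check that applies the kind of comparison you would otherwise do by eye in Wireshark to one captured INVITE. It flags a private (RFC 1918) SDP connection address arriving from a public source, a Via address that differs from the packet's source, and an advertised audio port outside the range assumed to be forwarded on the remote NAT. The INVITE, the observed source address and the forwarded port range are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample: an INVITE reaching Asterisk from a remote phone behind a
# NAT with no SIP fixups; it arrives from a public IP but Via/SDP carry the LAN IP.
SAMPLE_INVITE = (
    "INVITE sip:1001@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:2001@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)
OBSERVED_SRC_IP = "203.0.113.7"       # packet source seen in the capture (constructed)
FORWARDED_RTP_RANGE = (10000, 20000)  # assumed RTP range forwarded on the remote NAT
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_invite(raw):
    """Return (Via address, SDP c= address, SDP audio port); None where absent."""
    head, _, body = raw.partition("\r\n\r\n")
    via = re.search(r"^Via:.*?UDP ([\d.]+)", head, re.M)
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    return (via and via.group(1)), (c and c.group(1)), (m and int(m.group(1)))

def diagnose(raw, src_ip, rtp_range):
    """Return [(code, explanation)] for the NAT symptoms visible in one INVITE."""
    via_ip, sdp_ip, port = parse_invite(raw)
    findings = []
    if sdp_ip and is_rfc1918(sdp_ip) and not is_rfc1918(src_ip):
        findings.append(("sdp_private_addr",
            f"SDP c={sdp_ip} but packet came from {src_ip}: RTP would go to an "
            "unreachable LAN address (one-way audio); nat=yes or STUN on the phone"))
    if via_ip and via_ip != src_ip:
        findings.append(("via_mismatch",
            f"Via says {via_ip}, packet came from {src_ip}: signaling is NATed, "
            "so nat=yes and insecure=port become relevant"))
    lo, hi = rtp_range
    if port is not None and not lo <= port <= hi:
        findings.append(("rtp_port_outside_forwarded_range",
            f"audio port {port} outside {lo}-{hi}: remote NAT will not forward it"))
    return findings
```

Feed it the text of an INVITE copied out of a Wireshark "Follow UDP Stream" window together with the packet's source IP from the capture; the same check on a 200 OK from the far side tells you about the other direction.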
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users