[asterisk-users] SIP and NAT best practices since recent changes?
Hi, Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice. What I've always done in the past is: Global: nat=no SIP handsets that are local: nat=no SIP handsets that are remote: nat=yes ITSP SIP trunks: nat=yes I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled. The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of !! and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with clean logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall. Thanks, Steve -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 01/11/2012 05:29 AM, Steve Davies wrote: Hi, Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice. What I've always done in the past is: Global: nat=no SIP handsets that are local: nat=no SIP handsets that are remote: nat=yes ITSP SIP trunks: nat=yes I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled. The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of !! and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with clean logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall. The simplest answer is to always use 'nat=yes' (or at least 'nat=force_rport' in recent versions of Asterisk that support it), until you come across a SIP endpoint that fails to work properly with that setting. If you do come across such an endpoint, try hard to get it to work with that setting; if you can't, then set 'nat=no' for that endpoint, and understand that the endpoint's name could be discoverable using the attack methods previously disclosed. If the endpoint's configuration is suitably locked down (permit/deny, for example) this may not be a concern for you. If it's not locked down (for example, if it has to register to your Asterisk server from random locations), then the next step would be to seriously consider requesting that the user of that endpoint consider switching to some other SIP endpoint. To date, the only endpoints that have been identified that do *not* work with Asterisk's 'rport' handling forced upon them are Cisco phones. -- Kevin P. Fleming Digium, Inc. | Director of Software Technologies Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA Check us out at www.digium.com www.asterisk.org -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 11 January 2012 15:43, Kevin P. Fleming kpflem...@digium.com wrote: On 01/11/2012 05:29 AM, Steve Davies wrote: Hi, Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice. What I've always done in the past is: Global: nat=no SIP handsets that are local: nat=no SIP handsets that are remote: nat=yes ITSP SIP trunks: nat=yes I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled. The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of !! and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with clean logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall. The simplest answer is to always use 'nat=yes' (or at least 'nat=force_rport' in recent versions of Asterisk that support it), until you come across a SIP endpoint that fails to work properly with that setting. If you do come across such an endpoint, try hard to get it to work with that setting; if you can't, then set 'nat=no' for that endpoint, and understand that the endpoint's name could be discoverable using the attack methods previously disclosed. If the endpoint's configuration is suitably locked down (permit/deny, for example) this may not be a concern for you. If it's not locked down (for example, if it has to register to your Asterisk server from random locations), then the next step would be to seriously consider requesting that the user of that endpoint consider switching to some other SIP endpoint. To date, the only endpoints that have been identified that do *not* work with Asterisk's 'rport' handling forced upon them are Cisco phones. Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!) Regards, Steve -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT best practices since recent changes?
From: Steve Davies davies...@gmail.com Sent: Wednesday, January 11, 2012 12:51 PM To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com Subject: Re: [asterisk-users] SIP and NAT best practices since recent changes? On 11 January 2012 15:43, Kevin P. Fleming kpflem...@digium.com wrote: On 01/11/2012 05:29 AM, Steve Davies wrote: Hi, Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice. What I've always done in the past is: Global: nat=no SIP handsets that are local: nat=no SIP handsets that are remote: nat=yes ITSP SIP trunks: nat=yes I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled. The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of !! and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with clean logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall. The simplest answer is to always use 'nat=yes' (or at least 'nat=force_rport' in recent versions of Asterisk that support it), until you come across a SIP endpoint that fails to work properly with that setting. If you do come across such an endpoint, try hard to get it to work with that setting; if you can't, then set 'nat=no' for that endpoint, and understand that the endpoint's name could be discoverable using the attack methods previously disclosed. If the endpoint's configuration is suitably locked down (permit/deny, for example) this may not be a concern for you. If it's not locked down (for example, if it has to register to your Asterisk server from random locations), then the next step would be to seriously consider requesting that the user of that endpoint consider switching to some other SIP endpoint. To date, the only endpoints that have been identified that do *not* work with Asterisk's 'rport' handling forced upon them are Cisco phones. Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!) Regards, Steve Steve I can't get my grandstream phones to work with force_rport behind a pfsense firewall. but yes and comedia work fine. Bryant -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 01/11/2012 12:09 PM, Bryant Zimmerman wrote: *From*: Steve Davies davies...@gmail.com *Sent*: Wednesday, January 11, 2012 12:51 PM *To*: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com *Subject*: Re: [asterisk-users] SIP and NAT best practices since recent changes? On 11 January 2012 15:43, Kevin P. Fleming kpflem...@digium.com wrote: On 01/11/2012 05:29 AM, Steve Davies wrote: Hi, Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice. What I've always done in the past is: Global: nat=no SIP handsets that are local: nat=no SIP handsets that are remote: nat=yes ITSP SIP trunks: nat=yes I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled. The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of !! and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with clean logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall. The simplest answer is to always use 'nat=yes' (or at least 'nat=force_rport' in recent versions of Asterisk that support it), until you come across a SIP endpoint that fails to work properly with that setting. If you do come across such an endpoint, try hard to get it to work with that setting; if you can't, then set 'nat=no' for that endpoint, and understand that the endpoint's name could be discoverable using the attack methods previously disclosed. If the endpoint's configuration is suitably locked down (permit/deny, for example) this may not be a concern for you. If it's not locked down (for example, if it has to register to your Asterisk server from random locations), then the next step would be to seriously consider requesting that the user of that endpoint consider switching to some other SIP endpoint. To date, the only endpoints that have been identified that do *not* work with Asterisk's 'rport' handling forced upon them are Cisco phones. Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!) Regards, Steve Steve I can't get my grandstream phones to work with force_rport behind a pfsense firewall. but yes and comedia work fine. That's rather strange, since 'yes' includes 'force_rport'. Can you describe what 'not work' means in this case? -- Kevin P. Fleming Digium, Inc. | Director of Software Technologies Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA Check us out at www.digium.com www.asterisk.org -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP AND NAT
Hello! What are the nat_sip modules you mention? When I set up a linux router some time ago and configured sip.conf with net=yes, everything went smoothly just like any other router. Elliot On Mon, Aug 3, 2009 at 8:45 PM, Gordon Hendersongordon+aster...@drogon.net wrote: On Mon, 3 Aug 2009, Ketema Harris wrote: my questions are: What is the correct way(or resource to find a way) to get a linux firewall to work with SIP so that the NAT issue is not an issue ? Remove all SIP ALG/connection tracking modules and use old fashioned port forwarding on the router and externip=xx.yy.z.qq, localnet= and nat=yes in sip.conf in the asterisk box. That's what I do, anyway. Gordon ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] SIP AND NAT
I recently did a set up where I replaced a simple D-link home router that was having trouble processing a T1's worth of bandwidth with a linux machine running iptables. the kernel was 2.6.29-r5 and I chose the SIP connection tracking modules from the menuconfig. Router worked fine for normal traffic, but I was unable to get the SIP phones to work. Using ngrep it was plain to see that the although the packets going out were reaching their destination the data inside the sip headers all contained non routable IPs. I used lsmod and saw that the following modules: nf_nat_sip 5084 0 nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat nf_defrag_ipv4 1788 1 nf_conntrack_ipv4 were loaded. I also googled and found the http://www.iptel.org/ sipalg/ website, but since this seemed to be a little dated I assumed the modules contained in the kernel source tree were newer and more reliable my questions are: What is the correct way(or resource to find a way) to get a linux firewall to work with SIP so that the NAT issue is not an issue ? ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP AND NAT
On Mon, 2009-08-03 at 13:29 -0400, Ketema Harris wrote: I recently did a set up where I replaced a simple D-link home router that was having trouble processing a T1's worth of bandwidth with a linux machine running iptables. the kernel was 2.6.29-r5 and I chose the SIP connection tracking modules from the menuconfig. Router worked fine for normal traffic, but I was unable to get the SIP phones to work. Using ngrep it was plain to see that the although the packets going out were reaching their destination the data inside the sip headers all contained non routable IPs. I used lsmod and saw that the following modules: nf_nat_sip 5084 0 nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat nf_defrag_ipv4 1788 1 nf_conntrack_ipv4 were loaded. I also googled and found the http://www.iptel.org/ sipalg/ website, but since this seemed to be a little dated I assumed the modules contained in the kernel source tree were newer and more reliable my questions are: What is the correct way(or resource to find a way) to get a linux firewall to work with SIP so that the NAT issue is not an issue ? snip Not an area of great expertise for me. I would think nf_nat_sip would take care of it but I'm surprised to not see conntrack_sip. Here is what is running on our firewall (not that we do a lot with NAT'd sip but the little we've done seems to work): [r...@fw01 ~]# lsmod | grep sip ip_nat_sip 37313 0 ip_conntrack_sip 41745 1 ip_nat_sip ip_nat 52845 5 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,iptable_nat ip_conntrack 91237 13 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_sip,ip_conntrack_netbios_ns,xt_state,iptable_nat,ip_nat -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsulli...@opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP AND NAT
On Mon, 3 Aug 2009, Ketema Harris wrote: my questions are: What is the correct way(or resource to find a way) to get a linux firewall to work with SIP so that the NAT issue is not an issue ? Remove all SIP ALG/connection tracking modules and use old fashioned port forwarding on the router and externip=xx.yy.z.qq, localnet= and nat=yes in sip.conf in the asterisk box. That's what I do, anyway. Gordon ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] sip and nat
hi there, I 'm a newbie in VOIP technologies ; i 'm implementing asterisk and i 'm wonder what is the best way to resolving the Asterisk/NAT problem : some clients are behind a NAT. anyone could help me? thanks johanna _ Appelez vos amis de PC à PC -- C'EST GRATUIT http://get.live.com/messenger/overview ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] sip and nat
hi there, I 'm a newbie in VOIP technologies ; i 'm implementing asterisk and i 'm wonder what is the best way to resolving the Asterisk/NAT problem : some clients are behind a NAT. anyone could help me? thanks johanna _ Appelez vos amis de PC à PC -- C'EST GRATUIT http://get.live.com/messenger/overview ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] sip and nat
John, Client Behind a NAT should not be problem. What are your issues? If you post your scenario and more details about your problem only then some can help you better. Jai Buy SIP DID at www.didforsale.com On Wed, Oct 22, 2008 at 12:24 AM, Johanna NIRINA [EMAIL PROTECTED]wrote: hi there, I 'm a newbie in VOIP technologies ; i 'm implementing asterisk and i 'm wonder what is the best way to resolving the Asterisk/NAT problem : some clients are behind a NAT. anyone could help me? thanks johanna _ Appelez vos amis de PC à PC -- C'EST GRATUIT http://get.live.com/messenger/overview ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] sip and nat
I'm using asterisk 1.4 . There is some sip clients is behind a NAT : the asterisk server can't send request to these client. I'm looking for a solution to solve that in the server (asterisk) side. (sorry for my english). thanks, johanna _ Découvrez Windows Live Spaces et créez votre site Web perso en quelques clics ! http://spaces.live.com/signup.aspx ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] sip and nat
Johanna NIRINA wrote: I'm using asterisk 1.4 . There is some sip clients is behind a NAT : the asterisk server can't send request to these client. I'm looking for a solution to solve that in the server (asterisk) side. (sorry for my english). thanks, johanna _ Découvrez Windows Live Spaces et créez votre site Web perso en quelques clics ! http://spaces.live.com/signup.aspx ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users Common solutions include stun or a combination of qualify=yes and/or nat=yes entries in sip.conf http://www.voip-info.org/wiki/view/Asterisk+sip+qualify -- Robin D. Rodriguez Systems Engineer Ifbyphone, Inc. Phone: (866) 250-1663 Fax: (847) 676-6553 [EMAIL PROTECTED] http://www.ifbyphone.com ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP/RTP Nat problem, can't solute it.
Still i cannot resolve this issue, please anyone can help me with this? Thanks in advance -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] SIP/RTP Nat problem, can't solute it.
Dear list: I have the typical one way audio problem, as far as i know it's a nating problem, my hosts inside my lan can call to outside internet hosts, but can't listen a thing, i read a lot about sip and rtp and protocols and the problem it seems to be with NAT, this is the config i put on my sip.conf file about nat: externhost=sip.server.com.ar my server name on the internet localnet=192.168.5.0/255.255.0.0 my LAN nat=yes canreinvite=yes And this are the ports i opened on my firewall script iptables -A INPUT -p udp -m udp --dport 8766:35000 -j ACCEPT iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT But still can't hear a thing from an outside call, any hel will be appreciate Thanks a lot -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP/RTP Nat problem, can't solute it.
Change To canreinvite=no On 1/6/07, Facundo Barrera - GMail [EMAIL PROTECTED] wrote: Dear list: I have the typical one way audio problem, as far as i know it's a nating problem, my hosts inside my lan can call to outside internet hosts, but can't listen a thing, i read a lot about sip and rtp and protocols and the problem it seems to be with NAT, this is the config i put on my sip.conf file about nat: externhost=sip.server.com.ar my server name on the internet localnet=192.168.5.0/255.255.0.0 my LAN nat=yes canreinvite=yes And this are the ports i opened on my firewall script iptables -A INPUT -p udp -m udp --dport 8766:35000 -j ACCEPT iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT But still can't hear a thing from an outside call, any hel will be appreciate Thanks a lot -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP/RTP Nat problem, can't solute it.
NAT changes address of the packet, but does not go inside of the SIP packet itself. And SIP packet contains address as well. If you look at debug output, you will see that SIP packets have remote host local address in them, not the public IP as one would expect. At least this is the problem I have. Basically one needs some software to NAT the addresses inside of SIP packets. STUN server is one alternative. I am about to put one in. Rudolf On 1/7/07, C F [EMAIL PROTECTED] wrote: Change To canreinvite=no On 1/6/07, Facundo Barrera - GMail [EMAIL PROTECTED] wrote: Dear list: I have the typical one way audio problem, as far as i know it's a nating problem, my hosts inside my lan can call to outside internet hosts, but can't listen a thing, i read a lot about sip and rtp and protocols and the problem it seems to be with NAT, this is the config i put on my sip.conf file about nat: externhost=sip.server.com.ar my server name on the internet localnet=192.168.5.0/255.255.0.0 my LAN nat=yes canreinvite=yes And this are the ports i opened on my firewall script iptables -A INPUT -p udp -m udp --dport 8766:35000 -j ACCEPT iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT But still can't hear a thing from an outside call, any hel will be appreciate Thanks a lot -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP/RTP Nat problem, can't solute it.
Isn't that what externhost=sip.server.com.ar my server name on the internet localnet=192.168.5.0/255.255.0.0 my LAN is supposed to do? Bob... Rudolf Ladyzhenskii wrote: NAT changes address of the packet, but does not go inside of the SIP packet itself. And SIP packet contains address as well. If you look at debug output, you will see that SIP packets have remote host local address in them, not the public IP as one would expect. At least this is the problem I have. Basically one needs some software to NAT the addresses inside of SIP packets. STUN server is one alternative. I am about to put one in. Rudolf On 1/7/07, C F [EMAIL PROTECTED] wrote: Change To canreinvite=no On 1/6/07, Facundo Barrera - GMail [EMAIL PROTECTED] wrote: Dear list: I have the typical one way audio problem, as far as i know it's a nating problem, my hosts inside my lan can call to outside internet hosts, but can't listen a thing, i read a lot about sip and rtp and protocols and the problem it seems to be with NAT, this is the config i put on my sip.conf file about nat: externhost=sip.server.com.ar my server name on the internet localnet=192.168.5.0/255.255.0.0 my LAN nat=yes canreinvite=yes And this are the ports i opened on my firewall script iptables -A INPUT -p udp -m udp --dport 8766:35000 -j ACCEPT iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT But still can't hear a thing from an outside call, any hel will be appreciate Thanks a lot -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP/RTP Nat problem, can't solute it.
Thanks for the answers , tried canreinvite=no , but still cannot listen any soung from the outside, any other idea?? Thanks in advance -- _ Facundo Agustin Barrera -- www.openlabs.com.ar Let the penguins do the work - Buenos Aires - Argentina _ ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] SIP and NAT
Hello all. I'm having a little problem here with NAT, and I already read a lot of documentation on web, but I still cant understand how to get asterisk and external (on internet) sip clients connected. Could anybody give me a tip ? Thanks Lincoln ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
re: [asterisk-users] SIP and NAT
Could you please explain what the network configuration you want to try? it would be really helpful. you can be as simple as: SIPphone-- internet -- NAT-- asterisk or whatever your particular scenario is.Alyed Return-Path: [EMAIL PROTECTED] Mon Jul 31 11:43:16 2006Received: from digium-69-16-138-164.phx1.puregig.net [69.16.138.164] by mail11.webcontrolcenter.com with SMTP; Mon, 31 Jul 2006 11:43:16 -0700Received: from digium-69-16-138-164.phx1.puregig.net (localhost [127.0.0.1]) Hello all. I'm having a little problem here with NAT, and I already read a lot of documentation on web, but I still cant understand how to get asterisk and "external (on internet)" sip clients connected.Could anybody give me a tip ?ThanksLincoln___--Bandwidth and Colocation provided by Easynews.com --asterisk-users mailing listTo UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT
Lincoln Zuljewic Silva a écrit : Hello all. I'm having a little problem here with NAT, and I already read a lot of documentation on web, but I still cant understand how to get asterisk and external (on internet) sip clients connected. So you have an Asterisk that is behind NAT, and you want to connect it to other NATted devices? Cheers, Jean-Michel. ___ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP w/NAT on Grandstream 496 and Call-Waiting
Hello All; I have a Grandstream 496 ATA and it is behind a NAT Router. The phone service works well, but it is setup to support Call-Waiting, which it does not do. When I am on the phone and someone calls, instead of getting a ring, they go straight to Voicemail with the busy message. I used Ethereal to watch what happens and I notice a SIP Redirect 3XX. Is this normal? Does anyone know if Call-Waiting will work behind a NAT router (with a Stun Server)? ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - best practices?
Apart of what everyone writes with the NAT=YES I would suggest using canreinvite=no as well as normally asterisk cans the reinvite and this might cause the audio not to get through the NAT and cause dead air for the users specially if the users are behind 2 seperate NAT servers eg. different private networks. By using canreinvite=no and nat=yes most of the NAT problems go away. In this scenario the example would look like this: [2201] user=blah secret=blah auth=blah allow=blah host=dynamic *nat=yes canreinvite=no* Mark Phillips wrote: Most often the simple addition of nat=yes in the relevant sip.conf stanza is all that's required to make a remote SIP phone work from behind a firewall. for example [2201] user=blah secret=blah auth=blah allow=blah host=dynamic nat=yes I've been running 4 remote SIP phones across the internet from my families houses all over the world in this manner. The only issues I get are those of bandwidth availability or rather occasional lack of it. Hosted PBX's are no different. The hosting service should be providing a similar mechanism (although it might not be Asterisk based). Mark, G7LTT/KC2ENI Randolph, NJ http://www.g7ltt.com Michaël Gaudette wrote: Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues. How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way? Mike you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions. regards On 1/20/06, Michakl Gaudette [EMAIL PROTECTED] wrote: Hello, I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I ahd to open up the ports on my router, forward them to the correct box, again fine. Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port? In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason? Mike ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - best practices?
I thing, that configuring nat device/firewall at consumer site isn't always possible, thus simplest (but not optimal) way is to configure phone in sip.conf as nat=yes canreinvite=no, this should work in most cases even if multiple phones are behind same nat, like adsl router. disadvatage is, that rtp stream will go always through asterisk server (even for calls between phones in same location-behind same nat/fw). so, as I ask before, if is planned in asterisk development to make canreinvite function more flexible, e.g. possibility specify that for call, e.g. inside one context, to do reinvite and for other calls (between different contexts) don't do reinvite ... PJ ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP and NAT - best practices?
Leo Ann Boon wrote on Saturday, 21 January 2006 6:21 PM: Trevor G. Hammonds wrote: How about when you have four or five SIP devices at a single location? Do you manually assign each phone a separate port and add firewall/router rules? I am looking for an inexpensive device or method that will allow this happen automatically. Rather than going that route, my current solution is to put an Asterisk server at the client's location to handle the SIP clients and do an outbound trunked IAX connection back to the main server. Use an outbound proxy either a stanadlone appliance like ix-66 or you can build one using Siproxd running on your Linux gateway. http://siproxd.sourceforge.net/ There's a WIP port of siproxd to OpenWRT so you can run it on a Linksys WRT54G. While I have not used siproxd, I have read a bit about it. From my understanding of the docs, the local SIP agents register to siproxd, but siproxd does not register to Asterisk. So the calls will traverse the NAT properly, but features like MWI will not work in this scenario. Also, this would be pure SIP URL dialling (e.g. [EMAIL PROTECTED]) as opposed to traditional telephone dialling (e.g. 1-213-555-8080). Please correct me if I am wrong, because I would really like to be (in this case). :-) Sincerely, Trevor Hammonds ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - best practices?
Trevor G. Hammonds wrote: While I have not used siproxd, I have read a bit about it. From my understanding of the docs, the local SIP agents register to siproxd, but siproxd does not register to Asterisk. So the calls will traverse the NAT properly, but features like MWI will not work in this scenario. Also, this would be pure SIP URL dialling (e.g. [EMAIL PROTECTED]) as opposed to traditional telephone dialling (e.g. 1-213-555-8080). Please correct me if I am wrong, because I would really like to be (in this case). :-) The docs are a little confusing. Look in the FAQ section: What types of operation does siproxd support? Here's the text. 1) Siproxd as outbound proxy: - Configure your local client to register with some 3rd party service like Sipphone, FWD, Sipgate or any other. - Configure your local client to use siproxd as OUTBOUND PROXY Note: In this case, the local client does NOT register with siproxd but only with the external SIP restration service. The only condition is that siproxd needs to stay in the path of communication, therefore the local client must be configured as to use an OUTBOUND PROXY. That's all you need to do. All your clients will still register to Asterisk through siproxd, siproxd will take care of rewritting the SIP headers to differentiate requests for each client. Leo ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP and NAT - best practices?
Leo Ann Boon wrote on Sunday, 22 January 2006 4:32 PM: Trevor G. Hammonds wrote: While I have not used siproxd, I have read a bit about it. From my understanding of the docs, the local SIP agents register to siproxd, but siproxd does not register to Asterisk. So the calls will traverse the NAT properly, but features like MWI will not work in this scenario. Also, this would be pure SIP URL dialling (e.g. [EMAIL PROTECTED]) as opposed to traditional telephone dialling (e.g. 1-213-555-8080). Please correct me if I am wrong, because I would really like to be (in this case). :-) The docs are a little confusing. Look in the FAQ section: What types of operation does siproxd support? Here's the text. 1) Siproxd as outbound proxy: - Configure your local client to register with some 3rd party service like Sipphone, FWD, Sipgate or any other. - Configure your local client to use siproxd as OUTBOUND PROXY Note: In this case, the local client does NOT register with siproxd but only with the external SIP restration service. The only condition is that siproxd needs to stay in the path of communication, therefore the local client must be configured as to use an OUTBOUND PROXY. That's all you need to do. All your clients will still register to Asterisk through siproxd, siproxd will take care of rewritting the SIP headers to differentiate requests for each client. Leo Thank you, Leo! This is exactly what I need. I am going to play around with that really soon. Trevor ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT - best practices?
Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues. How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way? Mike you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions. regards On 1/20/06, Michakl Gaudette [EMAIL PROTECTED] wrote: Hello, I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I ahd to open up the ports on my router, forward them to the correct box, again fine. Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port? In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason? Mike ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - best practices?
Most often the simple addition of nat=yes in the relevant sip.conf stanza is all that's required to make a remote SIP phone work from behind a firewall. for example [2201] user=blah secret=blah auth=blah allow=blah host=dynamic nat=yes I've been running 4 remote SIP phones across the internet from my families houses all over the world in this manner. The only issues I get are those of bandwidth availability or rather occasional lack of it. Hosted PBX's are no different. The hosting service should be providing a similar mechanism (although it might not be Asterisk based). Mark, G7LTT/KC2ENI Randolph, NJ http://www.g7ltt.com Michaël Gaudette wrote: Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues. How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way? Mike you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions. regards On 1/20/06, Michakl Gaudette [EMAIL PROTECTED] wrote: Hello, I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I ahd to open up the ports on my router, forward them to the correct box, again fine. Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port? In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason? Mike ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP and NAT - best practices?
How about when you have four or five SIP devices at a single location? Do you manually assign each phone a separate port and add firewall/router rules? I am looking for an inexpensive device or method that will allow this happen automatically. Rather than going that route, my current solution is to put an Asterisk server at the client's location to handle the SIP clients and do an outbound trunked IAX connection back to the main server. Sincerely, Trevor Hammonds Mark Phillips wrote on Saturday, 21 January 2006 12:36 PM: Most often the simple addition of nat=yes in the relevant sip.conf stanza is all that's required to make a remote SIP phone work from behind a firewall. for example [2201] user=blah secret=blah auth=blah allow=blah host=dynamic nat=yes I've been running 4 remote SIP phones across the internet from my families houses all over the world in this manner. The only issues I get are those of bandwidth availability or rather occasional lack of it. Hosted PBX's are no different. The hosting service should be providing a similar mechanism (although it might not be Asterisk based). Mark, G7LTT/KC2ENI Randolph, NJ http://www.g7ltt.com Michaël Gaudette wrote: Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues. How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way? Mike you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions. regards On 1/20/06, Michakl Gaudette [EMAIL PROTECTED] wrote: Hello, I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I ahd to open up the ports on my router, forward them to the correct box, again fine. Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port? In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason? Mike ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - best practices?
Trevor G. Hammonds wrote: How about when you have four or five SIP devices at a single location? Do you manually assign each phone a separate port and add firewall/router rules? I am looking for an inexpensive device or method that will allow this happen automatically. Rather than going that route, my current solution is to put an Asterisk server at the client's location to handle the SIP clients and do an outbound trunked IAX connection back to the main server. Use an outbound proxy either a stanadlone appliance like ix-66 or you can build one using Siproxd running on your Linux gateway. http://siproxd.sourceforge.net/ There's a WIP port of siproxd to OpenWRT so you can run it on a Linksys WRT54G. ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] sip through nat problem
Hi everyone My problem is the following: I'm trying to make a call from a sip phone (SJphone) behind a Restricted Cone NAT towards and Asterisk behind another NAT (a freeBSD 3.3 using pf). By now I'm only trying to play a record set in the remote Asterisk. My soft phone registers without problems to the Asterisk but once the record starts to play I get a hangup. SJphone outputs "End reason: Unable to agree on media streams". I'm forwarding SIP and IAX ports from the remote NAT towards the Asterisk box (i've tryied it with IAX with no problems) using the following config in the remote NAT: /etc/pf.conf . # outgoing UDP port 5060 connections use source port 5060 on firewall nat on $ext_if inet proto udp from any port = 5060 to any - ($ext_if) port 5060 # Redirect all trafic from NAT:asterisk_port to 192.168.1.5:asterisk_port rdr on $ext_if inet proto { tcp, udp } from any to any port 4569 - 192.168.1.5 port 4569 rdr on $ext_if inet proto { tcp, udp } from any to $ext_if port 5060 - 192.168.1.5 port 5060 rdr on $ext_if inet proto { tcp , udp} from any to any port 1:2 - 192.168.1.5 port 1:2 # Let the Internet see our services pass in log-all quick on $ext_if inet proto { tcp, udp } from any to any port 4569 keep state pass in log-all quick on $ext_if inet proto { tcp, udp } from any to any port 5060 keep state . -- I think the problem might relay in this "pass in log-all" since once I commented the last line and the SJphone was unable to register, but I haven't found a way to set up a range using this "pass" command (it complains saying that the " : " is valid only with the "rdr " command) but I haven't found info explaining why I should (or shouldn't) use this "pass" command. My Asterisk config is: sip.conf [general] port=5060 externip = www.theip.net localnet = 192.168.1.0 localmask = 255.255.255.0 allow=all [user] nat=yes canreinvite=no host=dynamic extensions.conf exten = 400,1,Background(/var/lib/asterisk/sounds/myrecord) exten = 400,2,Hangup exten = 400,102,Hangup - Thanx a lot! ww6 ___ --Bandwidth and Colocation provided by Easynews.com -- Asterisk-Users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT to pub Asterisk, best solution?
--- Blake Krone [EMAIL PROTECTED] wrote: What is the best solution? I dont want to have modify firewall's at all or do port fowarding. Ideally I would like a solution that with either a softphone or wireless hardphone one could connect via friends, family, or hotspots without reconfiguring their devices. What are people using? STUN? SER? Thanks in advance! This is my setup: http://samyantoun.50webs.com/asterisk/firewall/firewall.htm It works great, it's been up and running for the last year with couple of local extensions, couple of remote extensions within the same state and couple of remote extensions overseas. __ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com ___ --Bandwidth and Colocation sponsored by Easynews.com -- Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP behind NAT to pub Asterisk, best solution?
What is the best solution? I dont want to have modify firewall's at all or do port fowarding. Ideally I would like a solution that with either a softphone or wireless hardphone one could connect via friends, family, or hotspots without reconfiguring their devices. What are people using? STUN? SER? Thanks in advance! -blake ___ --Bandwidth and Colocation sponsored by Easynews.com -- Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT to pub Asterisk, best solution?
Mensaje citado por: Blake Krone [EMAIL PROTECTED]: What is the best solution? I dont want to have modify firewall\'s at all or do port fowarding. Ideally I would like a solution that with either a softphone or wireless hardphone one could connect via friends, family, or hotspots without reconfiguring their devices. What are people using? STUN? SER? Thanks in advance! -blake Give a try to the sip-helper for netfilter, and please let me know if this works for ya. Thanks. Christian. __ Registrate desde http://servicios.arnet.com.ar/registracion/registracion.asp?origenid=9 y participá de todos los beneficios del Portal Arnet. ___ --Bandwidth and Colocation sponsored by Easynews.com -- Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP x NAT
Hi All, I have a question for you: - "SIP doesn't work behind NAT very well" Do you agree with this sentence? regards César ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP x NAT
Hi All, I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? regards César ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP x NAT
César Davi Ávila do Nascimento wrote: Hi All, I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? Depends on the NAT/firewall in question, you can also alleviate some of these issues using STUN and sip proxing... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers In the long run the pessimist may be proved right, but the optimist has a better time on the trip. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP x NAT
I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? Depends. Asterisk behind a nat box tends to be an implementation problem limited by the knowledge of the person doing the implementation and somewhat by the functionality implemented within the nat box. Sip phones behind a nat box (with asterisk on a registered IP address) tends to be rather easy, and how well it works depends a lot on how well the sip phone vendor implemented nat support. Both asterisk and sip phones behind different nat boxes tends to be the most difficult to implement and requires the greatest amount of knowledge/experience to implement. Again, depends a lot on the functionality provided in the nat boxes. The issue with sip is that session startup and control occurs across udp port 5060, and the two endpoints (* and phone) negotiate another set of udp ports for the rtp (voice) session. The choice of which rtp ports to use was left up to each sip phone vendor, so the udp port number in use could be anything from about 8000 (xlite) to something greater then 32,000. Some firewall/nat boxes will actually watch the sip rtp negotiation process by inspecting the contents of the sip packets, and open up the wanted ports. However, most cheap nat boxes don't do that, and leave it up to you to statically define/map the ports required. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP x NAT
Thanks a lot! Regards César - Original Message - From: Rich Adamson [EMAIL PROTECTED] To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com Sent: Monday, January 31, 2005 9:18 AM Subject: Re: [Asterisk-Users] SIP x NAT I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? Depends. Asterisk behind a nat box tends to be an implementation problem limited by the knowledge of the person doing the implementation and somewhat by the functionality implemented within the nat box. Sip phones behind a nat box (with asterisk on a registered IP address) tends to be rather easy, and how well it works depends a lot on how well the sip phone vendor implemented nat support. Both asterisk and sip phones behind different nat boxes tends to be the most difficult to implement and requires the greatest amount of knowledge/experience to implement. Again, depends a lot on the functionality provided in the nat boxes. The issue with sip is that session startup and control occurs across udp port 5060, and the two endpoints (* and phone) negotiate another set of udp ports for the rtp (voice) session. The choice of which rtp ports to use was left up to each sip phone vendor, so the udp port number in use could be anything from about 8000 (xlite) to something greater then 32,000. Some firewall/nat boxes will actually watch the sip rtp negotiation process by inspecting the contents of the sip packets, and open up the wanted ports. However, most cheap nat boxes don't do that, and leave it up to you to statically define/map the ports required. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP x NAT
I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? Complete and utter crap (if you assume a few things). SIP w/NAT works just fine if: Asterisk itself is not behind NAT You do not want to use SIP reinvites You use some form of NAT Keepalive* You use nat=yes in sip.conf Your NAT router is not SIP aware If your NAT router is SIP aware then you can 1) turn off it's SIP awareness and treat it like a dumb NAT router or 2) enable it's SIP awareness and turn off nat=yes in sip.conf. A SIP aware router might make reinvites work of both SIP clients have a SIP aware router. * You can keep your NAT alive by using a registration of 60 seconds on the NAT device, or use qualify=yes in sip.conf, or use the NAT Keepalive features of your SIP device. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP x NAT
I'll agree with that sentence. There are many times when even STUN and so on isn't going to help. In Guatemala, a lot of people end up with private IPs, behind two NATs, etc. I've seen them aggressively timeout connections, limit the range of ports available for NAT (to a ridiculously low number), etc. etc. We gave up on SIP and are now using IAX for our customer phones. -Michael -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of César Davi Ávila do Nascimento Sent: Monday, January 31, 2005 5:56 AM To: Asterisk-Users@lists.digium.com Subject: [Asterisk-Users] SIP x NAT Hi All, I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? regards César ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP x NAT
The Juniper Networks security product line, Netscreen, has very robust SIP support with firewall and VPN. Chuck -Original Message- From: Michael Giagnocavo [EMAIL PROTECTED] To: 'Asterisk Users Mailing List - Non-Commercial Discussion' asterisk-users@lists.digium.com Date: Mon, 31 Jan 2005 09:50:31 -0600 Subject: RE: [Asterisk-Users] SIP x NAT I'll agree with that sentence. There are many times when even STUN and so on isn't going to help. In Guatemala, a lot of people end up with private IPs, behind two NATs, etc. I've seen them aggressively timeout connections, limit the range of ports available for NAT (to a ridiculously low number), etc. etc. We gave up on SIP and are now using IAX for our customer phones. -Michael -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of César Davi Ávila do Nascimento Sent: Monday, January 31, 2005 5:56 AM To: Asterisk-Users@lists.digium.com Subject: [Asterisk-Users] SIP x NAT Hi All, I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? regards César ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP x NAT
Eric Wieling wrote: I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? Complete and utter crap (if you assume a few things). SIP w/NAT works just fine if: . . . . Hardly complete and utter crap when it has to be followed by a laundry list of exceptions. SIP and NAT are a challenge to manage, and SIP apologists shouldn't try to paper that over by pretending otherwise. Most of us who manage lots of Asterisk instances in heterogeneous real-world environments know that SIP woes come with the territory. SIP doesn't work behind NAT very well. B. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] SIP x NAT
OK Great, well as soon as the ISPs in Guatemala rip out their existing SuperCheap equipment and put in Junipers, we'll be set. Meanwhile, SIP isn't near as close to Plug-n-Play as IAX2. Also, I don't think that having to buy special hardware/software just because a protocol doesnt work well is a good thing. Saying SIP and NAT work fine if ... defeats the purposes. I don't want any ifs, buts, or excepts. I'm going to have enough support dealing with people calling when the Internet connection to their house goes out, or when a pet eats their cable. I really don't want to be fielding calls when their network shifts and SIP suddenly stops working. -Michael -Original Message- From: Charles S. Antrim [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 11:57 AM To: Asterisk Users Mailing List - Non-Commercial Discussion; Michael Giagnocavo Subject: RE: [Asterisk-Users] SIP x NAT The Juniper Networks security product line, Netscreen, has very robust SIP support with firewall and VPN. Chuck -Original Message- From: Michael Giagnocavo [EMAIL PROTECTED] To: 'Asterisk Users Mailing List - Non-Commercial Discussion' asterisk-users@lists.digium.com Date: Mon, 31 Jan 2005 09:50:31 -0600 Subject: RE: [Asterisk-Users] SIP x NAT I'll agree with that sentence. There are many times when even STUN and so on isn't going to help. In Guatemala, a lot of people end up with private IPs, behind two NATs, etc. I've seen them aggressively timeout connections, limit the range of ports available for NAT (to a ridiculously low number), etc. etc. We gave up on SIP and are now using IAX for our customer phones. -Michael -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of César Davi Ávila do Nascimento Sent: Monday, January 31, 2005 5:56 AM To: Asterisk-Users@lists.digium.com Subject: [Asterisk-Users] SIP x NAT Hi All, I have a question for you: - SIP doesn't work behind NAT very well Do you agree with this sentence? regards César ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT problems imagine that :)
each vendor for rtp. Cisco uses one range, xlite another, asterisk another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping the rtp ports and using the proper nat statements (possibly at both the phone location and asterisk location) tends to be difficult. Then X-Lite can be told in network settings to start at 1 which is the base for unmodified asterisk RTP. I did that, use X-Lite on 5061 and it works perfectly with double NAT ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT problems imagine that :)
Hi all, Seriously, I've tried to read everything I could find ( search for) on voip-info.org and other sites about this problem, but have been unsuccesful. Equipment: xten lite X100P Whitebox linux running Asterisk / AMP D-Link DI-804HV (VPN router) I have installed another DI-804HV at a second location and created a tunnel. For the computers behind that unit, everything works fine throught x-lite. However, for any people (ie Family members) that I'm trying to connect to my system that aren't going through a tunnel, it isn't working. Symptoms: They show up in Sip Show Peers however the NAT column is stating N I can call them and they can hear me fine, but I can't here them. I'm thinking this has to do with RTP, but not sure. In the router I have the following setup under Virtual Server: SIP TCP/UDP 5060 IAX TCP/UDP 4569 KS1 UDP 5004 RTP1 UDP 5000 SIP3 UDP 5036 SIP4 UDP 2727 In the firewall section I've said to allow UDP on -20001 to go to the asterisk server It looks like this in the firewall rules; Source *,* Dest *,192.168.x.x UDP,-20001 Also on those extensions that are coming from an external source I've added the externip attribute in the form of externip=my_dynamic_domain_name_attached_to_my_ip here's one of the extensions: [254] username=254 type=friend secret=*** port=5060 nat=yes mailbox=254 host=dynamic dtmfmode=rfc2833 context=from-sip-external canreinvite=no callerid=Scott Knight 254 externip=my.dyndns.org Any suggestions would be greatly appreciated Cheers! ken ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT problems imagine that :)
Seriously, I've tried to read everything I could find ( search for) on voip-info.org and other sites about this problem, but have been unsuccesful. Equipment: xten lite X100P Whitebox linux running Asterisk / AMP D-Link DI-804HV (VPN router) I have installed another DI-804HV at a second location and created a tunnel. For the computers behind that unit, everything works fine throught x-lite. However, for any people (ie Family members) that I'm trying to connect to my system that aren't going through a tunnel, it isn't working. Symptoms: They show up in Sip Show Peers however the NAT column is stating N I can call them and they can hear me fine, but I can't here them. I'm thinking this has to do with RTP, but not sure. In the router I have the following setup under Virtual Server: SIP TCP/UDP 5060 IAX TCP/UDP 4569 KS1 UDP 5004 RTP1 UDP 5000 SIP3 UDP 5036 SIP4 UDP 2727 In the firewall section I've said to allow UDP on -20001 to go to the asterisk server It looks like this in the firewall rules; Source *,* Dest *,192.168.x.x UDP,-20001 Also on those extensions that are coming from an external source I've added the externip attribute in the form of externip=my_dynamic_domain_name_attached_to_my_ip here's one of the extensions: [254] username=254 type=friend secret=*** port=5060 nat=yes mailbox=254 host=dynamic dtmfmode=rfc2833 context=from-sip-external canreinvite=no callerid=Scott Knight 254 externip=my.dyndns.org Yes, your problem is rtp and probably a lack of understanding it. There have been at least hundreds of postings regarding nat issues in the last 18 months, and some reference data in the wiki. The bottom line is that sip and rtp use different udp ports, and the exact udp ports in use are choosen from a range that is specified by each vendor for rtp. Cisco uses one range, xlite another, asterisk another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping the rtp ports and using the proper nat statements (possibly at both the phone location and asterisk location) tends to be difficult. Then when you add unusual implementations of nat functions into the mix, it becomes even more difficult to find a working config (eg, not all nat boxes operate the same). Using something like Ethereal to observe what each device is trying to use (both in front of and behind nat boxes) will help understand what each box is trying to do in terms of both IP addresses and udp port numbers. The rtp port range as noted above is specified by each vendor, and in many cases can be modified to some other predetermined prot range. For example, asterisk uses udp ports 10,000 to 20,000 as specified in rtp.conf. Cisco 7960's use udp ports 16,384 to 32,766 as specified in SIPDefault.cnf, while if I remember correctly xlite uses something like 8,000 to 8,050 (or whatever). The easiest nat sip implementation are those where asterisk has a registered IP address and the phones are behind a nat box. The most difficult implementation is when both asterisk and remote phones are both behind their own nat boxes. You'll want to research the use of nat statements in your sip.conf config files, and the nat support provided by each of your remote sip phones. But, ethereal will help point to the issue. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] sip and nat not working in 1.0.2
I was testing 1.0.2 with one phone behind a nat. I have it also setup in the sip.conf for nat=yes, but after the phone has registered with asterisk and you look at 'sip show peers' is shows the sip phone Nat=no Has anyone experienced this problem?? ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP over NAT
Assuming that getting H323 to work over NAT is almost really hard What is about having both SIP clients venid different NATs ¿ is it posible or as hard as H.323? Thanks! Marc. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP over NAT
SIP works fine behind NAT if you have externip, localnet localmask defined in sip.conf. I believe it was committed since 0.7.1. -Heison On Mon, Feb 23, 2004 at 08:51:23PM +0100, Marc Fargas wrote: Assuming that getting H323 to work over NAT is almost really hard? What is about having both SIP clients venid different NAT?s ? is it posible or as hard as H.323? Thanks! Marc. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP over NAT
do this in sip.conf [youruser] type=friend secret=adsds host=dynamic nat=yes qualify=yes and other paramters for your user. They key is nat=yes and qualify=yes. This assumes you have a real IP for your Asterisk server and you are trying to connect a SIP phone which is behind NAT. David - Original Message - From: Heison Chak [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, February 23, 2004 7:50 PM Subject: Re: [Asterisk-Users] SIP over NAT SIP works fine behind NAT if you have externip, localnet localmask defined in sip.conf. I believe it was committed since 0.7.1. -Heison On Mon, Feb 23, 2004 at 08:51:23PM +0100, Marc Fargas wrote: Assuming that getting H323 to work over NAT is almost really hard? What is about having both SIP clients venid different NAT?s ? is it posible or as hard as H.323? Thanks! Marc. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP Behind NAT (sipgate.de)
Hello Users, I am attempting to create a sip connection in the following network: Sipgate.de -- Internet -- Gate -- Asterisk PBX -- Some Extension Gate, the gateway and nat'ing firewall has sip udp (5060) traffic and rtm udp (8000 to 8020) traffic forwarded to the asterisk pbx machine. Both asterisk and x-lite are set to listen/use these port ranges. (The forwards work, as X-lite works perfectly when forced to no firewall (Open IP) setting, simply writing the correct sip via: headers. I tested it this morning by calling to a normal number in .de) However, when I attempt to use asterisk to do the same thing, I get some strange behaviour. I have attempted to use the following different configurations of sip.conf: I am using asterisk cvs version v1-0_stable and chan_sip.c from cvs is verson 1.292.2.6. config #1 (the nat config) --snip-- [general] port = 5060 bindaddr = 0.0.0.0 externip = gate.sjwilliamson.ca localnet = 192.168.1.0 localmask = 255.255.255.0 context = local nat=yes register = xxx:[EMAIL PROTECTED]/6464 ; 6464 is my internal extension [sipgate] type=friend secret=xxx username=xxx host=sipgate.de nat=yes --end snip-- config #2 (the no-nat config) --snip-- [general] port = 5060 bindaddr = 0.0.0.0 ;externip = gate.sjwilliamson.ca ;localnet = 192.168.1.0 ;localmask = 255.255.255.0 context = local ;nat=yes register = xxx:[EMAIL PROTECTED]/6464 ; 6464 is my internal extension [sipgate] type=friend secret=xxx username=xxx host=sipgate.de ;nat=yes --end snip-- What I find strage is: 1. When using the no-nat config (2) asterisk is able to register with sipgate.de even though it sends out my internal address in the sip via header. However any sip invites are wrongly tagged with my internal ip address, and sipgate.de does not send me any audio, and the call times out (as it should). See following snippit: --snip-- 11 headers, 0 lines Reliably Transmitting: REGISTER sip:sipgate.de SIP/2.0 Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2 From: sip:[EMAIL PROTECTED];tag=as11899051 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 102 REGISTER User-Agent: Asterisk PBX Expires: 120 Contact: sip:[EMAIL PROTECTED] Event: registration Content-length: 0 (no NAT) to 217.10.79.9:5060 Sip read: 0 headers, 0 lines Sip read: SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227 From: sip:[EMAIL PROTECTED];tag=as11899051 To: sip:[EMAIL PROTECTED];tag=b11cb9bb270104b49a99a995b8c68544.0784 Call-ID: [EMAIL PROTECTED] CSeq: 102 REGISTER WWW-Authenticate: Digest realm=sipgate.de, nonce=x Server: Sip EXpress router (0.8.12 (i386/linux)) Content-Length: 0 Warning: 392 217.10.79.9:5060 Noisy feedback tells: pid=14272 req_src_ip=24.102.192.227 req_src_port=62600 in_uri=sip:sipgate.de out_uri=sip:sipgate.de via_cnt==1 10 headers, 0 lines 12 headers, 0 lines Reliably Transmitting: REGISTER sip:sipgate.de SIP/2.0 Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2 From: sip:[EMAIL PROTECTED];tag=as11899051 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 103 REGISTER User-Agent: Asterisk PBX Authorization: Digest username=8007163, realm=sipgate.de, algorithm=MD5, uri=sip:sipgate.de, nonce=x, response=x Expires: 120 Contact: sip:[EMAIL PROTECTED] Event: registration Content-length: 0 (no NAT) to 217.10.79.9:5060 Sip read: SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227 From: sip:[EMAIL PROTECTED];tag=as11899051 To: sip:[EMAIL PROTECTED];tag=b11cb9bb270104b49a99a995b8c68544.0784 Call-ID: [EMAIL PROTECTED] CSeq: 103 REGISTER Contact: sip:[EMAIL PROTECTED]:5060;q=0.00;expires=780 Contact: sip:[EMAIL PROTECTED]:62600;q=0.00;expires=120 Server: Sip EXpress router (0.8.12 (i386/linux)) Content-Length: 0 Warning: 392 217.10.79.9:5060 Noisy feedback tells: pid=14265 req_src_ip=24.102.192.227 req_src_port=62600 in_uri=sip:sipgate.de out_uri=sip:sipgate.de via_cnt==1 11 headers, 0 lines --end snip-- 2. When I use the nat config (1) it gets even stranger. Asterisk cannot register with sipgate.de, even though the sip via header reflects my correct internet ip address. It attempts to re-transmit five times, with the interesting line (no NAT) to 217.10.79.9:5060. --snip-- 11 headers, 0 lines Reliably Transmitting: REGISTER sip:sipgate.de SIP/2.0 Via: SIP/2.0/UDP 24.102.192.227:5060;branch=z9hG4bK1cd66717 From: sip:[EMAIL PROTECTED];tag=as7c8d34b5 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 102 REGISTER User-Agent: Asterisk PBX Expires: 120 Contact: sip:[EMAIL PROTECTED] Event: registration Content-length: 0 (no NAT) to 217.10.79.9:5060 Retransmitting #1 (no NAT): REGISTER sip:sipgate.de SIP/2.0 Via: SIP/2.0/UDP 24.102.192.227:5060;branch=z9hG4bK2b457839 From: sip:[EMAIL PROTECTED];tag=as06e7a197 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 104 REGISTER
Re: [Asterisk-Users] SIP Behind NAT (sipgate.de)
Hello List, Just thought I would post an update, I got asterisk to register with sipgate.de. I was wrong, it was my firewall (maybe). Here is the way a normal nat under openbsd pf works: udp 192.168.1.100:5060 - 24.102.192.227:(random port) - 217.10.79.9:5060 but add this line to pf.conf before your main catch all nat line: nat on $ext_if inet proto udp from any port = 5060 to any - ($ext_if) port 5060 this changes the nat behaviour to use choose a static port on the firewall to originate the connection from. (reading man pages is good) and you get this: udp 192.168.1.100:5060 - 24.102.192.227:5060 - 217.10.79.9:5060 Which makes sense, as they (sipgate.de) want to see, and reply to port 5060 on the asterisk machine. I guess x-lite is a bit of a smarter UA when it comes to nat connections. Anyway hope this helps someone! Scott Thursday, February 19, 2004, 2:23:00 PM, you wrote: SJW Hello Users, SJW I am attempting to create a sip connection in the following network: Sipgate.de -- Internet -- Gate -- Asterisk PBX -- Some Extension SJW Gate, the gateway and nat'ing firewall has sip udp (5060) traffic and SJW rtm udp (8000 to 8020) traffic forwarded to the asterisk pbx machine. SJW Both asterisk and x-lite are set to listen/use these port ranges. SJW (The forwards work, as X-lite works perfectly when forced to no SJW firewall (Open IP) setting, simply writing the correct sip via: headers. I SJW tested it this morning by calling to a normal number in .de) SJW However, when I attempt to use asterisk to do the same thing, I get SJW some strange behaviour. I have attempted to use the following SJW different configurations of sip.conf: SJW I am using asterisk cvs version v1-0_stable and SJW chan_sip.c from cvs is verson 1.292.2.6. SJW config #1 (the nat config) SJW --snip-- SJW [general] SJW port = 5060 SJW bindaddr = 0.0.0.0 SJW externip = gate.sjwilliamson.ca SJW localnet = 192.168.1.0 SJW localmask = 255.255.255.0 SJW context = local SJW nat=yes register = xxx:[EMAIL PROTECTED]/6464 ; 6464 is my internal extension SJW [sipgate] SJW type=friend SJW secret=xxx SJW username=xxx SJW host=sipgate.de SJW nat=yes SJW --end snip-- SJW config #2 (the no-nat config) SJW --snip-- SJW [general] SJW port = 5060 SJW bindaddr = 0.0.0.0 SJW ;externip = gate.sjwilliamson.ca SJW ;localnet = 192.168.1.0 SJW ;localmask = 255.255.255.0 SJW context = local SJW ;nat=yes register = xxx:[EMAIL PROTECTED]/6464 ; 6464 is my internal extension SJW [sipgate] SJW type=friend SJW secret=xxx SJW username=xxx SJW host=sipgate.de SJW ;nat=yes SJW --end snip-- SJW What I find strage is: SJW 1. When using the no-nat config (2) asterisk is able to register SJW with sipgate.de even though it sends out my internal address in SJW the sip via header. However any sip invites are wrongly tagged SJW with my internal ip address, and sipgate.de does not send me any SJW audio, and the call times out (as it should). See following SJW snippit: SJW --snip-- SJW 11 headers, 0 lines SJW Reliably Transmitting: SJW REGISTER sip:sipgate.de SIP/2.0 SJW Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2 SJW From: sip:[EMAIL PROTECTED];tag=as11899051 SJW To: sip:[EMAIL PROTECTED] SJW Call-ID: [EMAIL PROTECTED] SJW CSeq: 102 REGISTER SJW User-Agent: Asterisk PBX SJW Expires: 120 SJW Contact: sip:[EMAIL PROTECTED] SJW Event: registration SJW Content-length: 0 SJW (no NAT) to 217.10.79.9:5060 SJW Sip read: SJW 0 headers, 0 lines SJW Sip read: SJW SIP/2.0 401 Unauthorized SJW Via: SIP/2.0/UDP SJW 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227 SJW From: sip:[EMAIL PROTECTED];tag=as11899051 SJW To: SJW sip:[EMAIL PROTECTED];tag=b11cb9bb270104b49a99a995b8c68544.0784 SJW Call-ID: [EMAIL PROTECTED] SJW CSeq: 102 REGISTER SJW WWW-Authenticate: Digest realm=sipgate.de, nonce=x SJW Server: Sip EXpress router (0.8.12 (i386/linux)) SJW Content-Length: 0 SJW Warning: 392 217.10.79.9:5060 Noisy feedback tells: SJW pid=14272 req_src_ip=24.102.192.227 req_src_port=62600 SJW in_uri=sip:sipgate.de out_uri=sip:sipgate.de via_cnt==1 SJW 10 headers, 0 lines SJW 12 headers, 0 lines SJW Reliably Transmitting: SJW REGISTER sip:sipgate.de SIP/2.0 SJW Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK22fc46b2 SJW From: sip:[EMAIL PROTECTED];tag=as11899051 SJW To: sip:[EMAIL PROTECTED] SJW Call-ID: [EMAIL PROTECTED] SJW CSeq: 103 REGISTER SJW User-Agent: Asterisk PBX SJW Authorization: Digest username=8007163, realm=sipgate.de, SJW algorithm=MD5, uri=sip:sipgate.de, nonce=x, response=x SJW Expires: 120 SJW Contact: sip:[EMAIL PROTECTED] SJW Event: registration SJW Content-length: 0 SJW (no NAT) to 217.10.79.9:5060 SJW Sip read: SJW SIP/2.0 200 OK SJW Via: SIP/2.0/UDP SJW 192.168.1.100:5060;branch=z9hG4bK22fc46b2;rport=62600;received=24.102.192.227 SJW From: sip:[EMAIL PROTECTED];tag=as11899051 SJW To: SJW sip:[EMAIL
RE: [Asterisk-Users] SIP behind NAT - use of externip option
I've just recently got this working with asterisk 0.7.1. You also need to add values for: Localnet localmask to indicate the values that do not get externip set. However, this did not fully solve the problem for me. External phones would register just fine, but then I kept getting lots of retry failures. It appears that asterisk changes the Call-ID value between what is sent and what is stored internally! Once a phone registers I sip debug shows asterisk sending a NOTIFY message wit a Call-ID value using the externip address, however the 200 OK response back from the phone has a call id with the same random characters but has the localip address instead. I've currently solved this but removing the ip address from build_callid() until I try to see where asterisk gets this wrong. Has anyone else seen this? Having made this fix I now have SIP going NAT - NAT - asterisk. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Lidstone (Personal E-mail) Sent: 26 January 2004 18:31 To: [EMAIL PROTECTED] Subject: [Asterisk-Users] SIP behind NAT - use of externip option I am having difficulty configuring SIP behind NAT (using latest CVS). Using sip.conf: [general] port=5060 ; Port to bind to externip=ww.xx.yy.zz bindaddr=0.0.0.0 nat=yes register=[userid]:[EMAIL PROTECTED]/2000 [voiptalk.org] nat=yes externip=ww.xx.yy.zz type=friend secret=[password] nat=yes reinvite=no canreinvite=no I fail to register. SIP Debug gives: SIP Debugging Enabled Jan 26 18:20:04 NOTICE[9226]: chan_sip.c:3126 sip_reg_timeout: Registration for '[EMAIL PROTECTED]' timed out, trying again 11 headers, 0 lines Reliably Transmitting: REGISTER sip:voiptalk.org SIP/2.0 Via: SIP/2.0/UDP 192.168.0.89:5060;branch=z9hG4bK02c0373f From: sip:[EMAIL PROTECTED];tag=as5548d275 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 103 REGISTER User-Agent: Asterisk PBX Expires: 120 Contact: sip:[EMAIL PROTECTED] Event: registration Content-length: 0 (no NAT) to 82.145.32.73:5060 Retransmitting #1 (no NAT): REGISTER sip:voiptalk.org SIP/2.0 Via: SIP/2.0/UDP 192.168.0.89:5060;branch=z9hG4bK02c0373f From: sip:[EMAIL PROTECTED];tag=as5548d275 To: sip:[EMAIL PROTECTED] Call-ID: [EMAIL PROTECTED] CSeq: 103 REGISTER User-Agent: Asterisk PBX Expires: 120 Contact: sip:[EMAIL PROTECTED] Event: registration Content-length: 0 to 82.145.32.73:5060 Retransmitting #2 (no NAT): ... as previous frame ... I would expect (perhaps wrongly?) that the externip would be reflected in the Via: header (it seems to be when I look at the traces from a SNOM 100 successfully registery with voiptalk behind the same firewall). And the (no NAT) comments in the debug trace also look suspicious, given the explicit nat=yes in the config. Any hints? I guess the externip might be in the wrong place or conflicting with one of my other options, but neither the docs don't seem to offer much by way of advice (I've checked the wiki, googled etc). Thanks Patrick ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/aster isk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP behind NAT: NAT'ted end has to talk first?
I am having problems in a couple of installations where I have SIP phones (both GS101 and ATA186) connecting to an asterisk box that has a public IP address, where the stations are behind NAT. I'm still testing to make sure I have all the permutations looked at, but from what I can tell, what is happening is that in situations where stations behind the NAT call out, no audio is passed until after the party on the PUBLIC side generates some audio. So that means if I call from the public side to one of the NAT boxes, I can't hear them answer. But when (while watching the console) I can see that the call has been bridged, I quickly hail them with a Hello, then the RTP stream starts going and everyone is happy. I have the exact same problem using iconnecthere when I call out (to the PSTN) from stations behind NAT: I see the call bridge on the console; my party answers but I don't hear it, nor do they hear me until I say something, and at that point the RTP stream starts up. This must be evidence of something wrong with the way the initial RTP stream is commenced when SIP stations are behind NAT. Does anyone know what's going on, or of course better, what I can do to rectify this? Thanks. B. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT: NAT'ted end has to talk first?
I am having problems in a couple of installations where I have SIP phones (both GS101 and ATA186) connecting to an asterisk box that has a public IP address, where the stations are behind NAT. I'm still testing to make sure I have all the permutations looked at, but from what I can tell, what is happening is that in situations where stations behind the NAT call out, no audio is passed until after the party on the PUBLIC side generates some audio. Not having any problems with a C7960 in the same type invironment. Been stable for over a month. Running Asterisk CVS-11/11/03-13:46:29 right now. Rich ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT: try, try again.
In response to the SIP and NAT discussion, I have updated the ticket on the subject that seemed to be getting the most attention: #104. There are enough clueful people here that perhaps someone can come up with a patch that handles NAT in the elegant way that I describe in the bugnotes, as I am but a mere integrator who has limited C skills. In the absence of such a patch being offered, we await William Waites' patch and disclaimer which will at least be more sufficient than the current externip= method. Those with an interest in the discussion of how Asterisk should handle being put behind a NAT should direct their attention to: http://bugs.digium.com/bug_view_page.php?bug_id=104 JT ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT: try, try again.
...and to solve another problem, there's my suggestion on support for outbound SIP proxy. http://bugs.digium.com/bug_view_page.php?bug_id=359 There are corporate networks that use a SIP proxy proxy as an ALG, application layer gateway, for all outbound and inbound SIP traffic in the DMZ. This should work in conjunction with netmask/STUN - if host does not belong to my network send SIP transaction to outbound proxy else send SIP transaction to host done This cleverness may cause problems with inside networks consisting of several networks with different netmasks and complicated routing... I believe outbound proxy should be configured on a host by host basis for sip clients/peers as well as an default outbound proxy to use in other situations. In order to support SIP URL dialling, we have to use a netmask/STUN solution to sort out if the SIP proxy we're trying to reach is ourself, someone on the inside or someone on the outside of our NAT. /O ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Well, I happen to be one of those very specific cases... ;) and looks like will have experiment with it myself. Although I'd hate to re-invent the wheel. Checking e-mail this morning it looks like we have two independent fixes that both do what has been suggested in this thread. No need for a third except posibly a merge of the two. Would you care to elaborate? I don't see anything in asterisk-users, and no mention of SIP-behind-NAT in CVS changelog... maybe I should start subscribing to asterisk-dev Peter ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Peter Zeltins wrote: Checking e-mail this morning it looks like we have two independent fixes that both do what has been suggested in this thread. No need for a third except posibly a merge of the two. Would you care to elaborate? I don't see anything in asterisk-users, and no mention of SIP-behind-NAT in CVS changelog... maybe I should start subscribing to asterisk-dev The patches mentioned can be found on the bugtracker http://bugs.digium.com /O ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html Any idea when these hacks will appear in CVS? We should all hope never. That's why you call it a hack because it works for only one very specific case and would break SIP under Astrisk for most people. It even breaks calls between Asterisk and local SIP phones. Now the trick is to write some code that desides if the trick is to be used or not for each call by comparing the IP address of Asterisk and the called SIP phone. You migh want to experiment with it and report results. Well, I happen to be one of those very specific cases... ;) and looks like will have experiment with it myself. Although I'd hate to re-invent the wheel. Peter ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Fwd: Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
--- Peter Zeltins [EMAIL PROTECTED] wrote: Well, I happen to be one of those very specific cases... ;) and looks like will have experiment with it myself. Although I'd hate to re-invent the wheel. Peter Checking e-mail this morning it looks like we have two independent fixes that both do what has been suggested in this thread. No need for a third except posibly a merge of the two. = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
That's for pointing out Walter Snel hack. Adding his two additional features would not be hard. http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html Any idea when these hacks will appear in CVS? Peter ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Peter Zeltins wrote: That's for pointing out Walter Snel hack. Adding his two additional features would not be hard. http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html Any idea when these hacks will appear in CVS? Probably when they have been properly tested and approved Digium.. :) ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP behind NAT problem
Hello, my next problem is with SIP device behind NAT. First few seconds of the call are OK. Astrisk is sending the packets to the public IP address of the FW/NAT (62.152.224.3). But this change in 10 second and packets are send to the my public addres.(192.168.1.163). in the sip.conf for the phone(X-Lite) is [998] type=friend username=998 secret=pokus canreinvite=no host=dynamic dtmfmode=rfc2833 mailbox=998 nat=1 callerid=0650199802 Can anybody explain me, why the dest IP will change from public one to the private one ? best regards hudecof - CUT - DEBUG[540687]: File rtp.c, Line 388 (ast_rtp_read): RTP NAT: Using address 62.152.224.3:8000 DEBUG[540687]: File rtp.c, Line 942 (ast_rtp_raw_write): Difference is 4160, ms is 540 DEBUG[540687]: File rtp.c, Line 343 (ast_rtcp_read): RTP NAT: Using address 192.168.1.163:8001 DEBUG[540687]: File rtp.c, Line 388 (ast_rtp_read): RTP NAT: Using address 62.152.224.3:8000 DEBUG[540687]: File rtp.c, Line 942 (ast_rtp_raw_write): Difference is 6576, ms is 842 DEBUG[540687]: File rtp.c, Line 942 (ast_rtp_raw_write): Difference is 7848, ms is 1001 DEBUG[540687]: File rtp.c, Line 343 (ast_rtcp_read): RTP NAT: Using address 192.168.1.163:8001 DEBUG[540687]: File rtp.c, Line 343 (ast_rtcp_read): RTP NAT: Using address 192.168.1.163:8001 DEBUG[540687]: File rtp.c, Line 343 (ast_rtcp_read): RTP NAT: Using address 192.168.1.163:8001 - CUT - -- mail: [EMAIL PROTECTED] www: [http://www.postel.sk] cellular: [+421 02 50203166] icq: [99518783] gpg: [http://hudecof.net/data/hudecof.gpg] ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT problem
Hi! First few seconds of the call are OK. Astrisk is sending the packets to the public IP address of the FW/NAT (62.152.224.3). But this change in 10 second and packets are send to the my public addres.(192.168.1.163). in the sip.conf for the phone(X-Lite) is I think you should check your X-Lite setup, look for Send internal IP yes/no and press F9 in X-Lite for debugging. Philipp ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
--- Peter Zeltins [EMAIL PROTECTED] wrote: That's for pointing out Walter Snel hack. Adding his two additional features would not be hard. http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html Any idea when these hacks will appear in CVS? We should all hope never. That's why you call it a hack because it works for only one very specific case and would break SIP under Astrisk for most people. It even breaks calls between Asterisk and local SIP phones. Now the trick is to write some code that desides if the trick is to be used or not for each call by comparing the IP address of Asterisk and the called SIP phone. You migh want to experiment with it and report results. = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Well, my hosts hack-on-hack didn't work...internal clients could register with * using the hosts-hacked FQDN, and * could register with (for example) FWD and iconnecthere, but on calls in either direction, I only got a few seconds of audio, then silence (though debugging showed what looked like a continued normal SIP/RTP conversation), then it threw a 484 Address Incomplete status and disconnected. Would it be inappropriate to sponsor ($) a dev contest for the real (universal/not hardcoded) 'hack'? :) - Original message - From: Chris Albertson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Wed, 29 Oct 2003 09:13:31 -0800 (PST) Subject: Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients --- Peter Zeltins [EMAIL PROTECTED] wrote: That's for pointing out Walter Snel hack. Adding his two additional features would not be hard. http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html Any idea when these hacks will appear in CVS? We should all hope never. That's why you call it a hack because it works for only one very specific case and would break SIP under Astrisk for most people. It even breaks calls between Asterisk and local SIP phones. Now the trick is to write some code that desides if the trick is to be used or not for each call by comparing the IP address of Asterisk and the called SIP phone. You migh want to experiment with it and report results. = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Hello everyone and welcome to my first post to the list! After studying for a couple of weeks, I finally built * for the first time last night, and of course had the same SIP-behind-NAT woes that plague all of us who use NATted connections. It was therefore with no small joy that I read the fix for that that Walter Snel proposed (q.v.: http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html). Since I currently have no zaptel hardware (though intend to get some within the week) and thus use soft (SIP) clients on the same internal network, the caveat that it would break internal SIP clients was, for me, a reason to not yet implement his fix. I was examining chan_sip.c, trying to think of a way to implement his 'Naturally it would be much better to make this behavior:', and while bemoaning my pathetic C skills, thought of another solution: -CUT HERE TO GET RIGHT TO THE POINT :P- 1) Somehow (I use dynamic DNS) get a FQDN to point to the IP of the outside of your NAT box; 2) Implement W Snel's hardcoding as in the above URL, using your chosen FQDN where, in his example, he has 213.84.4.39; 3) On any internal machine with a SIP client, add an entry to the hosts file that points your chosen FQDN to the * server's IP on the *internal* network. What do you all think? I won't have an opportunity to try to implement this until later this evening, but at that time will post a follow-up to let you know how it went. -Chris ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
Honestly I can't see all these NAT woes people speak of... I have * on a public ip .. sip.conf entries with nat=yes load em up.. and they work. So I have yet to see why everyone has SO MANY problems. bkw On Tue, 28 Oct 2003, Christopher Stephens wrote: Hello everyone and welcome to my first post to the list! After studying for a couple of weeks, I finally built * for the first time last night, and of course had the same SIP-behind-NAT woes that plague all of us who use NATted connections. It was therefore with no small joy that I read the fix for that that Walter Snel proposed (q.v.: http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html). Since I currently have no zaptel hardware (though intend to get some within the week) and thus use soft (SIP) clients on the same internal network, the caveat that it would break internal SIP clients was, for me, a reason to not yet implement his fix. I was examining chan_sip.c, trying to think of a way to implement his 'Naturally it would be much better to make this behavior:', and while bemoaning my pathetic C skills, thought of another solution: -CUT HERE TO GET RIGHT TO THE POINT :P- 1) Somehow (I use dynamic DNS) get a FQDN to point to the IP of the outside of your NAT box; 2) Implement W Snel's hardcoding as in the above URL, using your chosen FQDN where, in his example, he has 213.84.4.39; 3) On any internal machine with a SIP client, add an entry to the hosts file that points your chosen FQDN to the * server's IP on the *internal* network. What do you all think? I won't have an opportunity to try to implement this until later this evening, but at that time will post a follow-up to let you know how it went. -Chris ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP behind NAT, workaround to make W Snel's very welcome fix work both for inside *and* outside clients
That's for pointing out Walter Snel hack. Adding his two additional features would not be hard.http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html in sip.conf nat=1 means the _client_ that Asterisk is talking with is NAT'd. We could add a line like below to sip.conf asterisk_interal_network=network name or address/mask and a line like asterisk_external_addressFQN or ipaddress One hitch is DHCP. The asterisk_external_address could change at any time while Asterisk is running when the DHCP lease expires. For that reason I would set up a dynamic DNS service and use the FQN raher then numeric address. But if you have a fixed IP that could work too. inside the code you test for dest.sin_addr being within network name or address/mask Network name can be numeric address/mask or a network name for /etc/networks or the networks NIS map. Would this work? On Tue, 28 Oct 2003, Christopher Stephens wrote: Hello everyone and welcome to my first post to the list! After studying for a couple of weeks, I finally built * for the first time last night, and of course had the same SIP-behind-NAT woes that plague all of us who use NATted connections. It was therefore with no small joy that I read the fix for that that Walter Snel proposed (q.v.: http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html). Since I currently have no zaptel hardware (though intend to get some within the week) and thus use soft (SIP) clients on the same internal network, the caveat that it would break internal SIP clients was, for me, a reason to not yet implement his fix. I was examining chan_sip.c, trying to think of a way to implement his 'Naturally it would be much better to make this behavior:', and while bemoaning my pathetic C skills, thought of another solution: -CUT HERE TO GET RIGHT TO THE POINT :P- 1) Somehow (I use dynamic DNS) get a FQDN to point to the IP of the outside of your NAT box; 2) Implement W Snel's hardcoding as in the above URL, using your chosen FQDN where, in his example, he has 213.84.4.39; 3) On any internal machine with a SIP client, add an entry to the hosts file that points your chosen FQDN to the * server's IP on the *internal* network. What do you all think? I won't have an opportunity to try to implement this until later this evening, but at that time will post a follow-up to let you know how it went. -Chris ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP client-NAT-Asterisk-NAT-SIP client. only works with canreinvite=no.
Can anybody explain me what does canreinvite=yes really does? Not sure how technical an answer you want becasue it look slike you know whats going on but as I unterstand it canreinvite=no tells the UA that reinvite is not supported and so causes all the RTP traffic to be routed via the * server.. I played with many nat settings and port forwarding settings and it ended up that canreinvite=no was the solution to my problems as well.. the downside is that it requires more bandwidth at the central site but the plus side is that it works through NAT.. Any ideas on the client A to C (same LAN, same NAT box, unique outside IP, same * server)? Only thing that springs to mind is to install another * box internally and then use IAX to connect the internal * box to the external one.. then the internal phone will call each other without crossing the NAT.. Later.. -- __ http://www.linuxmail.org/ Now with e-mail forwarding for only US$5.95/yr Powered by Outblaze ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP client-NAT-Asterisk-NAT-SIP client. only works with canreinvite=no.
WipeOut . wrote: Any ideas on the client A to C (same LAN, same NAT box, unique outside IP, same * server)? Only thing that springs to mind is to install another * box internally and then use IAX to connect the internal * box to the external one.. then the internal phone will call each other without crossing the NAT.. It shouldn't be *too* hard to change Asterisk such that it allows reinvites for particular netmasks. If you can ensure that your NAT clients are on different subnets, for example, this might be possible. -- Alastair Maw [EMAIL PROTECTED] MX Telecom - Systems Analyst http://www.mxtelecom.com ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP client-NAT-Asterisk-NAT-SIP client. only works with canreinvite=no.
I have been trying to get SIP UA work with NAT but i have no been successful has any one got NATed ATA working(i.e an ATA witha private IP working with NAT). Asterisk registers the 192.168.0.3 Ip but no call go through at all, infact there is no log of any call made on asterisk console. can anyone please send me the sip.conf and ATA 186 configs of a NATed ATA to working with *. This what i have in my sip.conf [] type=friend username= transfer=yes nat=yes canreinvite=no context=myata host=dynamic permit=0.0.0.0/0.0.0.0 accountcode=mi100 ATA configs IP=192.168.0.3 staticRoute=192.168.0.2 mask=255.255.255.0 dhcp=0 GkorProxy= (*'s public IP) gateway= (*'s Public IP) outbound Proxy=(*'s public IP) NATIP= (host machine's Public IP) On Thu, 11 Sep 2003, Jose Ildefonso Camargo Tolosa wrote: Hi! I have this configuration: SIP client A - NAT box A (real external IP) - Asterisk server (real IP) - (real external IP) NAT box B - SIP client B The echo test form any of the clients to the asterisk server is working just fine, even without canreinvite=no. When I try to call from SIP client A to B, wihtout the canreinvite=no in the sip.conf, the call doesn't even ring. Then I add the canreinvite=no to BOTH clients on the sip.conf, it starts to work. The problem is that all voice data goes through my asterisk server, so the delay is longer. Also, this config doesn't work: SIP client A - NAT box A (real external IP, only one) - Asterisk server (real IP) SIP client C - NAT box A (real external IP, only one) - Asterisk server (real IP). When I try to call from A to C or C to A, the phone doesn't even ring, again, the echo test work just fine. SIP client A and SIP client C are in the same LAN, and both goes through NAT box A to the same asterisk server. In the case of clients A and C, the native bridge would be great, because it would save bandwith to both, my client, and me, and the voice delay would be almost nothing. My problem is: According to the data I got from the sip debug and the X-lite debug outputs, I don't see any reazon why the native bridge can't work, both clients gets different ports on the outside IP of the nat box, and that port is correctly recognized, and the reinvite packet is correctly sent. Can anybody explain me what does canreinvite=yes really does? Any ideas on the client A to C (same LAN, same NAT box, unique outside IP, same * server)? Thanks in advance, Sincerely, Ildefonso Camargo [EMAIL PROTECTED] ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users -- Olaifa Augustine General Data Engineering Services Ltd 18b oshin road,kongi bodija p.o.box 29460, secretariate, ibadan. tel:- 234-2-8105156 ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT traversal
Hi All, i found an article that explains SIP NAT woes. http://www.sipcenter.com/files/SIPNATtraversal.pdf It is a great read for all people in the mailing list that have problems with SIP when * is behind NAT or when there is NAT between asterisk and a SIP phone. Serge _ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - more
On Fri, 21 Mar 2003, Mark Spencer wrote: have you tried nat=1 in your friend declaration? I notice in your dump it says non-NAT I´m in the same situation, trying to debug an ATA 186 behing a NAT. And i´m stuck with SIP/2.0 407 Proxy Authentication Required debug messages. Does anyone have any hints on thisone? It would also be nice if someone could post a working ATA186 config. This would help against stupid mistakes in that end. But back to the NAT/No-NAT issue. What exactly is the difference protocolwise inbetween the two of them? /Chris ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT
I'm having some problems getting an ATA186 behind NAT working. When I had it on the same subnet as the Asterisk server, it worked fine. Now Ive taken the ATA on the road with me, and it's behind a Dlink router+firewall, doing NAT. I pick it up, hear a dialtone .. the firewall on the asterisk side presently has everything open to this subnet, so I know that's not really an issue. (what needs to be open, though?) Here's what the * server is giving me in SIP debug, though: 9 headers, 0 lines Interface is eth0 IP Address is 1.0.0.1 Using latest request as basis request Sending to 192.168.0.150 : 5060 (non-NAT) Transmitting (no NAT): SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 192.168.0.150:5060 From: sip:[EMAIL PROTECTED] To: sip:[EMAIL PROTECTED];tag=6b5fab60 Call-ID: [EMAIL PROTECTED] CSeq: 1 REGISTER User-Agent: Asterisk PBX Contact: sip:[EMAIL PROTECTED] Content-Length: 0 Suggestions? (IPs have been changed to protect the innocent) Thanks for any help you can give -- I was sort of relying on using this while I'm on the road. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] SIP and NAT - more
Oh, and yes, the * is current as of a few days ago .. so it should have that new SIP code mark was working on a while back. Thanks ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - more
have you tried nat=1 in your friend declaration? I notice in your dump it says non-NAT Mark On Fri, 21 Mar 2003, denon wrote: Oh, and yes, the * is current as of a few days ago .. so it should have that new SIP code mark was working on a while back. Thanks ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] SIP and NAT - more
Thanks -- I didn't realize that needed to be set. It works now, but there's a horrible echo on the sip client side. (I dont know about the other side, as I havent called any humans yet :) I don't, however, hear an echo when I call voicemail or such .. so I'm assuming it's something with the bridging? I didn't know of any echo cans that need to be enabled for sip - are there? The PSTN line its connecting out on has echocan and whenbridged enabled. Here's an example of one of the pstns, they're all built the same, using an Adtran 750 channel bank with current firmware (actually, the last release, which was considered the most stable by most): context = pstn1 signalling = fxs_ks amaflags = documentation echocancel=yes echocancelwhenbridged=yes adsi=yes channel = 17 Ideas? Thanks At 09:53 PM 3/21/2003 -0600, you wrote: have you tried nat=1 in your friend declaration? I notice in your dump it says non-NAT Mark On Fri, 21 Mar 2003, denon wrote: Oh, and yes, the * is current as of a few days ago .. so it should have that new SIP code mark was working on a while back. Thanks ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users