RE: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-11-01 Thread Paul Rodan
I'm finding out more information on this mod/hack as well. A mini-asterisk
box sounds intriguing. It's the perfect gateway between internal phones
and the PSTN.

At the very least, I'm modding one for QOS in regards to VOIP, DHCP that
assigns a TFTP server (for Cisco 79xx phones) and a TFTP server for the
Cisco 79xx config files. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Capouch
Sent: Saturday, October 30, 2004 3:12 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

Steve Totaro wrote:
 
 
 I think he meant something along the lines of what some people are 
 trying to do with the Linksys wrt54g.  Have the router not only forward 
 the packets but actually speak the language and be able to translate for 
 internal SIP clients.  A mini asterisk box.
 ___

Speaking of which, I have looked around on the Wiki for any information 
about running asterisk on the WRT boxen.  I find it referred to, but no 
details.

I know Jeremy McNamara was doing some work on this.  Is there a group, 
list, etc., I could tap into?

Thx.

B.
___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users





Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-30 Thread Matt Riddell
Michael Giagnocavo wrote:
I think his point is that for a commercial rollout (say, a VSP), IAX is not
practical for all clients right now. It's not strange to have a personal
preference that is technically better but not commercially viable. That's
not an insult, just how things are sometimes. Maybe if there were some ~$70
NAT router/gateway/bridge/UPnP/etc./etc. devices that supported IAX, this'd
change.
Sorry what are you wanting the NAT 
router/gateway/bridge/UPnP/etc./etc. devices to support about IAX 
exactly?  It does not require any mad packet mangling like SIP does.

--
Cheers,
Matt Riddell
___
http://www.sineapps.com/news.php (Daily Asterisk News - html)
http://www.sineapps.com/rssfeed.php (Daily Asterisk News - rss)
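
The "packet mangling" mentioned above comes from SIP carrying IP addresses inside the message itself, where a NAT that only rewrites IP/UDP headers never touches them. The sketch below is an added example, not part of the original post: it lists the addresses a receiver would find in a constructed INVITE and compares them with the packet's observed source. The sample message, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as a phone at 192.168.1.50 behind NAT sends it.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1000@203.0.113.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed",
    "From: <sip:2000@203.0.113.10>;tag=constructed",
    "To: <sip:1000@203.0.113.10>",
    "Call-ID: constructed-1@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:2000@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    "",
])


def is_rfc1918(host):
    """True if host is a literal IPv4 address in a private range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # hostnames are not judged here
    return any(addr in net for net in RFC1918)


def embedded_addresses(message):
    """Return (where, host, port) for every place the sender tells the
    receiver where to send replies, later requests, and media."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    found = []
    for line in head.split("\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):                 # where responses go
            m = re.match(r"\s*SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", value)
            if m:
                found.append(("Via", m.group(1), int(m.group(2) or 5060)))
        elif name in ("contact", "m"):           # where later requests go
            m = re.search(r"sips?:(?:[^@>\s]+@)?([^;:>\s]+)(?::(\d+))?", value)
            if m:
                found.append(("Contact", m.group(1), int(m.group(2) or 5060)))
    conn = None
    for line in body.split("\n"):                # session-level c= only
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m=") and conn:     # where RTP media goes
            media, port = line[2:].split()[:2]
            found.append(("SDP " + media, conn, int(port)))
    return found


def unreachable_targets(message, observed_src_ip):
    """Addresses in the message that are private and differ from the source
    the packet actually arrived from: the receiver cannot route to them."""
    return [(where, host, port)
            for where, host, port in embedded_addresses(message)
            if is_rfc1918(host) and host != observed_src_ip]


if __name__ == "__main__":
    # 198.51.100.7 stands in for the home router's public address.
    for item in unreachable_targets(SAMPLE_INVITE, "198.51.100.7"):
        print(item)
```

Each reported entry is something that has to be rewritten or ignored in favour of the packet source, and the SDP entry means a second, separately mapped UDP flow for the audio.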


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-30 Thread Steve Totaro
Exactly.
- Original Message - 
From: Michael Giagnocavo [EMAIL PROTECTED]
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' 
[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 10:56 PM
Subject: RE: [Asterisk-Users] Suggestion re: SIP/NAT/*


I think his point is that for a commercial rollout (say, a VSP), IAX is not
practical for all clients right now. It's not strange to have a personal
preference that is technically better but not commercially viable. That's
not an insult, just how things are sometimes. Maybe if there were some 
~$70
NAT router/gateway/bridge/UPnP/etc./etc. devices that supported IAX, 
this'd
change.

-Michael
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven
Critchfield
Sent: Friday, October 29, 2004 8:02 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
On Fri, 2004-10-29 at 21:53 -0400, Steve Totaro wrote:
Probably since there are so many SIP devices out there now and only a
couple
IAX.  In the future it is an awesome replacement.
So you would rather drive a '70s pinto instead of a Bugatti because
there are more 70's fire bomb pintos?
- Original Message - 
From: Matt Riddell [EMAIL PROTECTED]
To: Asterisk Users Mailing List - Non-Commercial Discussion
[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 7:57 PM
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

 --SNIP ALL--
 IAX is no adequate replacement option for SIP either.
 --SNIP ALL--

 What?!  How on earth could you come to that conclusion?!
--
Steven Critchfield [EMAIL PROTECTED]


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-30 Thread Steve Totaro
- Original Message - 
From: Matt Riddell [EMAIL PROTECTED]
To: Asterisk Users Mailing List - Non-Commercial Discussion 
[EMAIL PROTECTED]
Sent: Saturday, October 30, 2004 6:18 AM
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*


Michael Giagnocavo wrote:
I think his point is that for a commercial rollout (say, a VSP), IAX is 
not
practical for all clients right now. It's not strange to have a personal
preference that is technically better but not commercially viable. That's
not an insult, just how things are sometimes. Maybe if there were some 
~$70
NAT router/gateway/bridge/UPnP/etc./etc. devices that supported IAX, 
this'd
change.

Sorry what are you wanting the NAT router/gateway/bridge/UPnP/etc./etc. 
devices to support about IAX exactly?  It does not require any mad packet 
mangling like SIP does.

--
Cheers,
Matt Riddell
I think he meant something along the lines of what some people are trying to 
do with the Linksys wrt54g.  Have the router not only forward the packets 
but actually speak the language and be able to translate for internal SIP 
clients.  A mini asterisk box. 



Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Benjamin on Asterisk Mailing Lists
On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage [EMAIL PROTECTED] wrote:
 Yep, you can do this, just requires some port forwarding and special
 considerations in sip.conf.

You are missing the point. There is no *solution* to SIP NAT
traversal. All there is are *workarounds*, otherwise known as bad and
rather dangerous hacks. Whether it works or not is highly dependent on
external factors that you don't usually control. It also depends on
the type of NAT/PAT your router is using, ie the router's particular
NAT/PAT implementation.

The fact remains that SIP NAT traversal setups are highly insecure and
unreliable. Consider this to be the equivalent of locking your
apartment with duct tape. It may work for you, but you wouldn't
recommend it to anyone else UNLESS you wish them harm.

Now, this is valid for single NAT situations and it is even more valid
for double NAT situations.

If you want to do this properly without duct tape, then you will have
the three choices I mentioned:

- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel

Anything else is improper and unprofessional.

rgds
benjk
-- 
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
Tokyo, Japan.

NB: Spam filters in place. Messages unrelated to the * mailing lists
may get trashed.


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Karl Brose
NONSENSE
Benjamin on Asterisk Mailing Lists wrote:
On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage [EMAIL PROTECTED] wrote:
 

Yep, you can do this, just requires some port forwarding and special
considerations in sip.conf.
   

You are missing the point. There is no *solution* to SIP NAT
traversal. All there is are *workarounds*, otherwise known as bad and
rather dangerous hacks. Whether it works or not is highly dependent on
external factors that you don't usually control. It also depends on
the type of NAT/PAT your router is using, ie the router's particular
NAT/PAT implementation.
The fact remains that SIP NAT traversal setups are highly insecure and
unreliable. Consider this to be the equivalent of locking your
apartment with duct tape. It may work for you, but you wouldn't
recommend it to anyone else UNLESS you wish them harm.
Now, this is valid for single NAT situations and it is even more valid
for double NAT situations.
If you want to do this properly without duct tape, then you will have
the three choices I mentioned:
- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel
Anything else is improper and unprofessional.
rgds
benjk
 



RE: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Bill Seddon
Karl

Are you saying it is nonsense that there are difficulties using Asterisk and SIP
behind a NAT server?  Or are you saying it is nonsense that SIP and NAT are
dangerous together?

Bill Seddon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karl Brose
Sent: October 29, 2004 5:49 PM
To: Benjamin on Asterisk Mailing Lists; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

NONSENSE

Benjamin on Asterisk Mailing Lists wrote:

On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage [EMAIL PROTECTED]
wrote:
  

Yep, you can do this, just requires some port forwarding and special
considerations in sip.conf.



You are missing the point. There is no *solution* to SIP NAT
traversal. All there is are *workarounds*, otherwise known as bad and
rather dangerous hacks. Whether it works or not is highly dependent on
external factors that you don't usually control. It also depends on
the type of NAT/PAT your router is using, ie the router's particular
NAT/PAT implementation.

The fact remains that SIP NAT traversal setups are highly insecure and
unreliable. Consider this to be the equivalent of locking your
apartment with duct tape. It may work for you, but you wouldn't
recommend it to anyone else UNLESS you wish them harm.

Now, this is valid for single NAT situations and it is even more valid
for double NAT situations.

If you want to do this properly without duct tape, then you will have
the three choices I mentioned:

- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel

Anything else is improper and unprofessional.

rgds
benjk
  



Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Michael Bielicki
Also Karl, what are you basing your statement on?
*g


On Fri, 29 Oct 2004 18:01:50 +0100, Bill Seddon
[EMAIL PROTECTED] wrote:
 Karl
 
 Are you saying it is nonsense that there are difficulties using Asterisk and SIP
 behind a NAT server?  Or are you saying it is nonsense that SIP and NAT are
 dangerous together?
 
 Bill Seddon
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Karl Brose
 Sent: October 29, 2004 5:49 PM
 To: Benjamin on Asterisk Mailing Lists; Asterisk Users Mailing List -
 Non-Commercial Discussion
 Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
 
 NONSENSE
 
 Benjamin on Asterisk Mailing Lists wrote:
 
 On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage [EMAIL PROTECTED]
 wrote:
 
 
 Yep, you can do this, just requires some port forwarding and special
 considerations in sip.conf.
 
 
 
 You are missing the point. There is no *solution* to SIP NAT
 traversal. All there is are *workarounds*, otherwise known as bad and
 rather dangerous hacks. Whether it works or not is highly dependent on
 external factors that you don't usually control. It also depends on
 the type of NAT/PAT your router is using, ie the router's particular
 NAT/PAT implementation.
 
 The fact remains that SIP NAT traversal setups are highly insecure and
 unreliable. Consider this to be the equivalent of locking your
 apartment with duct tape. It may work for you, but you wouldn't
 recommend it to anyone else UNLESS you wish them harm.
 
 Now, this is valid for single NAT situations and it is even more valid
 for double NAT situations.
 
 If you want to do this properly without duct tape, then you will have
 the three choices I mentioned:
 
 - If you must use SIP, don't use NAT
 - If you must use NAT, use IAX
 - If you must use both SIP and NAT, build a tunnel
 
 Anything else is improper and unprofessional.
 
 rgds
 benjk
 
 
 


-- 
Michael Bielicki


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Steve Totaro
I would agree that it is not good to suggest or implement a solution that is 
not a Best Practice unless it is a last resort.

- Original Message - 
From: Bill Seddon [EMAIL PROTECTED]
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' 
[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 1:01 PM
Subject: RE: [Asterisk-Users] Suggestion re: SIP/NAT/*


Karl
Are you saying it is nonsense that there are difficulties using Asterisk and
SIP behind a NAT server?  Or are you saying it is nonsense that SIP and NAT
are dangerous together?

Bill Seddon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karl Brose
Sent: October 29, 2004 5:49 PM
To: Benjamin on Asterisk Mailing Lists; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
NONSENSE
Benjamin on Asterisk Mailing Lists wrote:
On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage [EMAIL PROTECTED]
wrote:

Yep, you can do this, just requires some port forwarding and special
considerations in sip.conf.

You are missing the point. There is no *solution* to SIP NAT
traversal. All there is are *workarounds*, otherwise known as bad and
rather dangerous hacks. Whether it works or not is highly dependent on
external factors that you don't usually control. It also depends on
the type of NAT/PAT your router is using, ie the router's particular
NAT/PAT implementation.
The fact remains that SIP NAT traversal setups are highly insecure and
unreliable. Consider this to be the equivalent of locking your
apartment with duct tape. It may work for you, but you wouldn't
recommend it to anyone else UNLESS you wish them harm.
Now, this is valid for single NAT situations and it is even more valid
for double NAT situations.
If you want to do this properly without duct tape, then you will have
the three choices I mentioned:
- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel
Anything else is improper and unprofessional.
rgds
benjk



Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Wilson Pickett
 All there is are *workarounds*, otherwise known as bad and
 rather dangerous hacks. Whether it works or not is highly dependent on
 external factors that you don't usually control. It also depends on
 the type of NAT/PAT your router is using, ie the router's particular
 NAT/PAT implementation.

So be it! From a practical standpoint, if you want to have NAT routers
on both sides and you accept all this scary stuff, port forwarding
will do the job.

On a concrete level, it depends on exactly what you need to protect.
If this is an asterisk box that you are watching daily and it is
otherwise secured (things like sendmail not accepting ANY mail from
the outside, minimal accounts and running services, etc) and you
really need to do this, it works beyond the shadow of a doubt - may
have been doing it for many months. On the client side, I'm not sure
what the risk is to say a SIP phone that has 5060 and some rtp ports
forwarded to it. Maybe someone can come in and list the threats to
both ends of a double NAT setup? I'm sure hundreds of us would be very
interested in this!


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Richard Branham
Thanks to everyone for your input.  I've chosen to register my * server with
FWD's IAX service, and have my remote SIP users register as FWD clients.  I
think this will solve my biggest problems, and give me the added benefit of
having voice mail available if my * server is offline.


- Original Message 
From: Benjamin on Asterisk Mailing Lists [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED], Asterisk Users Mailing List -
Non-Commercial Discussion [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
Date: 29/10/04 14:30


 On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage
<[EMAIL PROTECTED]> wrote:
 > Yep, you can do this, just requires some port forwarding and special
 > considerations in sip.conf.

 You are missing the point. There is no *solution* to SIP NAT
 traversal. All there is are *workarounds*, otherwise known as bad and
 rather dangerous hacks. Whether it works or not is highly dependent on
 external factors that you don't usually control. It also depends on
 the type of NAT/PAT your router is using, ie the router's particular
 NAT/PAT implementation.

 The fact remains that SIP NAT traversal setups are highly insecure and
 unreliable. Consider this to be the equivalent of locking your
 apartment with duct tape. It may work for you, but you wouldn't
 recommend it to anyone else UNLESS you wish them harm.

 Now, this is valid for single NAT situations and it is even more valid
 for double NAT situations.

 If you want to do this properly without duct tape, then you will have
 the three choices I mentioned:

 - If you must use SIP, don't use NAT
 - If you must use NAT, use IAX
 - If you must use both SIP and NAT, build a tunnel

 Anything else is improper and unprofessional.

 rgds
 benjk





Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Stewart Nelson
On the client side, I'm not sure
what the risk is to say a SIP phone that has 5060 and some rtp ports
forwarded to it. Maybe someone can come in and list the threats to
both ends of a double NAT setup? I'm sure hundreds of us would be very
interested in this!
Here is a simple example.  A user with a home office has a Cisco
ATA-186 for SIP communication with his company's * PBX.
1.  He puts the ATA in the DMZ, because he isn't sure what he has
   to forward, or he intentionally forwards port 80, so the office
   staff can administer the box.  It has a strong password, so
   he doesn't worry.
2.  His firmware has the Password Disclosure Vulnerability, see
http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml
3.  Attacker accesses configuration web page on device.
4A. Attacker modifies configuration to send calls through his proxy,
   listens in on calls.  Or,
4B. Attacker downloads new firmware into ATA from his site, installing
   LAN packet sniffer.
In another case, a user has a SIP phone that polls a server for
configuration updates via TFTP, but lacks strong encryption.
Attacker sends forged UDP packets in response to (assumed)
TFTP request, downloads malicious config.
There are lots more.
--Stewart


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Steve Totaro

- Original Message - 
From: Stewart Nelson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 3:51 PM
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*


On the client side, I'm not sure
what the risk is to say a SIP phone that has 5060 and some rtp ports
forwarded to it. Maybe someone can come in and list the threats to
both ends of a double NAT setup? I'm sure hundreds of us would be very
interested in this!
Here is a simple example.  A user with a home office has a Cisco
ATA-186 for SIP communication with his company's * PBX.
1.  He puts the ATA in the DMZ, because he isn't sure what he has
   to forward, or he intentionally forwards port 80, so the office
   staff can administer the box.  It has a strong password, so
   he doesn't worry.
2.  His firmware has the Password Disclosure Vulnerability, see
http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml
3.  Attacker accesses configuration web page on device.
4A. Attacker modifies configuration to send calls through his proxy,
   listens in on calls.  Or,
4B. Attacker downloads new firmware into ATA from his site, installing
   LAN packet sniffer.
In another case, a user has a SIP phone that polls a server for
configuration updates via TFTP, but lacks strong encryption.
Attacker sends forged UDP packets in response to (assumed)
TFTP request, downloads malicious config.
There are lots more.
If he/she puts it on the DMZ or opens port 80 then it's his/her fault.  Your 
example does not fit into the scope of the scenario.

what the risk is to say a SIP phone that has 5060 and some rtp ports
forwarded to it. Maybe someone can come in and list the threats to
both ends of a double NAT setup? I'm sure hundreds of us would be very
interested in this! 


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Karl Brose
 Express Router) can serve the
size of a metropolitan area easily with a regular PC or so.

BTW, to fix Asterisk SIP and RTP requires quite a bit of surgery, but will
be included in a STUN package (among other goodies often 
requested/complained
about on the list)

One of the best papers on this subject, SIP traversal across NATs can be 
found
at the SIEMENS site:
http://mysip.ch/sub_furtherinformation/sub_nat/doc/sip_architecture_with_nat_v1.0.pdf

Steve Totaro wrote:
I would agree that it is not good to suggest or implement a solution 
that is not a Best Practice unless it is a last resort.

- Original Message - From: Bill Seddon 
[EMAIL PROTECTED]
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' 
[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 1:01 PM
Subject: RE: [Asterisk-Users] Suggestion re: SIP/NAT/*


Karl
Are you saying it is nonsense that there are difficulties using Asterisk
and SIP behind a NAT server?  Or are you saying it is nonsense that SIP and
NAT are dangerous together?

Bill Seddon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karl Brose
Sent: October 29, 2004 5:49 PM
To: Benjamin on Asterisk Mailing Lists; Asterisk Users Mailing List -
Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
NONSENSE
Benjamin on Asterisk Mailing Lists wrote:
On Thu, 28 Oct 2004 14:45:46 -0600, Ryan Courtnage 
[EMAIL PROTECTED]
wrote:

Yep, you can do this, just requires some port forwarding and special
considerations in sip.conf.

You are missing the point. There is no *solution* to SIP NAT
traversal. All there is are *workarounds*, otherwise known as bad and
rather dangerous hacks. Whether it works or not is highly dependent on
external factors that you don't usually control. It also depends on
the type of NAT/PAT your router is using, ie the router's particular
NAT/PAT implementation.
The fact remains that SIP NAT traversal setups are highly insecure and
unreliable. Consider this to be the equivalent of locking your
apartment with duct tape. It may work for you, but you wouldn't
recommend it to anyone else UNLESS you wish them harm.
Now, this is valid for single NAT situations and it is even more valid
for double NAT situations.
If you want to do this properly without duct tape, then you will have
the three choices I mentioned:
- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel
Anything else is improper and unprofessional.
rgds
benjk





Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Matt Riddell
--SNIP ALL--
IAX is no adequate replacement option for SIP either.
--SNIP ALL--
What?!  How on earth could you come to that conclusion?!
--
Cheers,
Matt Riddell
___
http://www.sineapps.com/news.php (Daily Asterisk News - html)
http://www.sineapps.com/rssfeed.php (Daily Asterisk News - rss)


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Steve Totaro
Probably since there are so many SIP devices out there now and only a couple 
IAX.  In the future it is an awesome replacement.

- Original Message - 
From: Matt Riddell [EMAIL PROTECTED]
To: Asterisk Users Mailing List - Non-Commercial Discussion 
[EMAIL PROTECTED]
Sent: Friday, October 29, 2004 7:57 PM
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*


--SNIP ALL--
IAX is no adequate replacement option for SIP either.
--SNIP ALL--
What?!  How on earth could you come to that conclusion?!
--
Cheers,
Matt Riddell
___
http://www.sineapps.com/news.php (Daily Asterisk News - html)
http://www.sineapps.com/rssfeed.php (Daily Asterisk News - rss)


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Steven Critchfield
On Fri, 2004-10-29 at 21:53 -0400, Steve Totaro wrote:
 Probably since there are so many SIP devices out there now and only a couple 
 IAX.  In the future it is an awesome replacement.

So you would rather drive a '70s pinto instead of a Bugatti because
there are more 70's fire bomb pintos?

 - Original Message - 
 From: Matt Riddell [EMAIL PROTECTED]
 To: Asterisk Users Mailing List - Non-Commercial Discussion 
 [EMAIL PROTECTED]
 Sent: Friday, October 29, 2004 7:57 PM
 Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
 
 
  --SNIP ALL--
  IAX is no adequate replacement option for SIP either.
  --SNIP ALL--
 
  What?!  How on earth could you come to that conclusion?!

-- 
Steven Critchfield [EMAIL PROTECTED]



RE: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-29 Thread Michael Giagnocavo
I think his point is that for a commercial rollout (say, a VSP), IAX is not
practical for all clients right now. It's not strange to have a personal
preference that is technically better but not commercially viable. That's
not an insult, just how things are sometimes. Maybe if there were some ~$70
NAT router/gateway/bridge/UPnP/etc./etc. devices that supported IAX, this'd
change.

-Michael

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven
Critchfield
Sent: Friday, October 29, 2004 8:02 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

On Fri, 2004-10-29 at 21:53 -0400, Steve Totaro wrote:
 Probably since there are so many SIP devices out there now and only a
couple 
 IAX.  In the future it is an awesome replacement.

So you would rather drive a '70s pinto instead of a Bugatti because
there are more 70's fire bomb pintos?

 - Original Message - 
 From: Matt Riddell [EMAIL PROTECTED]
 To: Asterisk Users Mailing List - Non-Commercial Discussion 
 [EMAIL PROTECTED]
 Sent: Friday, October 29, 2004 7:57 PM
 Subject: Re: [Asterisk-Users] Suggestion re: SIP/NAT/*
 
 
  --SNIP ALL--
  IAX is no adequate replacement option for SIP either.
  --SNIP ALL--
 
  What?!  How on earth could you come to that conclusion?!

-- 
Steven Critchfield [EMAIL PROTECTED]



Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-28 Thread Benjamin on Asterisk Mailing Lists
On Thu, 28 Oct 2004 14:00:46 -0400, Richard Branham [EMAIL PROTECTED] wrote:
 
 I'm attempting to set up an Asterisk server with clients as follows:
 
 SIP Client 1 (HT 286) === NAT === Internet === NAT === * Server === SIP
 Client (HT 286) 2

Double NAT ?! You may as well try to find a cure for cancer.

Here is my advice ...

- If you must use SIP, don't use NAT
- If you must use NAT, use IAX
- If you must use both SIP and NAT, build a tunnel

Anything else is either not going to work at all, or it will be the
equivalent of building a house using cardboard and duct tape: messy
and unreliable.

rgds
benjk
-- 
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
Tokyo, Japan.

NB: Spam filters in place. Messages unrelated to the * mailing lists
may get trashed.


Re: [Asterisk-Users] Suggestion re: SIP/NAT/*

2004-10-28 Thread Ryan Courtnage
On Thu, 2004-28-10 at 14:00 -0400, Richard Branham wrote:
 I'm attempting to set up an Asterisk server with clients as follows:
 
 
 SIP Client 1 (HT 286) === NAT === Internet === NAT === * Server === SIP 
 Client (HT 286) 2

Yep, you can do this, just requires some port forwarding and special
considerations in sip.conf.  Here are the details on my setup:

- Asterisk has a private IP behind my OFFICE router (ie: NATted). 
- The SIP client has a private IP behind my HOME router (ie: NATted).

I'm doing this _without_ the use of STUN or proxy servers.

Here's how it works:

- Asterisk's firewall forwards 5060 udp and 1-2 udp to *
- The SIP client's firewall forwards 5060 udp and 1-2 udp to the SIP 
client
- The SIP client has no special settings, just the external IP of Asterisk's 
firewall for the SIP Server.
- sip.conf contains NAT=YES for this particular client
- ensure sip.conf's [general] section contains:

bindaddr = 0.0.0.0 
externip = external ip
localnet = 255.255.255.0  -- localnet setting is very important!

Works great - I've never had an issue.

Cheers,
Ryan

 
 The crux of the matter is this:  I have a client behind a NAT trying to 
 connect to an * behind a NAT.  I'm looking for suggestions on how best 
 to tackle the problem. 
 
 Although I'd prefer to have Client 1 connect directly to my * server, 
 it's acceptable for Client 1 to connect to another service (FWD, etc.) 
 and have my * server register with the service as well if necessary.
 
 I have the option of disabling NAT or putting some equipment into a DMZ.
 
 Can you offer some suggestions for what my network topology should look 
 like to get Client 1 connected to my * server?
 
 Thanks,
 Richard
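
A pre-deployment check for the sip.conf NAT settings named in the message above (`externip`, `localnet`, per-peer `nat`), given here as an added example that is not part of the original post or of Asterisk. The sample files, peer name, addresses and finding codes are constructed, and the rules are this checker's assumptions: `externip` is expected to be a literal public address, `localnet` to be in network/netmask form, and any peer with NAT handling enabled to carry a `secret`.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample with three mistakes the checks below look for.
WEAK_SIP_CONF = """
[general]
bindaddr = 0.0.0.0
externip = 192.168.1.10        ; private address, useless to outside peers
localnet = 255.255.255.0       ; netmask without a network

[home-phone]
type = friend
host = dynamic
nat = yes
"""

# Constructed corrected form; 203.0.113.10 is a documentation address.
FIXED_SIP_CONF = """
[general]
bindaddr = 0.0.0.0
externip = 203.0.113.10
localnet = 192.168.1.0/255.255.255.0

[home-phone]
type = friend
host = dynamic
nat = yes
secret = constructed-not-a-real-secret
"""


def parse_sip_conf(text):
    """Parse Asterisk-style config into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            value = value.lstrip(">").strip()    # accept 'key => value'
            sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections


def audit_nat(text):
    """Return a list of (section, finding_code) for NAT-related settings."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    findings, ext, nets = [], None, []

    externip = general.get("externip", [])
    if not externip:
        findings.append(("general", "externip-missing"))
    else:
        try:
            ext = ipaddress.ip_address(externip[-1])
        except ValueError:
            findings.append(("general", "externip-not-ip"))
        else:
            if any(ext in net for net in RFC1918):
                findings.append(("general", "externip-private"))

    localnets = general.get("localnet", [])
    if not localnets:
        findings.append(("general", "localnet-missing"))
    for value in localnets:
        if "/" not in value:                     # bare address or bare mask
            findings.append(("general", "localnet-no-network"))
            continue
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            findings.append(("general", "localnet-invalid"))
    if ext is not None and any(ext in net for net in nets):
        findings.append(("general", "externip-in-localnet"))

    # A peer reachable through a forwarded port must at least authenticate.
    for name, opts in conf.items():
        if name == "general":
            continue
        nat = opts.get("nat", ["no"])[-1].lower()
        if nat not in ("no", "never") and "secret" not in opts:
            findings.append((name, "peer-no-secret"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SIP_CONF), ("fixed", FIXED_SIP_CONF)):
        print(label, audit_nat(text))
```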
