Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 01/11/2012 12:09 PM, Bryant Zimmerman wrote:

> From: "Steve Davies"
> Sent: Wednesday, January 11, 2012 12:51 PM
> To: "Asterisk Users Mailing List - Non-Commercial Discussion"
> Subject: Re: [asterisk-users] SIP and NAT best practices since recent changes?
>
> On 11 January 2012 15:43, Kevin P. Fleming wrote:
>> On 01/11/2012 05:29 AM, Steve Davies wrote:
>>>
>>> Hi,
>>>
>>> Since the recent update to the NAT configuration options and defaults
>>> in chan_sip.so, I am interested in any SIP/NAT best practices advice.
>>>
>>> What I've always done in the past is:
>>>
>>> Global: nat=no
>>> SIP handsets that are local: nat=no
>>> SIP handsets that are remote: nat=yes
>>> ITSP SIP trunks: nat=yes
>>>
>>> I will then set externip and localnet to reflect the local setup,
>>> UNLESS there is a functional SIP ALG doing the work in the gateway
>>> device. I make this statement because I've found one or two firewalls
>>> where it is best to disable the SIP ALG, and one or two where it is
>>> best to leave it enabled.
>>>
>>> The above always worked very well, but I now find my asterisk logs
>>> being spammed with warnings containing lots of "!!" and I'd like to
>>> know the best way to operate to achieve what I've always had while
>>> following the new rules in order to be as secure as possible with
>>> "clean" logs. I should add that we do not accept unsolicited
>>> connections, and 99% of attempts to connect will be stopped at the
>>> firewall.
>>
>> The simplest answer is to always use 'nat=yes' (or at least
>> 'nat=force_rport' in recent versions of Asterisk that support it), until you
>> come across a SIP endpoint that fails to work properly with that setting. If
>> you do come across such an endpoint, try hard to get it to work with that
>> setting; if you can't, then set 'nat=no' for that endpoint, and understand
>> that the endpoint's name could be discoverable using the attack methods
>> previously disclosed. If the endpoint's configuration is suitably locked
>> down (permit/deny, for example) this may not be a concern for you. If it's
>> not locked down (for example, if it has to register to your Asterisk server
>> from random locations), then the next step would be to seriously consider
>> requesting that the user of that endpoint consider switching to some other
>> SIP endpoint.
>>
>> To date, the only endpoints that have been identified that do *not* work
>> with Asterisk's 'rport' handling forced upon them are Cisco phones.
>
> Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!)
>
> Regards,
> Steve
>
> Steve
>
> I can't get my grandstream phones to work with force_rport behind a
> pfsense firewall. but yes and comedia work fine.

That's rather strange, since 'yes' includes 'force_rport'. Can you describe what 'not work' means in this case?

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP and NAT best practices since recent changes?
From: "Steve Davies"
Sent: Wednesday, January 11, 2012 12:51 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion"
Subject: Re: [asterisk-users] SIP and NAT best practices since recent changes?

On 11 January 2012 15:43, Kevin P. Fleming wrote:
> On 01/11/2012 05:29 AM, Steve Davies wrote:
>>
>> Hi,
>>
>> Since the recent update to the NAT configuration options and defaults
>> in chan_sip.so, I am interested in any SIP/NAT best practices advice.
>>
>> What I've always done in the past is:
>>
>> Global: nat=no
>> SIP handsets that are local: nat=no
>> SIP handsets that are remote: nat=yes
>> ITSP SIP trunks: nat=yes
>>
>> I will then set externip and localnet to reflect the local setup,
>> UNLESS there is a functional SIP ALG doing the work in the gateway
>> device. I make this statement because I've found one or two firewalls
>> where it is best to disable the SIP ALG, and one or two where it is
>> best to leave it enabled.
>>
>> The above always worked very well, but I now find my asterisk logs
>> being spammed with warnings containing lots of "!!" and I'd like to
>> know the best way to operate to achieve what I've always had while
>> following the new rules in order to be as secure as possible with
>> "clean" logs. I should add that we do not accept unsolicited
>> connections, and 99% of attempts to connect will be stopped at the
>> firewall.
>
> The simplest answer is to always use 'nat=yes' (or at least
> 'nat=force_rport' in recent versions of Asterisk that support it), until you
> come across a SIP endpoint that fails to work properly with that setting. If
> you do come across such an endpoint, try hard to get it to work with that
> setting; if you can't, then set 'nat=no' for that endpoint, and understand
> that the endpoint's name could be discoverable using the attack methods
> previously disclosed. If the endpoint's configuration is suitably locked
> down (permit/deny, for example) this may not be a concern for you. If it's
> not locked down (for example, if it has to register to your Asterisk server
> from random locations), then the next step would be to seriously consider
> requesting that the user of that endpoint consider switching to some other
> SIP endpoint.
>
> To date, the only endpoints that have been identified that do *not* work
> with Asterisk's 'rport' handling forced upon them are Cisco phones.

Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!)

Regards,
Steve

Steve

I can't get my grandstream phones to work with force_rport behind a pfsense firewall. but yes and comedia work fine.

Bryant
Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 11 January 2012 15:43, Kevin P. Fleming wrote:
> On 01/11/2012 05:29 AM, Steve Davies wrote:
>>
>> Hi,
>>
>> Since the recent update to the NAT configuration options and defaults
>> in chan_sip.so, I am interested in any SIP/NAT best practices advice.
>>
>> What I've always done in the past is:
>>
>> Global: nat=no
>> SIP handsets that are local: nat=no
>> SIP handsets that are remote: nat=yes
>> ITSP SIP trunks: nat=yes
>>
>> I will then set externip and localnet to reflect the local setup,
>> UNLESS there is a functional SIP ALG doing the work in the gateway
>> device. I make this statement because I've found one or two firewalls
>> where it is best to disable the SIP ALG, and one or two where it is
>> best to leave it enabled.
>>
>> The above always worked very well, but I now find my asterisk logs
>> being spammed with warnings containing lots of "!!" and I'd like to
>> know the best way to operate to achieve what I've always had while
>> following the new rules in order to be as secure as possible with
>> "clean" logs. I should add that we do not accept unsolicited
>> connections, and 99% of attempts to connect will be stopped at the
>> firewall.
>
> The simplest answer is to always use 'nat=yes' (or at least
> 'nat=force_rport' in recent versions of Asterisk that support it), until you
> come across a SIP endpoint that fails to work properly with that setting. If
> you do come across such an endpoint, try hard to get it to work with that
> setting; if you can't, then set 'nat=no' for that endpoint, and understand
> that the endpoint's name could be discoverable using the attack methods
> previously disclosed. If the endpoint's configuration is suitably locked
> down (permit/deny, for example) this may not be a concern for you. If it's
> not locked down (for example, if it has to register to your Asterisk server
> from random locations), then the next step would be to seriously consider
> requesting that the user of that endpoint consider switching to some other
> SIP endpoint.
>
> To date, the only endpoints that have been identified that do *not* work
> with Asterisk's 'rport' handling forced upon them are Cisco phones.

Excellent. Thanks as always Kevin. (Why am I not surprised about Cisco!)

Regards,
Steve
Re: [asterisk-users] SIP and NAT best practices since recent changes?
On 01/11/2012 05:29 AM, Steve Davies wrote:
> Hi,
>
> Since the recent update to the NAT configuration options and defaults
> in chan_sip.so, I am interested in any SIP/NAT best practices advice.
>
> What I've always done in the past is:
>
> Global: nat=no
> SIP handsets that are local: nat=no
> SIP handsets that are remote: nat=yes
> ITSP SIP trunks: nat=yes
>
> I will then set externip and localnet to reflect the local setup,
> UNLESS there is a functional SIP ALG doing the work in the gateway
> device. I make this statement because I've found one or two firewalls
> where it is best to disable the SIP ALG, and one or two where it is
> best to leave it enabled.
>
> The above always worked very well, but I now find my asterisk logs
> being spammed with warnings containing lots of "!!" and I'd like to
> know the best way to operate to achieve what I've always had while
> following the new rules in order to be as secure as possible with
> "clean" logs. I should add that we do not accept unsolicited
> connections, and 99% of attempts to connect will be stopped at the
> firewall.

The simplest answer is to always use 'nat=yes' (or at least 'nat=force_rport' in recent versions of Asterisk that support it), until you come across a SIP endpoint that fails to work properly with that setting. If you do come across such an endpoint, try hard to get it to work with that setting; if you can't, then set 'nat=no' for that endpoint, and understand that the endpoint's name could be discoverable using the attack methods previously disclosed. If the endpoint's configuration is suitably locked down (permit/deny, for example) this may not be a concern for you. If it's not locked down (for example, if it has to register to your Asterisk server from random locations), then the next step would be to seriously consider requesting that the user of that endpoint consider switching to some other SIP endpoint.

To date, the only endpoints that have been identified that do *not* work with Asterisk's 'rport' handling forced upon them are Cisco phones.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
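The check described in the reply above, as an added example (not part of the original thread and not Digium's code): a small auditor that reads a sip.conf, works out each entry's effective nat setting, and separates entries without forced rport that have permit/deny from those that do not. The sample configuration, peer names, addresses and finding labels are constructed; template inheritance and #include are not handled.

```python
import re

# Constructed sample sip.conf for illustration; peer names, addresses and
# secrets are made up and do not come from the thread.
SAMPLE_SIP_CONF = """\
[general]
nat=force_rport                 ; global default, as advised in the thread
externip=203.0.113.10
localnet=192.168.1.0/255.255.255.0

[desk-101]                      ; no nat= line: inherits the global value
type=friend
host=dynamic
secret=example-only

[cisco-lobby]                   ; cannot cope with forced rport, but has an ACL
type=friend
host=dynamic
nat=no
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[roaming-200]                   ; nat=no and may register from anywhere
type=friend
host=dynamic
nat=no

[itsp-trunk]
type=peer
host=sip.example.net
nat=yes
"""

# Values that force rport handling; the thread notes that 'yes' includes 'force_rport'.
FORCED = {"yes", "force_rport"}


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as permit/deny.

    Simplified reader: ';' starts a comment, templates and #include are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Accept both 'key=value' and 'key => value'.
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def rport_forced(value):
    """True if a nat= value (possibly a comma list) forces rport handling."""
    return any(part.strip() in FORCED for part in value.lower().split(","))


def audit(text):
    """List (section, finding) pairs for entries that depart from the advice."""
    sections = parse_sip_conf(text)
    global_nat = dict(sections.get("general", [])).get("nat")
    findings = []
    if global_nat is not None and not rport_forced(global_nat):
        findings.append(("general", "global-nat-not-forced"))
    for name, options in sections.items():
        if name == "general":
            continue
        keys = {key for key, _ in options}
        nat = dict(options).get("nat", global_nat)
        if nat is None or rport_forced(nat):
            continue
        # Presence check only: it does not judge how tight the permit range is.
        locked_down = {"deny", "permit"} <= keys
        label = "rport-not-forced-with-acl" if locked_down else "rport-not-forced-no-acl"
        findings.append((name, label))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"{section}: {finding}")
```

Entries reported as rport-not-forced-no-acl are the ones the reply suggests either locking down with permit/deny or moving to a different endpoint.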
[asterisk-users] SIP and NAT best practices since recent changes?
Hi,

Since the recent update to the NAT configuration options and defaults in chan_sip.so, I am interested in any SIP/NAT best practices advice.

What I've always done in the past is:

Global: nat=no
SIP handsets that are local: nat=no
SIP handsets that are remote: nat=yes
ITSP SIP trunks: nat=yes

I will then set externip and localnet to reflect the local setup, UNLESS there is a functional SIP ALG doing the work in the gateway device. I make this statement because I've found one or two firewalls where it is best to disable the SIP ALG, and one or two where it is best to leave it enabled.

The above always worked very well, but I now find my asterisk logs being spammed with warnings containing lots of "!!" and I'd like to know the best way to operate to achieve what I've always had while following the new rules in order to be as secure as possible with "clean" logs. I should add that we do not accept unsolicited connections, and 99% of attempts to connect will be stopped at the firewall.

Thanks,
Steve
Re: [asterisk-users] SIP AND NAT
Hello!

What are the nat_sip modules you mention? When I set up a linux router some time ago and configured sip.conf with net=yes, everything went smoothly just like any other router.

Elliot

On Mon, Aug 3, 2009 at 8:45 PM, Gordon Henderson wrote:
> On Mon, 3 Aug 2009, Ketema Harris wrote:
>
>> my questions are: What is the correct way(or resource to find a way)
>> to get a linux firewall to work with SIP so that the NAT issue is not
>> an issue ?
>
> Remove all SIP ALG/connection tracking modules and use old fashioned port
> forwarding on the router and externip=xx.yy.z.qq, localnet= and nat=yes in
> sip.conf in the asterisk box.
>
> That's what I do, anyway.
>
> Gordon
Re: [asterisk-users] SIP AND NAT
On Mon, 3 Aug 2009, Ketema Harris wrote:

> my questions are: What is the correct way(or resource to find a way)
> to get a linux firewall to work with SIP so that the NAT issue is not
> an issue ?

Remove all SIP ALG/connection tracking modules and use old fashioned port forwarding on the router and externip=xx.yy.z.qq, localnet= and nat=yes in sip.conf in the asterisk box.

That's what I do, anyway.

Gordon
Re: [asterisk-users] SIP AND NAT
On Mon, 2009-08-03 at 13:29 -0400, Ketema Harris wrote:
> I recently did a set up where I replaced a simple D-link home router
> that was having trouble processing a T1's worth of bandwidth with a
> linux machine running iptables. the kernel was 2.6.29-r5 and I chose
> the SIP connection tracking modules from the menuconfig.
>
> Router worked fine for normal traffic, but I was unable to get the SIP
> phones to work. Using ngrep it was plain to see that although the
> packets going out were reaching their destination the data inside the
> sip headers all contained non routable IPs. I used lsmod and saw that
> the following modules:
>
> nf_nat_sip 5084 0
> nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
> nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat
> nf_defrag_ipv4 1788 1 nf_conntrack_ipv4
>
> were loaded. I also googled and found the http://www.iptel.org/sipalg/
> website, but since this seemed to be a little dated I assumed
> the modules contained in the kernel source tree were newer and more
> "reliable"
>
> my questions are: What is the correct way(or resource to find a way)
> to get a linux firewall to work with SIP so that the NAT issue is not
> an issue ?

Not an area of great expertise for me. I would think nf_nat_sip would take care of it but I'm surprised to not see conntrack_sip. Here is what is running on our firewall (not that we do a lot with NAT'd sip but the little we've done seems to work):

[r...@fw01 ~]# lsmod | grep sip
ip_nat_sip 37313 0
ip_conntrack_sip 41745 1 ip_nat_sip
ip_nat 52845 5 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,iptable_nat
ip_conntrack 91237 13 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_sip,ip_conntrack_netbios_ns,xt_state,iptable_nat,ip_nat

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
[asterisk-users] SIP AND NAT
I recently did a set up where I replaced a simple D-link home router that was having trouble processing a T1's worth of bandwidth with a linux machine running iptables. the kernel was 2.6.29-r5 and I chose the SIP connection tracking modules from the menuconfig.

Router worked fine for normal traffic, but I was unable to get the SIP phones to work. Using ngrep it was plain to see that although the packets going out were reaching their destination the data inside the sip headers all contained non routable IPs. I used lsmod and saw that the following modules:

nf_nat_sip 5084 0
nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat
nf_defrag_ipv4 1788 1 nf_conntrack_ipv4

were loaded. I also googled and found the http://www.iptel.org/sipalg/ website, but since this seemed to be a little dated I assumed the modules contained in the kernel source tree were newer and more "reliable"

my questions are: What is the correct way(or resource to find a way) to get a linux firewall to work with SIP so that the NAT issue is not an issue ?
Re: [asterisk-users] sip and nat
Johanna NIRINA wrote:
> I'm using asterisk 1.4. There are some SIP clients behind a NAT: the
> asterisk server can't send requests to these clients.
> I'm looking for a solution to solve that on the server (asterisk) side.
> (Sorry for my English.)
>
> Thanks,
> johanna

Common solutions include stun or a combination of qualify=yes and/or nat=yes entries in sip.conf

http://www.voip-info.org/wiki/view/Asterisk+sip+qualify

--
Robin D. Rodriguez
Systems Engineer
Ifbyphone, Inc.
Phone: (866) 250-1663
Fax: (847) 676-6553
[EMAIL PROTECTED]
http://www.ifbyphone.com
Re: [asterisk-users] sip and nat
I'm using asterisk 1.4. There are some SIP clients behind a NAT: the asterisk server can't send requests to these clients.
I'm looking for a solution to solve that on the server (asterisk) side.
(Sorry for my English.)

Thanks,
johanna
Re: [asterisk-users] sip and nat
John,

Client behind a NAT should not be a problem. What are your issues? If you post your scenario and more details about your problem, only then can someone help you better.

Jai
"Buy SIP DID at www.didforsale.com"

On Wed, Oct 22, 2008 at 12:24 AM, Johanna NIRINA <[EMAIL PROTECTED]> wrote:
> hi there,
> I'm a newbie in "VOIP technologies"; I'm implementing asterisk and I'm
> wondering what is the best way to resolve "the Asterisk/NAT problem": some
> clients are behind a NAT.
> Could anyone help me?
> thanks
>
> johanna
[asterisk-users] sip and nat
hi there,

I'm a newbie in "VOIP technologies"; I'm implementing asterisk and I'm wondering what is the best way to resolve "the Asterisk/NAT problem": some clients are behind a NAT.
Could anyone help me?

thanks

johanna
Re: [asterisk-users] SIP and NAT
Lincoln Zuljewic Silva wrote:
> Hello all.
>
> I'm having a little problem here with NAT, and I already read a lot of
> documentation on web, but I still can't understand how to get asterisk and
> "external (on internet)" sip clients connected.

So you have an Asterisk that is behind NAT, and you want to connect it to other NATted devices?

Cheers,
Jean-Michel.
re: [asterisk-users] SIP and NAT
Could you please explain what network configuration you want to try? It would be really helpful. You can be as simple as:

SIPphone --> internet --> NAT --> asterisk

or whatever your particular scenario is.

Alyed

> Hello all.
>
> I'm having a little problem here with NAT, and I already read a lot of
> documentation on web, but I still can't understand how to get asterisk and
> "external (on internet)" sip clients connected.
>
> Could anybody give me a tip?
>
> Thanks
> Lincoln
[asterisk-users] SIP and NAT
Hello all.

I'm having a little problem here with NAT, and I already read a lot of documentation on web, but I still can't understand how to get asterisk and "external (on internet)" sip clients connected.

Could anybody give me a tip?

Thanks
Lincoln
Re: [Asterisk-Users] SIP and NAT - best practices?
Apart of what everyone writes with the NAT=YES I would suggest using canreinvite=no as well as normally asterisk cans the reinvite and this might cause the audio not to get through the NAT and cause dead air for the users specially if the users are behind 2 separate NAT servers eg. different private networks.

By using canreinvite=no and nat=yes most of the NAT problems go away.

In this scenario the example would look like this:

[2201]
user=blah
secret=blah
auth=blah
allow=blah
host=dynamic
nat=yes
canreinvite=no

Mark Phillips wrote:
> Most often the simple addition of nat=yes in the relevant sip.conf
> stanza is all that's required to make a remote SIP phone work from
> behind a firewall.
>
> for example
>
> [2201]
> user=blah
> secret=blah
> auth=blah
> allow=blah
> host=dynamic
> nat=yes
>
> I've been running 4 remote SIP phones across the internet from my
> families houses all over the world in this manner. The only issues I
> get are those of bandwidth availability or rather occasional lack of
> it.
>
> Hosted PBX's are no different. The hosting service should be
> providing a similar mechanism (although it might not be Asterisk
> based).
>
> Mark, G7LTT/KC2ENI
> Randolph, NJ
> http://www.g7ltt.com
>
> Michaël Gaudette wrote:
>> Thanks Moises. I was kind of hoping that, at least if I hosted my
>> Asterisk server somewhere where there was no NAT for the * box that
>> the SIP phones wouldn't create any issues.
>>
>> How do you people with Hosted PBX handle the deployment of SIP phones
>> behind NAT firewalls? Is it just elbow grease and configuring every
>> single phone for the customer, or is there a way?
>>
>> Mike
>>
>> you can redirect the ports of the router as well. Or you can
>> configure your SIP phone to use a STUN server. Please read in
>> voip-info.org about SIP NAT, there are good suggestions.
>>
>> regards
>>
>> On 1/20/06, Michaël Gaudette <[EMAIL PROTECTED]> wrote:
>>> Hello,
>>>
>>> I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my
>>> wholesale provider. That worked, fine. I had to open up the ports on
>>> my router, forward them to the correct box, again fine.
>>>
>>> Now, if I get one of my customers to connect his SIP phone to my
>>> Asterisk box, and HE'S behind a NAT firewall, does he have to go
>>> through the same process, or is it just the Asterisk box that needs
>>> to translate the SIP and RTP port?
>>>
>>> In other words: if my SIP phone is behind a Linksys router, do I need
>>> to configure the Router for any reason?
>>>
>>> Mike
RE: [Asterisk-Users] SIP and NAT - best practices?
Leo Ann Boon <> wrote on Sunday, 22 January 2006 4:32 PM:
> Trevor G. Hammonds wrote:
>
>> While I have not used siproxd, I have read a bit about it. From my
>> understanding of the docs, the local SIP agents register to siproxd,
>> but siproxd does not register to Asterisk. So the calls will traverse
>> the NAT properly, but features like MWI will not work in this
>> scenario. Also, this would be pure SIP URL dialling (e.g.
>> [EMAIL PROTECTED]) as opposed to traditional telephone dialling
>> (e.g. 1-213-555-8080).
>>
>> Please correct me if I am wrong, because I would really like to be
>> (in this case). :-)
>
> The docs are a little confusing. Look in the FAQ section: What types
> of operation does siproxd support?
> Here's the text.
>
>> 1) Siproxd as outbound proxy:
>> - Configure your local client to register with some 3rd party
>>   service like Sipphone, FWD, Sipgate or any other.
>> - Configure your local client to use siproxd as OUTBOUND PROXY
>>
>> Note: In this case, the local client does NOT register with
>> siproxd but only with the external SIP registration service. The
>> only condition is that siproxd needs to stay in the path of
>> communication, therefore the local client must be configured as
>> to use an OUTBOUND PROXY.
>
> That's all you need to do. All your clients will still register to
> Asterisk through siproxd, siproxd will take care of rewriting the
> SIP headers to differentiate requests for each client.
>
> Leo

Thank you, Leo! This is exactly what I need. I am going to play around with that really soon.

Trevor
Re: [Asterisk-Users] SIP and NAT - best practices?
Trevor G. Hammonds wrote:
> While I have not used siproxd, I have read a bit about it. From my
> understanding of the docs, the local SIP agents register to siproxd,
> but siproxd does not register to Asterisk. So the calls will traverse
> the NAT properly, but features like MWI will not work in this
> scenario. Also, this would be pure SIP URL dialling (e.g.
> [EMAIL PROTECTED]) as opposed to traditional telephone dialling
> (e.g. 1-213-555-8080).
>
> Please correct me if I am wrong, because I would really like to be
> (in this case). :-)

The docs are a little confusing. Look in the FAQ section: What types of operation does siproxd support?
Here's the text.

> 1) Siproxd as outbound proxy:
> - Configure your local client to register with some 3rd party
>   service like Sipphone, FWD, Sipgate or any other.
> - Configure your local client to use siproxd as OUTBOUND PROXY
>
> Note: In this case, the local client does NOT register with
> siproxd but only with the external SIP registration service. The
> only condition is that siproxd needs to stay in the path of
> communication, therefore the local client must be configured as
> to use an OUTBOUND PROXY.

That's all you need to do. All your clients will still register to Asterisk through siproxd, siproxd will take care of rewriting the SIP headers to differentiate requests for each client.

Leo
RE: [Asterisk-Users] SIP and NAT - best practices?
Leo Ann Boon wrote on Saturday, 21 January 2006 6:21 PM:
> Trevor G. Hammonds wrote:
>
>> How about when you have four or five SIP devices at a single
>> location? Do you manually assign each phone a separate port and add
>> firewall/router rules? I am looking for an inexpensive device or
>> method that will allow this happen automatically. Rather than going
>> that route, my current solution is to put an Asterisk server at the
>> client's location to handle the SIP clients and do an outbound
>> trunked IAX connection back to the main server.
>
> Use an outbound proxy either a standalone appliance like ix-66 or you
> can build one using Siproxd running on your Linux gateway.
> http://siproxd.sourceforge.net/
>
> There's a WIP port of siproxd to OpenWRT so you can run it on a
> Linksys WRT54G.

While I have not used siproxd, I have read a bit about it. From my understanding of the docs, the local SIP agents register to siproxd, but siproxd does not register to Asterisk. So the calls will traverse the NAT properly, but features like MWI will not work in this scenario. Also, this would be pure SIP URL dialling (e.g. [EMAIL PROTECTED]) as opposed to traditional telephone dialling (e.g. 1-213-555-8080).

Please correct me if I am wrong, because I would really like to be (in this case). :-)

Sincerely,
Trevor Hammonds
Re: [Asterisk-Users] SIP and NAT - best practices?
I think that configuring the NAT device/firewall at the consumer site isn't always possible, thus the simplest (but not optimal) way is to configure the phone in sip.conf with nat=yes & canreinvite=no. This should work in most cases even if multiple phones are behind the same NAT, like an ADSL router. The disadvantage is that the RTP stream will always go through the Asterisk server (even for calls between phones in the same location, behind the same NAT/firewall).

So, as I asked before: is it planned in Asterisk development to make the "canreinvite" function more flexible, e.g. the possibility to specify that calls inside one context do a reinvite and other calls (between different contexts) don't do a reinvite ...

PJ
Re: [Asterisk-Users] SIP and NAT - best practices?
Trevor G. Hammonds wrote:

> How about when you have four or five SIP devices at a single location? Do you manually assign each phone a separate port and add firewall/router rules? I am looking for an inexpensive device or method that will allow this to happen automatically. Rather than going that route, my current solution is to put an Asterisk server at the client's location to handle the SIP clients and do an outbound trunked IAX connection back to the main server.

Use an outbound proxy, either a standalone appliance like ix-66 or you can build one using Siproxd running on your Linux gateway.
http://siproxd.sourceforge.net/

There's a WIP port of siproxd to OpenWRT so you can run it on a Linksys WRT54G.
RE: [Asterisk-Users] SIP and NAT - best practices?
How about when you have four or five SIP devices at a single location? Do you manually assign each phone a separate port and add firewall/router rules? I am looking for an inexpensive device or method that will allow this to happen automatically. Rather than going that route, my current solution is to put an Asterisk server at the client's location to handle the SIP clients and do an outbound trunked IAX connection back to the main server.

Sincerely,
Trevor Hammonds

Mark Phillips wrote on Saturday, 21 January 2006 12:36 PM:

> Most often the simple addition of nat=yes in the relevant sip.conf stanza is all that's required to make a remote SIP phone work from behind a firewall.
>
> for example
>
> [2201]
> user=blah
> secret=blah
> auth=blah
> allow=blah
> host=dynamic
> nat=yes
>
> I've been running 4 remote SIP phones across the internet from my families houses all over the world in this manner. The only issues I get are those of bandwidth availability or rather occasional lack of it.
>
> Hosted PBX's are no different. The hosting service should be providing a similar mechanism (although it might not be Asterisk based).
>
> Mark, G7LTT/KC2ENI
> Randolph, NJ
> http://www.g7ltt.com
>
> Michaël Gaudette wrote:
>> Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues.
>>
>> How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way?
>>
>> Mike
>>
>> you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions.
>>
>> regards
>>
>> On 1/20/06, Michaël Gaudette <[EMAIL PROTECTED]> wrote:
>>
>>> Hello,
>>>
>>> I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I had to open up the ports on my router, forward them to the correct box, again fine.
>>>
>>> Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port?
>>>
>>> In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason?
>>>
>>> Mike
Re: [Asterisk-Users] SIP and NAT - best practices?
Most often the simple addition of nat=yes in the relevant sip.conf stanza is all that's required to make a remote SIP phone work from behind a firewall.

for example

[2201]
user=blah
secret=blah
auth=blah
allow=blah
host=dynamic
nat=yes

I've been running 4 remote SIP phones across the internet from my families houses all over the world in this manner. The only issues I get are those of bandwidth availability or rather occasional lack of it.

Hosted PBX's are no different. The hosting service should be providing a similar mechanism (although it might not be Asterisk based).

Mark, G7LTT/KC2ENI
Randolph, NJ
http://www.g7ltt.com

Michaël Gaudette wrote:

> Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues.
>
> How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way?
>
> Mike
>
> you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions.
>
> regards
>
> On 1/20/06, Michaël Gaudette <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>>
>> I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I had to open up the ports on my router, forward them to the correct box, again fine.
>>
>> Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port?
>>
>> In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason?
>>
>> Mike
[Asterisk-Users] SIP and NAT - best practices?
Thanks Moises. I was kind of hoping that, at least if I hosted my Asterisk server somewhere where there was no NAT for the * box that the SIP phones wouldn't create any issues.

How do you people with Hosted PBX handle the deployment of SIP phones behind NAT firewalls? Is it just elbow grease and configuring every single phone for the customer, or is there a way?

Mike

you can redirect the ports of the router as well. Or you can configure your SIP phone to use a STUN server. Please read in voip-info.org about SIP NAT, there are good suggestions.

regards

On 1/20/06, Michaël Gaudette <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I'm a bit new to SIP, and I've set up a SIP line with Asterisk and my wholesale provider. That worked, fine. I had to open up the ports on my router, forward them to the correct box, again fine.
>
> Now, if I get one of my customers to connect his SIP phone to my Asterisk box, and HE'S behind a NAT firewall, does he have to go through the same process, or is it just the Asterisk box that needs to translate the SIP and RTP port?
>
> In other words: if my SIP phone is behind a Linksys router, do I need to configure the Router for any reason?
>
> Mike
Re: [Asterisk-Users] SIP and NAT problems "imagine that :) "
> each vendor for rtp. Cisco uses one range, xlite another, asterisk
> another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping
> the rtp ports and using the proper nat statements (possibly at both
> the phone location and asterisk location) tends to be difficult.

Then X-Lite can be told in network settings to start at 1 which is the base for unmodified asterisk RTP. I did that, use X-Lite on 5061 and it works perfectly with double NAT
Re: [Asterisk-Users] SIP and NAT problems "imagine that :) "
> Seriously, I've tried to read everything I could find (& search for) on voip-info.org and other sites about this problem, but have been unsuccessful.
>
> Equipment:
> xten lite
> X100P
> Whitebox linux running Asterisk / AMP
> D-Link DI-804HV (VPN router)
>
> I have installed another DI-804HV at a second location and created a tunnel. For the computers behind that unit, everything works fine through x-lite. However, for any people (ie Family members) that I'm trying to connect to my system that aren't going through a tunnel, it isn't working.
>
> Symptoms:
>
> They show up in "Sip Show Peers" however the NAT column is stating "N"
> I can call them and they can hear me fine, but I can't hear them.
>
> I'm thinking this has to do with RTP, but not sure.
>
> In the router I have the following setup under "Virtual Server":
> SIP TCP/UDP 5060
> IAX TCP/UDP 4569
> KS1 UDP 5004
> RTP1 UDP 5000
> SIP3 UDP 5036
> SIP4 UDP 2727
>
> In the firewall section I've said to allow UDP on -20001 to go to the asterisk server
> It looks like this in the firewall rules;
> Source *,* Dest *,192.168.x.x UDP,-20001
>
> Also on those extensions that are coming from an external source I've added the externip attribute in the form of
>
> externip="my_dynamic_domain_name_attached_to_my_ip"
>
> here's one of the extensions:
>
> [254]
> username=254
> type=friend
> secret=***
> port=5060
> nat=yes
> mailbox=254
> host=dynamic
> dtmfmode=rfc2833
> context=from-sip-external
> canreinvite=no
> callerid="Scott Knight" <254>
> externip=my.dyndns.org

Yes, your problem is rtp and probably a lack of understanding it. There have been at least hundreds of postings regarding nat issues in the last 18 months, and some reference data in the wiki.

The bottom line is that sip and rtp use different udp ports, and the exact udp ports in use are chosen from a range that is specified by each vendor for rtp. Cisco uses one range, xlite another, asterisk another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping the rtp ports and using the proper nat statements (possibly at both the phone location and asterisk location) tends to be difficult. Then when you add unusual implementations of nat functions into the mix, it becomes even more difficult to find a working config (eg, not all nat boxes operate the same).

Using something like Ethereal to observe what each device is trying to use (both in front of and behind nat boxes) will help understand what each box is trying to do in terms of both IP addresses and udp port numbers.

The rtp port range as noted above is specified by each vendor, and in many cases can be modified to some other predetermined port range. For example, asterisk uses udp ports 10,000 to 20,000 as specified in rtp.conf. Cisco 7960's use udp ports 16,384 to 32,766 as specified in SIPDefault.cnf, while if I remember correctly xlite uses something like 8,000 to 8,050 (or whatever).

The easiest nat & sip implementation are those where asterisk has a registered IP address and the phones are behind a nat box. The most difficult implementation is when both asterisk and remote phones are both behind their own nat boxes.

You'll want to research the use of nat statements in your sip.conf config files, and the nat support provided by each of your remote sip phones. But, ethereal will help point to the issue.
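The SDP body of each INVITE or 200 OK names the address and UDP port where that device expects RTP, which is what a capture in Ethereal would show. As an added illustration (not code from the thread or from Asterisk), this Python sketch reads a constructed SDP body and flags a private media address or an RTP port outside the forwarded ranges; the function names, sample addresses and forward list are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a literal private (RFC 1918) IPv4 address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or malformed value: cannot classify offline
    return any(ip in net for net in RFC1918)


def media_endpoints(sdp):
    """Return [(media, address, port)] for each m= line of an SDP body.

    A c= line before the first m= is the session default; a c= line after
    an m= line overrides it for that media stream only.
    """
    session_addr, streams = None, []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c="):
            fields = line[2:].split()        # ["IN", "IP4", "192.168.1.20"]
            if len(fields) != 3:
                continue
            addr = fields[2].split("/")[0]   # drop a multicast TTL suffix
            if streams:
                streams[-1][1] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line[2:].split()        # ["audio", "8000", "RTP/AVP", "0"]
            port = int(fields[1].split("/")[0])
            streams.append([fields[0], session_addr, port])
    return [tuple(s) for s in streams]


def audit(sdp, forwarded):
    """Flag media the far end cannot reach.

    forwarded: list of (low, high) UDP port ranges the NAT box forwards in.
    """
    findings = []
    for media, addr, port in media_endpoints(sdp):
        if addr is not None and is_rfc1918(addr):
            findings.append((media, "private-address", addr))
        # Port 0 means the stream is disabled, so there is nothing to forward.
        if port != 0 and not any(lo <= port <= hi for lo, hi in forwarded):
            findings.append((media, "port-not-forwarded", port))
    return findings


# Constructed SDP from a softphone behind NAT, using an RTP port near 8000.
PHONE_SDP = (
    "v=0\r\no=- 1 1 IN IP4 192.168.1.20\r\ns=call\r\n"
    "c=IN IP4 192.168.1.20\r\nt=0 0\r\n"
    "m=audio 8000 RTP/AVP 0 101\r\na=rtpmap:101 telephone-event/8000\r\n"
)
# Constructed forward list: SIP signalling plus the rtp.conf range 10000-20000.
FORWARDED = [(5060, 5060), (10000, 20000)]

if __name__ == "__main__":
    for finding in audit(PHONE_SDP, FORWARDED):
        print(finding)
```

Either finding alone is enough to produce audio in one direction only: signalling completes, but RTP sent toward the advertised endpoint never arrives.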
[Asterisk-Users] SIP and NAT problems "imagine that :) "
Hi all,

Seriously, I've tried to read everything I could find (& search for) on voip-info.org and other sites about this problem, but have been unsuccessful.

Equipment:
xten lite
X100P
Whitebox linux running Asterisk / AMP
D-Link DI-804HV (VPN router)

I have installed another DI-804HV at a second location and created a tunnel. For the computers behind that unit, everything works fine through x-lite. However, for any people (ie Family members) that I'm trying to connect to my system that aren't going through a tunnel, it isn't working.

Symptoms:

They show up in "Sip Show Peers" however the NAT column is stating "N"
I can call them and they can hear me fine, but I can't hear them.

I'm thinking this has to do with RTP, but not sure.

In the router I have the following setup under "Virtual Server":
SIP TCP/UDP 5060
IAX TCP/UDP 4569
KS1 UDP 5004
RTP1 UDP 5000
SIP3 UDP 5036
SIP4 UDP 2727

In the firewall section I've said to allow UDP on -20001 to go to the asterisk server
It looks like this in the firewall rules;
Source *,* Dest *,192.168.x.x UDP,-20001

Also on those extensions that are coming from an external source I've added the externip attribute in the form of

externip="my_dynamic_domain_name_attached_to_my_ip"

here's one of the extensions:

[254]
username=254
type=friend
secret=***
port=5060
nat=yes
mailbox=254
host=dynamic
dtmfmode=rfc2833
context=from-sip-external
canreinvite=no
callerid="Scott Knight" <254>
externip=my.dyndns.org

Any suggestions would be greatly appreciated

Cheers!
ken
[Asterisk-Users] sip and nat not working in 1.0.2
I was testing 1.0.2 with one phone behind a nat. I have it also setup in the sip.conf for nat=yes, but after the phone has registered with asterisk and you look at 'sip show peers' it shows the sip phone Nat=no

Has anyone experienced this problem??
Re: [Asterisk-Users] SIP and NAT: try, try again.
...and to solve another problem, there's my suggestion on support for outbound SIP proxy.

http://bugs.digium.com/bug_view_page.php?bug_id=359

There are corporate networks that use a "SIP proxy proxy" as an ALG, application layer gateway, for all outbound and inbound SIP traffic in the DMZ.

This should work in conjunction with netmask/STUN -

if host does not belong to my network
    send SIP transaction to outbound proxy
else
    send SIP transaction to host
done

This cleverness may cause problems with inside networks consisting of several networks with different netmasks and complicated routing...

I believe outbound proxy should be configured on a host by host basis for sip clients/peers as well as a "default" outbound proxy to use in other situations.

In order to support SIP URL dialling, we have to use a netmask/STUN solution to sort out if the SIP proxy we're trying to reach is ourself, someone on the inside or someone on the outside of our NAT.

/O
[Asterisk-Users] SIP and NAT: try, try again.
In response to the SIP and NAT discussion, I have updated the ticket on the subject that seemed to be getting the most attention: #104.

There are enough clueful people here that perhaps someone can come up with a patch that handles NAT in the elegant way that I describe in the bugnotes, as I am but a mere integrator who has limited C skills. In the absence of such a patch being offered, we await William Waites' patch and disclaimer which will at least be more sufficient than the current externip= method.

Those with an interest in the discussion of how Asterisk should handle being put behind a NAT should direct their attention to:

http://bugs.digium.com/bug_view_page.php?bug_id=104

JT
[Asterisk-Users] SIP and NAT traversal
Hi All,

I found an article that explains SIP NAT woes.

http://www.sipcenter.com/files/SIPNATtraversal.pdf

It is a great read for all people in the mailing list that have problems with SIP when * is behind NAT or when there is NAT between asterisk and a SIP phone.

Serge
Re: [Asterisk-Users] SIP and NAT - more
On Fri, 21 Mar 2003, Mark Spencer wrote:

> have you tried nat=1 in your friend declaration? I notice in your dump it
> says "non-NAT"

I'm in the same situation, trying to debug an ATA 186 behind a NAT. And I'm stuck with "SIP/2.0 407 Proxy Authentication Required" debug messages. Does anyone have any hints on this one?

It would also be nice if someone could post a working ATA186 config. This would help against stupid mistakes in that end.

But back to the NAT/No-NAT issue. What exactly is the difference protocol-wise in between the two of them?

/Chris
Re: [Asterisk-Users] SIP and NAT - more
Thanks -- I didn't realize that needed to be set. It works now, but there's a horrible echo on the sip client side. (I don't know about the other side, as I haven't called any humans yet :) I don't, however, hear an echo when I call voicemail or such .. so I'm assuming it's something with the bridging? I didn't know of any echo cans that need to be enabled for sip - are there? The PSTN line it's connecting out on has echocan and whenbridged enabled.

Here's an example of one of the pstns, they're all built the same, using an Adtran 750 channel bank with current firmware (actually, the last release, which was considered the most stable by most):

context => pstn1
signalling => fxs_ks
amaflags => documentation
echocancel=yes
echocancelwhenbridged=yes
adsi=yes
channel => 17

Ideas?

Thanks

At 09:53 PM 3/21/2003 -0600, you wrote:

> have you tried nat=1 in your friend declaration? I notice in your dump it says "non-NAT"
>
> Mark
>
> On Fri, 21 Mar 2003, denon wrote:
>
>> Oh, and yes, the * is current as of a few days ago .. so it should have
>> that new SIP code mark was working on a while back.
>>
>> Thanks
Re: [Asterisk-Users] SIP and NAT - more
have you tried nat=1 in your friend declaration? I notice in your dump it says "non-NAT"

Mark

On Fri, 21 Mar 2003, denon wrote:

> Oh, and yes, the * is current as of a few days ago .. so it should have
> that new SIP code mark was working on a while back.
>
> Thanks
[Asterisk-Users] SIP and NAT - more
Oh, and yes, the * is current as of a few days ago .. so it should have that new SIP code mark was working on a while back.

Thanks
[Asterisk-Users] SIP and NAT
I'm having some problems getting an ATA186 behind NAT working. When I had it on the same subnet as the Asterisk server, it worked fine. Now I've taken the ATA on the road with me, and it's behind a Dlink router+firewall, doing NAT. I pick it up, hear a dialtone .. the firewall on the asterisk side presently has everything open to this subnet, so I know that's not really an issue. (what needs to be open, though?)

Here's what the * server is giving me in SIP debug, though:

9 headers, 0 lines
Interface is eth0
IP Address is 1.0.0.1
Using latest request as basis request
Sending to 192.168.0.150 : 5060 (non-NAT)
Transmitting (no NAT):
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.0.150:5060
From: sip:[EMAIL PROTECTED]
To: sip:[EMAIL PROTECTED];tag=6b5fab60
Call-ID: [EMAIL PROTECTED]
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Contact:
Content-Length: 0

Suggestions? (IPs have been changed to protect the innocent)

Thanks for any help you can give -- I was sort of relying on using this while I'm on the road.
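The debug line "Sending to 192.168.0.150 : 5060 (non-NAT)" shows the 401 being addressed to the private address in the phone's Via header rather than to the address the packet arrived from. The Python sketch below is an added example, not Asterisk's code or anything posted in the thread: a simplified model of response routing (RFC 3261 Via routing, RFC 3581 rport) whose mode names mirror the nat= values discussed here; the REGISTER, the source address and all function names are constructed for illustration.

```python
import ipaddress
import re

# First Via header: "Via: SIP/2.0/UDP host[:port][;param[=value]]..."
VIA_RE = re.compile(
    r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;:\s,]+)(?::(\d+))?([^\r\n,]*)",
    re.IGNORECASE | re.MULTILINE,
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def top_via(message):
    """Return (host, port, params) from the first Via header of a SIP message."""
    m = VIA_RE.search(message)
    if m is None:
        raise ValueError("no Via header found")
    host, port = m.group(1), int(m.group(2) or 5060)
    params = {}
    for item in m.group(3).split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            params[key.strip().lower()] = value.strip()
    return host, port, params


def via_hidden_by_nat(message, src):
    """True if the Via address is RFC 1918 and differs from the packet source."""
    host, _, _ = top_via(message)
    try:
        via_ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname in Via: cannot classify without DNS
    differs = via_ip != ipaddress.ip_address(src[0])
    return differs and any(via_ip in net for net in RFC1918)


def response_target(message, src, nat_mode):
    """Return the (ip, port) a response is sent to in this simplified model.

    "no": follow the Via sent-by address unless the client asked for rport.
    "yes" / "force_rport": always reply to the observed packet source.
    """
    if nat_mode not in ("no", "yes", "force_rport"):
        raise ValueError("unknown nat mode: %r" % (nat_mode,))
    host, port, params = top_via(message)
    if nat_mode != "no" or "rport" in params:
        return src
    return host, port


def reply_is_lost(message, src, nat_mode):
    """True if the reply is aimed at a private address the server cannot reach."""
    return (via_hidden_by_nat(message, src)
            and response_target(message, src, nat_mode) != src)


# Constructed REGISTER as sent by a phone behind NAT (not from the thread).
REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.150:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:ata@pbx.example.net>;tag=1\r\n"
    "To: <sip:ata@pbx.example.net>\r\n"
    "Call-ID: constructed-1@192.168.0.150\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed public address and port of the NAT box, as seen by the server.
OBSERVED_SRC = ("203.0.113.7", 40213)

if __name__ == "__main__":
    for mode in ("no", "yes"):
        state = "lost" if reply_is_lost(REGISTER, OBSERVED_SRC, mode) else "delivered"
        print(mode, response_target(REGISTER, OBSERVED_SRC, mode), state)
```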