Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
At 11/3/03 6:57 PM, Anthony Wood [EMAIL PROTECTED] wrote: Internals can use the IP address of the NAT box as the Asterisk Server IP and then it should work. This doesn't work on my NAT box, unfortunately. Devices behind the NAT can't connect to the public IP address and talk to other devices behind the NAT. Don't know why (cheapo NAT box, most likely; it's part of my DSL modem), but I believe this situation is fairly common. -- Robert L Mathews, Tiger Technologies http://www.tigertech.net/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
This looks to me like the approach that Pingtel took for NAT. I think it is a good option to have but having STUN as an additional option is really what we want. You can find an implementation of a STUN library and apps at www.vovida.org. The External IP approach has some flaws and can be a pain to configure for people that do not know what is actually being done with this data. I will try to explain this since I have to test this stuff on vendor phones every day... SIP is a text-based protocol which means that address information is embedded in each SIP message as text. Unfortunately, most routers, etc. do not have a SIP ALG so the address information in the UDP or TCP connections get corrected through the NAT function, the payload which in this case is SIP and SDP (RTP setup messages) do not get translated. The other end of the call outside your private network sees your private IP addresses and cannot route to them. External IP basically says put this address in the SIP and SDP messages instead of my private address. The problem here is that if your lease is up on your ISP connection and the renew gives you another address, you're out of business until you update your settings. The other thing is, you must port forward your SIP port (usually 5060) and every incoming RTP/RTCP port pairs from the NAT router to Asterisk. STUN is pretty simple and works well. This feature actually queries a STUN server on the public side and askes what does your external IP and port look like. It also determines the level of IP security that your are using. (Read the RFC on STUN, it is usefull) You don't have to port forward anything because STUN enabled devices take advantage of the ALG in most firewalls that maps incoming traffic back to the app (Asterisk in this case) if the packets arrive at the same address/port that packets just went out. If the connection is idle for more than a set number of seconds, the mapping is automatically deleted. This is why you see the devices pinging each other every so often. This allows an incoming call to reach the SIP port. Having BOTH External IP and STUN would give us the greatest flexibility because if we didn't have a STUN server on the other end we could manually set it. Martin Pycko wrote: It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Robert Mann wrote: Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. Robert, You need to get Asterisk onto a public IP address.. Using the DMZ function on the router will not work.. If you search the archives you will see that it has been attempted many times.. The reason is not in the IP but in the SIP headers.. they will be sent out from the Asterisk server with the internal IP address of the server, this means that when the SIP UA reads the SIP message and responds it will respond to the incorrect IP address.. So the basic rules where NAT is involved are.. Asterisk server must always be on a public IP address.. SIP UA's can be behind NAT but need nat=yes, canreinvite=no and qualify=yes set in the phone configuration in sip.conf.. Hope that helps.. Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
WipeOut wrote: So the basic rules where NAT is involved are.. Asterisk server must always be on a public IP address.. You keep saying this, but it is not correct. I have several asterisk servers running behind NAT servers, and they function perfectly. I won't say configuring them was as easy as doing the ones on public IPs, but it is not impossible, just tricky. B. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Shoval Tom wrote: Isn't putting asterisk on the public IP network a bad idea? Is it a bad idea?, Not really if you take the right precautions..From how you described your setup you have connected your server directly to the internet anyway.. If you nominated you Asterisk box as the DMZ host in your router it effectively is directly on the internet.. if you havent secured the box itself I suggest you do.. :) What about security? This is somthing that you will need to take care of.. Of course some people's opinions on securing a PC is to not connect it to the internet at all, of course that is a little silly.. You will have to decied on the level of security you are happy with.. This is a topic that can be debated for days so I will not get into it any further than that.. And how will all us newbies make the linux box as secure as possible? The quickest way is to setup an IPTABLES firewall.. You will need ports 5060 and 1 to 2 open for a default Asterisk install using SIP only.. (NOTE: make sure you know how to activate and deactivate IPTABLES from a command line because while you are playing there is a good chance you will lock yourself out of the server from any remote PC and you can even break Xwindows running locally with a firewall..) Later.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WipeOut Sent: Monday, November 03, 2003 11:05 AM To: [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing Robert Mann wrote: Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. Robert, You need to get Asterisk onto a public IP address.. Using the DMZ function on the router will not work.. If you search the archives you will see that it has been attempted many times.. The reason is not in the IP but in the SIP headers.. they will be sent out from the Asterisk server with the internal IP address of the server, this means that when the SIP UA reads the SIP message and responds it will respond to the incorrect IP address.. So the basic rules where NAT is involved are.. Asterisk server must always be on a public IP address.. SIP UA's can be behind NAT but need nat=yes, canreinvite=no and qualify=yes set in the phone configuration in sip.conf.. Hope that helps.. Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
WipeOut wrote: Shoval Tom wrote: And how will all us newbies make the linux box as secure as possible? The quickest way is to setup an IPTABLES firewall.. You will need ports 5060 and 1 to 2 open for a default Asterisk install using SIP only.. Visit the Wiki page http://www.voip-info.org/tiki-index.php?page=Asterisk+security where you'll find some information about security in Asterisk. (And some missing pages, which I invite other mailing list readers to write!) There's a pointer on that page to a page with a suggested IPTABLES setup. And, as WipeOut stated, make sure you are aware of what you're doing when managing IPTABLES. Of course, no one else than Wipeout have locked himself from the system, no way, we're pro's ;-) hrmm Regards, /Olle ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. You need to get Asterisk onto a public IP address.. Using the DMZ function on the router will not work.. If you search the archives you will see that it has been attempted many times.. I don't believe a public IP address is required in this case. I've not actually tried * on a Linksys DMZ, however it appears that Linksys is exposing all tcp udp ports and only doing basic NAT. If that impression is true, it should work. The reason is not in the IP but in the SIP headers.. they will be sent out from the Asterisk server with the internal IP address of the server, this means that when the SIP UA reads the SIP message and responds it will respond to the incorrect IP address.. I don't think that is what keeping the original poster's system from working. The issue is one extension is configured for canreinvite=no and the other is canreinvite=yes. One extension believes all RTP must be passed through * while the other is attempting to negotiate a phone-to-phone RTP session, thus dropping the audio. There may be some exceptions somewhere, but asterisk located behind a nat box can work and others have done it. But, it really requires a basic understanding of how the sip protocol does call setup, the functions implemented in the sip phones, and the ability to see what each box is doing in order to set acceptable perameters in each. One of the key issues in making it work is an understanding that sip phones (not asterisk) initiates the majority of all actions. By that I mean: 1. sip phones must register with * on udp 5060, which is simple layer-3 functions that can be handled by 99% of all nat products. 2. sip phone to sip phone calls can be handled in two ways: a. canreinvite=no (all rtp traffic passes through asterisk on rtp udp ports that can be specified and properly handled by nat boxes) b. canreinvite=yes (allowing the two sip phones to negotiate the rtp channel without asterisk involvement) 3. In both 2a and 2b (for the original poster), the sip phones initiate the rtp negoitiation process and therefor asterisk does not have to rewrite the sip headers (only the sip phones). Asterisk already knows what the Internet address is of the remote sip phone because the sip phone told it (via it rewriting the header). The original poster should be able to get either 2a or 2b to work with the appropriate nat box mappings and sip configuration parameters. He can't expect it to work when you tell one sip phone to rtp one way and tell the second sip phone to do it different way. If the same original poster had indicated that 100 sip phones existed on the Internet and another 100 existed on his internal nat'ed network, then the answer to his question may be completely different. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
WARNING!!! (from bilbo.inter.net.il) The following message attachments were flagged by the antivirus scanner: Attachment [2.1] , scan failed: Internal error (0x11). Action taken: incomplete scan My asterisk server is inside my LAN. Our branch office is connected to here via VPN tunnel, traversing several FWs and VPN appliances. And we've been able to make sip to sip phone calls. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WipeOut Sent: Monday, November 03, 2003 1:41 PM To: [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing Shoval Tom wrote: Isn't putting asterisk on the public IP network a bad idea? Is it a bad idea?, Not really if you take the right precautions..From how you described your setup you have connected your server directly to the internet anyway.. If you nominated you Asterisk box as the DMZ host in your router it effectively is directly on the internet.. if you havent secured the box itself I suggest you do.. :) What about security? This is somthing that you will need to take care of.. Of course some people's opinions on securing a PC is to not connect it to the internet at all, of course that is a little silly.. You will have to decied on the level of security you are happy with.. This is a topic that can be debated for days so I will not get into it any further than that.. And how will all us newbies make the linux box as secure as possible? The quickest way is to setup an IPTABLES firewall.. You will need ports 5060 and 1 to 2 open for a default Asterisk install using SIP only.. (NOTE: make sure you know how to activate and deactivate IPTABLES from a command line because while you are playing there is a good chance you will lock yourself out of the server from any remote PC and you can even break Xwindows running locally with a firewall..) Later.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WipeOut Sent: Monday, November 03, 2003 11:05 AM To: [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing Robert Mann wrote: Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. Robert, You need to get Asterisk onto a public IP address.. Using the DMZ function on the router will not work.. If you search the archives you will see that it has been attempted many times.. The reason is not in the IP but in the SIP headers.. they will be sent out from the Asterisk server with the internal IP address of the server, this means that when the SIP UA reads the SIP message and responds it will respond to the incorrect IP address.. So the basic rules where NAT is involved are.. Asterisk server must always be on a public IP address.. SIP UA's can be behind NAT but need nat=yes, canreinvite=no and qualify=yes set in the phone configuration in sip.conf.. Hope that helps.. Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin On Mon, 3 Nov 2003, WipeOut wrote: Robert Mann wrote: Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. Robert, You need to get Asterisk onto a public IP address.. Using the DMZ function on the router will not work.. If you search the archives you will see that it has been attempted many times.. The reason is not in the IP but in the SIP headers.. they will be sent out from the Asterisk server with the internal IP address of the server, this means that when the SIP UA reads the SIP message and responds it will respond to the incorrect IP address.. So the basic rules where NAT is involved are.. Asterisk server must always be on a public IP address.. SIP UA's can be behind NAT but need nat=yes, canreinvite=no and qualify=yes set in the phone configuration in sip.conf.. Hope that helps.. Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Hi! I don't think that is what keeping the original poster's system from working. The issue is one extension is configured for canreinvite=no and the other is canreinvite=yes. One extension believes all RTP must be passed through * while the other is attempting to negotiate a phone-to-phone RTP session, thus dropping the audio. Are you sure this is 100% correct? I have some doubts since: - you'd have to consider all possible connection permutations between all clients and then set canreinvite= accordingly, which doesn't sound like it makes much sense - sip.conf is for * only, the data are not seen or read by the SIP UA themselves. Thus it would appear that it is up to * to permit/not permit a reinvite between the two UAs So bascially from my understanding things work like this: Once one of the SIP call parties has a canreinvite=no it won't matter what the other party's setting looks like, RTP traffic will travel through * anyway. Am I wrong here? Philipp ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Hi! How to use that externip new parameter? Where in sip.conf and what is the format? thanks - Original Message - From: Martin Pycko [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 03, 2003 3:34 PM Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin, Could you please explain the use of the new externip keyword. Is it a [general] keyword or something configurable for SIP host/peers/friends? Thank you! /Olle ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
According to the source, it goes in the general section of sip.conf: } else if (!strcasecmp(v-name, externip)) { if (!(hp = gethostbyname(v-value))) { ast_log(LOG_WARNING, Invalid address for externip keyword: %s\n, v-value); } else { memcpy(__ourip, hp-h_addr, sizeof(__ourip)); use_external_ip = 1; } Apparently, it expects the IP address that you want to use instead of the default (bindaddr, I guess?). Can someone tell me, does the second line that I quoted, with the gethostbyname function mean that it will accept a hostname instead of just an IP? This would be really really good for Dynamic IP users. Note: I'm not savy enough to figure out how often this variable is refreshed! This was taken from the CVS Viewer at: http://asterisk.espia-net.net/ chan_sip.c: http://asterisk.espia-net.net/horde/chora/co.php/asterisk/channels/chan_sip.c?login=2r=1.204 - Andrew Thompson - Original Message - From: Martin Pycko [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 03, 2003 12:34 PM Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users [EMAIL PROTECTED])fjåËbú?jË^®+$ºÇ«
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Martin Pycko wrote: It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Hmmm. According to the sip.conf example: [general] externip = 200.201.202.203 :Address that we're going to put in SIP messages if we're behind a NAT Does this apply only for register= connections, where Asterisk acts as a client UA? Or all SIP Sessions? Can we apply this only on ONE register= connection, but not as a default? That would be done not in [general] but in a [hostname] section of sip.conf. /O ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Download the new code and see in asterisk/configs/sip.conf.sample It can't be easier than that. Martin On Mon, 3 Nov 2003, listas iPfone wrote: Hi! How to use that externip new parameter? Where in sip.conf and what is the format? thanks - Original Message - From: Martin Pycko [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 03, 2003 3:34 PM Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
It's for setting asterisk box with SIP support behind a NAT. You need to do port redirection of eg. 5060 and then setup externip=ip_of_your_nat_gateway Martin On Mon, 3 Nov 2003, Andrew Thompson wrote: According to the source, it goes in the general section of sip.conf: } else if (!strcasecmp(v-name, externip)) { if (!(hp = gethostbyname(v-value))) { ast_log(LOG_WARNING, Invalid address for externip keyword: %s\n, v-value); } else { memcpy(__ourip, hp-h_addr, sizeof(__ourip)); use_external_ip = 1; } Apparently, it expects the IP address that you want to use instead of the default (bindaddr, I guess?). Can someone tell me, does the second line that I quoted, with the gethostbyname function mean that it will accept a hostname instead of just an IP? This would be really really good for Dynamic IP users. Note: I'm not savy enough to figure out how often this variable is refreshed! This was taken from the CVS Viewer at: http://asterisk.espia-net.net/ chan_sip.c: http://asterisk.espia-net.net/horde/chora/co.php/asterisk/channels/chan_sip.c?login=2r=1.204 - Andrew Thompson - Original Message - From: Martin Pycko [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 03, 2003 12:34 PM Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ÿÿÿÀ²×«ÉÿRÇ«²f¢)à+-Ë^®+$ýK®ÏåËlýØ éÿr¡¶Úÿÿùb²Ûÿv(ºoÜ¢oæj)fjåËbú?jË^®+$þë ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
At 11/3/03 10:00 AM, Martin Pycko [EMAIL PROTECTED] wrote: Is externip and new parameter?? It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Does it take an IP address, like externip=1.2.3.4? And does it then force the SIP messages for that channel to use the externip value instead of the server's local IP address? If so, that's useful; it will help people who know in advance that a certain phone is on one side of a NAT or the other. However, it would be nicer still if it could fix the SIP messages only when necessary, using a subnet mask or STUN, as has been proposed. The reason is that hard-coding an IP address to use when communicating with a certain client means you can't have a phone in an office (on the same side of the NAT as Asterisk) during the day, then take the phone home at night (on the other side of the NAT) and have it work without changing sip.conf. -- Robert L Mathews, Tiger Technologies http://www.tigertech.net/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
It's not for phones, it's for asterisk behind a NAT. Martin On Mon, 3 Nov 2003, Robert L Mathews wrote: At 11/3/03 10:00 AM, Martin Pycko [EMAIL PROTECTED] wrote: Is externip and new parameter?? It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Does it take an IP address, like externip=1.2.3.4? And does it then force the SIP messages for that channel to use the externip value instead of the server's local IP address? If so, that's useful; it will help people who know in advance that a certain phone is on one side of a NAT or the other. However, it would be nicer still if it could fix the SIP messages only when necessary, using a subnet mask or STUN, as has been proposed. The reason is that hard-coding an IP address to use when communicating with a certain client means you can't have a phone in an office (on the same side of the NAT as Asterisk) during the day, then take the phone home at night (on the other side of the NAT) and have it work without changing sip.conf. -- Robert L Mathews, Tiger Technologies http://www.tigertech.net/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
--- Robert L Mathews [EMAIL PROTECTED] wrote: At 11/3/03 10:00 AM, Martin Pycko [EMAIL PROTECTED] wrote: Is externip and new parameter?? It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Does it take an IP address, like externip=1.2.3.4? And does it then force the SIP messages for that channel to use the externip value instead of the server's local IP address? If so, that's useful; it will help people who know in advance that a certain phone is on one side of a NAT or the other. However, it would be nicer still if it could fix the SIP messages only when necessary, using a subnet mask or STUN, as has been proposed. The reason is that hard-coding an IP address to use when communicating with a certain client means you can't have a phone in an office (on the same side of the NAT as Asterisk) during the day, then take the phone home at night (on the other side of the NAT) and have it work without changing sip.conf. Hasn't anyone simply _looked_ at the code? This sounds like the patch that was posted here to this mailing list last week. Did it make it into CVS already? Yes, STUN is the way to go. It can find out what your external IP address is and what kind of firewall you have. I'm currently trying to learn more about STUN and how it could be added into Astrisk. You certaily can't have Asterisk block and wait for a STUN server so I think STUN goes in a new thread. Who to do that? There seem to be enough examples already in Asterisk I'm reading these. The other problem is trying to contact the maintainer of the STUN library. So far my own post asking Who maintains this? is the only message I've seen on their list. Perhaps the answer is no one? = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
I'm replying to my own post because it is not clear. 1) STUN can find all the firewalls between Aterisk and whatever else. It can also find what your public IP address it. 2) THere is an easy to use opensource STUN library available but I'm not yet sure how acivly developed it is currently. It's e-mail list seems very inactive. 3) Suggestions please: Where is Asterisk should STUN code go? I figure not in any of the chan_*.c routines as NAT environment is global to all channels. You can't just do it once at startup either as the environment may be dynamic --- Chris Albertson [EMAIL PROTECTED] wrote: Hasn't anyone simply _looked_ at the code? This sounds like the patch that was posted here to this mailing list last week. Did it make it into CVS already? Yes, STUN is the way to go. It can find out what your external IP address is and what kind of firewall you have. I'm currently trying to learn more about STUN and how it could be added into Astrisk. You certaily can't have Asterisk block and wait for a STUN server so I think STUN goes in a new thread. Who to do that? There seem to be enough examples already in Asterisk I'm reading these. The other problem is trying to contact the maintainer of the STUN library. So far my own post asking Who maintains this? is the only message I've seen on their list. Perhaps the answer is no one? = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Will extern IP work if I had multiple phones connected behind NAT? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Pycko Sent: Monday, November 03, 2003 8:35 PM To: [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Fwd: RE: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
MOD NOTE:Please kill/bounce my other email, it was accidental. I just pulled down the newest CVS and recompiled. FWD (free world dialup) works now from *, and I AM behind a NAT. I've nearly given up on the xten lite, iaxcomm sounds better. I'll be trying the other win app thats up-and-coming on the list later. It seems to have broken iptel, but that's not as important to me right now. Perhaps there could be some flag on the register line to turn the externip on or off. -- Andrew Thompson Quoting Martin Pycko [EMAIL PROTECTED]: It doesn't care about the phones. If you phones are behind nat use nat=yes for each defined account. Martin On Tue, 4 Nov 2003, Shoval Tom wrote: Will extern IP work if I had multiple phones connected behind NAT? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Pycko Sent: Monday, November 03, 2003 8:35 PM To: [EMAIL PROTECTED] Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Martin On Mon, 3 Nov 2003, WipeOut wrote: Martin Pycko wrote: You can port forward the 5060 SIP port and use externip keyword in sip.conf to have it working behind a NAT. Martin Martin, Is externip and new parameter?? Does it do a similar thing for the server as what nat=yes does for the phone? Later.. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users - End forwarded message - ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
(B (B (BI've been using asterisk-0.5.0. (B (BI've been reading about the externip param (it (Blooks like it is only available in the lastest releases). (B (BCould someone tell me the version number (or tag) (Bto check out of CVS so I can get this functionality? (B (B(And, if its not too much trouble, could someone (Btell me the cvs command to check it out? I've already checked out (Bthe (Blatest release with cvs checkout asterisk but it (Bgives me a segmentation violationas soon as I make an incoming H.323 (Bconnection.) (B (BMy configuration is RedHat 9.0, (Bopenh323 1.12.2 (Bpwlib_1.5.2 (Bgnugk-2.0.6 (Band the 14 Oct 2003 version of ser. (B (BThanks, (B (B (BBill (B (B
RE: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
On Mon, 3 Nov 2003 17:10:10 -0600 (CST), Martin Pycko wrote It doesn't care about the phones. If you phones are behind nat use nat=yes for each defined account. The fix is incorrect. Asterisk chan_sip.c must distinguish between SIP peers that are behind the firewall (together with the *) and those that are on the outside. Either the configuration flag use_extern_ip must be specific to a peer, or it must be figured out in some other way. A global variable won't do since it creates a situation where either external or internal peers will work but not both. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
I don't think that is what keeping the original poster's system from working. The issue is one extension is configured for canreinvite=no and the other is canreinvite=yes. One extension believes all RTP must be passed through * while the other is attempting to negotiate a phone-to-phone RTP session, thus dropping the audio. Are you sure this is 100% correct? I have some doubts since: No, not sure at all as there isn't enough actual data in the original posters message to qualify the root-cause. - you'd have to consider all possible connection permutations between all clients and then set canreinvite= accordingly, which doesn't sound like it makes much sense Given the original data, the permutations is two extns, nothing more. One inside and one outside. - sip.conf is for * only, the data are not seen or read by the SIP UA themselves. Thus it would appear that it is up to * to permit/not permit a reinvite between the two UAs So bascially from my understanding things work like this: Once one of the SIP call parties has a canreinvite=no it won't matter what the other party's setting looks like, RTP traffic will travel through * anyway. Don't believe that understanding is correct. Assuming no parameters within the * sip.conf to suggest otherwise, when phone #1 calls phone #2 asterisk initiates the call by communicating with the caller (phone #1). The caller starts the RTP-port-negotiation process with phone #2. If phone #2 calls phone #1 and fails (which was the case stated by the poster based only on my memory, which could be wrong), the problem is pointing directly to the differences within the extn definitions in sip.conf. One phone is told to negotiate directly with the second phone (within asterisk), and the second phone is told not to negotitate the rtp channel within asterisk. Since the nat device is only one way communications, what fails? RTP. ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
On Mon, Nov 03, 2003 at 09:46:40PM -0400, William Waites wrote: On Mon, 3 Nov 2003 17:10:10 -0600 (CST), Martin Pycko wrote It doesn't care about the phones. If you phones are behind nat use nat=yes for each defined account. The fix is incorrect. Asterisk chan_sip.c must distinguish between SIP peers that are behind the firewall (together with the *) and those that are on the outside. Either the configuration flag use_extern_ip must be specific to a peer, or it must be figured out in some other way. A global variable won't do since it creates a situation where either external or internal peers will work but not both. Internals can use the IP address of the NAT box as the Asterisk Server IP and then it should work. i.e. don't set your internal SIP UAs to connect to the internal IP address of the Asterisk Server. The fix allows asterisk to work together with the NAT box to appear to all concerned as if it has a real IP address. cheers, Woody ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Martin Pycko wrote: It's new. It prevents asterisk from putting the private IP in the messages that asterisk sends with SIP. Hmmm. According to the sip.conf example: [general] externip = 200.201.202.203 :Address that we're going to put in SIP messages if we're behind a NAT Does this apply only for register= connections, where Asterisk acts as a client UA? Or all SIP Sessions? Can we apply this only on ONE register= connection, but not as a default? That would be done not in [general] but in a [hostname] section of sip.conf. /O Indeed, sip.conf needs a major overhaul to handle this and quite a few other tricks that the more 'advanced' users require. See the thread I started some time ago that died out very quickly: http://www.mail-archive.com/[EMAIL PROTECTED]/msg01058.html JT ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
At 11/3/03 2:41 PM, Martin Pycko [EMAIL PROTECTED] wrote: It's not for phones, it's for asterisk behind a NAT. My apologies; I'm not making my question clear. I realize this option is for Asterisk behind a NAT, but of course Asterisk uses this parameter to talk to SIP clients (which I referred to, perhaps too specifically, as phones), and that's what I meant. In other words, Asterisk might be talking to SIP phones on either side of the NAT. A given SIP phone acting as an extension may be on the same private network as Asterisk, or it may be on the other side of the NAT (out on the public Internet, possibly even behind its own NAT on the other end). Imagine I have both Asterisk and a SIP phone on my local office network using private IP addresses, and I also have a second SIP phone that is in another location, at someone's home office on the public Internet. The externip=a.b.c.d doesn't help in this situation, because it forces Asterisk to use the external IP address in all cases, which breaks the functionality for local phones. That is, the new option presumably makes it possible to have *all* your SIP phones on the other side of the NAT from Asterisk, but you can't some phones on both sides. (Indeed, I just tried it, and using externip=something prevents SIP phones on the same private network as Asterisk from working.) In Bug ID 104, a patch was suggested that takes the netmask into effect and makes the right decision for phones on either side of the NAT. However, the code that was added for externip in the current CVS isn't that patch; it's just a way of giving me a choice of having SIP phones on the outside of the NAT working, or having SIP phones on the inside of the NAT working, but not both at the same time. I guess I'm curious why the hard-coded global option was used, because it doesn't really solve the problem in the general case. The whole trouble with NAT is that Asterisk may need to use a different IP address depending on the IP address of the SIP client it's communicating with, and that address needs to be determined on the fly. In a perfect word, this would all be handled by magic so it required no configuration (e.g., STUN), but the patch in 104 would at least allow phones on both sides of the NAT to work with a small amount of configuration, which isn't possible now with the CVS code. Thanks again for the hard work you're putting in to Asterisk! -- Robert L Mathews, Tiger Technologies http://www.tigertech.net/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
On Tue, 4 Nov 2003 13:00:44 +1100, Anthony Wood wrote Internals can use the IP address of the NAT box as the Asterisk Server IP and then it should work. i.e. don't set your internal SIP UAs to connect to the internal IP address of the Asterisk Server. The fix allows asterisk to work together with the NAT box to appear to all concerned as if it has a real IP address. That only true for some NAT implementations and configurations. It is not robust in general. It would require double the ipfilter configuration and double the traffic on my NetBSD gateway, for example. The patch I submitted last week addresses this problem. Cheers, -w ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
--- John Todd [EMAIL PROTECTED] wrote: I'm replying to my own post because it is not clear. 1) STUN can find all the firewalls between Aterisk and whatever else. It can also find what your public IP address it. Correct. 2) THere is an easy to use opensource STUN library available but I'm not yet sure how acivly developed it is currently. It's e-mail list seems very inactive. My perception of the STUN code is that it's fairly simple to understand, and that it just works, therefore there are few questions on a mature package that needs no additional features at this time. I could be wrong... The developers describe their work as alpha Perhaps that description needs updating but they've not done so yet. Current version is 0.8.3 But it dose look resonably complete and easy to use 3) Suggestions please: Where is Asterisk should STUN code go? I figure not in any of the chan_*.c routines as NAT environment is global to all channels. You can't just do it once at startup either as the environment may be dynamic I don't see why it wouldn't go into the respective channel configuration files, and into the applications that ran against those files. Perhaps reference some shared library, but I suspect that the configurations should be in each file independently, so each channel type can carry it's own data structures for internal/external IP address data (which you may want to be different on a channel-by-channel or even host-by-host basis.) What STUN tells you is the characteristics of a firewall. Hard to see how a firewall possibly not even under your control can chage on a per-channel basis. Possibly, I think we make a STUN module that any channel can call. The module contains a cache of stun results. I think this lets each channel look at different interfaces while reducing the global number of STUN querries. WHat I'm afraid of is the time. A call to the STUN library can take many seconds to return. You can't hang a channel waiting that long. The call to the stun lib should be asynchronus JT --- Chris Albertson [EMAIL PROTECTED] wrote: Hasn't anyone simply _looked_ at the code? This sounds like the patch that was posted here to this mailing list last week. Did it make it into CVS already? Yes, STUN is the way to go. It can find out what your external IP address is and what kind of firewall you have. I'm currently trying to learn more about STUN and how it could be added into Astrisk. You certaily can't have Asterisk block and wait for a STUN server so I think STUN goes in a new thread. Who to do that? There seem to be enough examples already in Asterisk I'm reading these. The other problem is trying to contact the maintainer of the STUN library. So far my own post asking Who maintains this? is the only message I've seen on their list. Perhaps the answer is no one? = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
In Bug ID 104, a patch was suggested that takes the netmask into effect and makes the right decision for phones on either side of the NAT. However, the code that was added for externip in the current CVS isn't that patch; it's just a way of giving me a choice of having SIP phones on the outside of the NAT working, or having SIP phones on the inside of the NAT working, but not both at the same time. There were two patches last wheek that did the right thing. and checked before stuffing in the external IP address. These were developed independently. Who ever put the code into CVS goofed if the subnet check was ommitted. Easy enough to fix your own prevate copy of chan_sip.c until things get put right. I guess I'm curious why the hard-coded global option was used, because it doesn't really solve the problem in the general case. The whole trouble with NAT is that Asterisk may need to use a different IP address depending on the IP address of the SIP client it's communicating with, I'm assuming the reason why is simply a cut and past goof up. STUN reduce the need for much manual configuration. The final fix will be to have chan_sip.c look at the results of a STUN query and then put the right stuff in the SIP packets, be that the external IP address or something else. Another very much needed fix to SIP is to allow Astrisk to use SIP proxys. Just this one thing would allow Asterisk to rout SIP via (say) SER. and SER can do magic with the headers and users a perl-like config file that alows complex SIP routing. = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
--- William Waites [EMAIL PROTECTED] wrote: snip That only true for some NAT implementations and configurations. It is not robust in general. It would require double the ipfilter configuration and double the traffic on my NetBSD gateway, for example. The patch I submitted last week addresses this problem. Did your patch make it to CVS? Sorry for being lazy and not looking. From the sounds of thing maybe only half the patch made it But I'm not at the right machine to look at present. = Chris Albertson Home: 310-376-1029 [EMAIL PROTECTED] Cell: 310-990-7550 Office: 310-336-5189 [EMAIL PROTECTED] KG6OMK __ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
On Mon, 3 Nov 2003 19:33:36 -0800 (PST), Chris Albertson wrote Did your patch make it to CVS? Sorry for being lazy and not looking. From the sounds of thing maybe only half the patch made it But I'm not at the right machine to look at present. No, but it may have something to do with the corporate machinery churning out a faxed disclaimer -- I'm not sure if that's actually been done yet. The patch (against then current CVS -- there have been some other changes since then) is at http://lists.digium.com/pipermail/asterisk-dev/2003-October/002150.html -w ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
Robert, Try adding canreinvite=no to extn 2000 and reload asterisk. In your specific case, it needs to be on each sip.conf extn definition. Rich Problem I have is this. outside firewall (extension 2003) can call me inside firewall (extension 2000) and all is fine. If I call from inside firewall (extension 2000) to outside firewall (extension 2003) I hear no ringing and person at other end can pick up and I hear for maybe a half second then I go to voicemail. If I add another extension on the outside then communication between outside and outside through * is not possible at all. I know I can not be the only one who has tried to do this. Please any help would be greatly appreciated. My configuration. Asterisk Server -- Linux RedHat 9.0 Asterisk CVS Update - 11/02/03 around 10:00AM PT Zaptel CVS Update - 11/02/03 around 10:00AM PT LinkSys Router with Asterisk server set as DMZ host. Desktop Computer #1 --- Windows XP Xten X-Pro build 1082 Behind same LinkSys router. extension 2000 in asterisk Desktop Computer #2 --- Windows XP Xten X-Pro build 1082 Not behind any firewall. extension 2003 in asterisk sip.conf ; General definitions for the sip.conf file. [general] port = 5060 bindaddr = 0.0.0.0 allow = gsm context = bogon-calls ; Default any unknown calls ; [2000] type=friend username=2000 secret=grinch host=dynamic defaultip=192.168.1.210 context=trusted nat=yes qualify=1000 mailbox=2000 ; [2003] type=friend username=2003 secret=grinch host=dynamic context=normal nat=yes canreinvite=no mailbox=2003 extensions.conf [globals] ; Variables to VoIP extensions by name ROBERT=SIP/2000 [general] static=yes ; These two lines prevent the command-line interface writeprotect=yes ; from overwriting the config file. Leave them here. [bogon-calls] ; Bogus calls if they find there way in to the system without authorization some how. exten = _.,1,Congestion ; if someone accidentally finds there way here give them a fast busy. [stations] exten = 2000,1,Dial(SIP/2000,20) exten = 2000,2,Voicemail(u2000) exten = 2000,102,Voicemail(b2000) exten = 2000,103,Hangup ; exten = 2003,1,Dial(SIP/2003,20) exten = 2003,2,Voicemail(u2003) exten = 2003,102,Voicemail(b2003) exten = 2003,103,Hangup ; exten = 2997,1,VoicemailMain(2997) exten = 2998,1,VoicemailMain(2998) exten = 2999,1,VoicemailMain(${CALLERIDNUM}) ; ; Direct Dial. For those trusted to use the phone properly. [directdial] exten = 9,1,Dial(Zap/g1/${EXTEN:1}) exten = 9,2,Congestion include = international ; ; International calling code and prefix used for users trusted to make international calls. [international] exten = _9011.,1,Dial(Zap/g1/${EXTEN:1}) exten = _9011.,2,Congestion include = longdistance ; ; Long distance calling code and prefix used for users trusted to make long distance calls. [longdistance] exten = _91NXXNXX,1,Dial(Zap/g1/${EXTEN:1}) exten = _91NXXNXX,2,Congestion include = local ; ; Local calling code and prefix used for users trusted to make local calls. [local] exten = _9NXX,1,Dial(Zap/g1/${EXTEN:1}) exten = _9NXX,2,Congestion ; ; Trusted users from sip.conf who are able to fully use the phone. [trusted] include = stations include = directdial ; ; Normal users from sip.conf who are able to make local calls only. [normal] include = stations include = local ; ; Public area for people who are only allowed to make calls to other extensions [public] include = stations ; ; When someone calls the work line of XXX-XXX- they are directed through this. [inbound-work] exten = s,1,Zapateller(answer|nocallerid) exten = s,2,Dial(${ROBERT},20) exten = s,3,Voicemail(u2997) exten = s,4,Hangup exten = s,103,Voicemail(b2997) exten = s,104,Hangup ; ; When someone calls the home line of XXX-XXX- they are directed through this. [inbound-home] exten = s,1,Dial(${ROBERT},20) exten = s,2,Voicemail(u2998) exten = s,3,Hangup exten = s,102,Voicemail(b2998) exten = s,103,Hangup Robert ---End of Original Message- ___ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users