Re: [Asterisk-Users] More NAT questions -- SOLVED
Hi, all Got it to work finally. Thanks to all. Had to add [general] externip=xxx.xxx.xxx.xxx ;ip address of your nat firewall (public ip) localnet=192.168.0.0/24; the local subnet where the asterisk box is Actually, I had 'externip' before, but I have added 'localnet' one. I also had to do port forwarding on the NAT near to PHONE 2 to pass port 5060 to the phone. This is needed if you ever want to call this phone. I can e-mail my sip.conf to anyone who is interested. Rudolf - Original Message - From: Julian J. M. [EMAIL PROTECTED] To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com Sent: Thursday, March 03, 2005 4:11 AM Subject: Re: [Asterisk-Users] More NAT questions In you asterisk sip.conf: [general] externip=xxx.xxx.xxx.xxx ;ip address of your nat firewall (public ip) localnet=192.168.0.0/24; the local subnet where the asterisk box is If you don't externip, externip will never be used, because asterisk won't know WHEN to use it. Also, define canreinvite=no in your sip phones sections, as was suggested above. Julian J. M. On Wed, 2 Mar 2005 23:26:56 +1100, Rudolf Ladyzhenskii [EMAIL PROTECTED] wrote: Hi, all Still trying to get NAT working. I have following setup: PHONE 1 -- * BOX | NAT/Firewall | | NAT/Firewall | | PHONE 2 Firewall next to phone 2 has all ports open. Firewall next to Asterisk has open ports 5060 and 1:2. All of those are forwarded to Asterisk box. Both phones succesfully register with Asterisk. (I had to add NAT=yes to configuration of PHONE 2 in sip.conf to get this far). Now, problems: I can place a call from PHONE2 to PHONE1, but sound path is not established. Calls from PHONE1 to PHONE2 can not be placed at all. (I assume that this is because port 5060 is not forwarded to the phone at NAT/Firewall, but more on it later). Looking at SIP debug info, Asterisk tries to use local address of PHONE2 instead of its public IP. As a result, no info can be sent to it. I have tried to install SIPROXD on the NAT/Firewall close to Asterisk box, but this did not help. Now, we have tried to use one of the commercial VoIP service at PHONE2 location. We had to use their phone and it worked just fine without any alterations to NAT/Firewall device. I am pretty sure that they use SIP, so they did resolve the problem somehow. Sorry, there is no technical info available on this service. Did anyone succeeded in doing this setup? I know, IAX is a better way, but I can not setup many Asterisk boxes. Basically, I am doing it for a friend. He is working for a small medical company. They have number of offices that are not open every day and offices are too small to put Asterisk box in each one. There will be 1-3 IP phones in each office, except central one. Central one will need Asterisk, the rest should be on their own. Any help is greatly appreciated. Thanks, Rudolf ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] More NAT questions
Still trying to get NAT working. I have following setup: PHONE 1 -- * BOX | NAT/Firewall | | NAT/Firewall | | PHONE 2 Firewall next to phone 2 has all ports open. Firewall next to Asterisk has open ports 5060 and 1:2. All of those are forwarded to Asterisk box. Both phones succesfully register with Asterisk. (I had to add NAT=yes to configuration of PHONE 2 in sip.conf to get this far). Now, problems: I can place a call from PHONE2 to PHONE1, but sound path is not established. Calls from PHONE1 to PHONE2 can not be placed at all. (I assume that this is because port 5060 is not forwarded to the phone at NAT/Firewall, but more on it later). Looking at SIP debug info, Asterisk tries to use local address of PHONE2 instead of its public IP. As a result, no info can be sent to it. I have tried to install SIPROXD on the NAT/Firewall close to Asterisk box, but this did not help. Now, we have tried to use one of the commercial VoIP service at PHONE2 location. We had to use their phone and it worked just fine without any alterations to NAT/Firewall device. I am pretty sure that they use SIP, so they did resolve the problem somehow. Sorry, there is no technical info available on this service. Did anyone succeeded in doing this setup? I know, IAX is a better way, but I can not setup many Asterisk boxes. Basically, I am doing it for a friend. He is working for a small medical company. They have number of offices that are not open every day and offices are too small to put Asterisk box in each one. There will be 1-3 IP phones in each office, except central one. Central one will need Asterisk, the rest should be on their own. As you have already noted, trying to implement this with two nat boxes is very difficult and in some cases impossible. The only way to know for sure what is happening is to use a packet analyzer (eg, ethereal) to observe the packets on the inside and outside of each nat box. Keep in mind that no all nat boxes operate the same way; there are major differences even though we tend to characterize nat boxes as all the same. The rtp ports used for voice (1:2 in your example) vary by phone type. Cisco uses a different range of ports, Xten another range, Grandsteam yet another. The ports you have listed are what asterisk uses and are probably not the same ports as what your remote phones use. Therefore, the exact ports that you need to open are dependent upon exactly which phones you deploy, and on well you understand the handshaking that goes on end-to-end when establishing a sip call. Likewise, not all phones operate the same from behind a nat box. The snom phones happen to be very good in terms of discovering where it sits in the end-to-end picture, while other phones are either very poor or don't handle nat well at all. Since you didn't mention what type of phones you use, there's no way to guess at what might be happening. Even if you post the phone type, its not going to be of much use to the rest of us since we don't know the type of nat box in use. You also might find (later) that not all nat boxes support multiple phones behind a nat box. Eg, if one phone is made to work and its in use, the second phone behind that nat box will probably fail. Some folks have been successful with multiple phones while many others have not, and most do not know why. You might be able to discover the nat problems by tracing packets (with ethereal) from inside and outside that asterisk nat box, but I'd have to guess you'll have less then a 50% chance of seeing the issues without traces from inside the nat box at the phone location also. You really need a clear understanding of the exact IP addresses and port numbers from each location to know how to solve the problem. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] More NAT questions
Still trying to get NAT working. Try adding a canreinvite=no. Nabeel ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] More NAT questions
In you asterisk sip.conf: [general] externip=xxx.xxx.xxx.xxx ;ip address of your nat firewall (public ip) localnet=192.168.0.0/24; the local subnet where the asterisk box is If you don't externip, externip will never be used, because asterisk won't know WHEN to use it. Also, define canreinvite=no in your sip phones sections, as was suggested above. Julian J. M. On Wed, 2 Mar 2005 23:26:56 +1100, Rudolf Ladyzhenskii [EMAIL PROTECTED] wrote: Hi, all Still trying to get NAT working. I have following setup: PHONE 1 -- * BOX | NAT/Firewall | | NAT/Firewall | | PHONE 2 Firewall next to phone 2 has all ports open. Firewall next to Asterisk has open ports 5060 and 1:2. All of those are forwarded to Asterisk box. Both phones succesfully register with Asterisk. (I had to add NAT=yes to configuration of PHONE 2 in sip.conf to get this far). Now, problems: I can place a call from PHONE2 to PHONE1, but sound path is not established. Calls from PHONE1 to PHONE2 can not be placed at all. (I assume that this is because port 5060 is not forwarded to the phone at NAT/Firewall, but more on it later). Looking at SIP debug info, Asterisk tries to use local address of PHONE2 instead of its public IP. As a result, no info can be sent to it. I have tried to install SIPROXD on the NAT/Firewall close to Asterisk box, but this did not help. Now, we have tried to use one of the commercial VoIP service at PHONE2 location. We had to use their phone and it worked just fine without any alterations to NAT/Firewall device. I am pretty sure that they use SIP, so they did resolve the problem somehow. Sorry, there is no technical info available on this service. Did anyone succeeded in doing this setup? I know, IAX is a better way, but I can not setup many Asterisk boxes. Basically, I am doing it for a friend. He is working for a small medical company. They have number of offices that are not open every day and offices are too small to put Asterisk box in each one. There will be 1-3 IP phones in each office, except central one. Central one will need Asterisk, the rest should be on their own. Any help is greatly appreciated. Thanks, Rudolf ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] More NAT questions
The rtp ports used for voice (1:2 in your example) vary by phone type. Cisco uses a different range of ports, Xten another range, Grandsteam yet another. The ports you have listed are what asterisk uses and are probably not the same ports as what your remote phones use. Therefore, the exact ports that you need to open are dependent upon exactly which phones you deploy, and on well you understand the handshaking that goes on end-to-end when establishing a sip call. Yes. And if you want to stay with asterisk at 1, you can tell Grandstream and X-Lite to use those, I have no experience with the others. I use this and port forwarding to go between two locations, both of which have Linksys consumer NAT routers. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: RE: [Asterisk-Users] More NAT questions
Thanks, I have tried that, but forgot to mention. No luck. Rudolf Nabeel Jafferali [EMAIL PROTECTED] wrote: Still trying to get NAT working. Try adding a canreinvite=no. Nabeel ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: Re: [Asterisk-Users] More NAT questions
IThanks for reply. I have inserted my comments in your reply. As you have already noted, trying to implement this with two nat boxes is very difficult and in some cases impossible. The only way to know for sure what is happening is to use a packet analyzer (eg, ethereal) to observe the packets on the inside and outside of each nat box. Keep in mind that no all nat boxes operate the same way; there are major differences even though we tend to characterize nat boxes as all the same. The rtp ports used for voice (1:2 in your example) vary by phone type. Cisco uses a different range of ports, Xten another range, Grandsteam yet another. The ports you have listed are what asterisk uses and are probably not the same ports as what your remote phones use. Therefore, the exact ports that you need to open are dependent upon exactly which phones you deploy, and on well you understand the handshaking that goes on end-to-end when establishing a sip call. I am using Polycom phones. Ports 1-2 are specified in the rtp.conf. Same phone worked just fines when used on same subnet. Likewise, not all phones operate the same from behind a nat box. The snom phones happen to be very good in terms of discovering where it sits in the end-to-end picture, while other phones are either very poor or don't handle nat well at all. Since you didn't mention what type of phones you use, there's no way to guess at what might be happening. Even if you post the phone type, its not going to be of much use to the rest of us since we don't know the type of nat box in use. NAT box on the Asterisk side is a Linux running RedHat 9 and iptables. NAT box on the PHONE 2 end is a D-Link router. Default configuration is used. You also might find (later) that not all nat boxes support multiple phones behind a nat box. Eg, if one phone is made to work and its in use, the second phone behind that nat box will probably fail. Some folks have been successful with multiple phones while many others have not, and most do not know why. Yes, this is my concern too, but this is something I will worry about later. At the moment I want single phone to operate. You might be able to discover the nat problems by tracing packets (with ethereal) from inside and outside that asterisk nat box, but I'd have to guess you'll have less then a 50% chance of seeing the issues without traces from inside the nat box at the phone location also. You really need a clear understanding of the exact IP addresses and port numbers from each location to know how to solve the problem. Well, it seem strange that when trying to place a call, Asterisk uses correct address fro the PHONE 2 (public IP of the NAT device on the other end). And incoming registration is fine too. The problems start when actual SIP traffic is passed through. Asterisk uses local IP address in this case. It seems that it picks up addresses from IP packets and forgets about phone being behind the NAT device. This is judging only by SIP debug info Asterisk gives me. Rudolf ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: Re: [Asterisk-Users] More NAT questions
I have used externip. Could it cause a problem if internal and extarnal networks use same IP range? Both of the are class C networks and are 192.168.1.x (this is a pretty common choice for addresses)? But then again, Astersik should interpret incoming traffic as something that came in from external public IP, not extract just the local IP address from the SIP packet. Am I right? Rudolf Julian J. M. [EMAIL PROTECTED] wrote: In you asterisk sip.conf: [general] externip=xxx.xxx.xxx.xxx ;ip address of your nat firewall (public ip) localnet=192.168.0.0/24; the local subnet where the asterisk box is If you don't externip, externip will never be used, because asterisk won't know WHEN to use it. Also, define canreinvite=no in your sip phones sections, as was suggested above. Julian J. M. On Wed, 2 Mar 2005 23:26:56 +1100, Rudolf Ladyzhenskii [EMAIL PROTECTED] wrote: Hi, all Still trying to get NAT working. I have following setup: PHONE 1 -- * BOX | NAT/Firewall | | NAT/Firewall | | PHONE 2 Firewall next to phone 2 has all ports open. Firewall next to Asterisk has open ports 5060 and 1:2. All of those are forwarded to Asterisk box. Both phones succesfully register with Asterisk. (I had to add NAT=yes to configuration of PHONE 2 in sip.conf to get this far). Now, problems: I can place a call from PHONE2 to PHONE1, but sound path is not established. Calls from PHONE1 to PHONE2 can not be placed at all. (I assume that this is because port 5060 is not forwarded to the phone at NAT/Firewall, but more on it later). Looking at SIP debug info, Asterisk tries to use local address of PHONE2 instead of its public IP. As a result, no info can be sent to it. I have tried to install SIPROXD on the NAT/Firewall close to Asterisk box, but this did not help. Now, we have tried to use one of the commercial VoIP service at PHONE2 location. We had to use their phone and it worked just fine without any alterations to NAT/Firewall device. I am pretty sure that they use SIP, so they did resolve the problem somehow. Sorry, there is no technical info available on this service. Did anyone succeeded in doing this setup? I know, IAX is a better way, but I can not setup many Asterisk boxes. Basically, I am doing it for a friend. He is working for a small medical company. They have number of offices that are not open every day and offices are too small to put Asterisk box in each one. There will be 1-3 IP phones in each office, except central one. Central one will need Asterisk, the rest should be on their own. Any help is greatly appreciated. Thanks, Rudolf ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users