How to Make Asterisk 11 Work Behind NAT

Hi Guys,

I have Asterisk behind NAT. The internal set of phones works just fine, but any external phone won’t work: the phone registers with no issue but there is no sound. I searched all over the net but no matter what I try, it won’t work. My setup again:

Asterisk----------->FW-------------->Internet<--------------FW<--------------My external phone.

My environment: Asterisk 11 on Ubuntu 12.04 with a private IP, and my SIP phones are X-Lite and Cisco 7940.

Any help greatly appreciated.

Regards,

Aldulaimi

;----------------------------------------- NAT SUPPORT ------------------------
;
; WARNING: SIP operation behind a NAT is tricky and you really need
; to read and understand well the following section.
;
; When Asterisk is behind a NAT device, the “local” address (and port) that
; a socket is bound to has different values when seen from the inside or
; from the outside of the NATted network. Unfortunately this address must
; be communicated to the outside (e.g. in SIP and SDP messages), and in
; order to determine the correct value Asterisk needs to know:
;
; + whether it is talking to someone “inside” or “outside” of the NATted network.
; This is configured by assigning the “localnet” parameter with a list
; of network addresses that are considered “inside” of the NATted network.
; IF LOCALNET IS NOT SET, THE EXTERNAL ADDRESS WILL NOT BE SET CORRECTLY.
; Multiple entries are allowed, e.g. a reasonable set is the following:
;
; localnet=192.168.0.0/255.255.0.0 ; RFC 1918 addresses
; localnet=10.0.0.0/255.0.0.0 ; Also RFC1918
; localnet=172.16.0.0/12 ; Another RFC1918 with CIDR notation
; localnet=169.254.0.0/255.255.0.0 ; Zero conf local network
;
; + the “externally visible” address and port number to be used when talking
; to a host outside the NAT. This information is derived by one of the
; following (mutually exclusive) config file parameters:
;
; a. “externaddr = hostname[:port]” specifies a static address[:port] to
; be used in SIP and SDP messages.
; The hostname is looked up only once, when [re]loading sip.conf .
; If a port number is not present, use the port specified in the “udpbindaddr”
; (which is not guaranteed to work correctly, because a NAT box might remap the
; port number as well as the address).
; This approach can be useful if you have a NAT device where you can
; configure the mapping statically. Examples:
;
; externaddr = 12.34.56.78 ; use this address.
; externaddr = 12.34.56.78:9900 ; use this address and port.

; In addition to the above, Asterisk has an additional “nat” parameter to
; address NAT-related issues in incoming SIP or media sessions.
; In particular, depending on the 'nat=' settings described below, Asterisk
; may override the address/port information specified in the SIP/SDP messages,
; and use the information (sender address) supplied by the network stack instead.
; However, this is only useful if the external traffic can reach us.
; The following settings are allowed (both globally and in individual sections):
;
; nat = no ; Do no special NAT handling other than RFC3581
; nat = force_rport ; Pretend there was an rport parameter even if there wasn’t
; nat = comedia ; Send media to the port Asterisk received it from regardless
; ; of where the SDP says to send it.
; nat = auto_force_rport ; Set the force_rport option if Asterisk detects NAT (default)
; nat = auto_comedia ; Set the comedia option if Asterisk detects NAT

The localnet and externaddr options are specified in the general section of the sip.conf file.

read the svn.digium.com/svn/asterisk/trun … onf.sample

Hi,

Many thanks for your kind reply. I’ve been trying what you’ve sent me many times with no luck. Maybe the combinations I’m using are not right. If I post my basic sip.conf file, would you mind having a look and telling me where I’m going wrong?

Regards,

Aldulaimi

OK

You also need to provide the configuration of both firewalls.

Have you checked that all the rules are in place to forward RTP in both directions?

Hi,

All the required ports "RTP and SIP" are open.

Hi,

As I said, my config files sip.conf and extensions.conf are basic, just to make sure the setup works, registration and audio. Please note, my external IP and secret are represented in X.

<<<<<<<<<<<<<<<sip.conf>>>>>>>>>>>>>>>>>>>
[general]
context=unauthenticated
allowguest=no
srvlookup=no

udpbindaddr=0.0.0.0
tcpenable=no
externalip=XXX.XXX.XXX.XXX
localnet=192.168.0.0/24
nat=force_rport,comedia

externrefresh=60
directmedia=no
registertimeout=15
registerattempts=0
bindport=5061
canreinvite=no

office-phone
type=friend
context=LocalSets
host=dynamic

dtmfmode=RFC2833
disallow=all
;allow=g722
allow=alaw
allow=ulaw

Remote-Phone
type=friend
context=RemoteSets
host=dynamic
qualify=yes
dtmfmode=RFC2833
disallow=all
;allow=g722
allow=alaw
allow=ulaw

Soft-Jassem
secret=XXXXXXX
description=Exten 108

001B541401EC
secret=XXXXXXX
description=Exten 109

<<<<<<<<<<<<Extensions.conf>>>>>>>>>>>>>>>>>>>

[LocalSets]
exten => 108,1,Dial(SIP/Soft-Jassem)
include => RemoteSets

[RemoteSets]
exten => 109,1,Dial(SIP/001B541401EC)
include => LocalSets

exten => 99,1,Answer()
same => n,Playback(hello-world)
same => n,Hangup()

Regards,

Aldulaimi

Run the command rtp set debug on and check the IP address for incoming and outgoing traffic when making a call with a remote extension.

Hi,

I’ll assume the following:
1-My conf files are ok
2-I should not worry about running sip set debug on, as I have no issue with phones registration.

I’ll run the rtp set debug on. Any idea what I need to look at, any particular pattern I should look for?

Thanks for your help.

You will have an input similar to this
Got RTP packet from 204.11.192.170:54158 (type 00, seq 055477, ts 2965542282, len 000160)
Sent RTP packet to 186.7.229.219:18018 (type 00, seq 006467, ts 2965542280, len 000160)

Here you can verify if you have any RTP traffic, and if so, you can see if the traffic is routed to the correct IP address.

Hi,

I’ve made an internal test "2 internal soft phones" with which I have no issue:

Sent RTP P2P packet to 192.168.0.253:53182 (type 08, len 000160)
Sent RTP P2P packet to 192.168.0.250:52490 (type 08, len 000160)

I can see they are using the IPs as I expected, direct talk between the 2 phones. One question: the ports in use here, 53182 and 52490, are way outside the range that I opened in my firewall, which is 10000-20000. Could that be the reason why my external phone won’t communicate audio?

Please note, once I’m ready, I will test the external set and monitor the RTP traffic and let you know.

I guess RTP ports are between 5000-31000 UDP. Please open that port range and reload your Asterisk config.

Hi,
In this packet:

192.168.0.253:53182 <----- this is the RTP port, correct? Again, this is much higher than 30,000.

Is it a good idea to use rtp.conf and explicitly use 10000-20000?

svn.digium.com/svn/asterisk/trun … onf.sample

Hi,

Once I get hold of the remote set, I will test and let you know.

Hi,

From what I understand, the RTP range 10000-20000 is the number of ports and not port numbers, i.e. how many ports are needed to make the audio work.

Example:
Let’s assume that to make one phone call, 10 RTP ports are needed; then to make 1000 calls we will need 10000 ports and to make 2000 calls 20000 ports are needed. Please correct me if I’m wrong.

They are the range of numbers (highest and lowest) used by the Asterisk end. Asterisk has no control over the remote end, so you should either configure at that end, or unrestrict the outbound port number range.

Hi Ambiorixg,

I’ve tried the remote setup, and I’ve noticed a couple of things:

I can call the remote phone, it answers and there is no audio, but when I dial from the remote phone, I get a message on the phone that says exten bla bla not available; it does not connect to my local phone and hangs up.

According to RTP debug, my local phone sends RTP packets to the remote phone but I do not see the reply.

Example:
Sent RTP P2P packet to 10.0.0.24:52980 (type 08, len 000160)
Sent RTP P2P packet to 10.0.0.24:52980 (type 08, len 000160)

Any thoughts?

PS- I should thank David as well
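
Added example (not part of any post in this thread): a Python sketch that reads `rtp set debug on` console lines in the format quoted above and reports, per peer address, RFC 1918 destinations that fall outside localnet and flows where RTP is sent but never received. The function name, the sample lines and the 203.0.113.7 address are constructed for illustration; the localnet value is the 192.168.0.0/24 from the posted sip.conf.

```python
import ipaddress
import re
from collections import defaultdict

# Covers "Got RTP packet from", "Sent RTP packet to" and "Sent RTP P2P packet to".
LINE_RE = re.compile(
    r"(Got|Sent) RTP (?:P2P )?packet (?:from|to)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")

# Listed explicitly: ipaddress.is_private also covers non-RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def analyse_rtp_debug(lines, localnets):
    """Return {peer_ip: [findings]} for the given RTP debug lines."""
    local = [ipaddress.ip_network(n) for n in localnets]
    counts = defaultdict(lambda: {"Sent": 0, "Got": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1

    findings = {}
    for ip, c in counts.items():
        addr = ipaddress.ip_address(ip)
        notes = []
        in_rfc1918 = any(addr in n for n in RFC1918)
        if in_rfc1918 and not any(addr in n for n in local):
            # Not routable across the Internet, so this media cannot arrive.
            notes.append("RFC 1918 address outside localnet")
        if c["Sent"] and not c["Got"]:
            notes.append("RTP sent but none received")
        if c["Got"] and not c["Sent"]:
            notes.append("RTP received but none sent")
        findings[ip] = notes
    return findings

# Constructed sample in the log format quoted in this thread.
SAMPLE = [
    "Sent RTP P2P packet to 192.168.0.253:53182 (type 08, len 000160)",
    "Got RTP packet from 192.168.0.253:53182 (type 08, seq 000001, ts 160, len 000160)",
    "Sent RTP P2P packet to 10.0.0.24:52980 (type 08, len 000160)",
    "Sent RTP P2P packet to 10.0.0.24:52980 (type 08, len 000160)",
    "Got RTP packet from 203.0.113.7:40000 (type 00, seq 000002, ts 320, len 000160)",
    "Sent RTP packet to 203.0.113.7:40000 (type 00, seq 000003, ts 320, len 000160)",
]

if __name__ == "__main__":
    for ip, notes in analyse_rtp_debug(SAMPLE, ["192.168.0.0/24"]).items():
        print(ip, notes or ["ok"])
```
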

Hi Guys,

Please ignore what I mentioned in my last post; I can not make a call from the remote set to the local one, it was an issue with the soft phone setup. So I can make a call either way but again the same old story: no sound.

David,

Would you please give an example of what to do on the firewall? It’s meant to be straightforward: open ports and point them to the Asterisk server IP address. Do I need to bother about the firewall where my SIP phones are located?

Your help greatly appreciated.

PS- I’ve done a tcpdump which captured the traffic between a local SIP phone and another remote one; if you need it, please let me know.