NAT Traversal Questions


#1

I have been having lots of problems with multiple phones behind a NAT firewall connecting to my Asterisk box that is on a different WAN.

Here is a description:

<Sayson 480i> – – ((Interweb)) –

The problem is that I have 8 office phones and I am having a headache trying to get them to traverse NAT easily…

My idea is this:

<Sayson 480i> – <Asterisk / Nic1> – – <Asterisk / Nic2> – ((Interweb))

Does anyone think if I put the 2 network cards in the Asterisk box that it will solve my problems??

My thought is that if all the phones are local, I won’t have NAT to worry about…

Can someone give me some ideas on how to accomplish this?? I have never run Asterisk on the LAN…I always have my Asterisk box in my NOC on its own T1…My phones use another T1 with my LAN to get to it…It works, but it's getting harder the more phones I add!!

Thanks!!!


#2

You’re correct to think that you won’t have any NAT problems if all your phones are on the LAN. If you can’t bring Asterisk in-house, maybe you can connect to your NOC via VPN and therefore appear to be on the same LAN.

I don’t quite understand the point of having 2 NICs on the Asterisk box. Do you need one of them to have a public IP address?


#3

Thanks a ton for the quick feedback. I appreciate the input.

I do need the Asterisk to have a public IP. I am currently using it as a hosted PBX for many clients and remote users. My office is growing and the NAT is slowing all my phone installs down.

Do you have any recommendations for putting in 2 NICs? And if the Asterisk box is the only thing on the T1, how can I VPN to it? Would I need an additional piece of hardware in front of it?

Thanks again for the input!


#4

if you want one nic to have the public ip and the other a private one, you’re going to need to bring the box into your location. this will solve your local office phone problem but create downtime for your remote customers. also, your asterisk box will presumably no longer have the wide bandwidth that the NOC provided. and then there are the security issues (surmountable but issues nonetheless) of having a machine with a public ip address on your LAN. if these are not issues then it should be fairly straightforward to place 2 nics in asterisk. you are able to have the service bind to all ip addresses that the box has. i haven’t done this but it should be easy.


#5

I have been working on this one phone for 5 hours! I am about to rip my hair out!!!

Please help…I got the phone to register 1 time…I made 2 phone calls and when I went back into the phone web config, I changed the register time back to the original 300s and it dropped…

Now all I get is 401 Unauthorized…

Sip read:
REGISTER sip:xxx.oceanlan.com:5060 SIP/2.0
Via: SIP/2.0/UDP 71.65.xx.xx:5070;branch=z9hG4bK1879d926e
Max-Forwards: 70
Content-Length: 0
To: 511 sip:511@
From: 511 sip:511@;tag=8daad825052e235
Call-ID: 01c8a7a4d53f26483240b51caf52c065@71.65.xx.xx
CSeq: 1424082876 REGISTER
Contact: 511 sip:511@71.65.xx.xx:5070;srcadr=192.168.1.123:5060;srcadr=192.168.1.123:5060;expires=300
Allow-Events: talk,hold,conference
Allow:NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE,INFO
Expires: 300
User-Agent: Aastra 480i/1.3.0.1072 Brcm Callctrl/1.5.1.0 MxSF/v3.2.6.26

13 headers, 0 lines
Using latest request as basis request
Sending to 71.65.xx.xx : 5070 (NAT)
Transmitting (NAT):
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 71.65.112.38:5070;branch=z9hG4bK1879d926e;received=71.65.xx.xx;rport=5060
From: 511 sip:511@;tag=8daad825052e235
To: 511 sip:511@
Call-ID: 01c8a7a4d53f26483240b51caf52c065@71.65.xx.xx
CSeq: 1424082876 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: sip:511@66.93.xx.xx
Content-Length: 0

to 71.65.xx.xx:5060
Transmitting (NAT):
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 71.65.xx.xx:5070;branch=z9hG4bK1879d926e;received=71.65.xx.xx;rport=5060
From: 511 sip:511@;tag=8daad825052e235
To: 511 sip:511@;tag=as3e87dda3
Call-ID: 01c8a7a4d53f26483240b51caf52c065@71.65.xx.xx
CSeq: 1424082876 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: sip:511@66.93.xx.xx
WWW-Authenticate: Digest realm="asterisk", nonce="0bfff658"
Content-Length: 0

to 71.65.xx.xx:5060
Scheduling destruction of call '01c8a7a4d53f26483240b51caf52c065@71.65.xx.xx' in 15000 ms
Destroying call '01c8a7a4d53f26483240b51caf52c065@71.65.xx.xx'

Here is my Sip.conf:

[511]
username=511
type=friend
secret=511
record_out=On-Demand
record_in=On-Demand
qualify=no
port=5070
nat=yes
mailbox=511@default
host=dynamic
dtmfmode=rfc2833
context=from-internal
canreinvite=no
callerid="oceanlan" <511>

Any Ideas???

:question: :question: :question:
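
The `401 Unauthorized` in the trace above carries a `WWW-Authenticate: Digest` challenge, and the phone is expected to answer it with a second REGISTER that includes an `Authorization` header. The sketch below is an added example, not part of the original post or of Asterisk's code: it computes that answer per RFC 2617 (no `qop`, as in the challenge shown) using the realm, nonce, request URI, username and secret that appear in the post; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Values copied from the post above (hostname is redacted there as well).
CHALLENGE = 'Digest realm="asterisk", nonce="0bfff658"'
REQUEST_URI = "sip:xxx.oceanlan.com:5060"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(value):
    """Split a WWW-Authenticate value into its quoted parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}

def digest_response(username, secret, realm, nonce, method, uri):
    """RFC 2617 response when the challenge has no qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authorization_header(username, secret, challenge, method, uri):
    """Header the phone adds to its second REGISTER."""
    resp = digest_response(username, secret, challenge["realm"],
                           challenge["nonce"], method, uri)
    return (f'Authorization: Digest username="{username}", '
            f'realm="{challenge["realm"]}", nonce="{challenge["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def server_accepts(header, stored_secret, method):
    """Registrar side: recompute from the stored secret and compare."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', header))
    expected = digest_response(f["username"], stored_secret, f["realm"],
                               f["nonce"], method, f["uri"])
    return hmac.compare_digest(expected, f["response"])

if __name__ == "__main__":
    hdr = authorization_header("511", "511", parse_challenge(CHALLENGE),
                               "REGISTER", REQUEST_URI)
    print(hdr)
    print("accepted:", server_accepts(hdr, "511", "REGISTER"))
```

If the phone's user name, auth name, realm or password differs from what the registrar has stored, the recomputed value does not match and the registration is rejected.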


#6

Did you bring the Asterisk box into the LAN as discussed? If so, you shouldn’t have nat=yes in sip.conf for your phone.


#7

I have built a local box that I intend to IAX trunk to the main unit. I am still having difficulties with my extensions on the Aastra/Sayson 480i phones…

Now I am getting 404 not found. It also tells me: Username/auth name mismatch

Here is a copy of my sip debug:

--- (13 headers 0 lines)---
Using latest REGISTER request as basis request
Sending to 192.168.1.123 : 5060 (non-NAT)
Transmitting (no NAT) to 192.168.1.123:5060:
SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.1.123;branch=z9hG4bKb1b052499;received=192.168.1.123
From: 1000 sip:1000@;tag=a7312f666b8530e
To: 1000 sip:1000@;tag=as0837982b
Call-ID: 284dae5895d01987454e8193005dfbfb@192.168.1.123
CSeq: 1740842982 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Max-Forwards: 70
Contact: sip:1000@192.168.1.125
Content-Length: 0


Jan 19 11:56:40 NOTICE[2519]: chan_sip.c:10815 handle_request_register: Registration from '1000 sip:1000@' failed for '192.168.1.123' - Username/auth name mismatch
Scheduling destruction of call '284dae5895d01987454e8193005dfbfb@192.168.1.123' in 15000 ms
Destroying call '284dae5895d01987454e8193005dfbfb@192.168.1.123'

Here is a copy of my sip_additional.conf for ext. 1000:

[1000]
username=1000
type=friend
secret=1000
record_out=Adhoc
record_in=Adhoc
qualify=no
port=5060
nat=never
mailbox=1000@device
host=dynamic
dtmfmode=rfc2833
context=from-internal
canreinvite=no
callerid=device <1000>

I have configured the phone with the web browser and I have tried the aastra.cfg and [mac].cfg.

Let me know if you have any ideas. I have Polycom phones that I can make work…I like these Aastras and I have like 4 of them I want to make work.

Thanks in advance for the help!
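
Both stanzas posted in this thread (`[511]` and `[1000]`) set `secret` to the extension number with `host=dynamic`, on a PBX described as reachable from the Internet. The check below is an added example, not part of the original posts: it scans sip.conf-style text for secrets of that kind. The function names, the `[2001]` peer and the 12-character minimum are assumptions made for the illustration.

```python
import re

# Constructed sample: [511] and [1000] reuse values from the stanzas posted
# above; [2001] and its secret are made up for contrast.
SAMPLE = """\
[511]
username=511
secret=511
host=dynamic
[1000]
username=1000
secret=1000
host=dynamic
[2001]
secret=constructed-Long-passphrase-93x
host=dynamic
"""

def parse_peers(text):
    """Return {section: {option: value}} from sip.conf-style text."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        section = re.match(r"\[([^\]]+)\]", line)
        if section:
            current = peers.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers

def audit(peers, min_len=12):                    # min_len: assumed policy
    """Return {peer: [issues]} for peers whose secret is easy to guess."""
    findings = {}
    for name, opts in peers.items():
        secret, issues = opts.get("secret", ""), []
        if not secret:
            issues.append("no secret set")
        if secret and secret in (name, opts.get("username")):
            issues.append("secret equals the extension number")
        if secret.isdigit():
            issues.append("secret is digits only")
        if 0 < len(secret) < min_len:
            issues.append(f"secret shorter than {min_len} characters")
        if issues and opts.get("host") == "dynamic" and "permit" not in opts:
            issues.append("host=dynamic with no permit/deny ACL")
        if issues:
            findings[name] = issues
    return findings
```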


#8

I found my problem…just thought I would let everyone know…

I had a jank MySQL load. I was missing some pieces that were needed for the phone to access the realtime database and register.

Thanks for the help! and Thanks zu @ irc.freenode.net!