My Asterisk box is installed in the DMZ of an IPCop firewall.
The RED interface of IPCop has a static public IP address, and all traffic directed to that address is forwarded to the PBX in the DMZ.
The IPCop also routes traffic from the LAN (192.168.2.0) to the DMZ (172.16.0.0), so Asterisk is reachable from both the LAN and the Internet.
Generally speaking, everything works fine, but I’m facing a strange problem when remote SIP clients aren’t NATted and have a public IP address, that is, they are connected to the Internet via a bridge/modem rather than sitting behind a firewall/router: the audio is only one-way, from Asterisk to the client, although one of the parties (the remote client) has a public IP address. If the remote client is instead behind a router (and indeed there is a double NAT), it works perfectly and the audio is two-way.
The following are the non-working scenarios (call flow from left to right, ‘->’ is the audio direction):
[color=red]SIP UA (public IP) -> bridge[/color] -> Internet -> RED|IPCop|DMZ -> Asterisk/chan_zap -> PSTN -> U
[color=red]SIP UA (public IP) -> bridge[/color] -> Internet -> RED|IPCop|DMZ -> Asterisk/chan_sip -> SIP UA (inside LAN/outside LAN)
These are the working scenarios (call flow from left to right, ‘<->’ means audio in both directions):
[color=blue]SIP UA (private IP) <-> router (public IP)[/color] <-> Internet <-> RED|IPCop|DMZ <-> Asterisk/chan_zap <-> PSTN <-> U
[color=blue]SIP UA (private IP) <-> router (public IP)[/color] <-> Internet <-> RED|IPCop|DMZ <-> Asterisk/chan_sip <-> SIP UA (inside LAN/outside LAN)
Here’s my sip.conf:
externip = xxx.xxx.xxx.xxx
;localnet=10.0.0.0/255.0.0.0 ; tried all combinations
For each SIP client:
I wonder at the fact that the easiest scenario is the only one not working. Maybe a bug in Asterisk? Do I really have to prevent all remote clients from using a bridge and put them inside a private network class behind a router? Any ideas, please? If it would help, I can supply tcpdump logs for traffic analysis.
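An added diagnostic example, not part of the original post: since tcpdump captures are offered, one thing to read out of them is the media address each side advertises in its SDP, because RTP is sent to that address and an RFC 1918 address is unreachable for a peer on the public Internet. The two messages below are constructed samples (documentation-range addresses plus an assumed host in the 172.16.0.0 DMZ), and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also flag
# the documentation ranges used in the constructed samples below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE from a client with a public address (not from the post).
SAMPLE_INVITE = (
    "INVITE sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 198.51.100.7\r\ns=-\r\n"
    "c=IN IP4 198.51.100.7\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0 8\r\n"
)
# Constructed 200 OK from a PBX that advertises its DMZ address for media.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 2 2 IN IP4 172.16.0.2\r\ns=-\r\n"
    "c=IN IP4 172.16.0.2\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n"
)

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def media_endpoints(sip_message):
    """Return [(media, address, port)] advertised in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]
            if streams:                 # media-level c= overrides session-level
                streams[-1][1] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            streams.append([media, session_addr, int(port.split("/")[0])])
    return [tuple(s) for s in streams]

def unreachable_from_internet(sip_message):
    """Streams whose advertised address a public peer cannot route to."""
    return [s for s in media_endpoints(sip_message)
            if s[1] and is_rfc1918(s[1])]

if __name__ == "__main__":
    for name, msg in (("INVITE", SAMPLE_INVITE), ("200 OK", SAMPLE_200_OK)):
        print(name, media_endpoints(msg), unreachable_from_internet(msg))
```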