PJSIP Trunk and NAT

faqterson · January 15, 2025, 7:01am

Customer A is behind a Firewall (Firewall not managed by me)
Porta SIP is trunk destination. Porta SIP has said that the contact header needs to have the correct NAT IP address.

Porta is receiving the following SIP Trace:

INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj95b0c590-1697-49b8-a0a7-5a974d2a32c2
From: "Test" <sip:27124502630@172.32.2.19>;tag=1da25406-0000-4fed-8bd0-71c2b5e9ee33
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>

They are getting the SIP invite from the Firewall public IP address but the VIA: and Contact: header still have the private IP address of the Asterisk PBX.

My other customers where I have a Mikrotik Router with Source NAT with Action Masquerade both the VIA: and Contact: headers are being changed to the public IP address.

I need some assistance on what can be done on the firewall to resolve this or can I change any setting on the Trunk to set it to the public IP.

I have tried the following in the pjsip.conf file but it had no affect:

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0:5062
external_media_address=1.1.1.1
external_signaling_address=1.1.1.1

PJSIP Registration:

transport=transport-udp-nat

jcolp · January 15, 2025, 9:30am

What does “pjsip show transport transport-udp-nat” actually show? What is the COMPLETE configuration? What is the COMPLETE SIP trace?

faqterson · January 15, 2025, 10:26am

We are moving to a new VOIP provider and they are using PortaOne. Per my understanding from the PortaOne technician, because the Contact Header includes a private IP address it’s not able to verify the PBX connection and then closes the call (30 second timer)

FYI. I am hiding IP, domains and numbers for privacy

pjsip show transport transport-udp-nat 

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5062

 ParameterName              : ParameterValue
 ===========================================
 allow_reload               : false
 allow_wildcard_certs       : No
 async_operations           : 1
 bind                       : 0.0.0.0:5062
 ca_list_file               : 
 ca_list_path               : 
 cert_file                  : 
 cipher                     : 
 cos                        : 0
 domain                     : 
 external_media_address     : 1.1.1.1
 external_signaling_address : 1.1.1.1
 external_signaling_port    : 0
 local_net                  : 
 method                     : unspecified
 password                   : 
 priv_key_file              : 
 protocol                   : udp
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 0
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

I am making use of Real-time database:

+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+-------------------+--------------+----------------------+------+-------------+
| id          | auth_rejection_permanent | client_uri                           | contact_user | expiration | max_retries | outbound_auth | outbound_proxy | retry_interval | forbidden_retry_interval | server_uri               | transport         | support_path | fatal_retry_interval | line | endpoint    |
+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+-------------------+--------------+----------------------+------+-------------+
| 27123456789 | no                       | sip:27123456789@sip.mydomain.com     | 27123456789  |       NULL |         150 | 27123456789   | NULL           |             60 |                       60 | sip:sip.mydomain.com     | transport-udp-nat | NULL         |                  150 | yes  | 27123456789 |
+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+-------------------+--------------+----------------------+------+-------------+

pjsip show registration 27123456789 

 <Registration/ServerURI..............................>  <Auth....................>  <Status.......>
==========================================================================================

 27123456789/sip:sip.mydomain.com                    27123456789                 Registered        (exp. 2184s)

 ParameterName            : ParameterValue
 ===============================================================
 auth_rejection_permanent : false
 client_uri               : sip:27123456789@sip.mydomain.com
 contact_header_params    : 
 contact_user             : 27123456789
 endpoint                 : 27123456789
 expiration               : 3600
 fatal_retry_interval     : 150
 forbidden_retry_interval : 60
 line                     : true
 max_random_initial_delay : 10
 max_retries              : 150
 outbound_auth            : 27123456789
 outbound_proxy           : 
 retry_interval           : 60
 security_mechanisms      : 
 security_negotiation     : no
 server_uri               : sip:sip.mydomain.com
 support_outbound         : no
 support_path             : false
 transport                : transport-udp-nat

SIP Invite sent to Porta:

<--- SIP read from UDP:1.1.1.1:5060 --->
INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj95b0c590-1697-49b8-a0a7-5a974d2a32c2
From: "Test" <sip:27124502630@172.32.2.19>;tag=1da25406-0000-4fed-8bd0-71c2b5e9ee33
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:27123456789@172.32.2.19:5060>
Call-ID: e28c0892-44e9-4446-bd19-9028070043d1
CSeq: 26476 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   304

v=0
o=- 939938733 939938733 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16390 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

SIP Invite sent to Asterisk: (I suspect Asterisk it’s working because I am doing Username Authorization)

<--- SIP read from UDP:1.1.1.1:5060 --->
INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPjca094f6e-be6d-495f-b715-a706f1aaf723
From: "Test" <sip:27123456789@172.32.2.19>;tag=ba80506e-b1d4-469e-9280-3cbf0aa6ad7f
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:brolinkvc2@172.32.2.19:5060>
Call-ID: 7c690f65-ae8f-468d-b344-5933164e9143
CSeq: 27441 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Authorization: Digest username="mycustomer", realm="asterisk", nonce="20d0c2a2", uri="sip:0123456789@sip.mydomain.com:5060", response="920668d8asdqwe133d82f9126", algorithm=MD5
Content-Type: application/sdp
Content-Length: 304

v=0
o=- 269758977 269758977 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 18964 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

=======================

Just so I understand it correctly. Isn’t the transport important for SIP traffic received on the asterisk PBX?
By default I don’t use the NAT transport with external_media/signal.
This is my default transport-udp

pjsip show transport transport-udp 

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport-udp             udp      0    184  0.0.0.0:5060

 ParameterName              : ParameterValue
 ===========================================
 allow_reload               : false
 async_operations           : 1
 bind                       : 0.0.0.0:5060
 ca_list_file               : 
 ca_list_path               : 
 cert_file                  : 
 cipher                     : 
 cos                        : 0
 domain                     : 
 external_media_address     : 
 external_signaling_address : 
 external_signaling_port    : 0
 local_net                  : 
 method                     : unspecified
 password                   : 
 priv_key_file              : 
 protocol                   : udp
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 184
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

This is realtime trunk details behind Mikrotik Router I manage for a customer. This trunk connects to PortaOne with no problems:

I don’t allocate a transport any where on my trunk:

registration
+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+---------------+--------------+----------------------+------+----------+
| id          | auth_rejection_permanent | client_uri                           | contact_user | expiration | max_retries | outbound_auth | outbound_proxy | retry_interval | forbidden_retry_interval | server_uri               | transport     | support_path | fatal_retry_interval | line | endpoint |
+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+---------------+--------------+----------------------+------+----------+
| 27123456789 | NULL                     | sip:27123456789@sip.mydomain.com     | NULL         |       NULL |        NULL | 27123456789   | NULL           |             60 |                     NULL | sip:sip.mydomain.com     | NULL | NULL         |                 NULL | NULL | NULL     |
+-------------+--------------------------+--------------------------------------+--------------+------------+-------------+---------------+----------------+----------------+--------------------------+--------------------------+---------------+--------------+----------------------+------+----------+

identity
+-------------+-------------+----------------------+-------------+--------------+
| id          | endpoint    | match                | srv_lookups | match_header |
+-------------+-------------+----------------------+-------------+--------------+
| 27123456789 | 27123456789 | sip.mydomain.com | NULL        | NULL         |
+-------------+-------------+----------------------+-------------+--------------+

endpoint
+-------------+-----------+-------------+------+----------+----------+----------------+--------------+-----------------------+---------------------+-------------------------------+-----------------------------+-----------+------------------------+-------------+-------------+-------------+-----------+-------------+---------------+----------------+-----------------+----------+---------------+----------------+----------+-----------+---------------+--------+---------------------+----------+------------------+--------------+--------+---------------+------------------+-------------------+-----------+----------+------------------+-----------------+------------+--------------+------------------+--------------------+----------------------+------------+-----------+--------------+-----------------------+---------------+----------------+-----------+----------+---------------------+-------------------+--------------------+------------+----------------+-----------------+-----------+-------------+-----------+-----------+----------------+-------------+-----------+---------------+-------------+------------+----------------+------------------+-------------+--------------+--------------+------------+-------------+---------------+-----------------+---------+-----------+-----------+-----------------+-----------+------------------------------+-------------+---------------+-----------------+-----------------------------+----------------+-------------------+---------------+-------------+------------------+---------------------------+---------------------+------------------------------------+------+--------+------+--------------+----------------+-------------+-------------------+--------------------+--------------+----------------------+----------------------+----------+---------------+----------------------+----------------------------+-------------------+-------------------+--------+------------------+----------------------+--------+-------------------------+-------------------------+-----------------------------+------------------------------+----------------------+---------------------+------------------------+
| id          | transport | aors        | auth | context  | disallow | allow          | direct_media | connected_line_method | direct_media_method | direct_media_glare_mitigation | disable_direct_media_on_nat | dtmf_mode | external_media_address | force_rport | ice_support | identify_by | mailboxes | moh_suggest | outbound_auth | outbound_proxy | rewrite_contact | rtp_ipv6 | rtp_symmetric | send_diversion | send_pai | send_rpid | timers_min_se | timers | timers_sess_expires | callerid | callerid_privacy | callerid_tag | 100rel | aggregate_mwi | trust_id_inbound | trust_id_outbound | use_ptime | use_avpf | media_encryption | inband_progress | call_group | pickup_group | named_call_group | named_pickup_group | device_state_busy_at | fax_detect | t38_udptl | t38_udptl_ec | t38_udptl_maxdatagram | t38_udptl_nat | t38_udptl_ipv6 | tone_zone | language | one_touch_recording | record_on_feature | record_off_feature | rtp_engine | allow_transfer | allow_subscribe | sdp_owner | sdp_session | tos_audio | tos_video | sub_min_expiry | from_domain | from_user | mwi_from_user | dtls_verify | dtls_rekey | dtls_cert_file | dtls_private_key | dtls_cipher | dtls_ca_file | dtls_ca_path | dtls_setup | srtp_tag_32 | media_address | redirect_method | set_var | cos_audio | cos_video | message_context | force_avp | media_use_received_transport | accountcode | user_eq_phone | moh_passthrough | media_encryption_optimistic | rpid_immediate | g726_non_standard | rtp_keepalive | rtp_timeout | rtp_timeout_hold | bind_rtp_to_media_address | voicemail_extension | mwi_subscribe_replaces_unsolicited | deny | permit | acl  | contact_deny | contact_permit | contact_acl | subscribe_context | fax_detect_timeout | contact_user | preferred_codec_only | asymmetric_rtp_codec | rtcp_mux | allow_overlap | refer_blind_progress | notify_early_inuse_ringing | max_audio_streams | max_video_streams | webrtc | dtls_fingerprint | incoming_mwi_mailbox | bundle | dtls_auto_generate_cert | follow_early_media_fork | accept_multiple_sdp_answers | suppress_q850_reason_headers | trust_connected_line | send_connected_line | ignore_183_without_sdp |
+-------------+-----------+-------------+------+----------+----------+----------------+--------------+-----------------------+---------------------+-------------------------------+-----------------------------+-----------+------------------------+-------------+-------------+-------------+-----------+-------------+---------------+----------------+-----------------+----------+---------------+----------------+----------+-----------+---------------+--------+---------------------+----------+------------------+--------------+--------+---------------+------------------+-------------------+-----------+----------+------------------+-----------------+------------+--------------+------------------+--------------------+----------------------+------------+-----------+--------------+-----------------------+---------------+----------------+-----------+----------+---------------------+-------------------+--------------------+------------+----------------+-----------------+-----------+-------------+-----------+-----------+----------------+-------------+-----------+---------------+-------------+------------+----------------+------------------+-------------+--------------+--------------+------------+-------------+---------------+-----------------+---------+-----------+-----------+-----------------+-----------+------------------------------+-------------+---------------+-----------------+-----------------------------+----------------+-------------------+---------------+-------------+------------------+---------------------------+---------------------+------------------------------------+------+--------+------+--------------+----------------+-------------+-------------------+--------------------+--------------+----------------------+----------------------+----------+---------------+----------------------+----------------------------+-------------------+-------------------+--------+------------------+----------------------+--------+-------------------------+-------------------------+-----------------------------+------------------------------+----------------------+---------------------+------------------------+
| 27123456789 | NULL      | 27123456789 | NULL | external | all      | g729,ulaw,alaw | NULL         | NULL                  | NULL                | NULL                          | NULL                        | NULL      | NULL                   | NULL        | NULL        | NULL        | NULL      | NULL        | 27123456789   | NULL           | NULL            | NULL     | NULL          | NULL           | NULL     | NULL      |          NULL | NULL   |                NULL | NULL     | NULL             | NULL         | NULL   | NULL          | NULL             | NULL              | NULL      | NULL     | NULL             | NULL            | NULL       | NULL         | NULL             | NULL               |                 NULL | NULL       | NULL      | NULL         |                  NULL | NULL          | NULL           | NULL      | NULL     | NULL                | NULL              | NULL               | NULL       | NULL           | NULL            | NULL      | NULL        | ef        | NULL      |           NULL | NULL        | NULL      | NULL          | NULL        | NULL       | NULL           | NULL             | NULL        | NULL         | NULL         | NULL       | NULL        | NULL          | NULL            | NULL    |      NULL |      NULL | NULL            | NULL      | NULL                         | NULL        | NULL          | NULL            | NULL                        | NULL           | NULL              |            30 |          30 |              300 | NULL                      | NULL                | NULL                               | NULL | NULL   | NULL | NULL         | NULL           | NULL        | NULL              |               NULL | 27123456789  | NULL                 | NULL                 | NULL     | NULL          | NULL                 | NULL                       |              NULL |              NULL | no     | NULL             | NULL                 | NULL   | NULL                    | NULL                    | NULL                        | NULL                         | NULL                 | NULL                | NULL                   |
+-------------+-----------+-------------+------+----------+----------+----------------+--------------+-----------------------+---------------------+-------------------------------+-----------------------------+-----------+------------------------+-------------+-------------+-------------+-----------+-------------+---------------+----------------+-----------------+----------+---------------+----------------+----------+-----------+---------------+--------+---------------------+----------+------------------+--------------+--------+---------------+------------------+-------------------+-----------+----------+------------------+-----------------+------------+--------------+------------------+--------------------+----------------------+------------+-----------+--------------+-----------------------+---------------+----------------+-----------+----------+---------------------+-------------------+--------------------+------------+----------------+-----------------+-----------+-------------+-----------+-----------+----------------+-------------+-----------+---------------+-------------+------------+----------------+------------------+-------------+--------------+--------------+------------+-------------+---------------+-----------------+---------+-----------+-----------+-----------------+-----------+------------------------------+-------------+---------------+-----------------+-----------------------------+----------------+-------------------+---------------+-------------+------------------+---------------------------+---------------------+------------------------------------+------+--------+------+--------------+----------------+-------------+-------------------+--------------------+--------------+----------------------+----------------------+----------+---------------+----------------------+----------------------------+-------------------+-------------------+--------+------------------+----------------------+--------+-------------------------+-------------------------+-----------------------------+------------------------------+----------------------+---------------------+------------------------+

AOR
+-------------+-------------------------------+--------------------+-----------+--------------+--------------------+-----------------+-------------------+----------------------+--------------------+----------------+--------------+-----------------+---------------------+
| id          | contact                       | default_expiration | mailboxes | max_contacts | minimum_expiration | remove_existing | qualify_frequency | authenticate_qualify | maximum_expiration | outbound_proxy | support_path | qualify_timeout | voicemail_extension |
+-------------+-------------------------------+--------------------+-----------+--------------+--------------------+-----------------+-------------------+----------------------+--------------------+----------------+--------------+-----------------+---------------------+
| 27123456789 | sip:sip.mydomain.com:5060 |               NULL | NULL      |         NULL |               NULL | NULL            |                 5 | NULL                 |               NULL | NULL           | NULL         |               3 | NULL                |
+-------------+-------------------------------+--------------------+-----------+--------------+--------------------+-----------------+-------------------+----------------------+--------------------+----------------+--------------+-----------------+---------------------+

pjsip show registration 27123456789

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 27123456789/sip:sip.mydomain.com                    27123456789       Registered      

 ParameterName            : ParameterValue
 ===============================================================
 auth_rejection_permanent : false
 client_uri               : sip:27123456789@sip.mydomain.com
 contact_user             : 27123456789
 endpoint                 : 27123456789
 expiration               : 3600
 fatal_retry_interval     : 150
 forbidden_retry_interval : 60
 line                     : true
 max_retries              : 150
 outbound_auth            : 27123456789
 outbound_proxy           : 
 retry_interval           : 60
 server_uri               : sip:sip.mydomain.com
 support_path             : false
 transport                :

pjsip show endpoint 27123456789 

 Endpoint:  <Endpoint/CID.....................................>  <State.....>  <Channels.>
    I/OAuth:  <AuthId/UserName...........................................................>
        Aor:  <Aor............................................>  <MaxContact>
      Contact:  <Aor/ContactUri..........................> <Hash....> <Status> <RTT(ms)..>
  Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress..................>
   Identify:  <Identify/Endpoint.........................................................>
        Match:  <criteria.........................>
    Channel:  <ChannelId......................................>  <State.....>  <Time.....>
        Exten: <DialedExten...........>  CLCID: <ConnectedLineCID.......>
==========================================================================================

 Endpoint:  27123456789                                          Not in use    0 of inf
    OutAuth:  27123456789/27123456789
        Aor:  27123456789                                        0
      Contact:  27123456789/sip:sip.mydomain.com:5060  2914bd273f Avail        15.836
   Identify:  27123456789/27123456789
        Match: 1.1.1.1/32


 ParameterName                      : ParameterValue
 =========================================================
 100rel                             : yes
 accept_multiple_sdp_answers        : false
 accountcode                        : 
 acl                                : 
 aggregate_mwi                      : true
 allow                              : (g729|ulaw|alaw)
 allow_overlap                      : true
 allow_subscribe                    : true
 allow_transfer                     : true
 allow_unauthenticated_options      : false
 aors                               : 27123456789
 asymmetric_rtp_codec               : false
 auth                               : 
 bind_rtp_to_media_address          : false
 bundle                             : false
 call_group                         : 
 callerid                           : <unknown>
 callerid_privacy                   : allowed_not_screened
 callerid_tag                       : 
 connected_line_method              : invite
 contact_acl                        : 
 contact_user                       : 27123456789
 context                            : external
 cos_audio                          : 0
 cos_video                          : 0
 device_state_busy_at               : 0
 direct_media                       : true
 direct_media_glare_mitigation      : none
 direct_media_method                : invite
 disable_direct_media_on_nat        : false
 dtls_auto_generate_cert            : No
 dtls_ca_file                       : 
 dtls_ca_path                       : 
 dtls_cert_file                     : 
 dtls_cipher                        : 
 dtls_fingerprint                   : SHA-256
 dtls_private_key                   : 
 dtls_rekey                         : 0
 dtls_setup                         : active
 dtls_verify                        : No
 dtmf_mode                          : rfc4733
 fax_detect                         : false
 fax_detect_timeout                 : 0
 follow_early_media_fork            : true
 force_avp                          : false
 force_rport                        : true
 from_domain                        : 
 from_user                          : 
 g726_non_standard                  : false
 ice_support                        : false
 identify_by                        : username,ip
 ignore_183_without_sdp             : false
 inband_progress                    : false
 incoming_mwi_mailbox               : 
 language                           : 
 mailboxes                          : 
 max_audio_streams                  : 1
 max_video_streams                  : 1
 media_address                      : 
 media_encryption                   : no
 media_encryption_optimistic        : false
 media_use_received_transport       : false
 message_context                    : 
 moh_passthrough                    : false
 moh_suggest                        : default
 mwi_from_user                      : 
 mwi_subscribe_replaces_unsolicited : no
 named_call_group                   : 
 named_pickup_group                 : 
 notify_early_inuse_ringing         : false
 one_touch_recording                : false
 outbound_auth                      : 27123456789
 outbound_proxy                     : 
 pickup_group                       : 
 preferred_codec_only               : false
 record_off_feature                 : automixmon
 record_on_feature                  : automixmon
 refer_blind_progress               : true
 rewrite_contact                    : false
 rpid_immediate                     : false
 rtcp_mux                           : false
 rtp_engine                         : asterisk
 rtp_ipv6                           : false
 rtp_keepalive                      : 30
 rtp_symmetric                      : false
 rtp_timeout                        : 30
 rtp_timeout_hold                   : 300
 sdp_owner                          : -
 sdp_session                        : Asterisk
 send_connected_line                : yes
 send_diversion                     : true
 send_history_info                  : false
 send_pai                           : false
 send_rpid                          : false
 set_var                            : 
 srtp_tag_32                        : false
 stir_shaken                        : false
 sub_min_expiry                     : 0
 subscribe_context                  : 
 suppress_q850_reason_headers       : false
 t38_udptl                          : false
 t38_udptl_ec                       : none
 t38_udptl_ipv6                     : false
 t38_udptl_maxdatagram              : 0
 t38_udptl_nat                      : false
 timers                             : yes
 timers_min_se                      : 90
 timers_sess_expires                : 1800
 tone_zone                          : 
 tos_audio                          : 184
 tos_video                          : 0
 transport                          : 
 trust_connected_line               : yes
 trust_id_inbound                   : false
 trust_id_outbound                  : false
 use_avpf                           : false
 use_ptime                          : false
 user_eq_phone                      : false
 voicemail_extension                : 
 webrtc                             : no

This is the SIP trace for the this customer (from portaone) and the contact header does include the public IP address.

INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 1.1.1.1:5060;rport;branch=z9hG4bKPj95b0c590-1697-49b8-a0a7-5a974d2a32c2
From: "Test" <sip:27124502630@1.1.1.1>;tag=1da25406-0000-4fed-8bd0-71c2b5e9ee33
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:27123456789@1.1.1.1:5060>
Call-ID: e28c0892-44e9-4446-bd19-9028070043d1
CSeq: 26476 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   304

v=0
o=- 939938733 939938733 IN IP4 1.1.1.1
s=Asterisk
c=IN IP4 1.1.1.1
t=0 0
m=audio 16390 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

jcolp · January 15, 2025, 10:32am

You’re showing a lot of different configurations and INVITEs, and it’s honestly really confusing on what is what. Just show the configuration, CLI output, and SIP trace for the NON-WORKING setup.

faqterson · January 15, 2025, 11:02am

It not going to help that I send the CLI output because the call gets processed.
Asterisk is processing the call and PortaOne is accepting the call but PortaOne disconnects the call after 30 seconds because of the contact header having the private IP address in it.

This is the Invite received on PortaOne:

<— SIP read from UDP:1.1.1.1:5060 —>
INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj95b0c590-1697-49b8-a0a7-5a974d2a32c2
From: “Test” sip:27124502630@172.32.2.19;tag=1da25406-0000-4fed-8bd0-71c2b5e9ee33
To: sip:0123456789@sip.mydomain.com
Contact: sip:27123456789@172.32.2.19:5060
Call-ID: e28c0892-44e9-4446-bd19-9028070043d1
CSeq: 26476 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length: 304

v=0
o=- 939938733 939938733 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16390 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

The packet was received from a public IP, I have changed it to 1.1.1.1 for privacy.

The contact header I have marked in Bold. The contact header has the PBX private IP 172.32.2.19
PortaOne is saying because they can’t communicate with the private IP address they disconnect the call after 30 seconds.

Customer 1 firewall needs to change this private IP address to the public address in the Contact Header but it doesn’t.

Customer 2 that has my MikroTik firewall does change contact headers IP to the public IP address.

Conclusion: Customer 1 firewall is not changing the SIP Contact Header to the public IP address, why?

jcolp · January 15, 2025, 11:06am

Okay, if you don’t want to provide what I’ve asked for then I can’t help further.

faqterson · January 15, 2025, 11:38am

CLI Output with pjsip logger enabled:

    -- Executing [s@trunk:15] Dial("PJSIP/3268-0004c40e", "PJSIP/0123456789@mytrunk,300,TrU(connected,PJSIP/3268,1736940068,1736940067.601851)") in new stack
    -- Called PJSIP/0123456789@mytrunk
    
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  
<--- Transmitting SIP request (1026 bytes) to UDP:111.111.111.111:5060 --->
INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj8dd429dc-a88f-4269-8abd-6297a2f9d8e2
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4274 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   306

v=0
o=- 1753095730 1753095730 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Received SIP response (413 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj8dd429dc-a88f-4269-8abd-6297a2f9d8e2
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4274 INVITE
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0


<--- Received SIP response (642 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj8dd429dc-a88f-4269-8abd-6297a2f9d8e2
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>;tag=id6onk7.i
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4274 INVITE
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
WWW-Authenticate: Digest realm="sip-5.Desktop_Network_Solutions",nonce="1736940068:2719a8221f50858150897edcadaeee017890c118"
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0


<--- Transmitting SIP request (439 bytes) to UDP:111.111.111.111:5060 --->
ACK sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj8dd429dc-a88f-4269-8abd-6297a2f9d8e2
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>;tag=id6onk7.i
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4274 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0


<--- Transmitting SIP request (1267 bytes) to UDP:111.111.111.111:5060 --->
INVITE sip:0123456789@sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj25ad0a67-fae2-4c9f-bdfc-4aeaed564e4d
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4275 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Authorization: Digest username="mytrunk", realm="sip-5.Desktop_Network_Solutions", nonce="1736940068:2719a8221f50858150897edcadaeee017890c118", uri="sip:0123456789@sip.mydomain.com:5060", response="9acde13fac7ef67f2f9a84e03c877eee"
Content-Type: application/sdp
Content-Length:   306

v=0
o=- 1753095730 1753095730 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Received SIP response (413 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj25ad0a67-fae2-4c9f-bdfc-4aeaed564e4d
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4275 INVITE
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0
  
<--- Transmitting SIP request (437 bytes) to UDP:111.111.111.111:5060 --->
OPTIONS sip:sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPjdf1cf809-6179-4985-a2c7-90cfcf72d7ab
From: <sip:mytrunk@172.32.2.19>;tag=693208ed-100c-45e4-90a8-0969ee256f5f
To: <sip:sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>
Call-ID: b555c484-876c-4042-8ad4-cb65248a1467
CSeq: 35625 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0


<--- Received SIP response (433 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPjdf1cf809-6179-4985-a2c7-90cfcf72d7ab
From: <sip:mytrunk@172.32.2.19>;tag=693208ed-100c-45e4-90a8-0969ee256f5f
To: <sip:sip.mydomain.com>;tag=1c1319612991
Call-ID: b555c484-876c-4042-8ad4-cb65248a1467
CSeq: 35625 OPTIONS
Contact: <sip:111.111.111.111:5060>
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0

<--- Received SIP response (555 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj25ad0a67-fae2-4c9f-bdfc-4aeaed564e4d
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4275 INVITE
Contact: <sip:111.111.111.111:5060>
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS, UPDATE
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0


    -- PJSIP/mytrunk-0004c40f is ringing
  
<--- Transmitting SIP request (437 bytes) to UDP:111.111.111.111:5060 --->
OPTIONS sip:sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPj37225d07-ea2d-43f5-80ca-810f341aadce
From: <sip:mytrunk@172.32.2.19>;tag=61ac8185-ee7a-4502-b155-e073debcf4bb
To: <sip:sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>
Call-ID: c4870f91-4ce2-4568-a856-2f4c4313d2c6
CSeq: 24979 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0


<--- Received SIP response (431 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj37225d07-ea2d-43f5-80ca-810f341aadce
From: <sip:mytrunk@172.32.2.19>;tag=61ac8185-ee7a-4502-b155-e073debcf4bb
To: <sip:sip.mydomain.com>;tag=1c38887495
Call-ID: c4870f91-4ce2-4568-a856-2f4c4313d2c6
CSeq: 24979 OPTIONS
Contact: <sip:111.111.111.111:5060>
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0


  == Manager 'admin' logged on from 127.0.0.1
<--- Received SIP response (827 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPj25ad0a67-fae2-4c9f-bdfc-4aeaed564e4d
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4275 INVITE
Contact: <sip:111.111.111.111:5060>
Supported: sdp-anat
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS, UPDATE
Server: Mediant VE SBC/v.7.40A.500.781
Content-Type: application/sdp
Content-Length: 223

v=0
o=PortaSIP 815456375 670764911 IN IP4 111.111.111.111
s=-
c=IN IP4 111.111.111.111
t=0 0
m=audio 18056 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendonly

    -- Call on PJSIP/mytrunk-0004c40f placed on hold
<--- Transmitting SIP request (422 bytes) to UDP:111.111.111.111:5060 --->
ACK sip:111.111.111.111:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPja1311ea7-8360-436d-b0cf-dc52b37e79ef
From: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
To: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 4275 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0

    -- Started music on hold, class 'default', on channel 'PJSIP/3268-0004c40e'
    -- PJSIP/mytrunk-0004c40f answered PJSIP/3268-0004c40e
    -- PJSIP/mytrunk-0004c40f Internal Gosub(connected,s,1(PJSIP/3268,1736940068,1736940067.601851)) start
    -- Executing [s@connected:1] Set("PJSIP/mytrunk-0004c40f", "AGENT=PJSIP/3268") in new stack
    -- Executing [s@connected:2] Set("PJSIP/mytrunk-0004c40f", "HOLDTIME=6") in new stack
    -- Executing [s@connected:3] System("PJSIP/mytrunk-0004c40f", "echo "1736940074|1736940067.601851|outbound|PJSIP/3268|CONNECT|6|1736940067.601851|6" >> /var/log/asterisk/queue_log") in new stack
    -- Executing [s@connected:4] Return("PJSIP/mytrunk-0004c40f", "") in new stack
    -- PJSIP/mytrunk-0004c40f Internal Gosub(connected,s,1(PJSIP/3268,1736940068,1736940067.601851)) complete GOSUB_RETVAL=
    -- Channel PJSIP/mytrunk-0004c40f joined 'simple_bridge' basic-bridge <41c04c14-1816-453f-a949-4873ed69a552>
    -- Channel PJSIP/3268-0004c40e joined 'simple_bridge' basic-bridge <41c04c14-1816-453f-a949-4873ed69a552>
  
<--- Received SIP request (876 bytes) from UDP:111.111.111.111:5060 --->
INVITE sip:mytrunk@172.32.2.19:5060 SIP/2.0
Via: SIP/2.0/UDP 111.111.111.111:5060;branch=z9hG4bKac567384517
Max-Forwards: 67
From: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
To: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
CSeq: 1 INVITE
Contact: <sip:111.111.111.111:5060>
Supported: sdp-anat
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS, UPDATE
User-Agent: Mediant VE SBC/v.7.40A.500.781
Content-Type: application/sdp
Content-Length: 223
h323-conf-id: 1407671545-4003417495-982982369-3557120545

v=0
o=PortaSIP 815456375 670764912 IN IP4 111.111.111.111
s=-
t=0 0
m=audio 18056 RTP/AVP 8 101
c=IN IP4 111.111.111.111
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv

<--- Transmitting SIP response (863 bytes) to UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 111.111.111.111:5060;rport=5060;received=111.111.111.111;branch=z9hG4bKac567384517
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
From: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
To: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
CSeq: 1 INVITE
Contact: <sip:mytrunk@172.32.2.19:5060>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   235

v=0
o=- 1753095730 1753095731 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Transmitting SIP response (863 bytes) to UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 111.111.111.111:5060;rport=5060;received=111.111.111.111;branch=z9hG4bKac567384517
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
From: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
To: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
CSeq: 1 INVITE
Contact: <sip:mytrunk@172.32.2.19:5060>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   235

v=0
o=- 1753095730 1753095731 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Transmitting SIP response (863 bytes) to UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 111.111.111.111:5060;rport=5060;received=111.111.111.111;branch=z9hG4bKac567384517
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
From: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
To: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
CSeq: 1 INVITE
Contact: <sip:mytrunk@172.32.2.19:5060>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   235

v=0
o=- 1753095730 1753095731 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Transmitting SIP response (863 bytes) to UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 111.111.111.111:5060;rport=5060;received=111.111.111.111;branch=z9hG4bKac567384517
Call-ID: e9ef32b2-e4ea-4567-a40e-baed1914c4e3
From: <sip:0123456789@sip.mydomain.com>;tag=oyqqnwy.i
To: "Test" <sip:27123456789@172.32.2.19>;tag=d7b7509f-39d5-42c9-a19c-9a82b82dd18f
CSeq: 1 INVITE
Contact: <sip:mytrunk@172.32.2.19:5060>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, INFO, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 20.8.1
Content-Type: application/sdp
Content-Length:   235

v=0
o=- 1753095730 1753095731 IN IP4 172.32.2.19
s=Asterisk
c=IN IP4 172.32.2.19
t=0 0
m=audio 16958 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:140
a=sendrecv

<--- Transmitting SIP request (436 bytes) to UDP:111.111.111.111:5060 --->
OPTIONS sip:sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 172.32.2.19:5060;rport;branch=z9hG4bKPjd4e16bd5-8f9b-40f8-9b0a-5b95a3138add
From: <sip:mytrunk@172.32.2.19>;tag=a30852ac-9332-4ea3-a386-5169acf7ce33
To: <sip:sip.mydomain.com>
Contact: <sip:mytrunk@172.32.2.19:5060>
Call-ID: cd30db11-f13e-447e-b397-4db92ce401ec
CSeq: 1303 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0


<--- Received SIP response (432 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.32.2.19:5060;received=1.1.1.1;rport=65477;branch=z9hG4bKPjd4e16bd5-8f9b-40f8-9b0a-5b95a3138add
From: <sip:mytrunk@172.32.2.19>;tag=a30852ac-9332-4ea3-a386-5169acf7ce33
To: <sip:sip.mydomain.com>;tag=1c1337178905
Call-ID: cd30db11-f13e-447e-b397-4db92ce401ec
CSeq: 1303 OPTIONS
Contact: <sip:111.111.111.111:5060>
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0

Trunk Configuration:

pjsip show auth mytrunk 

  I/OAuth:  <AuthId/UserName.............................................................>
==========================================================================================

     Auth:  mytrunk/mytrunk

 ParameterName  : ParameterValue
 ===============================
 auth_type      : userpass
 md5_cred       : 
 nonce_lifetime : 32
 oauth_clientid : 
 oauth_secret   : 
 password       : mypassword
 realm          : 
 refresh_token  : 
 username       : mytrunk



pjsip show aor mytrunk 

      Aor:  <Aor..............................................>  <MaxContact>
    Contact:  <Aor/ContactUri............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================

      Aor:  mytrunk                                          0
    Contact:  mytrunk/sip:sip.mydomain.com:5060    2914bd273f Avail        13.006


 ParameterName        : ParameterValue
 ====================================================
 authenticate_qualify : false
 contact              : sip:sip.mydomain.com:5060
 default_expiration   : 3600
 mailboxes            : 
 max_contacts         : 0
 maximum_expiration   : 7200
 minimum_expiration   : 60
 outbound_proxy       : 
 qualify_frequency    : 5
 qualify_timeout      : 3.000000
 remove_existing      : false
 remove_unavailable   : false
 support_path         : false
 voicemail_extension  : 


pjsip show endpoint mytrunk 

 Endpoint:  <Endpoint/CID.....................................>  <State.....>  <Channels.>
    I/OAuth:  <AuthId/UserName...........................................................>
        Aor:  <Aor............................................>  <MaxContact>
      Contact:  <Aor/ContactUri..........................> <Hash....> <Status> <RTT(ms)..>
  Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress..................>
   Identify:  <Identify/Endpoint.........................................................>
        Match:  <criteria.........................>
    Channel:  <ChannelId......................................>  <State.....>  <Time.....>
        Exten: <DialedExten...........>  CLCID: <ConnectedLineCID.......>
==========================================================================================

 Endpoint:  mytrunk                                          Not in use    0 of inf
    OutAuth:  mytrunk/mytrunk
        Aor:  mytrunk                                        0
      Contact:  mytrunk/sip:sip.mydomain.com:5060  2914bd273f Avail        13.900
   Identify:  mytrunk/mytrunk
        Match: 111.111.111.111/32


 ParameterName                      : ParameterValue
 ===================================================================================================
 100rel                             : yes
 accept_multiple_sdp_answers        : false
 accountcode                        : 
 acl                                : 
 aggregate_mwi                      : true
 allow                              : (g729|ulaw|alaw)
 allow_overlap                      : true
 allow_subscribe                    : true
 allow_transfer                     : true
 allow_unauthenticated_options      : false
 aors                               : mytrunk
 asymmetric_rtp_codec               : false
 auth                               : 
 bind_rtp_to_media_address          : false
 bundle                             : false
 call_group                         : 
 callerid                           : <unknown>
 callerid_privacy                   : allowed_not_screened
 callerid_tag                       : 
 codec_prefs_incoming_answer        : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_incoming_offer         : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_outgoing_answer        : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_outgoing_offer         : prefer:pending, operation:union, keep:all, transcode:allow
 connected_line_method              : invite
 contact_acl                        : 
 contact_user                       : mytrunk
 context                            : external
 cos_audio                          : 0
 cos_video                          : 0
 device_state_busy_at               : 0
 direct_media                       : true
 direct_media_glare_mitigation      : none
 direct_media_method                : invite
 disable_direct_media_on_nat        : false
 dtls_auto_generate_cert            : No
 dtls_ca_file                       : 
 dtls_ca_path                       : 
 dtls_cert_file                     : 
 dtls_cipher                        : 
 dtls_fingerprint                   : SHA-256
 dtls_private_key                   : 
 dtls_rekey                         : 0
 dtls_setup                         : active
 dtls_verify                        : No
 dtmf_mode                          : rfc4733
 fax_detect                         : false
 fax_detect_timeout                 : 0
 follow_early_media_fork            : true
 force_avp                          : false
 force_rport                        : true
 from_domain                        : 
 from_user                          : 
 g726_non_standard                  : false
 geoloc_incoming_call_profile       : 
 geoloc_outgoing_call_profile       : 
 ice_support                        : false
 identify_by                        : username,ip
 ignore_183_without_sdp             : false
 inband_progress                    : false
 incoming_call_offer_pref           : local
 incoming_mwi_mailbox               : 
 language                           : 
 mailboxes                          : 
 max_audio_streams                  : 1
 max_video_streams                  : 1
 media_address                      : 
 media_encryption                   : no
 media_encryption_optimistic        : false
 media_use_received_transport       : false
 message_context                    : 
 moh_passthrough                    : false
 moh_suggest                        : default
 mwi_from_user                      : 
 mwi_subscribe_replaces_unsolicited : no
 named_call_group                   : 
 named_pickup_group                 : 
 notify_early_inuse_ringing         : false
 one_touch_recording                : false
 outbound_auth                      : mytrunk
 outbound_proxy                     : 
 outgoing_call_offer_pref           : remote_merge
 overlap_context                    : 
 pickup_group                       : 
 preferred_codec_only               : false
 record_off_feature                 : automixmon
 record_on_feature                  : automixmon
 refer_blind_progress               : true
 rewrite_contact                    : false
 rpid_immediate                     : false
 rtcp_mux                           : false
 rtp_engine                         : asterisk
 rtp_ipv6                           : false
 rtp_keepalive                      : 30
 rtp_symmetric                      : false
 rtp_timeout                        : 30
 rtp_timeout_hold                   : 300
 sdp_owner                          : -
 sdp_session                        : Asterisk
 security_mechanisms                : 
 security_negotiation               : no
 send_aoc                           : false
 send_connected_line                : yes
 send_diversion                     : true
 send_history_info                  : false
 send_pai                           : false
 send_rpid                          : false
 set_var                            : 
 srtp_tag_32                        : false
 stir_shaken                        : no
 stir_shaken_profile                : 
 sub_min_expiry                     : 0
 subscribe_context                  : 
 suppress_q850_reason_headers       : false
 t38_bind_udptl_to_media_address    : false
 t38_udptl                          : false
 t38_udptl_ec                       : none
 t38_udptl_ipv6                     : false
 t38_udptl_maxdatagram              : 0
 t38_udptl_nat                      : false
 timers                             : yes
 timers_min_se                      : 90
 timers_sess_expires                : 1800
 tone_zone                          : 
 tos_audio                          : 184
 tos_video                          : 0
 transport                          : 
 trust_connected_line               : yes
 trust_id_inbound                   : false
 trust_id_outbound                  : false
 use_avpf                           : false
 use_ptime                          : false
 user_eq_phone                      : false
 voicemail_extension                : 
 webrtc                             : no


pjsip show registration mytrunk 

 <Registration/ServerURI..............................>  <Auth....................>  <Status.......>
==========================================================================================

 mytrunk/sip:sip.mydomain.com                    mytrunk                 Registered        (exp. 3385s)

 ParameterName            : ParameterValue
 ===============================================================
 auth_rejection_permanent : false
 client_uri               : sip:mytrunk@sip.mydomain.com
 contact_header_params    : 
 contact_user             : mytrunk
 endpoint                 : mytrunk
 expiration               : 3600
 fatal_retry_interval     : 150
 forbidden_retry_interval : 60
 line                     : true
 max_random_initial_delay : 10
 max_retries              : 150
 outbound_auth            : mytrunk
 outbound_proxy           : 
 retry_interval           : 60
 security_mechanisms      : 
 security_negotiation     : no
 server_uri               : sip:sip.mydomain.com
 support_outbound         : no
 support_path             : false
 transport                : 


pjsip show identify mytrunk 

 Identify:  <Identify/Endpoint...........................................................>
      Match:  <criteria...........................>
==========================================================================================

 Identify:  mytrunk/mytrunk
      Match: 111.111.111.111/32


 ParameterName     : ParameterValue
 ==================================================
 endpoint          : mytrunk
 match             : 111.111.111.111/255.255.255.255
 match_header      : 
 match_request_uri : 
 srv_lookups       : true


pjsip show transport transport-udp 

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport-udp             udp      0    184  0.0.0.0:5060

 ParameterName               : ParameterValue
 ============================================
 allow_reload                : false
 allow_wildcard_certs        : No
 async_operations            : 1
 bind                        : 0.0.0.0:5060
 ca_list_file                : 
 ca_list_path                : 
 cert_file                   : 
 cipher                      : 
 cos                         : 0
 domain                      : 
 external_media_address      : 
 external_signaling_address  : 
 external_signaling_port     : 0
 local_net                   : 
 method                      : unspecified
 password                    : 
 priv_key_file               : 
 protocol                    : udp
 require_client_cert         : No
 symmetric_transport         : false
 tcp_keepalive_enable        : true
 tcp_keepalive_idle_time     : 30
 tcp_keepalive_interval_time : 1
 tcp_keepalive_probe_count   : 5
 tos                         : 184
 verify_client               : No
 verify_server               : No
 websocket_write_timeout     : 100

jcolp · January 15, 2025, 11:44am

There is no external_signaling_address and external_media_address in the “transport-udp” transport, as a result there would be no substitution of address information with public information. You would also commonly set local_net so that substitution doesn’t occur for local networks.

faqterson · January 15, 2025, 12:16pm

My understanding is that the external_signaling_address and external_media_address on relates to devices connecting from externally to my Asterisk PBX when it it behind NAT.
Exp:
SIP Phone (Register) → Home User Firewall → Customer Firewall → PBX Private IP

But this setup is different.
PBX Private (Register) → Customer Firewall → PortaOne SBC

I will give it ago again but the last time I tested it didn’t make a different.

jcolp · January 15, 2025, 12:19pm

It’s used to place a different IP address in the SIP signaling and SDP. If that’s what you want to do, that’s how you do it.

faqterson · January 15, 2025, 12:51pm

Looking at the SIP Options since the change the Contact Header does have the public IP address now:

<--- Transmitting SIP request (445 bytes) to UDP:111.111.111.111:5060 --->
OPTIONS sip:sip.mydomain.com:5060 SIP/2.0
Via: SIP/2.0/UDP 1.1.1.1:5062;rport;branch=z9hG4bKPj94892d14-356e-499f-8f3d-bbc99405df3e
From: <sip:mytrunk@172.32.2.19>;tag=39cc3783-51ee-4b2a-b1cc-1e5f2e30e214
To: <sip:sip.mydomain.com>
Contact: <sip:mytrunk@1.1.1.1:5062>
Call-ID: 234701dc-29c6-490f-8fbd-6c518194d8f7
CSeq: 32878 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 20.8.1
Content-Length:  0


<--- Received SIP response (436 bytes) from UDP:111.111.111.111:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.1.1.1:5062;received=1.1.1.1;rport=65479;branch=z9hG4bKPj94892d14-356e-499f-8f3d-bbc99405df3e
From: <sip:mytrunk@172.32.2.19>;tag=39cc3783-51ee-4b2a-b1cc-1e5f2e30e214
To: <sip:sip.mydomain.com>;tag=1c999216076
Call-ID: 234701dc-29c6-490f-8fbd-6c518194d8f7
CSeq: 32878 OPTIONS
Contact: <sip:111.111.111.111:5060>
Server: Mediant VE SBC/v.7.40A.500.781
Content-Length: 0

Can external_signaling_address and external_media_address be FQDN or only an IP address?

I suspect this is going to be a problem if the customer needs to fail over to their second services provider on a new public IP address. (People that don’t do redundancy correctly)

jcolp · January 15, 2025, 12:52pm

A hostname can be provided, but it will resolve down to an IP address and if it changes a reload would be required.

Topic		Replies	Views
PJSIP NAT Issues Asterisk SIP	7	1097	January 31, 2020
PJSIP RTP Issues with NAT endpoints Asterisk Support	4	6552	June 20, 2016
PJSIP: Contact header format for inbound calls. One way audio inbound calls behind NAT. Asterisk SIP	2	281	July 2, 2021
PJSIP Asterisk and endpoints behind NAT Asterisk Endpoints	7	1880	October 25, 2023
Asterisk put his private ip however external_signaling_address is defined Asterisk SIP	7	2942	February 12, 2020

PJSIP Trunk and NAT

Related topics