Private IP being shown to public server from behind NAT

We provide hosted PBX solutions to our customers. Right now we have a customer that has intermittent issues of hearing no audio on handsets. We just go and tinker with the handset, but eventually end up restarting the phone, which is a snom 821.

When dialling a cell phone and call is answered, no audio can be heard in either direction.

Our PBX has the public IP 10.10.10.10, and the customer has public IP 6.6.6.6 on their router. Their phones are on the private subnet 172.16.207.

When I do sip show peers, I see their host IP for the extensions as their public router IP.

[code]Parsing /etc/asterisk/extconfig.conf
Name/username   Host            Dyn Nat ACL Port   Status
9999/9999       (Unspecified)    D   N      0      UNKNOWN
9998/9998       (Unspecified)    D   N      0      UNKNOWN
1036/1036       6.6.6.6          D   N      40448  OK (110 ms)
1035/1035       (Unspecified)    D   N      0      UNKNOWN
1034/1034       6.6.6.6          D   N      41536  OK (103 ms)
1033/1033       6.6.6.6          D   N      41792  OK (103 ms)
1032/1032       6.6.6.6          D   N      42304  OK (102 ms)
1031/1031       6.6.6.6          D   N      41600  OK (103 ms)
1030/1030       6.6.6.6          D   N      41280  OK (107 ms)
1029/1029       6.6.6.6          D   N      41984  OK (141 ms)
1028/1028       6.6.6.6          D   N      41856  OK (103 ms)
1027/1027       (Unspecified)    D   N      0      UNKNOWN
1026/1026       6.6.6.6          D   N      37504  OK (106 ms)
1024/1024       6.6.6.6          D   N      41344  OK (103 ms)
1023/1023       6.6.6.6          D   N      41024  OK (103 ms)
1021/1021       6.6.6.6          D   N      41408  OK (103 ms)
1020/1020       6.6.6.6          D   N      41920  OK (106 ms)
1019/1019       6.6.6.6          D   N      41728  OK (103 ms)
1018/1018       6.6.6.6          D   N      39424  OK (107 ms)
1017/1017       6.6.6.6          D   N      41088  OK (102 ms)
1016/1016       6.6.6.6          D   N      40960  OK (103 ms)[/code]

When I do sip show channels I sometimes see their private IP addresses.

[code]Parsing /etc/asterisk/extconfig.conf
Peer             User/ANR  Call ID      Seq (Tx/Rx)  Format         Hold  Last Message
6.6.6.6          (None)    061283f164e  00102/00000  0x0 (nothing)  No    Init: OPTIONS
6.6.6.6          1028      666e693a0df  00102/00000  0x4 (ulaw)     No    Init: INVITE
6.6.6.6          1028      307a433423a  00101/00000  0x0 (nothing)  No
172.16.207.102   (None)    4c70263ceca  00101/03908  0x0 (nothing)  No    Rx: REGISTER
172.16.207.72    (None)    fd70263c489  00101/03894  0x0 (nothing)  No    Rx: REGISTER[/code]

Could this somehow be related to why sometimes handsets do not get any kind of audio? Some NAT settings on their router?

We do not manage their IT, but they want us to tell them what it is that they need to do to fix the problem.

Any suggestions are welcome. Thanks

Are all phones using the standard SIP 5060/UDP setting?

Is in sip.conf
directmedia set to no? (directmedia=no)

And the extensions have nat=yes in their configuration, I guess?

But is the sip port for each phone set to 5060? If this has been changed it should be in the sip.conf or an include file under the section for each individual phone.

The problem, as described, is at the remote end. If intended to work from behind NAT, either the phone should be NAT aware (as Asterisk is), or the remote NAT device should be SIP aware.

The only thing that Asterisk can do about it is to ignore the misinformation it is receiving in the SIP protocol, and use the actual packet addresses, which is what nat=yes is intended to do, but you really need to fix the remote end.

Default port 5060 is being used. That is why calls do get established, only no audio can be heard. So I am thinking there is something wrong on the RTP side of things, so it could be a NAT issue.

[quote]Is in sip.conf
directmedia set to no? (directmedia=no)[/quote]

No, I do not have the directmedia option in my sip.conf at all. I am using Asterisk 1.4, so that is equivalent to canreinvite, which I have set to no.

Below is the extract from sip.conf with 2 extensions. The rest of the extensions follow in the same manner.

[code][general]
bindaddr=0.0.0.0
bindport=5060
context=invalid-context
allowguest=no
rtptimeout=60
mohsuggest=default
mohinterpret=default
limitonpeers=yes
defaultexpirey=3600
maxexpirey=7200
disallow=all
allow=ulaw
allow=alaw

[1000]
accountcode=1000
type=friend
dtmfmode=rfc2833
context=default
nat=yes
canreinvite=no
qualify=2000
host=dynamic
callingpres=allowed_passed_screen
mailbox=1000@default
callgroup=2
pickupgroup=2
username=1000
secret=1000password1000
disallow=all
allow=ulaw
allow=alaw
allow=g729
callerid=1000 <1000>
subscribecontext=hints
call-limit=64

[1001]
accountcode=1001
type=friend
dtmfmode=rfc2833
context=default
nat=yes
canreinvite=no
qualify=2000
host=dynamic
callingpres=allowed_passed_screen
mailbox=1001@default
callgroup=2
pickupgroup=2
username=1001
secret=1001password1001
disallow=all
allow=ulaw
allow=alaw
allow=g729
callerid=1001 <1001>
subscribecontext=hints
call-limit=64[/code]

By that do you mean the problem is in the client’s office on their handsets?

As you can see from the extract of the sip.conf, nat=yes has been set.

The handsets are snom 821. I have found out the router they are using is a Draytek Vigor 2920n. This Draytek, I think, does NAT traversal by default. Could this be causing the problem?

The snom handset only offers the following options for NAT, which are not configured at the moment since I do not need it when I am testing from my office.

Offer ICE
Stun server
Stun interval
Keep alive

Below is a little SIP trace run on the Asterisk server for a few seconds. You will notice that the Asterisk server sees the extension's internal IP address.

[code]<--- SIP read from 6.6.6.6:37504 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK0eb8fa4d;rport=5060
From: "asterisk" sip:asterisk@10.10.10.10;tag=as6ad2eaa1
To: sip:1026@172.16.207.26:3072;line=ynuph7rs
Call-ID: 002d46013c9775f61b8564894d645b42@10.10.10.10
CSeq: 102 OPTIONS
Contact: sip:1026@172.16.207.26:3072;line=ynuph7rs;reg-id=1
User-Agent: snom821/8.4.20
Accept-Language: en
Accept: application/sdp
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
Allow-Events: talk, hold, refer, call-info
Supported: timer, 100rel, replaces, from-change
Content-Length: 0

<------------->
--- (14 headers 0 lines) ---
Really destroying SIP dialog '002d46013c9775f61b8564894d645b42@10.10.10.10' Method: OPTIONS

<--- SIP read from 6.6.6.6:41408 --->
BYE sip:07904565555@10.10.10.10 SIP/2.0
Via: SIP/2.0/UDP 172.16.207.87:3072;branch=z9hG4bK-5gjqsjuqspta;rport
From: "1021" sip:1021@10.10.10.10;tag=c09mnbocvj
To: sip:07904567609@10.10.10.10;user=phone;tag=as777b102e
Call-ID: e669423cd369-hfhfbw3cq4dv
CSeq: 3 BYE
Max-Forwards: 70
Contact: sip:1021@172.16.207.87:3072;line=vzw01zs5;reg-id=1
User-Agent: snom821/8.4.20
RTP-RxStat: Total_Rx_Pkts=1354,Rx_Pkts=1354,Rx_Pkts_Lost=21,Remote_Rx_Pkts_Lost=4
RTP-TxStat: Total_Tx_Pkts=1437,Tx_Pkts=1437,Remote_Tx_Pkts=1252
Content-Length: 0

<------------->
--- (12 headers 0 lines) ---
Sending to 172.16.207.87 : 3072 (no NAT)

<--- Transmitting (no NAT) to 172.16.207.87:3072 --->
SIP/2.0 481 Call leg/transaction does not exist
Via: SIP/2.0/UDP 172.16.207.87:3072;branch=z9hG4bK-5gjqsjuqspta;received=6.6.6.6;rport=41408
From: "1021" sip:1021@10.10.10.10;tag=c09mnbocvj
To: sip:07904565555@10.10.10.10;user=phone;tag=as777b102e
Call-ID: e669423cd369-hfhfbw3cq4dv
CSeq: 3 BYE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Content-Length: 0

<------------>

<--- SIP read from 6.6.6.6:40896 --->
BYE sip:07861661864@10.10.10.10 SIP/2.0
Via: SIP/2.0/UDP 172.16.207.79:3072;branch=z9hG4bK-qni7y61fa07e;rport
From: "1005" sip:1005@10.10.10.10;tag=vu6rga6ecv
To: sip:07861665555@10.10.10.10;user=phone;tag=as312a4dc3
Call-ID: 497b4b3cf8cc-cujvycv4q55o
CSeq: 3 BYE
Max-Forwards: 70
Contact: sip:1005@172.16.207.79:3072;line=qpdqnzr9;reg-id=1
User-Agent: snom821/8.4.20
RTP-RxStat: Total_Rx_Pkts=3032,Rx_Pkts=3032,Rx_Pkts_Lost=45,Remote_Rx_Pkts_Lost=21
RTP-TxStat: Total_Tx_Pkts=3139,Tx_Pkts=3139,Remote_Tx_Pkts=3002
Content-Length: 0

<------------->
--- (12 headers 0 lines) ---
Sending to 6.6.6.6 : 40896 (NAT)

<--- Transmitting (NAT) to 6.6.6.6:40896 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 172.16.207.79:3072;branch=z9hG4bK-qni7y61fa07e;received=6.6.6.6;rport=40896
From: "1005" sip:1005@10.10.10.10;tag=vu6rga6ecv
To: sip:07861665555@10.10.10.10;user=phone;tag=as312a4dc3
Call-ID: 497b4b3cf8cc-cujvycv4q55o
CSeq: 3 BYE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Content-Length: 0
[/code]

thanks

The local address is being reflected by the remote side, not originated by it.

The trace doesn’t include any outgoing requests, which would be the interesting cases.

Your sip.conf has no NAT enabling options (nat=yes is a work round for broken NAT at the remote side, not one to enable NAT on the local system). You need at least some of externhost, externip, stunaddr and localnets.

Why would I need an externhost or externip option in my sip.conf? The Asterisk server has the public IP 10.10.10.10. It is not behind any kind of NAT. Or am I not understanding you correctly?

It is the handsets that are behind NAT, logging into the asterisk server at 10.10.10.10.

10.0.0.0/8 is NOT a public address.

If you are going to munge addresses, do not munge public addresses into non-routable ones.

OK. My bad in putting 10.10.10.10.

I just replaced my real public IP address with some dummy IP for security reasons. Put a private one in without thinking.

But the asterisk does have public IP directly configured on it.
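
Added example, not part of the original thread and not Asterisk code: a small Python check that illustrates two points made above, namely answering to the packet's real source instead of the private address the phone writes into Via/Contact, and why 10.10.10.10 cannot stand in for a public address. The message is constructed from the BYE in the trace (with the angle brackets a Contact normally carries), the function names are hypothetical, and stamping received/rport unconditionally is an assumption modelling the nat=yes behaviour described in the thread.

```python
import ipaddress
import re

# Constructed sample based on the BYE in the thread's trace: the UDP source
# the server saw, and the headers the phone wrote about itself.
SRC = ("6.6.6.6", 41408)
MSG = (
    "BYE sip:07904565555@10.10.10.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.16.207.87:3072;branch=z9hG4bK-5gjqsjuqspta;rport\r\n"
    "Contact: <sip:1021@172.16.207.87:3072;line=vzw01zs5>;reg-id=1\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header(msg, name):
    """Return the first value of a SIP header (case-insensitive), or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.+?)\r?$", msg, re.I | re.M)
    return m.group(1) if m else None

def sent_by(via):
    """Split the sent-by of a Via value into (host, port); IPv4/hostname only."""
    host, _, port = via.split(";")[0].split()[-1].partition(":")
    return host, int(port or 5060)

def stamp_via(via, src):
    """Record the real source in the Via: received (RFC 3261), rport (RFC 3581)."""
    params = [p for p in via.split(";") if p.strip().lower() != "rport"]
    return ";".join(params) + f";received={src[0]};rport={src[1]}"

def is_public(ip):
    """True only for globally routable addresses, so 10.0.0.0/8 fails."""
    return ipaddress.ip_address(ip).is_global

def analyse(src, msg):
    """Compare what the phone claims about itself with where the packet came from."""
    via = header(msg, "Via")
    m = re.search(r"sips?:(?:[^@>;\s]+@)?(\d+\.\d+\.\d+\.\d+)", header(msg, "Contact") or "")
    claimed = sent_by(via)
    return {
        "claimed": claimed,                      # address written by the phone
        "behind_nat": claimed != src,            # differs from the packet source
        "contact_private": bool(m) and not is_public(m.group(1)),
        "reply_to": src,                         # answer the packet source instead
        "reply_via": stamp_via(via, src),
    }

if __name__ == "__main__":
    for key, value in analyse(SRC, MSG).items():
        print(f"{key}: {value}")
```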