Solution to Asterisk behind NAT/Firewall

Your Asterisk server does not have to be on a public IP, DMZ, or other non-secure positions to be properly implemented. Presented here is one of the most effectively secure implementations of * behind NAT/firewall.

First make sure the linux firewall on your * server is disabled (you will have to rely on the router firewall or at least after everything is up and running you can re-enable the linux firewall and open each needed port). Then you set a static IP address on your * server. On your router NAT/firewall, forward SIP ports (UDP & TCP) 5060 - 5082 and RTP ports (UDP & TCP) 8000 - 20000 to your * server IP address (or 5000 - 31000 for both SIP and RTP).

For a dual NIC configuration, make sure you set eth0 as the NIC for the * WAN. This is usually the NIC that Linux uses to primarily run WAN with. If unsure, check your router outbound log: you will find the * primary NIC IP address going outbound to your ITSP, web browsing, or remote extension on port 5060 or whatever your VoIP ports are. If this is not done there will either be no audio, one-way audio, or dropped calls, as the RTP packets will be sent and received on the wrong NIC(s). IN OTHER WORDS, MAKE SURE YOU CONFIGURE YOUR * SERVER WAN NIC ON eth0 AND FORWARD ALL APPLICABLE PORTS TO IT (eth0 IP address) and leave the default gateway field on the eth1 NIC blank because it will be going online only through eth0.

Then edit the “rtpstart” value in rtp.conf - from rtpstart=10000 to rtpstart=8000, since 8000 is the default RTP port on X-Lite softphones and some other phones, or you might totally change it to the Asterisk default values, which are rtpstart=5000 and rtpend=31000, but you will have to also adjust the RTP (UDP & TCP) port forwarding (mentioned above) on your router NAT/firewall to reflect the same port range. Needless to say, if a remote * server is also behind NAT/firewall on the other end, all the port ranges (TCP/UDP) mentioned above need to be opened likewise as here for bidirectional flow of your VoIP traffic. IP phones or VoIP clients in general do not need any ports opened or forwarded to them. Also enter the same externip=xxx.xxx.xxx.xxx and localnet=xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx info from your sip.conf general settings into sip_nat.conf.

Then in sip.conf under the account authentication settings for each remote extension add nat=yes and canreinvite=no. Make sure you save the new configurations in each edited file, then run ‘reload’ on the Asterisk CLI or stop and restart * again to completely re-read all config files after the changes. This should get it working flawlessly; it did it for me after much research and troubleshooting. This should mark the end of NAT/firewall issues with Asterisk. I would like to see confirmation postings from those that do implement this.
Thanx.

NOTE: For other protocols such as H.323, SCCP (Skinny), MGCP, etc. you just have to make sure on your router firewall/NAT you have their port numbers forwarded to your * server WAN interface, and make sure the RTP ports (which carry the actual audio packets) in your rtp.conf are 5000 - 31000 (TCP/UDP) and also forwarded to the * WAN interface as well.

Your WAN or externip address from your ISP is usually not permanent, so in the case where it changes you will have to edit the “externip=” value in sip.conf general settings and sip_nat.conf to the new value. Or, better yet, you can have it automatically renewed by registering with dynamic DNS (DynDNS) through your router (I know Linksys and some other routers have DynDNS in them) to receive a constantly updated domain name that will always resolve to whatever IP address is issued by your ISP to your network. Another option for those with routers without inbuilt DynDNS is to use your dynamic IP address with no-ip.com; you set it up just like DynDNS and download a dynamic update client (for Windows, Apple or Linux) that you can install on your * box or any box (that is always on) on your local network to update the no-ip.com pointer every 30 minutes or however often you want it. So all you need to do is use the domain name you get from no-ip.com or dyndns.org as your externip= on * so that it resolves that domain name to whatever dynamic IP address your ISP assigns to you at any time.

For other protocols such as IAX (the IAX2 port is 4569, the IAX port is 5036), on your router NAT/firewall you should forward ports (UDP & TCP) 4569 and/or 5036 to your Asterisk server IP address.

Bottom line remains to make note of the needed and appropriate ports in your config files and have them forwarded on/by your router NAT/firewall to your * server IP address.

And to add, experiments performed just proved Fedora Core to be most compatible with *, as supported by Digium. So in order to cut down on problems and troubleshooting time there is always the option to try FC. REMEMBER, ALL PORT FORWARDINGS TO * SHOULD BE TO THE * SERVER WAN INTERFACE (THE * NIC PRIMARILY ASSIGNED TO WAN COMMUNICATION) AND THIS BY DEFAULT IS/SHOULD BE eth0. IN OTHER WORDS, MAKE SURE TO ASSIGN eth0 AS YOUR * WAN INTERFACE AND FORWARD ALL PORTS TO ITS IP ADDRESS AND LEAVE THE DEFAULT GATEWAY FIELD ON ETH1 BLANK BECAUSE IT WILL BE GOING ONLINE ONLY THROUGH ETH0.

Rather than “SIP Port” you should say “UDP Port”.

On an A@H system, sip_nat.conf is included in sip.conf.

If you have a dynamic IP, you might want to consider invoking an asterisk -r -x"sip reload" when your address changes.

Two questions: 1. You mean run the command ‘asterisk -r -x"sip reload"’ in the Asterisk CLI?
2. Do you know of any script or command that can automatically keep asterisk externip updated as it changes on the go?

No, in the CLI it would just be CLI > sip reload, whereas the command above launches an Asterisk console, executes “sip reload” then exits … all in your shell.

I don’t know of anything, but if you’re using a DynDNS updater, can’t you tack something onto the end of it to do this? Then reload the SIP settings in Asterisk.

I have been looking to use DynDNS but for the monthly charges. I have come across one that also has a free version though; the only thing is it won’t be something like sip.drwho.com, it will look more like mydomain.theirdomain.com, which is still ok, I guess.

You can transfer a domain to dyndns.com and use them (most routers with DDNS support them).
$20.00/yr to have them do DynDNS for a domain… use a free 2 GB Hotmail setup from Uncle Bill @ domains.live.com. Use the MX record setup to complete the DDNS…

That’s gold!

New update on * dual NIC setup and dynamic IP setup just added to main post at the top.

It’s a good post, but it needs to be broken out into paragraphs as it reads as a wall of text right now.

Done!!

I have tried the proposed configuration but I still have problems with NAT support. I have the following scheme design:

Local users — AsteriskNOW Beta4 — NAT item — Internet — NAT ITEM — Users

-> I have included the following parameters in each account in the users.conf:
nat = yes
qualify = 3000

-> In sip.conf I have configured
nat = yes
canreinvite = nonat ;also tried no
port = 5060
bindaddr = 0.0.0.0
externip = xxx.xxx.xxx.xxx ; Public IP
localnet = 192.168.0.0/255.255.255.0 ; several lines with the IPs of the local nets

-> And in rtp.conf:
rtpstart=10000
rtpend=20000

A user outside the local network can call other users (both in the local network and on the Internet), but they can’t hear each other; there is no sound.
If a user outside calls the voicemail he can hear the voicemail menu, but after 20 seconds the call is finished by Asterisk. This is what I get from Asterisk:
– Executing [85000@default:1] VoiceMailMain(“SIP/5060-083126d8”, “”) in new stack
– Playing ‘vm-login’ (language ‘en’)
[…]
[May 7 13:01:40] WARNING[4750]: chan_sip.c:1881 retrans_pkt: Maximum retries exceeded on transmission 1447a6-c0a80101-0-5@80.24.208.94 for seqno 1 (Critical Response)
[May 7 13:01:40] WARNING[4750]: chan_sip.c:1898 retrans_pkt: Hanging up call 1447a6-c0a80101-0-5@80.24.208.94 - no reply to our critical packet.
== Spawn extension (default, 85000, 1) exited non-zero on ‘SIP/5060-083126d8’

When analysing the call with Ethereal I discovered that the SIP messages are correctly interchanged between the user and Asterisk, but the RTP traffic from the user is destined to the private IP address of Asterisk instead of to its public IP. I think that this is caused because Asterisk sends a SIP/SDP Status: 200 OK, with session description message to the user and the Connection information is “IN IP4 192.168.100.150” instead of “IN IP4 public.ip.of.asterisk”.

The debug log is attached. 192.168.100.150 is the private IP of Asterisk and 192.50.20.77 is the private IP of the VoIP user.

What should I configure to get this scheme work properly?
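A way to confirm the symptom described in this post from a capture, as an added example that is not part of the thread or of Asterisk: parse the SDP body of a SIP 200 OK, pull the session-level c= connection address and the m=audio port, and report when the address is a private one (which the remote phone cannot reach), when it is not even covered by a configured localnet entry, or when the RTP port falls outside the rtp.conf range. The sample message below is constructed to mirror the poster's description (private c= address 192.168.100.150); the externip value used in the checks is the public address visible in the poster's log and is only a stand-in.

```python
import ipaddress
import re

# Constructed sample 200 OK, modelled on the symptom described in the post:
# Asterisk answers with SDP whose c= line carries its own private address.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.50.20.77:5060;branch=z9hG4bK-sample\r\n"
    "Contact: <sip:85000@192.168.100.150:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.100.150\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.100.150\r\n"
    "t=0 0\r\n"
    "m=audio 10002 RTP/AVP 0 8 101\r\n"
)


def parse_sdp(message):
    """Return (connection_ip, audio_port) from the SDP body of a SIP message.

    Only the session-level c= line and the first m=audio line are read;
    a ValueError is raised when either is missing.
    """
    _, _, body = message.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.MULTILINE)
    audio = re.search(r"^m=audio (\d+)", body, re.MULTILINE)
    if not conn or not audio:
        raise ValueError("SDP body lacks a c= or m=audio line")
    return conn.group(1), int(audio.group(1))


def check_sdp(message, externip, localnets, rtpstart, rtpend):
    """Check SDP sent towards a peer on the public side of the NAT.

    externip: the address Asterisk should be advertising (sip.conf externip=)
    localnets: the localnet= entries, e.g. ["192.168.0.0/255.255.255.0"]
    rtpstart/rtpend: the port range from rtp.conf
    Returns a list of findings; an empty list means the SDP looks right.
    """
    conn_ip, port = parse_sdp(message)
    addr = ipaddress.ip_address(conn_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in localnets]
    findings = []
    if addr.is_private:
        findings.append(
            f"c= advertises private address {addr}; a remote phone will send "
            f"RTP there instead of to externip {externip}"
        )
        if not any(addr in n for n in nets):
            findings.append(
                f"{addr} is not inside any configured localnet entry {localnets}"
            )
    elif conn_ip != externip:
        findings.append(f"c= address {conn_ip} differs from externip {externip}")
    if not rtpstart <= port <= rtpend:
        findings.append(
            f"RTP port {port} is outside the rtp.conf range {rtpstart}-{rtpend}, "
            f"so the router forwarding rule will not cover it"
        )
    return findings


if __name__ == "__main__":
    # The poster's localnet and rtp.conf values; 80.24.208.94 is the public
    # address seen in the poster's log, used here as the assumed externip.
    for line in check_sdp(SAMPLE_200_OK, "80.24.208.94",
                          ["192.168.0.0/255.255.255.0"], 10000, 20000):
        print("FINDING:", line)
```

Run it against the SDP that Asterisk actually sends (copied from the Ethereal decode or from `sip set debug` output) and it separates the two halves of the poster's problem: signalling that works, and media addressing that cannot work from outside the NAT.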

I will not bet a dime on AsteriskNow at this point; it should not even be made downloadable as of yet. I am not surprised it is not working. That thing hardly works. I and several others could not even log into it. So I would say to play with Asterisk 1.2.* (1.4.* is also still unstable) or Trixbox 2.2 instead. Or you may continue as you are doing so as to help report bugs. These settings have never failed on my Asterisk and Trixbox configurations.

Make sure you have your public IP address configured on eth0 and not eth1. Also check the settings in sip_nat.conf and the hosts file in /etc/. Also, if you have a WAN domain name you have to enter it in any conf file with externip= (instead of the IP address).

Running AsteriskNow 1.5β2 obviously results in a choice you have to make when running Asterisk behind a NAT:

Make “internal” calls from remote extensions (from the outer side of your network) to other extensions
-> Remove semi-colon in front of “localnet=192.168.0.0/255.255.255.0” in sip_nat.conf

-OR-

Make calls longer than 15 seconds
-> Add semi-colon in front of “localnet=192.168.0.0/255.255.255.0” in sip_nat.conf