Brian D'Arcy
2004-Apr-23 14:29 UTC
[Asterisk-Users] Asterisk configuration inside a DMZ w/SIP
Hello all,

I'm having a nightmare of a time trying to get stable results with SIP clients on Asterisk. I can't seem to find a configuration that works! In our office, we run a Sonicwall Pro 200, which is a SIP-aware, stateful firewall. Originally, I had configured Asterisk to run on the NAT side so that those within the office could connect easily, and those outside the office could connect via VPN. However the VPN route is proving to be a little too latent for quality calls. Even still, some people were able to receive audio, and others not.

After much reading about Asterisk and the problems inherent to NAT, I decided OK, I'll just toss it on the DMZ with a public address, and let the clients themselves worry about addressing their NAT issues @ home, or wherever they might be.

So here I am, with Asterisk running on the DMZ with a public IP address, totally unfirewalled to the outside world and now I find that not only can I not connect (from the NAT side of the same SIP-aware firewall hosting the Asterisk server), but clients on public IPs, using no NAT at all, are either unable to connect, or are able to log in, but calls to any extension (whether they be SIP extensions, voicemail, conference etc.) come up 408 timed out. In every case, the message in the * CLI is reported as:

    chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call 901468BB-92E8-4E0E-9DFD-3CDF1AFEF2AD@192.168.0.57 for seqno 30841 (Response)

This to me would imply that for whatever reason, the packets from the Asterisk server are being blocked by the local firewall when it attempts to send them back to me. This I can understand, because maybe I'm having NAT issues myself, however I get the *same* messages broadcast into the CLI when users on the public IP addresses attempt to connect in (unfirewalled). I've checked and triple checked to make sure that the DMZ port is not firewalled in any way, so I'm a bit stumped.
After this rambling, I suppose the real question I'm asking here is, what is the most stable, preferred networking setup people tend to use when they are expecting to have SIP clients connecting both internally and externally?

In case everyone wants to know about my SIP configurations, I'm using disallow=all, and allow=ulaw ONLY. I've toyed with the nat=1/nat=yes settings, however they seem to have no real effect on the behavior of the clients. I've been testing strictly with X-Lite, as it came recommended by a few folks in #Asterisk on irc.freenode.net.

[General] section from SIP.conf and an example SIP client entry:

    [general]
    port=5060 ; Port to bind to
    bindaddr=0.0.0.0 ; Address to bind SIP channel to
    ;externip = 216.9.32.42
    ;localmask=255.255.254.0
    ;localnet=192.168.0.0
    context = default ; Default context for incoming calls
    ;srvlookup = yes

    [bdarcy]
    type=friend
    username=bdarcy
    secret=blah
    host=dynamic
    qualify=400
    mailbox=3209
    callerid="Brian D'Arcy" <3209>
    nat=1
    disallow=all
    allow=ulaw

If anyone can provide any feedback on what works for you, or what's recommended, it would be highly appreciated.

Thanks in advance.

Brian D'Arcy
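Added example, not part of the original post and not Asterisk code: a Python script that tallies `retrans_pkt` warnings like the one quoted above by the host part of the Call-ID and marks RFC 1918 hosts, so it is visible whether the give-ups cluster on endpoints that built their Call-ID from a private address. Only the first sample line comes from the post; the other lines are constructed, and treating the Call-ID host as the client's local address is a heuristic assumption, not something SIP guarantees.

```python
import ipaddress
import re
from collections import Counter

# Shape of the chan_sip warning quoted in the post above.
RETRANS = re.compile(
    r"retrans_pkt: Maximum retries exceeded on call (?P<callid>\S+) "
    r"for seqno (?P<seqno>\d+) \((?P<kind>[^)]*)\)"
)
# Explicit RFC 1918 ranges (IPv4 only); anything else that parses is "public".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_host(callid):
    """Return (host, label) for the part of a Call-ID after '@'."""
    _, sep, host = callid.rpartition("@")
    if not sep:
        return None, "no-host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host, "hostname"
    if any(addr in net for net in RFC1918):
        return host, "rfc1918"
    return host, "public"


def summarize(lines):
    """Count retransmission give-ups per (host, label, kind)."""
    counts = Counter()
    for line in lines:
        m = RETRANS.search(line)
        if m:
            host, label = classify_host(m["callid"])
            counts[(host, label, m["kind"])] += 1
    return counts


# First line is the warning from the post; the others are constructed samples.
SAMPLE_LOG = [
    "chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call 901468BB-92E8-4E0E-9DFD-3CDF1AFEF2AD@192.168.0.57 for seqno 30841 (Response)",
    "chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call 11111111-AAAA-BBBB-CCCC-222222222222@192.168.0.57 for seqno 30842 (Response)",
    "chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call 33333333-AAAA-BBBB-CCCC-444444444444@203.0.113.10 for seqno 7 (Response)",
    "chan_sip.c:123 some_other_function: unrelated line",
]

if __name__ == "__main__":
    for (host, label, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {label:8s} {host}  ({kind})")
```
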
Russ Beaupre, P.E.
2004-Apr-24 05:31 UTC
[Asterisk-Users] Asterisk configuration inside a DMZ w/SIP
Brian D'Arcy wrote:
> Hello all,
>
> I'm having a nightmare of a time trying to get stable results with SIP
> clients on Asterisk. I can't seem to find a configuration that works!
> In our office, we run a Sonicwall Pro 200, which is a sip aware,
> stateful firewall.

We've discovered that certain versions of the sonic wall products do strange things with SIP. For example the TC170 with standard firmware works fine (Public Asterisk, Polycom IP600 behind the Sonic wall). Upgrade that box to the enhanced version and suddenly transfer and hold stop working.

It's not just SIP, either. SNTP on the IP600 through the Sonic Wall gear changes the time by 10 hours.

These things have been reported to Sonic Wall, but no word on a patch.

-rb
Brian D'Arcy
2004-Apr-24 10:39 UTC
[Asterisk-Users] Asterisk configuration inside a DMZ w/SIP
Hi Russ,

Thanks for your feedback! I hadn't received any other responses from anyone, so I was starting to worry that I was one of the few having these erratic issues. I might ping Sonicwall, being a good customer and all, maybe I can get some information out of them. I've always liked using the sonicwall for ease of use and administration (and reliability), since I'm overworked as it is, but if I have to get rid of it to make this work, I'm not against it.

On a side note, I tried IAX2 last night for the first time using IAXPHONE. HOLY CRAP I'M IMPRESSED!!! Everything just *works*, period. I might just use softphones until IAX hardphones are released and say screw SIP. If anyone else is having SIP nightmares and you have a flexible deployment schedule, I highly recommend giving IAX a shot!!

Thanks again for the comments, Russ.

Brian D'Arcy