asterisk users - Apr 2004 - Asterisk configuration inside a DMZ w/SIP

Hello all,

 

I'm having a nightmare of a time trying to get stable results with SIP
clients on Asterisk.  I can't seem to find a configuration that works!
In our office, we run a Sonicwall Pro 200, which is a sip aware,
stateful firewall.

 

Originally, I had configured Asterisk to run on the NAT side so that
those within the office could connect easily, and those outside the
office could connect via VPN.  However the VPN route is proving to be a
little too latent for quality calls.  Even still, some people were able
to receive audio, and others not.

 

After much reading about Asterisk and the problems inherent to NAT, I
decided OK, I'll just toss it on the DMZ with a public address, and let
the clients themselves worry about addressing their NAT issues @ home,
or wherever they might be.

 

So here I am, with Asterisk running on the DMZ with a public IP address,
totally unfirewalled to the outside world and now I find that not only
can I not connect (from the nat side of the same SIP aware firewall
hosting the asterisk server), but clients on public IP's, using no NAT
at all, are either unable to connect, or are able to log in, but calls
to any extension (whether they be sip extensions, voicemail, conference
etc..) come up 408 timed out.  

 

In every case, the message in the * CLI is reported as:

 

chan_sip.c:497 retrans_pkt: Maximum retries exceeded on call
901468BB-92E8-4E0E-9DFD-3CDF1AFEF2AD@192.168.0.57 for seqno 30841
(Response)

 

This to me would imply that for whatever reason, the packets from the
Asterisk server are being blocked by the local firewall when it attempts
to send them back to me.   This I can understand, because maybe I'm
having NAT issues myself, however I get the *same* messages broadcast
into the CLI when users on the public IP addresses attempt to connect in
(unfirewalled).  I've checked and triple checked to make sure that the
DMZ port is not firewalled in any way, so I'm a bit stumped.

 

After this rambling, I suppose the real question I'm asking here is,
what is the most stable, preferred networking setup people tend to use
when they are expecting to have SIP clients connecting both internally,
and externally?

 

Incase everyone wants to know about my SIP configurations, I'm using
disallow=all, and allow=ulaw ONLY.

I've toyed with the nat=1/nat=yes settings, however they seem to have no
real effect on the behavior of the clients.  I've been testing strictly
with X-Lite, as it came recommended by a few folks in #Asterisk on
irc.freenode.net.

 

[General] section from SIP.conf and an example SIP client entry:

 

[general]

port=5060                       ; Port to bind to

bindaddr=0.0.0.0                ; Address to bind SIP channel to

;externip = 216.9.32.42

;localmask=255.255.254.0

;localnet=192.168.0.0

context = default               ; Default context for incoming calls

;srvlookup = yes

 

[bdarcy]

type=friend

username=bdarcy

secret=blah

host=dynamic

qualify=400

mailbox=3209

callerid="Brian D'Arcy" <3209>

nat=1

disallow=all

allow=ulaw

 

If anyone can provide any feedback on what works for you, or what's
recommended, it would be highly appreciated.

 

Thanks in advance.

 

Brian D'Arcy

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20040423/8718a8fd/attachment.htm

Brian D'Arcy wrote:
> Hello all,
> 
>  
> 
> I?m having a nightmare of a time trying to get stable results with SIP 
> clients on Asterisk.  I can?t seem to find a configuration that works!  
> In our office, we run a Sonicwall Pro 200, which is a sip aware, 
> stateful firewall.
> 
We've discovered that certain versions of the sonic wall products do 
strange things with SIP.   For example the TC170 with standard firmware 
works fine (Public Asterisk, Polycom IP600 behind the Sonic wall). 
Upgrade that box to the enhanced version and suddenly transfer and hold 
stop working.

It's not just SIP, either.  SNTP on the IP600 through the Sonic Wall 
gear changes the time by 10 hours.

These things have been reported to Sonic Wall, but no word on a patch.

-rb

Hi Russ,

Thanks for your feedback!  I hadn't received any other responses from
anyone, so I was starting to worry that I was one of the few having
these erratic issues.

I might ping Sonicwall, being a good customer and all, maybe I can get
some information out of them.  I've always liked using the sonicwall for
ease of use and administration (and reliability), since I'm overworked
as it is, but if I have to get rid of it to make this work, I'm not
against it.

On a side note, I tried IAX2 last night for the first time using
IAXPHONE.  HOLY CRAP I'M IMPRESSED!!!  Everything just *works*, period.
I might just use softphones until IAX hardphones are released and say
screw SIP.

If anyone else is having SIP nightmares and you have a flexible
deployment schedule, I highly recommend giving IAX a shot!!

Thanks again for the comments, Russ.

Brian D'Arcy

-----Original Message-----
From: asterisk-users-admin@lists.digium.com
[mailto:asterisk-users-admin@lists.digium.com] On Behalf Of Russ
Beaupre, P.E.
Sent: Saturday, April 24, 2004 5:32 AM
To: asterisk-users@lists.digium.com
Subject: Re: [Asterisk-Users] Asterisk configuration inside a DMZ w/SIP

Brian D'Arcy wrote:
> Hello all,
> 
>  
> 
> I'm having a nightmare of a time trying to get stable results with SIP
> clients on Asterisk.  I can't seem to find a configuration that works!
> In our office, we run a Sonicwall Pro 200, which is a sip aware, 
> stateful firewall.
> 
We've discovered that certain versions of the sonic wall products do 
strange things with SIP.   For example the TC170 with standard firmware 
works fine (Public Asterisk, Polycom IP600 behind the Sonic wall). 
Upgrade that box to the enhanced version and suddenly transfer and hold 
stop working.

It's not just SIP, either.  SNTP on the IP600 through the Sonic Wall 
gear changes the time by 10 hours.

These things have been reported to Sonic Wall, but no word on a patch.

-rb

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users