Hi there,

I have an X-Lite phone on my box and I'm trying to register it with a remote Asterisk box. Both the X-Lite and Asterisk are behind a NAT. I know it's a pain to do because of SIP not working well with NATs, but I know there are ways to do such a thing... moving the Asterisk box outside the NAT is not a possibility at the moment. One thing we tried was setting up a VPN, but I can't have the VPN server and a VPN client running on the same machine, because they use the same port (non-configurable). I can't set the VPN up on the Windows XP machine, because that only allows one user to be connected, and we need at least two.

Any ideas?

Thanks in advance,
Ted
On Wed, 28 Jul 2004, programmer_ted wrote:

> I have an X-Lite phone on my box and I'm trying to register it with a
> remote Asterisk box. Both the X-Lite and Asterisk are behind a NAT. I
> know it's a pain to do because of SIP not working well with NATs, but I
> know there are ways to do such a thing...moving the Asterisk box outside
> the NAT is not a possibility at the moment. One thing we tried was

mmm, a double-NATted SIP session. Now that's more fun than a person should be allowed to have in a single day.

You didn't mention whether you have control over the NATs. Everybody's favorite, port forwarding, may come to your rescue. It seems that X-Lite always uses the same port for RTP (can't remember/find the number just now). Set the XP-side NAT to forward traffic on that port in to the XP box. You'd have to forward in the SIP control port as well, I think. Then maybe do a similar thing on the * side (maybe you have to forward a large range of ports, 10000-20000 (?) on the * NAT?).

I could be way off in the wrong ball field, though, so feel free to point out why this might not work.

Greg
On Wed, 28 Jul 2004, programmer_ted wrote:

> I have an X-Lite phone on my box and I'm trying
> to register it with a remote Asterisk box. Both
> the X-Lite and Asterisk are behind a NAT.
> I know it's a pain to do because of SIP not
> working well with NATs, but I know there
> are ways to do such a thing...moving the
> Asterisk box outside the NAT is not a
> possibility at the moment.

Then, how about the possibility to replace your NAT box with something like this ...

http://www.coyotelinux.com/products.php?Product=wolverine

It's a very easy set up. Once you've burned the install CD, it'll take you only about 2 mins to get a VPN server up and running. The web based admin interface is the best I have seen on any firewall or VPN product across the entire industry and if you are so inclined, you can also edit the configuration directly via SSH - it's command compatible with Cisco's PIX firewalls, so if you or your network admin are familiar with PIX, you'll feel at home with Wolverine right away.

It supports both PPTP and IPsec, so whether your X-Lite is running on a Windoze box or a Mac, you'll be able to tunnel in without much effort on the client side as well.

This will solve your NAT problem and do so *properly*. Any other SIP/NAT setup should not be considered a proper solution - those are dirty hacks that introduce more problems than they solve, just like NAT itself.

So, if you want to do it right, your only two choices are
- get rid of NAT; or
- build a VPN

Of course there are other ways of doing VPN, but Wolverine is by far the easiest way to set it up. It's based on OpenSwan, by the way.

As a nice bonus, all your conversations will be secure from eavesdropping.

rgds
benjk
--
Sunrise Telephone Systems Ltd
9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Shibuya-ku, Tokyo, Japan

__________________________________________________
GANBARE! NIPPON! Yahoo! JAPAN JOC OFFICIAL INTERNET PORTAL SITE
http://mail.ganbare-nippon.yahoo.co.jp/
> -----Original Message-----
> From: asterisk-users-admin@lists.digium.com
> [mailto:asterisk-users-admin@lists.digium.com] On Behalf Of
> programmer_ted
> Sent: Wednesday, July 28, 2004 8:29 PM
> To: asterisk-users@lists.digium.com
> Subject: [Asterisk-Users] X-Lite to Asterisk through NAT?
>
> Hi there,
>
> I have an X-Lite phone on my box and I'm trying to register it with a
> remote Asterisk box. Both the X-Lite and Asterisk are behind a NAT. I
> know it's a pain to do because of SIP not working well with NATs, but I
> know there are ways to do such a thing...moving the Asterisk box outside
> the NAT is not a possibility at the moment. One thing we tried was
> setting up a VPN, but I can't have the VPN server and a VPN client
> running on the same machine, because they use the same port
> (non-configurable). I can't set the VPN up on the Windows XP machine,
> because that only allows one user to be connected, and we need at least two.
>
> Any ideas?
>
> Thanks in advance,
> Ted

Hi Ted.

I managed to get it to work today. These are steps I took.

On my firewall I port forwarded 5060, 10000-11000 UDP to the internal Asterisk box.

In the sip.conf file I made these changes:

    nat=yes
    externip = public.ip.address

On the X-Lite phone I pointed the SIP Proxy to the public.ip.address that was set above in the sip.conf file.

Good Luck.

Geoff
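The mechanism behind Geoff's nat=yes and externip settings, as an added illustration that is not code from the thread or from Asterisk: a NAT rewrites the IP/UDP headers of a SIP packet but not the addresses inside the SIP message, so the Via and Contact headers still carry the phone's private address. The sample REGISTER, the observed source address/port, and the localnet/externip values are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample REGISTER, as Asterisk would receive it from an X-Lite
# behind a NAT: the NAT rewrote the IP/UDP headers, but the SIP headers
# still advertise the phone's private LAN address.
SAMPLE_REGISTER = (
    "REGISTER sip:public.ip.address SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1;rport\r\n"
    "Contact: <sip:ted@192.168.1.20:5060>\r\n"
    "\r\n"
)
# Source address/port actually seen on the UDP socket: the phone-side NAT's
# public face (constructed value).
OBSERVED_SOURCE = ("203.0.113.7", 41234)


def via_address(msg):
    """Return the (host, port) advertised in the top Via header."""
    m = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^;\s:]+)(?::(\d+))?", msg, re.M)
    if not m:
        raise ValueError("no Via header")
    return m.group(1), int(m.group(2) or 5060)


def behind_nat(msg, source):
    """True when the advertised Via address differs from the real packet
    source, i.e. a NAT rewrote the IP header but not the SIP header."""
    return via_address(msg) != source


def reply_destination(msg, source, nat):
    """Where the response is sent. nat=False: trust the Via header, which
    is an unroutable private address here. nat=True: the nat=yes behaviour,
    reply to the address/port the request actually came from."""
    return source if nat else via_address(msg)


def advertised_address(peer_ip, local_ip, externip, localnet):
    """Address Asterisk should place in its own Contact/SDP toward peer_ip:
    externip for peers outside localnet, the LAN address for peers inside,
    so that phones on the same LAN are not sent to the public address."""
    if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(localnet):
        return local_ip
    return externip
```

The RTP side follows the same logic: the phone's SDP advertises its private address, so the media port range forwarded on the firewall (10000-11000 in Geoff's setup) has to match the range Asterisk actually allocates.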
Florin Andrei wrote:

> OpenVPN
>
> http://openvpn.sourceforge.net/
>
> I used it to replace traditional IPSec-based VPNs,
> it runs circles around them.

That's an opinion.

Without going into the details of how IP over SSL runs counter to the self tuning features of TCP/IP let's just say that IP over SSL tunneling is not unlike NAT in that it is not really the right thing to do, but many people do it anyway simply because if all you have is a hammer, everything looks like a nail.

If you have to encrypt a data stream on a per socket basis, by all means, use SSL, that's what it was designed for, that's what it is good at. But if you have to encapsulate IP traffic, then SSL is not the right tool. Just because you can doesn't necessarily mean you should do it.

Besides, we were talking about ease of setup of Wolverine versus other IPsec implementations and you say OpenVPN runs circles around traditional solutions. Now, I don't know if you meant to include Wolverine in those "traditional solutions" but since you obviously never used Wolverine, you are hardly in a position to make any judgement.

As for the original poster "ted_programmer", you can contact me offlist if you wish and tell me a bit more about your setup and I will see if I can devise a *proper* VPN solution for you (within your constraint of not having to dedicate another box).

rgds
benjk
--
Sunrise Telephone Systems Ltd
9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Shibuya-ku, Tokyo, Japan