asterisk users - Jan 2005 - SIP and NAT problems "imagine that :) "

Hi all,

Seriously, I've tried to read everything I could find (& search for) on 
voip-info.org and other sites about this problem, but have been unsuccesful.

Equipment:
xten lite
X100P
Whitebox linux running Asterisk / AMP
D-Link DI-804HV (VPN router)

I have installed another DI-804HV at a second location and created a tunnel. 
For the computers behind that unit, everything works fine throught x-lite. 
However, for any people (ie Family members) that I'm trying to connect to my
system that aren't going through a tunnel, it isn't working.

Symptoms:

They show up in "Sip Show Peers" however the NAT column is stating
"N"
I can call them and they can hear me fine, but I can't here them.

I'm thinking this has to do with RTP, but not sure.

In the router I have the following setup under "Virtual Server":
SIP TCP/UDP 5060
IAX TCP/UDP 4569
KS1 UDP 5004
RTP1 UDP 5000
SIP3 UDP 5036
SIP4 UDP 2727

In the firewall section I've said to allow UDP on 9999-20001 to go to the 
asterisk server
It looks like this in the firewall rules;
Source *,* Dest *,192.168.x.x UDP,9999-20001

Also on those extensions that are coming from an external source I've added 
the externip attribute in the form of

externip="my_dynamic_domain_name_attached_to_my_ip"

here's one of the extensions:

[254]
username=254
type=friend
secret=*******
port=5060
nat=yes
mailbox=254
host=dynamic
dtmfmode=rfc2833
context=from-sip-external
canreinvite=no
callerid="Scott Knight" <254>
externip=my.dyndns.org

Any suggestions would be greatly appreciated

Cheers!
ken

> Seriously, I've tried to read everything I could find (& search
for) on
> voip-info.org and other sites about this problem, but have been
unsuccesful.
> 
> Equipment:
> xten lite
> X100P
> Whitebox linux running Asterisk / AMP
> D-Link DI-804HV (VPN router)
> 
> I have installed another DI-804HV at a second location and created a
tunnel.
> For the computers behind that unit, everything works fine throught x-lite. 
> However, for any people (ie Family members) that I'm trying to connect
to my
> system that aren't going through a tunnel, it isn't working.
> 
> Symptoms:
> 
> They show up in "Sip Show Peers" however the NAT column is
stating "N"
> I can call them and they can hear me fine, but I can't here them.
> 
> I'm thinking this has to do with RTP, but not sure.
> 
> In the router I have the following setup under "Virtual Server":
> SIP TCP/UDP 5060
> IAX TCP/UDP 4569
> KS1 UDP 5004
> RTP1 UDP 5000
> SIP3 UDP 5036
> SIP4 UDP 2727
> 
> In the firewall section I've said to allow UDP on 9999-20001 to go to
the
> asterisk server
> It looks like this in the firewall rules;
> Source *,* Dest *,192.168.x.x UDP,9999-20001
> 
> Also on those extensions that are coming from an external source I've
added
> the externip attribute in the form of
> 
> externip="my_dynamic_domain_name_attached_to_my_ip"
> 
> here's one of the extensions:
> 
> [254]
> username=254
> type=friend
> secret=*******
> port=5060
> nat=yes
> mailbox=254
> host=dynamic
> dtmfmode=rfc2833
> context=from-sip-external
> canreinvite=no
> callerid="Scott Knight" <254>
> externip=my.dyndns.org
Yes, your problem is rtp and probably a lack of understanding it. There
have been at least hundreds of postings regarding nat issues in the
last 18 months, and some reference data in the wiki.

The bottom line is that sip and rtp use different udp ports, and the
exact udp ports in use are choosen from a range that is specified by
each vendor for rtp. Cisco uses one range, xlite another, asterisk 
another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping 
the rtp ports and using the proper nat statements (possibly at both 
the phone location and asterisk location) tends to be difficult. Then 
when you add unusual implementations of nat functions into the mix, 
it becomes even more difficult to find a working config (eg, not all
nat boxes operate the same).

Using something like Ethereal to observe what each device is trying to
use (both in front of and behind nat boxes) will help understand what
each box is trying to do in terms of both IP addresses and udp port
numbers.

The rtp port range as noted above is specified by each vendor, and in
many cases can be modified to some other predetermined prot range.
For example, asterisk uses udp ports 10,000 to 20,000 as specified
in rtp.conf. Cisco 7960's use udp ports 16,384 to 32,766 as specified
in SIPDefault.cnf, while if I remember correctly xlite uses something
like 8,000 to 8,050 (or whatever).

The easiest nat & sip implementation are those where asterisk has a 
registered IP address and the phones are behind a nat box. The most 
difficult implementation is when both asterisk and remote phones are 
both behind their own nat boxes.

You'll want to research the use of nat statements in your sip.conf
config files, and the nat support provided by each of your remote
sip phones. But, ethereal will help point to the issue.

> each vendor for rtp. Cisco uses one range, xlite another, asterisk
> another, etc, etc. Mapping the sip port (udp 5060) is easy; mapping
> the rtp ports and using the proper nat statements (possibly at both
> the phone location and asterisk location) tends to be difficult. Then
X-Lite can be told in network settings to start at 10000 which is the
base for unmodified asterisk RTP. I did that, use X-Lite on 5061 and
it works perfectly with double NAT