Vincent Delporte
2007-May-17 13:42 UTC
[asterisk-users] OK to have Asterisk and clients behind firewalls?
Hi

To investigate the UNREACHABLE issue I'm having, I need to have confirmation that it's OK for the Asterisk server to be behind a NAT router, and also have clients elsewhere on the Net behind their own NAT router?

I know that clients must use STUN to resolve their public IP and punch UDP holes in their firewall, but is there something special that must be done in the configuration of Asterisk so it knows it's living in a private network, behind a NAT router?

And if someone knows of tools to investigate SIP issues, especially a text-based sniffer (no X available in the Asterisk live CD I'm using), I'm interested :-)

Thank you.

PS: FWIW, extension 203 (softphone) and 204 (IP phone) are both located on the same network and behind a NAT router, and both connect out to an Asterisk server somewhere on the Net behind its own NAT router:

slast*CLI> sip show peers
Name/username    Host          Dyn  Nat  ACL  Port   Status
204/204          82.237.x.y    D              5060   UNREACHABLE
203/203          82.237.x.y    D    N         46838  OK (925 ms)
Gordon Henderson
2007-May-18 00:49 UTC
[asterisk-users] OK to have Asterisk and clients behind firewalls?
On Thu, 17 May 2007, Vincent Delporte wrote:

> Hi
>
> To investigate the UNREACHABLE issue I'm having, I need to have
> confirmation that it's OK for the Asterisk server to be behind a NAT router,
> and also have clients elsewhere on the Net behind their own NAT router?

Yes, it's OK...

> I know that clients must use STUN to resolve their public IP and punch UDP
> holes in their firewall, but is there something special that must be done in
> the configuration of Asterisk so it knows it's living in a private network,
> behind a NAT router?

Yes. You need to do a few things.

Firstly, you need the asterisk server on a static IP address on the inside, so make sure it doesn't get its IP address from the local DHCP server.

Next, you need to enable port-forwarding on your router. You need to forward port 5060 and 10000 through 20000 to the internal IP address of your asterisk box.

Finally, you need to tell the asterisk box that it's on the inside of a NAT firewall. In sip.conf, you need 3 additional lines:

  nat=yes
  localnet=192.168.4.0/24
  externip=1.2.3.4

You need to change localnet and externip to suit your network settings.

It goes without saying that you also need a static IP address on the internet connection that the asterisk server sits behind (but not for the phones).

If using IAX then you just need to add port 4569 to the port forwarding rules on your firewall/router.

> And if someone knows of tools to investigate SIP issues, especially a
> text-based sniffer (no X available in the Asterisk live CD I'm using), I'm
> interested :-)

tcpdump is the basic tool, but tethereal (now called wireshark, but I don't know what its text-mode version is called - maybe the same).

You can also capture packets with tcpdump to a file, then analyse them with a GUI enabled sniffer on a different workstation afterwards if required.

> PS: FWIW, extension 203 (softphone) and 204 (IP phone) are both located on
> the same network and behind a NAT router, and both connect out to an Asterisk
> server somewhere on the Net behind its own NAT router:
>
> slast*CLI> sip show peers
> Name/username    Host          Dyn  Nat  ACL  Port   Status
> 204/204          82.237.x.y    D              5060   UNREACHABLE
> 203/203          82.237.x.y    D    N         46838  OK (925 ms)

I'd check the settings on the soft phone...

Gordon
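
Added example (not part of the original thread, and not Asterisk's own code): a small checker for the sip.conf NAT lines described in the reply above, plus a simplified model of which address the server presents to a given peer. The internal server address 192.168.4.10 and the outside peer 203.0.113.7 are constructed values, and the "inside peers get the internal address, everyone else gets externip" rule is an assumption about how localnet and externip interact.

```python
import ipaddress

# Constructed sample: the three lines from the reply, placeholder values as posted.
SAMPLE_SIP_CONF = """\
[general]
nat=yes                  ; server is behind a NAT router
localnet=192.168.4.0/24  ; inside network
externip=1.2.3.4         ; static public address of the router
"""

def parse_general(text):
    """Collect key=value pairs from [general]; a key may repeat (e.g. localnet)."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip().lower(), []).append(value.lstrip(">").strip())
    return opts

def check_nat_settings(opts):
    """Return a list of problems with localnet/externip; empty means consistent."""
    problems = []
    if not opts.get("localnet"):
        problems.append("localnet is missing")
    for net in opts.get("localnet", []):
        try:
            if not ipaddress.ip_network(net, strict=False).is_private:
                problems.append(f"localnet {net} is not a private range")
        except ValueError:
            problems.append(f"localnet {net} is not a valid network")
    try:
        if ipaddress.ip_address(opts["externip"][-1]).is_private:
            problems.append("externip is a private address, not the router's public one")
    except KeyError:
        problems.append("externip is missing")
    except ValueError:
        problems.append("externip is not an IP address literal")
    return problems

def advertised_address(opts, peer_ip, internal_ip):
    """Model: inside peers see the server's own address, everyone else sees externip."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(n, strict=False) for n in opts.get("localnet", [])):
        return internal_ip
    return opts["externip"][-1]

if __name__ == "__main__":
    opts = parse_general(SAMPLE_SIP_CONF)
    print(check_nat_settings(opts) or "NAT settings look consistent")
    print(advertised_address(opts, "203.0.113.7", "192.168.4.10"))  # constructed outside peer
```
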