Amit Nagpal
2008-Apr-03 17:40 UTC
[asterisk-users] NAT when outbound call leg is not a local subscriber?
Hi,

I have been experimenting with NAT and Asterisk a bit now. Though I have made progress along the way, I have come across the following problem. I'd really appreciate it if anyone can provide me any help or pointers. Thanks!

Successful Scenario:
-------------------
All sorts of NAT calls are successful with full two-way media when both end points are locally subscribed users.

Problem Scenario:
----------------
UA-Local: Locally subscribed & registered user (configured in sip.conf) that is hidden behind NAT.
UA-External: Some remote user hidden behind NAT, but registered with some publicly accessible registrar/proxy.
My Asterisk is also publicly accessible (i.e. not hidden behind NAT).

When UA-Local calls out UA-External, I only get one-way audio. Specifically, when I debugged using ethereal traces, I found that Asterisk is sending RTP packets to the private IP of UA-External and not to the corresponding NAT-mapped IP accessible to the outside world. So, UA-Local is able to hear UA-External, but UA-External can't hear UA-Local.

It all works perfectly fine if UA-External were to call UA-Local. Then I get full two-way media. The problem is only when Asterisk calls out a non-locally subscribed user.

Brief Setup Background:
----------------------
UA1 at mydomain.com: user subscribed in sip.conf
UA2 at mydomain.com: user subscribed in sip.conf
UAE at external.com: some user actively registered with some domain external.com.

I am using OpenSER as my external proxy for external.com and I have my DNS set up all right.

The following scenario is working fine in my setup:

    UA1 <---> NAT <---> Asterisk <---> NAT <---> UA2

Calls go through perfectly fine - with two-way media - when initiated in either direction.

The following scenario works fine when UAE calls out UA1. But when UA1 calls out UAE, I only get one-way audio, wherein only UA1 can hear UAE. UAE can't hear UA1, as Asterisk keeps sending RTP packets to the private address of UAE.

    UAE <--> (NAT + External-Proxy) <--> Asterisk <--> NAT <--> UA1

I am using iptables' MASQUERADE target for NAT, which by default implements a 'Port Restricted Cone NAT' as per the STUN RFC's terminology. All my UAs are XLite-on-Windows. My Asterisk is running on Fedora Core 6.

I have the following flags set in the [general] section of my sip.conf:

    [general]
    nat=yes
    qualify=yes
    rtpkeepalive=60
    rtptimeout=90
    rtpholdtimeout=300
    canreinvite=no
    context=sip_incoming
    (... among others ...)

Following is the relevant portion of my extensions.conf:

    [sip_incoming]
    exten => _.,1,GotoIf($[${SIPDOMAIN}=mydomain.com]?4)
    exten => _.,2,Dial(SIP/${EXTEN}@${SIPDOMAIN})
    exten => _.,3,HangUp()
    exten => _.,4,Dial(SIP/${EXTEN})
    exten => _.,5,HangUp()
    exten => h,1,HangUp()

Am I doing something wrong? Or is there a bug in Asterisk, wherein, while calling out to non-locally subscribed users, it blindly trusts the notion of their IP address when it comes to RTP?

Any help is highly appreciated.

Regards,
Amit.
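
The condition described in the post (RTP being sent to a private address taken from the remote party's SDP) can be checked mechanically from a capture. The following is an added example, not part of the original post and not Asterisk code: it parses the `c=` and `m=` lines of an SDP body and flags streams whose advertised address is RFC 1918 and differs from the address the SIP message arrived from. The function names, the sample SDP and all addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: SDP as an endpoint behind NAT might send it.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 5 2 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def media_targets(sdp):
    """Return [(media, ip, port)]; a media-level c= overrides the session-level one."""
    session_ip, targets = None, []
    for line in sdp.splitlines():
        kind, _, value = line.strip().partition("=")
        if kind == "c":
            parts = value.split()            # "IN IP4 <addr>[/ttl]"
            if len(parts) != 3:
                continue
            ip = parts[2].split("/")[0]
            if targets:
                targets[-1][1] = ip          # applies to the preceding m= line
            else:
                session_ip = ip
        elif kind == "m":
            media, port = value.split()[:2]
            targets.append([media, session_ip, int(port.split("/")[0])])
    return [tuple(t) for t in targets]

def nat_suspects(sdp, signalling_src):
    """Streams whose advertised RTP address is RFC 1918 and is not the address
    the SIP message actually came from (signalling_src)."""
    src = ipaddress.ip_address(signalling_src)
    hits = []
    for media, ip, port in media_targets(sdp):
        try:
            addr = ipaddress.ip_address(ip)
        except (ValueError, TypeError):      # hostname in c=, or no c= at all
            continue
        if addr != src and any(addr in net for net in RFC1918):
            hits.append((media, ip, port))
    return hits

if __name__ == "__main__":
    for media, ip, port in nat_suspects(SAMPLE_SDP, "203.0.113.7"):
        print(f"{media}: SDP advertises {ip}:{port}, unreachable from a public host")
```

When the SIP message arrives through a proxy, as in the UAE case above, `signalling_src` is the proxy's address, so this check only detects the mismatch; it does not reveal the NAT-mapped address that RTP would have to be sent to.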