Asterisk SIP Media NAT

Synopsis: SIP signalling and voice media take independent IP routes, and the upstream and downstream media flows are themselves routed independently. The voice media is transported over RTP: one port is used for the upstream and another port for the downstream. Because of this mode of operation, the return IP route cannot be learned from the incoming route, as it is for SIP signalling.

By tradition these RTP ports are taken in sequence, and much SIP phone configuration software will only ask for one port (expecting you to enter an even port value) and will silently configure the next odd port for the upstream.

Originally SIP was not designed for NAT, so you need to read your SIP phone documentation carefully to know what will be done with the values you enter.

The SIP protocol has no concept of master/slave. We will use that aspect of the protocol to force the SIP phone and Asterisk to select ports in two independent, pre-defined ranges that we will smartly NAT. As stated before, SIP software will most likely silently assume the use of an odd and an even port. As this is outside our control, we will stupidly NAT both the odd and the even RTP port to cover our back and be sure to route the right one. We will get the help of a STUN service to achieve adequate IP routing.

VoIP diagram NAT RTP

Ports configuration on Asterisk side

Configure Asterisk to select ports known to be open for incoming traffic on the remote firewall. Any open range of at least two ports will do. The AOL ports (5190-5193) are very useful because they are likely to be open.

The range span limits the number of simultaneous communication channels you can achieve. For a home-based Asterisk server this should not be an issue. In any case the low upstream bandwidth of ADSL or cable modem services (typically 512 Kbps to 2 Mbit/s down) will not let you run more than a few phone calls in parallel. If you are lucky and have a good Internet connection (for example FTTB with a true 30 or even 80 Mbit/s Ethernet, as I do) you shouldn't be limited.

The RTP port configuration is done by editing the file /etc/asterisk/rtp.conf:

[general]
rtpstart=5190
rtpend=5192

Note that Asterisk will silently also use port 5193 when rtpend is given as 5192.

By default you will see 10000 as rtpstart and 20000 as rtpend. On Cisco devices (such as the modern Cisco SRP and even old ATA-186 hardware) the typical RTP range is set as follows:

RTP Port Min = 16384 (by default)
Minimum port number for RTP transmission and reception. The RTP Port Min and RTP Port Max parameters should define a range that contains at least 4 even-numbered ports, such as 100–106.

RTP Port Max = 16482 (by default)
Maximum port number for RTP transmission and reception.

SIP phone / VoIP or GSM gateway / IP phone side:

Each SIP phone/device is configured differently. On the Gigaset 450 IP, the RTP ports can be configured through the web interface. The use of random RTP ports must be deactivated.

As we have no control over the mapping of the RTP ports between our domain and the public Internet, and we cannot rely on traffic in the other direction to establish the route (unlike signalling, the media uses different paths for the up- and downstream), we must activate the STUN service. The SIP phone uses STUN to discover the port number that is visible from the outside and that maps to the configured port. The STUN server uses port 3478 by default, which needs to be open. If your SIP phone does not support STUN, this setup will not work.

NAT configuration – Local Site

You simply need to configure your broadband gateway to redirect the traffic arriving on the RTP port configured on your SIP phone on the A1 interface toward the same port on your A2 interface. Remember to forward both the even and the odd port number.

Then open your first- and second-level firewalls for the same port range. If your Asterisk server is not running on your second-level firewall, you need to add an extra NAT rule to push the traffic to your Asterisk server's IP address on your home LAN.

NAT configuration – Remote Site

You simply need to configure your broadband gateway to redirect the traffic arriving on the RTP port configured in Asterisk to the same port on your SIP phone. Remember to forward both the even and the odd port number. If you have followed my previous advice, the remote SIP phone has a fixed IP address (not one allocated by DHCP), which keeps the NAT rule stable across power cycles.

If you use a consumer gateway (e.g. Linksys), activating NAT for a port range opens the firewall at the same time.

Note: the proposed trick only works because we deactivate the SIP re-INVITE functionality and force the SIP communication (signalling and media streams) to keep going through the Asterisk server. You must set re-INVITE to no:

canreinvite=no

in the sip.conf entries of the peers/users you are working with.
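As an added example (not code from the article), a small Python helper that applies the even/odd pairing rule described above to an rtp.conf range: it parses the [general] section, lists the port pairs the gateway must forward (including the odd partner of rtpend, as the note on port 5193 shows), counts the simultaneous channels the span allows, and renders the extra forwarding rule for a Linux/iptables gateway. The function names, the eth0 WAN interface, the 192.168.1.10 Asterisk address and the iptables-based gateway are assumptions of this example.

```python
from configparser import ConfigParser

# Constructed sample, matching the article's rtp.conf (not read from a live box).
RTP_CONF = """[general]
rtpstart=5190
rtpend=5192
"""


def parse_rtp_conf(text):
    """Return (rtpstart, rtpend) from the [general] section of an rtp.conf body."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.getint("general", "rtpstart"), cp.getint("general", "rtpend")


def plan_rtp_nat(rtpstart, rtpend):
    """Apply the article's rule: RTP takes an even port and the next odd port
    belongs to the same call, so both must be forwarded. The odd partner of
    rtpend is included even though it lies outside the configured range."""
    if rtpend < rtpstart:
        raise ValueError("rtpend must not be below rtpstart")
    warnings = []
    if rtpstart % 2:
        warnings.append("rtpstart %d is odd; phones expect an even start" % rtpstart)
    first_even = rtpstart - (rtpstart % 2)   # round down: one spare port beats a missed one
    last_even = rtpend - (rtpend % 2)
    pairs = [(p, p + 1) for p in range(first_even, last_even + 1, 2)]
    return {
        "pairs": pairs,                        # (RTP even, odd partner) per call
        "channels": len(pairs),                # one pair per simultaneous call
        "forward": (pairs[0][0], pairs[-1][1]),  # contiguous range to open/forward
        "warnings": warnings,
    }


def iptables_rules(plan, wan_if, asterisk_ip):
    """Render the 'extra NAT rule' for a Linux/iptables gateway (assumed):
    DNAT the forwarded UDP range to the Asterisk host and allow it through."""
    lo, hi = plan["forward"]
    return [
        "iptables -t nat -A PREROUTING -i %s -p udp --dport %d:%d -j DNAT --to-destination %s"
        % (wan_if, lo, hi, asterisk_ip),
        "iptables -A FORWARD -i %s -p udp -d %s --dport %d:%d -j ACCEPT"
        % (wan_if, asterisk_ip, lo, hi),
    ]


if __name__ == "__main__":
    plan = plan_rtp_nat(*parse_rtp_conf(RTP_CONF))
    print("forward UDP %d-%d, %d channel(s)" % (plan["forward"] + (plan["channels"],)))
    print("\n".join(iptables_rules(plan, "eth0", "192.168.1.10")))
```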

