double nat sip with asterisk
rene — Tue, 03/09/2010 - 20:21
This config works by port forwarding RTP traffic to the Asterisk box and the ATA on both ends. From what I've seen, SIP does not handle RTP traffic well with double NAT when port forwarding of RTP is not used.
I've got the following network topology. The far left is an Asterisk box I terminate all my VoIP calls through. The far right is my ATA and desk phone, a Sipura SPA2000.

This is how I do double nat sip with asterisk.
On the asterisk end far left, sip.conf has this in the general section
externip=198.51.100.100
localnet=10.20.20.0/255.255.255.0
For the account I have for my ATA to authenticate I have this
[sipura]
nat=yes
canreinvite=yes
In rtp.conf I lock RTP traffic to ports 10000 through to 10100
rtpstart=10000
rtpend=10100
On the far left Linux router I port forward the following
ingress port 5060/udp on 198.51.100.100 to port 5060/udp on 10.20.20.2
ingress ports 10000-10100/udp on 198.51.100.100 to ports 10000-10100/udp on 10.20.20.2
Now over to the right side which is my office. On the far right dsl router I port forward the following
ingress ports 10000-10100/udp on 203.0.113.100 to ports 10000-10100/udp on 192.168.100.100
The DSL router allows me to add static routes. 192.168.100.0/24 is routed via 10.10.10.2 on the DSL router. Another way I could have done this was to add 10.10.10.2 to a DMZ (which most DSL routers support) and then port forward 10000-10100/udp to 192.168.100.100 on the Linux router.
Within the Sipura config I lock RTP traffic to ports 10000-10100/udp
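A quick way to check that the settings above are taking effect, as an added example that is not part of the original post: the Python below inspects the SDP body of a captured SIP message from the Asterisk side and flags a c= address that is still inside localnet or differs from externip, and an m=audio port outside 10000-10100. The function names and the two sample messages are constructed for illustration.

```python
import ipaddress

EXTERNIP = "198.51.100.100"  # externip from sip.conf above
LOCALNET = ipaddress.ip_network("10.20.20.0/255.255.255.0")  # localnet from sip.conf
RTP_RANGE = range(10000, 10101)  # rtpstart..rtpend from rtp.conf, inclusive


def check_sdp(sip_message, externip=EXTERNIP, localnet=LOCALNET, rtp_range=RTP_RANGE):
    """Return a list of problems found in the SDP body of one SIP message."""
    # The SDP body follows the first blank line after the SIP headers.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    problems = []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            # Connection address: where the far end will send RTP.
            addr = ipaddress.ip_address(line.split()[2].split("/")[0])
            if addr in localnet:
                problems.append(f"SDP advertises internal address {addr}")
            elif str(addr) != externip:
                problems.append(f"SDP advertises {addr}, expected {externip}")
        elif line.startswith("m=audio "):
            # Media port: must fall inside the range the router forwards.
            port = int(line.split()[1].split("/")[0])
            if port not in rtp_range:
                problems.append(f"RTP port {port} is outside the forwarded range")
    return problems


def sample_message(addr, port):
    """Build a minimal constructed SIP response carrying an SDP answer."""
    return ("SIP/2.0 200 OK\r\n"
            "Content-Type: application/sdp\r\n"
            "\r\n"
            "v=0\r\n"
            f"o=root 1 1 IN IP4 {addr}\r\n"
            "s=session\r\n"
            f"c=IN IP4 {addr}\r\n"
            "t=0 0\r\n"
            f"m=audio {port} RTP/AVP 0\r\n")


GOOD = sample_message("198.51.100.100", 10042)  # constructed: externip applied
BAD = sample_message("10.20.20.2", 18334)       # constructed: NAT settings not applied

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("bad", BAD)):
        print(name, check_sdp(msg) or "ok")
```

A message that fails either check means the far end will send RTP to an address or port the router does not forward, which usually shows up as one-way or no audio.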