Multiple SIP Devices at one location

My question involves routing the right calls to the correct SIP devices from an asterisk server, over a WAN.

In a typical firewall setup, you have to forward an open port to a specific device or host.  

So how would you setup multiple SIP devices on a network, if the firewall is forwarding SIP packets on port 5060 to one selected ip address?
Who is Participating?
denisdsr20Connect With a Mentor Commented:

I can suggest 2 solutions :
1) use a sip Proxy at each remote location it will manage NAT/PAT for each devices but it is heavy
2) use a different SIP port for each of your devices UA1 uses 5060, UA uses 5061, etc ... Then your rules on firewalls are rather simple

SR20 Service /France
Hi, Your question is not so clear, I will first try to clarify.

My understanding : your asterisk is behind a firewall and SIP devices (called UA = User Agent) are on the internet.

First of all each SIP device is supposed to Register on asterisk each send a SIP request to asterisk on port 5060, asterisk will grant the registration and remember the details of SIP device (IP, SIP ports, name, ...)

From your firewall you may allow incoming SIP request from the internet to be routed on asterisk box. You may allow any outgoing SIP request (from asterisk box / port 5060) to be deliver on the internet.

From SIP point of view it should be enough.

But the tricky part in VOIP is the RTP flow (UDP on dynamic ports in range mostly 20000 to 30000), these ports are negociated for each call and there is a RTP "channel" to send voice and another one to receive voice.

If these are not allowed to cross firewalls you may experience no voice at all or only "half way" audio (just send voice or just receive voice).

To solve this issue you need somewhere a RTP proxy, it will enhance the ability to cross firewall and manage NAT/PAT.
To manage RTP flow I may suggest to check out SER and rtproxy resource (google it, new name is openSIPS) For sure this part is the really difficult one in SIP over WAN architecture.

Remember you can divert the RTP from asterisk (using canreinvite=yes in sip.conf) it allows to connect RTP between 2 UA directly without any asterisk on the path.

Hope this help

SR20 Service / France

jkocklerAuthor Commented:
Thank you for the information, it was very informative but not quite what I was asking.

My SIP Peers (UA) or devices, are communicating perfectly over the internet to my Asterisk server.  I am able to hear audio both ways, etc.

In my current scenario I have only one sip peer ip phone, at each remote location.  

My question is about putting multiple sip ip phone peers at a remote location.  If I were to open port 5060 on the firewall at the remote location, how would the firewall pass sip data on port 5060 to multiple devices?  A typical firewall setup will only allow you to forward data through a specific port to ONE host.  So for example, in the firewall, you say port 5060 points to host  That only covers one device.  How do I get data on port 5060 to the other sip ip phones which host addresses are,,,,,,,,,,,,,  etc etc

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Kerem ERSOYPresidentCommented:
Another suggestion is talk to your IS and see if they have a plan which includes multiple IP addresses. Some ISP's have some plans such as they can assign 5 or 8 addresses not just one. This way you'll be able to register multiple devices assigning them 506 of other available addresses and your firewall will then reverse NAT these to your multiple gateways.
jkocklerAuthor Commented:
Thanks for the info!

How high can I go on the 5060, 5061, 5062, 5062 ports ?  Is there even a limit?
jkocklerAuthor Commented:
Also, I have another thread that pertains to this issue in a way, if you could check it out.
In the thread, asterisk is using 5061 to send data to one of my sip peers, instead of 5060.  I do not know why it is doing this.  I am concerned that if I use different ports for each of the sip peers at a remote location, that I may not have a choice as to what port asterisk sends the data to.  I had the sip peer communicating on 5060 and asterisk registered it fine on 5060 but when it sent back, it would use 5061 for some reason.

Kerem ERSOYPresidentCommented:
if you're using peer-to-per SIP you wont even need separate addresess since you manually configure them you can  easily specify to llok at wahat address and what port.
jkocklerAuthor Commented:
ok thanks.  And what is the max port number for SIP?  Could I for example use 5100?
denisdsr20Connect With a Mentor Commented:
Choose whatever you want if the requested port is available not used by any other process.

SR20 service/France
jkocklerAuthor Commented:
Ok, well now I am being told in another thread that Asterisk will only listen on 1 port.  I do not see how this is true if I am able to communicate with one of my peer devices on 5061, and my sip.conf shows bindport as 5060.
denisdsr20Connect With a Mentor Commented:
BindPort in asterisk says asterisk wait for incoming sip requests at default SIP port which is 5060.

But remember my previous post when I said the UA sends its registration detail it can say : I'm UA name=myName I can be contacted at IP =uaIP on port (let say 5061). That's it !

Then when asterisk need to send request to this UA it will send sip message at uaIP:5061 or whatever the UA set as contact details.

But asterisk may not be able to accept incoming on port different frkom its bindPort (5060).

To check what are the listen currently in use, at linux prompt enter "netstat -a|grep udp"
You should see something like :
udp 0 0 *:sip ......   (sip is 5060 in /etc/services)
if you do not see any *:5061 (or sip-tls) this means no process are bind to 5061 and no incoming toward this port will be accepted.

nociSoftware EngineerCommented:
If all talk goes trough asterisk, and you are running one
how can there be a problem.

My guess is that you also need to have asterisk switch the voice channel. (RTP)
And have internally all phones & equipment connect to asterisk.
you might need to set 'canreinvite=no' in the client profile to force asterisk to be in the middle.

Another way to skin this cat:
if you make a VPN tunnel between the sites, there is a NETWORK in beteen and not just two addresses. You can look into tunnel technology like IPSEC and stunnel. IPSEC should be prefered because it keeps the underlying assumption of  IP in tact and is not a udp/tcp over an encypted tcp link.
jkocklerAuthor Commented:
Thanks for all the help .  

I did find that I can specify ports directly for each peer in sip.conf.

The command is "port="

Anyone ever use that before?
What about


in sip.conf ?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.