Solved

Questions about Asterisk behind NAT

Posted on 2013-11-26
7
434 Views
Last Modified: 2014-02-26
The Asterisk/FreePBX server is in our data center behind our firewall. It's on a 10.10.40.0/24 network. Our telephones are at a remote site that has an IPSEC tunnel to the data center. These devices are on a 10.1.40.0/24 network.

Calls between the phones at the remote sites work. Calls from our remote site to an extension on our Asterisk server (Directory for example) do not work; calls via our SIP trunk provider configured on the Asterisk server also do not work - there is no audio.

I'm sure this is a beginner NAT issue; I'm looking for guidance on how to resolve.
0
Comment
Question by:hypervisor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 31

Expert Comment

by:Frosty555
ID: 39679718
Note that a site-to-site VPN is NOT a NAT. If your site-to-site has been done right you have equipment on both ends which is routing packets for the two local subnets meaning the endpoint and the PBX can communicate with each other directly using their IP addresses. A NAT is involved when you have a router connecting an external network (e.g. the Internet) to a local network, and there's port forwarding etc. configured.

More likely this is a firewall issue...

The Asterisk server uses port UDP 5060-5061 for regular SIP traffic, but the audio for each session is sent via a randomly selected RTP port, which by default is in the range of UDP 10000-20000. These ports must be opened in your firewall, forwarded through your NAT etc. accordingly. If you need to use a different range you can configure the RTP port range in /etc/asterisk/rtp.conf.  

Also, if you're Asterisk server is behind a NAT you should make sure your external IP address or hostname is specified in Asterisk using the "externhost", "externip" and "localnet", directives in your sip.conf. It's easier to configure this if you're using FreePBX as your GUI, you can simply go into Settings->Asterisk SIP Settings section and configure the NAT settings in there.

Finally, your endpoints themselves (In freepbx under Applications->Extensions), you need to configure if they are behind a NAT. If your endpoints/phones are on the other side of a router you should set NAT to "yes". Otherwise, leave it as "no".
0
 

Author Comment

by:hypervisor
ID: 39679735
Thanks for the response.

The phones are configured to connect to the Asterisk server on its LAN IP address (10.10.40.250) -- not on a WAN address.  The phones are behind a router on the private network VLAN (10.1.40.0/24) at our satellite office.

Do they need to be configured for NAT?  Based on what you wrote, I would assume not.
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 39679741
I'm assuming that even though your phones are behind a router, the site-to-site VPN is providing the routing between the PBX subnet and the phones subnet (e.g. Asterisk never actually has to use the external WAN IP address of the remote site where the phones are).

So I'd say if your PBX can communicate with the phones via their local 10.1.40.0/24 ip address, then NAT should be set to "no". Otherwise set it to "yes".

More information is here:
http://www.voip-info.org/wiki/view/Asterisk+sip+nat
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:hypervisor
ID: 39679746
NAT is set to no.

Any other ideas as to why things aren't working?
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 39679751
I'm still leaning in the direction of a firewall issue related to your RTP port range. You're sure that the endpoints can communicate with your PBX on the RTP port range 10000-20000?
0
 

Author Comment

by:hypervisor
ID: 39679757
I'm told the VLAN's at the two locations are "wide open".
0
 
LVL 15

Accepted Solution

by:
Phonebuff earned 500 total points
ID: 39681527
The phones are configured to connect to the Asterisk server on its LAN IP address (10.10.40.250) -- not on a WAN address.  The phones are behind a router on the private network VLAN (10.1.40.0/24) at our satellite office.

You need to ensure that the Localnet = has the appropriate settings both subnets, and that the asterisk server has a entry in the route table for this remote subnet, if the router / firewall supporting it is not the default..  

Externip = <Public Ip Address>
Localnet = 10.10.40.0/255.255.255.0
Localnet = 10.1.40.0/255.255.255.0


You can use MTR on the Asterisk box to check the route -- http://linux.die.net/man/8/mtr

==============================
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Shared number solutions 1 64
Failing ALG SIP test for new VoIP phone system 4 143
set url:tel to a website 3 119
replacing 2811 to ISR 4331 2 48
There are no good configuration guides for HP-H3C router to LYNC on the web. :( Big statement, but we havent been able to find one yet. We did find the following document useful, but the information was not enough to use H3C router for use as a L…
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question