Summary: ASTERISK-17358: SIP RTP with 2 UA and Asterisk all NATTED through a stateful (but not SIP aware) firewall
Reporter: Diego Ercolani (dercol)
Labels:
Date Opened: 2011-02-06 08:38:36.000-0600
Date Closed: 2011-06-07 14:01:02
Versions: 1.8.4
Frequency of
Description: The situation I'm going to describe is one where 2 user agents are NATted behind a NAT firewall, and Asterisk is also NATted. canreinvite=no, so the media stream is handled by Asterisk. Asterisk is

B is one User Agent
C is the other
A is Asterisk

B and C are registered to the Asterisk with their public IP via STUN server

B calls C via the Asterisk box.
So on port 5060 UDP, B sends an INVITE to the Asterisk (A) box with an indication of the UDP ports for the RTP stream of the UA (B); Asterisk rings endpoint C (endpoint C is reachable if the firewall that is NATting endpoint C knows about an active session on port 5060 between endpoint C and Asterisk A).
When endpoint C answers, Asterisk tries to start an RTP media session from Asterisk to endpoint B (with the parameters included in the INVITE from endpoint B).
The issue is that the firewall doesn't know anything about the new session starting from A to B, because from the firewall's point of view it is a new session coming from outside to the inside, so it simply disallows it. The only way Asterisk (A) can initiate an RTP stream to endpoint B is for endpoint B to first start an RTP session to Asterisk, so that UDP packets flowing from Asterisk to B are recognized by the firewall as RELATED to a request from the SIP UA endpoint.
The question is:
How is it possible to tell Asterisk not to start the RTP connection to the B endpoint (and even to the A endpoint, which suffers from the same issue), but to force the user agents to start the communication?
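As an added illustration (not part of the report and not Asterisk code), the following Python models the connection-tracking behaviour the description relies on: a firewall that is not SIP aware admits an inbound UDP packet only if an inside host already sent to that source on the same port pair. The addresses and ports are constructed; `rtp_scenario` replays the call with and without the UA sending its RTP first.

```python
# Constructed model of a stateful, non-SIP-aware UDP firewall. It remembers
# flows it has seen leave the inside and admits inbound packets only when they
# match a remembered flow in reverse. Addresses/ports below are made up.

ASTERISK = "198.51.100.10"     # A: Asterisk's public address (constructed)
UA_B_PUBLIC = "203.0.113.5"    # B as seen from outside, after NAT (constructed)


class StatefulUdpFirewall:
    """Tracks (inside_ip, inside_port, outside_ip, outside_port) UDP flows."""

    def __init__(self):
        self.flows = set()

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # A packet leaving the inside creates (or refreshes) a flow entry.
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # Admitted only if an inside host already sent to this exact
        # source IP/port from this exact destination IP/port.
        return (dst_ip, dst_port, src_ip, src_port) in self.flows


def rtp_scenario(ua_sends_first):
    """Replay the call from the report: B INVITEs A on 5060 and advertises
    RTP port 10000; A answers with media port 20000 (constructed values).
    Returns whether A's first RTP packet towards B is admitted."""
    fw = StatefulUdpFirewall()
    # SIP signalling: B -> A on 5060 creates a flow, so A's SIP replies get in.
    fw.outbound(UA_B_PUBLIC, 5060, ASTERISK, 5060)
    assert fw.inbound(ASTERISK, 5060, UA_B_PUBLIC, 5060)
    if ua_sends_first:
        # The UA behind the NAT sends RTP to A's media port before A does;
        # the firewall now has a 10000 <-> 20000 flow to match against.
        fw.outbound(UA_B_PUBLIC, 10000, ASTERISK, 20000)
    # A sends its first RTP packet to the port B advertised in the INVITE.
    return fw.inbound(ASTERISK, 20000, UA_B_PUBLIC, 10000)
```

Without the UA's packet the RTP flow has no tracked entry and is dropped, which is exactly the one-way or missing audio the report describes; the SIP flow on 5060 does not help because the media uses a different port pair.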
Comments:

By: Leif Madsen (lmadsen) 2011-02-07 11:20:07.000-0600

You could try directrtpmedia=yes, but Asterisk is not a SIP proxy, and is thus going to try to set up communications between A -> Asterisk and Asterisk -> B, and not to the endpoints directly.

Also because both end points are behind NAT that might cause issues as well.

By: Diego Ercolani (dercol) 2011-02-08 16:06:55.000-0600

Thank you for your answer; really I want to keep Asterisk on the media path, so I'd like to have canreinvite=no.

By: Leif Madsen (lmadsen) 2011-03-08 14:44:46.000-0600

I don't believe this topology is supported. You could gather additional information using the asterisk-users mailing list. Thanks!