Summary: | ASTERISK-17358: SIP RTP with 2 UA and Asterisk all NATTED through a stateful (but not SIP aware) firewall | ||
Reporter: | Diego Ercolani (dercol) | Labels: | |
Date Opened: | 2011-02-06 08:38:36.000-0600 | Date Closed: | 2011-06-07 14:01:02 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/RTP |
Versions: | 1.8.4 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ||
Description: | The situation I'm going to describe is one where 2 user agents are NATted behind a NAT firewall, and Asterisk is also NATted. canreinvite=no, so the media stream is handled by Asterisk. Asterisk is 1.8.2.1.

B is one user agent
C is the other
A is Asterisk

B and C are registered to Asterisk with their public IP via a STUN server.

B calls C via the Asterisk box. So on port 5060 UDP, B sends an INVITE to the Asterisk (A) box indicating the UDP ports for the RTP stream of the UA (B), and Asterisk rings endpoint C (endpoint C is reachable if the firewall that is NATting endpoint C knows about an active session on port 5060 between endpoint C and Asterisk A).

When endpoint C answers, Asterisk tries to start an RTP media session from Asterisk to endpoint B (with the parameters included in the INVITE from endpoint B). The issue is that the firewall doesn't know anything about the new session starting from A to B, because from the firewall's point of view it is a new session coming from outside to inside, so it simply disallows it.

The only way Asterisk (A) can set up an RTP stream to endpoint B is if endpoint B first starts an RTP session to Asterisk, so that UDP packets flowing from Asterisk to B are recognized by the firewall as RELATED to a request from the SIP UA endpoint.

The question is: how is it possible to tell Asterisk not to start the RTP connection to the B endpoint (and even to the A endpoint, which suffers from the same issue) but to force the user agents to start the communication? | ||
Comments: | By: Leif Madsen (lmadsen) 2011-02-07 11:20:07.000-0600

You could try directrtpmedia=yes, but Asterisk is not a SIP proxy, and is thus going to try to set up communications between A -> Asterisk, and Asterisk -> B, and not to the end points directly. Also, because both end points are behind NAT, that might cause issues as well.

By: Diego Ercolani (dercol) 2011-02-08 16:06:55.000-0600

Thank you for your answer. Really, I want to keep Asterisk on the media path, so I would like to have canreinvite=no.

By: Leif Madsen (lmadsen) 2011-03-08 14:44:46.000-0600

I don't believe this topology is supported. You could gather additional information using the asterisk-users mailing list. Thanks! |
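
The firewall behaviour described in this issue, as an added example that is not part of the original report and is not Asterisk code: a toy Python model of a stateful UDP filter with no SIP awareness, replaying the call between B and Asterisk (A). Address translation is left out, and the class, the addresses and ports, and the 30-second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulUdpFirewall:
    """Toy stateful firewall with no SIP awareness (assumed model, not a real product)."""
    timeout: float = 30.0  # assumed idle timeout for a UDP flow, in seconds
    flows: dict = field(default_factory=dict)  # (inside, outside) -> last packet time

    def outbound(self, inside, outside, now):
        """Inside host sends out: always allowed, creates or refreshes flow state."""
        self.flows[(inside, outside)] = now
        return True

    def inbound(self, outside, inside, now):
        """Outside host sends in: allowed only as a reply on a live flow."""
        seen = self.flows.get((inside, outside))
        if seen is None or now - seen > self.timeout:
            self.flows.pop((inside, outside), None)  # unknown or expired
            return False
        self.flows[(inside, outside)] = now
        return True

def run_call():
    """Replay the call from the report: B behind the firewall, A is Asterisk."""
    # Constructed sample endpoints (documentation address ranges).
    b_sip, b_rtp = ("192.0.2.10", 5060), ("192.0.2.10", 16384)
    a_sip, a_rtp = ("198.51.100.5", 5060), ("198.51.100.5", 10000)
    fw, seen = StatefulUdpFirewall(), {}
    fw.outbound(b_sip, a_sip, now=0)  # B's INVITE opens the 5060 flow
    seen["sip_reply"] = fw.inbound(a_sip, b_sip, now=1)
    # Asterisk sends RTP first: the 5060 flow does not cover the RTP ports.
    seen["asterisk_rtp_first"] = fw.inbound(a_rtp, b_rtp, now=2)
    fw.outbound(b_rtp, a_rtp, now=3)  # B sends its first RTP packet
    seen["asterisk_rtp_after_b"] = fw.inbound(a_rtp, b_rtp, now=4)
    # A reply from a different Asterisk port still has no matching flow.
    seen["asterisk_other_port"] = fw.inbound(("198.51.100.5", 10002), b_rtp, now=5)
    # Silence longer than the timeout closes the pinhole again.
    seen["after_idle"] = fw.inbound(a_rtp, b_rtp, now=40)
    return seen

if __name__ == "__main__":
    for step, allowed in run_call().items():
        print(f"{step:22} {'pass' if allowed else 'drop'}")
```

The model matches on the full address and port pair in both directions, which is why the signalling flow on 5060 never admits media and why the reply must come from the exact port B sent to.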