Asterisk + Phones behind different Nat Firewalls



I have a doubt (basic, I guess, but not for me). I have a scenario where the
customer site has an Asterisk PBX behind a NAT/firewall with a private IP address,
and some phones also; BUT there are some other phones at different sites,
and of course behind their own NAT/firewalls. With IAX I have no problem, but
the customer wants to use SIP phones and there is no way to put a public IP
address on the Asterisk server.

What do you recommend? Any advice?

Many thanks in advance

8 thoughts on - Asterisk + Phones behind different Nat Firewalls

  • What router(s) are in use?

    Did you disable any SIP/VoIP “helpers” or ALGs they may have?

  • Well, you have to tell Asterisk what the external IP of the NAT is, or else it's never going to work.
    Look at externip and localnet.

  • OK, understood. The signaling won't be a problem, but it's not the same with RTP,
    as it uses random ports. The idea is to have an intermediary that could
    deliver both ports and ping them on both sides to keep the NAT open on the
    routers; this is what I do with RTP proxy within OpenSIPS.

    But in this case, no OpenSIPS. The routers are Comtrend and Linksys.

    Are you sure that works for you with the same environment as mine? It's just
    that I'm trying to understand it technically (SDP headers + SIP headers) and
    I do not understand how the RTP will reach both phones behind different NATs.

    The routers do not have ALG.
    On 26/04/2012 23:19, wrote:

  • The Asterisk side has to have the router ports 5060 and 10000-20000 forwarded to Asterisk. These are the standard ports, but you could cut way down on the RTP ports in rtp.conf. Then you have to tell Asterisk what the external IP of your NAT is, and most of the time this should work today with no problem; lots of us here have it working that way (of course you have to take care of security, fail2ban, etc.).
    On the phone side you might have to use STUN, but it depends on the firewall. Also, you should set the phone to send a NAT keep-alive every 30 seconds (Asterisk also sends an OPTIONS packet to keep the NAT open, but it doesn't always work OK).
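
The setup described in the comment above, written out as an added configuration example (not posted by any participant in the thread). It assumes chan_sip; the public address 203.0.113.10, the 192.168.1.0/24 LAN, the narrowed RTP range and the peer name and secret are constructed placeholders.

```ini
; ---- sip.conf (chan_sip) ----
[general]
; Public address of the NAT router in front of Asterisk (placeholder).
; Asterisk puts this address into the SIP and SDP it sends to peers
; that are outside localnet.
externip=203.0.113.10
; Peers inside this range are on the same LAN and get the private address.
localnet=192.168.1.0/255.255.255.0
; Keep the media path through Asterisk, so each phone only has to
; exchange RTP with the forwarded public address, never with the other phone.
directmedia=no
; Reply to the source address and port actually seen for SIP and RTP,
; not the private ones the phone advertises (nat=yes on older releases).
nat=force_rport,comedia
; Periodic OPTIONS to each peer; also refreshes the NAT mapping for signaling.
qualify=yes
; Port 5060 is reachable from the Internet, so reduce what it gives away:
allowguest=no          ; no unauthenticated calls
alwaysauthreject=yes   ; same rejection for unknown and known usernames

[remote-phone-1]       ; hypothetical peer behind a remote NAT
type=friend
host=dynamic
secret=REPLACE-WITH-LONG-RANDOM-SECRET
context=internal       ; placeholder dialplan context

; ---- rtp.conf ----
[general]
; Narrowed from the default 10000-20000 so fewer ports are forwarded.
; Size the range to the expected number of concurrent calls.
rtpstart=10000
rtpend=10100

; ---- On the router in front of Asterisk (not an Asterisk file) ----
; Forward UDP 5060 and UDP 10000-10100 to the Asterisk host,
; matching rtpstart/rtpend above.
```

The forwarded RTP range on the router has to match rtpstart and rtpend exactly, otherwise calls that land on an unforwarded port show one-way audio.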

  • Thanks,

    But if I open RTP ports from 10000-20000, how would you ping ports from both
    sides so as not to lose RTP or have one-way audio, if the ports are chosen
    randomly between 10.000-20.000 in every call?

    The keep-alive works for signaling (Asterisk sends OPTIONS to the
    contact), but not for RTP. For RTP I think it is mandatory to have a STUN
    server or RTP proxy. Right?
    On 27/04/2012 12:15, wrote:

  • Here’s one specific environment:

    Asterisk > Sonicwall 240 (NAT) > ISP router (no NAT) > Internet > Airport
    Extreme (NAT) > Linksys SPA 942

    Works just fine. We have dozens of similar implementations with other
    routers, but never use junk routers or off-brand stuff on the server side.