Thanks for responding.
I was referring to the SIP server interface defined with a non-routable class A (10.x.x.x) IP address for example. The PIX firewall is configured with a static NAT translation (12.x.x.x <--> 10.x.x.x) and an access control list which directs traffic destined for port 5060 outside global address to the NAT'ed inside address.
The problem I have is when UA1 sends an invite to UA2. After the proxy sends the invite to UA2 the "Record Route" address is the local IP address (10.x.x.x). As a result, both UA1 and UA2 never receive a BYE message. Please help.
~Alan
SER External | UA2 | UA1 | SER Internal
12.xxx.xxx.xx | 192.168.215.103 | 151.xxx.xxx.xx | 10.181.0.35

INVITE SDP   ------------------>
100 Trying   <------------------
180 Ringing  <------------------
200 Ok SDP   <------------------
RTP          ------------------>
200 Ok       <------------------
200 Ok       <------------------
200 Ok       <------------------
RTP          ------------------>
BYE          -------------------------------------->
BYE          -------------------------------------->
BYE          -------------------------------------->
-----Original Message-----
From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Michael Grigoni
Sent: Thursday, May 11, 2006 3:50 AM
To: serusers@lists.iptel.org
Subject: Re: [Serusers] Running SER Server behind NAT

Alan wrote:
> Is it possible to run SER SIP server behind a NAT? If so, what type of configuration changes am I looking at? My current scenario is as follows.
> Internet <-----> Pix (12.x.x.x translates to 10.x.x.x) <----> SIP Server
We have been running ser 0.8.99-dev19 (sparc/openbsd) for more than a year on NAT; our solution required ser to run on the NAT border router so that it could service the public net interfaces and the internal NAT'ed interfaces. We use rtpproxy on the same box. I have not actively watched the lists for any developments involving running it on a host only on a private ip space. I don't know of a ser port to run on the Pix. All external UAs so far have been on public ip addresses; we haven't yet dealt with the issue of external UAs behind NAT (perhaps a STUN solution would work, or a VPN where feasible).
Michael Grigoni Cybertheque Museum
_______________________________________________ Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
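A check for the symptom described in the message above, as an added example that is not part of the original thread: it scans a SIP message for routing headers that expose an RFC 1918 address, which an external UA cannot reach when it later sends a BYE. The function name and the sample INVITE are constructed for illustration; 10.181.0.35 is the internal SER address from the call flow above, and the public addresses are documentation-range placeholders.

```python
import ipaddress
import re

# Headers (with compact forms) that later in-dialog requests such as BYE are routed on.
ROUTING_HEADERS = {"record-route", "route", "contact", "m", "via", "v"}
# Explicit RFC 1918 list: ip_address.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def private_routing_addresses(sip_message):
    """Return (header, address) pairs where a routing header exposes an RFC 1918 address."""
    head = sip_message.split("\r\n\r\n", 1)[0]      # drop the SDP body
    unfolded = []
    for line in head.split("\r\n")[1:]:             # skip the request/status line
        if line[:1] in (" ", "\t") and unfolded:    # folded continuation line
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    findings = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ROUTING_HEADERS:
            continue
        for text in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:                      # not a valid address, e.g. 999.1.1.1
                continue
            if any(addr in net for net in RFC1918):
                findings.append((name.strip(), text))
    return findings

# Constructed sample: an INVITE as an external UA would see it after a proxy
# behind static NAT inserted its inside address into Record-Route.
SAMPLE_INVITE = (
    "INVITE sip:ua2@203.0.113.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10;branch=z9hG4bK-constructed-1\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-constructed-0\r\n"
    "Record-Route: <sip:10.181.0.35;lr>\r\n"
    "Call-ID: constructed-call-1@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:ua1@203.0.113.7:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for header, addr in private_routing_addresses(SAMPLE_INVITE):
        print(f"{header} exposes private address {addr}")
```

Run against a capture taken on the outside interface, an empty result indicates the NAT device or proxy is rewriting the signaling addresses.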
Alan wrote:
> Thanks for responding.
> I was referring to the SIP server interface defined with a non-routable class A (10.x.x.x) IP address for example. The PIX firewall is configured with a static NAT translation (12.x.x.x <--> 10.x.x.x) and an access control list which directs traffic destined for port 5060 outside global address to the NAT'ed inside address.
Indeed, the only workable solution we found is to run 'ser' on the 'nat router' itself, which in our case is a border router running OpenBSD on sparc. 'ser' is configured to listen on the router's public ip and on the internal (NAT'ed) private (RFC 1918) networks; we run 'rtpproxy' on the same host to handle the rtp payload with internal UAs which are clients on private (RFC 1918) addresses.
Our 'ser.cfg' is somewhat more complicated than is usual for a small network.
I have not really investigated using NAT-T in this scenario.
Regards,
Michael Grigoni Cybertheque Museum
Alan,
This may be obvious, but in addition to the static translate you need to turn on SIP fix-up in the PIX. Have you done this?
Leo P.
-----Original Message-----
From: serusers-bounces@iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Alan
Sent: Thursday, May 11, 2006 10:20 AM
To: 'Michael Grigoni'; serusers@lists.iptel.org
Subject: RE: [Serusers] Running SER Server behind NAT
Thanks for responding.
I was referring to the SIP server interface defined with a non-routable class A (10.x.x.x) IP address for example. The PIX firewall is configured with a static NAT translation (12.x.x.x <--> 10.x.x.x) and an access control list which directs traffic destined for port 5060 outside global address to the NAT'ed inside address.
The problem I have is when UA1 sends an invite to UA2. After the proxy sends the invite to UA2 the "Record Route" address is the local IP address (10.x.x.x). As a result, both UA1 and UA2 never receive a BYE message. Please help.
~Alan
Leo,
I had SIP fix-up turned off and just re-enabled it on the PIX. This seems to help resolve the issue and in turn the SIP signaling is working correctly. Thanks so much!
~Alan
-----Original Message-----
From: Leo [mailto:leo@ltcjp.com]
Sent: Sunday, May 14, 2006 7:03 PM
To: 'Alan'
Cc: serusers@lists.iptel.org
Subject: RE: [Serusers] Running SER Server behind NAT
Alan,
This may be obvious, but in addition to the static translate you need to turn on SIP fix-up in the PIX. Have you done this?
Leo P.