[Serusers] Problem with ATA186 and NAT (Linksys).

Tom Lowe tom at comprotech.com
Sat Jun 5 00:21:00 CEST 2004 

I actually tried that once, but I tried it again just to be sure.

My linksys is LAN side is 192.168.51.X.  So my Linksys is 192.168.51.1
and my ATA is 192.168.51.153.  I put 192.168.51.1 in the NATIP field.
It worked....so to prove that's the solution, I removed it, and it still
works.  So that's not the solution.

Out of curiosity, Can anyone say what this NATIP field actually
accomplishes?  Asterisk doesn't require you to populate that field with
anything.

My understanding of the mechanics behind NAT is that, if the router
receives a request for a port that is already mapped to another user, it
will assign a new port.  That's what was happening here.   5060 was
already mapped to another user (I believe a softphone on my PC), so it
used 15060.  

So, it sends to SER 5060 from 15060.  SER should respond to 15060 from
5060, Router will tranlate the 15060 to 5060 and deliver it to my ATA.
The problem was that SER was sending to 5060 instead of 15060.  

I suspect that the original mapping in the router expired, so now it's
using 5060 instead of 15060, which is allowing it to work.

So, to test this theory, I fired up XTEN on my PC.  Sure enough, it's
mapping another, but now, SER is responding with the proper port.   

I'm wondering if that section of code in my ser.cfg file that is calling
the nathelper commands if the originator is an ATA is actually causing
damage rather than fixing things?   (I got that code from someone else
who suposedly got this all working with ATA behind a NAT)  I'm going to
have to wait until this mapping times out again to try it back around
the other way.  

If anyone else has ideas, please let me know.  Otherwise, I'll report my
findings when things time out.

Thanks!

Tom



-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Gregory D. Burns
Sent: Friday, June 04, 2004 5:38 PM
To: serusers at lists.iptel.org
Subject: RE: [Serusers] Problem with ATA186 and NAT (Linksys).



What are you SIP setting in the ATA? You need your Firewall's IP in the
NATIP field. 

-Greg
-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Tom Lowe
Sent: Friday, June 04, 2004 2:11 PM
To: serusers at lists.iptel.org
Subject: [Serusers] Problem with ATA186 and NAT (Linksys).

SER version Sip EXpress router (0.8.12 (i386/linux))

Below is my ser.cfg file  (IP addresses changed, of course).  My
situation is pretty simple:

ATA186 --A--  Linksys router   --B-- Cable modem   --C--   SER

ATA sends out invite  with 5060 as src and dest.  (verified through
ethereal on lan segment A)
Linksys translates the 5060 to 15060   (verified at Lan segment C with
tethereal)
SER tries to respond with "Authorization required", but is sending the
respond to 5060 instead of 10560. Linksys receives the packet to 5060,
but isn't expecting it so it goes nowhere.

What the heck am I doing wrong?

FYI, This config produces the following entries in /var/log/messages:

Jun  4 16:38:03 VShost1 /usr/sbin/ser[4208]: Checking for ATA 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4208]: Cisco user agent detected -
fix contact 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4208]: Cisco user agent detected -
fix sdp 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4208]: ERROR: extract_mediaip: no
`c=' in SDP 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4214]: Checking for ATA 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4214]: Cisco user agent detected -
fix contact 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4214]: Cisco user agent detected -
fix sdp 
Jun  4 16:38:03 VShost1 /usr/sbin/ser[4214]: ERROR: extract_mediaip: no
`c=' in SDP 
Jun  4 16:38:04 VShost1 /usr/sbin/ser[4208]: Checking for ATA 
Jun  4 16:38:04 VShost1 /usr/sbin/ser[4208]: Cisco user agent detected -
fix contact 
Jun  4 16:38:04 VShost1 /usr/sbin/ser[4208]: Cisco user agent detected -
fix sdp 
Jun  4 16:38:04 VShost1 /usr/sbin/ser[4208]: ERROR: extract_mediaip: no
`c=' in SDP 
Jun  4 16:38:06 VShost1 /usr/sbin/ser[4214]: Checking for ATA 
Jun  4 16:38:06 VShost1 /usr/sbin/ser[4214]: Cisco user agent detected -
fix contact 
Jun  4 16:38:06 VShost1 /usr/sbin/ser[4214]: Cisco user agent detected -
fix sdp 
Jun  4 16:38:06 VShost1 /usr/sbin/ser[4214]: ERROR: extract_mediaip: no
`c=' in SDP 


Tom







#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no        # (cmd line: -E)

/* Uncomment these lines to enter debugging mode 
debug=7
fork=no
log_stderror=yes
*/
debug=3

check_via=no    # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
children=4
sip_warning=no
# FIFO
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/ser/modules/mysql.so"

loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/tm.so"
loadmodule "/usr/lib/ser/modules/rr.so"
loadmodule "/usr/lib/ser/modules/maxfwd.so"
loadmodule "/usr/lib/ser/modules/usrloc.so"
loadmodule "/usr/lib/ser/modules/registrar.so"
loadmodule "/usr/lib/ser/modules/acc.so"
# NAT Helper
loadmodule "/usr/lib/ser/modules/nathelper.so"
# Module that allows search
loadmodule "/usr/lib/ser/modules/textops.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/ser/modules/auth.so"
loadmodule "/usr/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

#modparam("usrloc", "db_mode",   0)

# Uncomment this if you want to use SQL database 
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2) # Access to the DB -- leave default for
now
#modparam("auth_db","db_url","sql://ser:MySQLPW@DomainBLA-BLA/ser")




# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this
config), 
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")

#
# Accounting
#
modparam("acc","log_level",1)
modparam("acc","log_flag",1)
#modparam("acc","db_flag",1)
#modparam("acc","failed_transactions",1)

# -- rr params --
# add value to ;lr param to make some broken UAs happy modparam("rr",
"enable_full_lr", 1)

# NAT pinging
modparam("nathelper","natping_interval",60)

# -------------------------  request routing logic -------------------

# main routing logic

route{

        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                break;
        };
        if ( msg:len > max_len ) {
                sl_send_reply("513", "Message too big");
                break;
        };

        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        record_route();
        # loose-route processing
        if (loose_route()) {
                t_relay();
                break;
        };
        # if the request is for other domain use UsrLoc
        # (in case, it does not work, use the following command
        # with proper names and addresses in it)

        log(1,"Checking for ATA\n");
        # Do NAT fixing
        if (search("ATA")) {
                log(1,"Cisco user agent detected - fix contact\n");
                fix_nated_contact();
                if (method=="INVITE") {
                       log(1,"Cisco user agent detected - fix sdp\n");
                        fix_nated_sdp("3");
                };
        };


        if (uri==myself) {

                if (method=="REGISTER") {

# Uncomment this if you want to use digest authentication
                        if (!www_authorize("111.111.111.13",
"subscriber")) {
                                www_challenge("111.111.111.13", "0");
                                break;
                        };

                        save("location");
                        break;
                };
        };

        # PSTN vs SIP traffic
        #Find canonical username
        lookup("aliases");

        #PSTN
        #if ( (uri=~"^sip:911 at .*") | (uri=~"^sip:9911 at .*") |
(uri=~"^sip:[0-9][0-8].*@.*")) {
        if ( (uri=~"^sip:911 at .*") | (uri=~"^sip:9911 at .*") ) {
                route(3);
                break;
        };

        #off-line or non-existent users
        if (!lookup("location")) {
                route(4);
        };

# Relay to SIP destination
        setflag(1);
        if (!t_relay()) {
                sl_reply_error();
                break;
        };
}

# ------------- process traffic leaving Internet for PSTN

route[3] {

  # all calls through the gateway must be record routed to assure
  # acl acceptance on the gateway -- this is already done in initial
routing
  # record_route();


#Authenticate call
if (!proxy_authorize("111.111.111.13","subscriber")) {
  proxy_challenge("111.111.111.13","0");
  break;
};

  rewritehostport("111.111.111.11:5060");
  setflag(1);
  if (!t_relay()) {
    sl_reply_error();
    break;
  };
}


#-----------Process calls for users offline
route[4] {

        if (!t_newtran()) {
                sl_reply_error();
        };

        if (!t_reply("404","Not Found")) {
                sl_reply_error();
        };
        break;

}

_______________________________________________
Serusers mailing list
serusers at lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers




_______________________________________________
Serusers mailing list
serusers at lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list