[Serusers] Running SER Server behind NAT

Leo leo at ltcjp.com
Mon May 15 01:02:38 CEST 2006


Alan,

This may be obvious, but in addition to the static translate you need to
turn on SIP fix-up in the PIX. Have you done this?

Leo P.

-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Alan
Sent: Thursday, May 11, 2006 10:20 AM
To: 'Michael Grigoni'; serusers at lists.iptel.org
Subject: RE: [Serusers] Running SER Server behind NAT

Thanks for responding.

I was referring to the SIP server interface defined with a non-routable
class A (10.x.x.x) IP address for example. The PIX firewall is configured
with a static NAT translation (12.x.x.x <--> 10.x.x.x) and an access control
list which directs traffic destined for port 5060 outside global address to
the NAT'ed inside address. 

The problem I have is when UA1 sends an invite to UA2. After the proxy sends
the invite to UA2 the "Record Route" address is the local IP address
(10.x.x.x). In result, both UA1 and UA2 never receive a BYE message. Please
help.

~Alan

--------------------------------------------------------------------------
| SER External      | UA2               | UA1               | SER Internal
| 12.xxx.xxx.xx     | 192.168.215.103   | 151.xxx.xxx.xx    | 10.181.0.35
|                   |                   |                   |
|INVITE SDP         |                   |                   |
|------------------>|                   |                   |
|                   |                   |                   |
|         100 Trying|                   |                   |
|<------------------|                   |                   |
|                   |                   |                   |
|        180 Ringing|                   |                   |
|<------------------|                   |                   |
|                   |                   |                   |
|         200 Ok SDP|                   |                   |
|<------------------|                   |                   |
|                   |RTP                |                   |
|                   |------------------>|                   |
|                   |                   |                   |
|             200 Ok|                   |                   |
|<------------------|                   |                   |
|             200 Ok|                   |                   |
|<------------------|                   |                   |
|             200 Ok|                   |                   |
|<------------------|                   |                   |
|                   |RTP                |                   |
|                   |------------------>|                   |
|                   |BYE                |                   |
|                   |-------------------------------------->|
|                   |BYE                |                   |
|                   |-------------------------------------->|
|                   |BYE                |                   |
|                   |-------------------------------------->|


-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Michael Grigoni
Sent: Thursday, May 11, 2006 3:50 AM
To: serusers at lists.iptel.org
Subject: Re: [Serusers] Running SER Server behind NAT

Alan wrote:

 > Is it possible to run SER SIP server behind a NAT? If so, what type of  >
configuration changes am i looking at? My current scenario is as  > follows.
 >
 >
 > Internet <-----> Pix (12.x.x.x translates to 10.x.x.x) <----> SIP Server


We have been running ser 0.8.99-dev19 (sparc/openbsd) for more than a year
on NAT; our solution required ser to run on the NAT border router so that it
could service the public net interfaces and the internal NAT'ed interfaces.
We use rtpproxy on the same box.  I have not actively watched the lists for
any developments involving running it on a host only on a private ip space.
I don't know of a ser port to run on the Pix. All external UAs so far have
been on public ip addresses; we haven't yet dealt with the issue of external
UAs behind NAT (perhaps a STUN solution would work, or a VPN where
feasible).

Michael Grigoni
Cybertheque Museum


_______________________________________________
Serusers mailing list
serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers


_______________________________________________
Serusers mailing list
serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers




More information about the sr-users mailing list