VoIP Cookbook: NAT and Firewall


Network Address Translation (NAT), better known as a proxy server, is often troublesome for SIP configuration. The usual symptom is either poor VoIP connectivity or no connectivity at all, because the traffic is blocked by a firewall/NAT. When this occurs, do the following:

  1. Ensure that antivirus software or a firewall active on your PC is not blocking VoIP.
  2. Contact your network administrator and ask him or her to enable NAT for you or give you a public IP, and to open the following ports:

For SIP:

UDP ports 3478 and 3479 (STUN, NAT type discovery)
UDP ports 5060 and 5066 (SIP, signaling)
UDP ports 8000 to 20000 (RTP, data, voice + video)

For IAX2:

UDP port 4569 (IAX2, signaling and data) 

Asterisk may act as a SIP client or a SIP server. To make it a client, add the following line:

register => 

in the [general] section of sip.conf.

Asterisk can also function as a SIP server: configure in sip.conf the username, password, and other details of each SIP client that will register to Asterisk.

There are several SIP NAT network scenarios:

  1. Asterisk SIP client behind the NAT, with the client connected to a SIP proxy outside the NAT
  2. Asterisk SIP client behind the NAT, with the client connected to a SIP proxy within the NAT
  3. Asterisk SIP server behind the NAT, with the client outside the NAT connected to Asterisk
  4. Asterisk SIP server behind the NAT, with the client within the NAT connected to Asterisk
  5. Asterisk SIP client outside the NAT, with the client connected to SIP proxy outside the NAT
  6. Asterisk SIP client outside the NAT, with the client connected to SIP proxy within the NAT
  7. Asterisk SIP server outside the NAT, with the client outside the NAT connected to Asterisk
  8. Asterisk SIP server outside the NAT, with the client within the NAT connected to Asterisk

In general, these setups can work with the existing configuration, depending on the configuration of the client, NAT, server and many other factors, especially the firewall configuration. Of these setups, numbers 3 and 6 are difficult because SIP is a peer-to-peer protocol and most NATs allow only clients inside their network to connect to a server located outside, not vice versa. The approach for each scenario, in the same order, is:

  1. Running with a proxy server that supports NAT
  2. Running with no NAT in between
  3. Running by doing port forwarding in the NAT/ proxy server
  4. Running with no NAT in between
  5. Running with no NAT in between
  6. Running by doing port forwarding on the NAT/ Proxy server
  7. Running with no NAT in between
  8. Running with the configuration nat=yes and qualify=xxx in sip.conf. Some clients, like X-Lite, use STUN and send UDP keep-alive packets. Qualify sends keep-alive packets from Asterisk to any client within the NAT
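
As an added example (not part of the original page or of Asterisk itself), the following Python check reads a sip.conf and reports registering peers that lack the nat=yes and qualify settings described for scenario 8. The sample configuration and peer names are constructed, and treating host=dynamic as the marker of a registering client and [general] values as defaults for each peer are assumptions of this sketch.

```python
import re

# Constructed sample sip.conf (peer names are placeholders).
SAMPLE_SIP_CONF = """\
[general]
qualify=no

[alice]            ; softphone behind a NAT
host=dynamic
nat=yes
qualify=yes

[bob]              ; behind a NAT, no keep-alive configured
host=dynamic
nat=yes

[carol]            ; NAT handling never configured
host=dynamic
"""

def parse_sip_conf(text):
    """Return {section: {key: value}}; ';' comments are stripped, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # lstrip(">") accepts the "key => value" form as well
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def audit_nat_peers(text):
    """Report registering peers that lack nat=yes or have no qualify keep-alive."""
    conf = parse_sip_conf(text)
    findings = []
    for name, opts in conf.items():
        if name == "general" or opts.get("host") != "dynamic":
            continue
        # Assumption: a peer's own values override the [general] defaults.
        effective = {**conf.get("general", {}), **opts}
        if effective.get("nat") != "yes":
            findings.append((name, "nat=yes missing"))
        if effective.get("qualify", "no") == "no":
            findings.append((name, "qualify keep-alive missing"))
    return findings

if __name__ == "__main__":
    print(audit_nat_peers(SAMPLE_SIP_CONF))
```
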

However, the worst case occurs when Asterisk is within one NAT and the client is within a different NAT. This requires a mediator that can see both sides simultaneously. To relay the voice data or media stream, we need a media server. An Asterisk placed outside the NAT can function as that media server, and it can also perform codec conversion.
