I'm debugging an issue we're having with VoIP SIP registration. After looking at packet dumps, I think the issue results from 2 subnets accessing the same web service and the router not knowing how to forward replies.

We have 2 subnets (2 companies) behind our SonicWall firewall. We each have our own PBX server, and apparently we're both using the same VoIP provider. From packet dumps, it looks like our REGISTER request is going out OK and the response is received, but not forwarded anywhere by the SonicWall. Can I configure the NAT to determine which subnet/server initiated the connection and forward accordingly? If not, what are my options?

Thanks for your help

  • NAT maintains a table that will tell it where to send replies. The problem is SIP/NAT. You probably need to set up [STUN](https://en.wikipedia.org/wiki/STUN). Unfortunately, NAT breaks many application-layer protocols. – Ron Maupin Jul 24 '18 at 17:04
  • I think I see how the NAT could keep track using the random ephemeral ports the two machines would use when they establish a connection. My NAT doesn't seem to be doing this. If I create an explicit inbound rule that points ports 5060-5061 to the PBX it works, but I figure this means the other company's PBX still won't register - since I can't make an inbound route that points from 1 port to 2 machines. – sleepisfortheweak Jul 24 '18 at 23:00
  • "_I think I see how the NAT could keep track using the random ephemeral ports the two machines would be using when they register._" Did you search for `sip nat problem`? You will get a good explanation of the problem, and some solutions, e.g. _[Using SIP Devices behind NAT](https://kb.smartvox.co.uk/voip-sip/sip-devices-nat/)_. – Ron Maupin Jul 24 '18 at 23:05

1 Answer

OK, after enough Googling I believe I've found the answer to this situation. Ron's links in the comments have some helpful SIP+NAT information, but my problem was related to having multiple Asterisk servers behind a single NAT (should have phrased the question that way). The solution is to configure each Asterisk server to give its external provider a unique port number (5061, 5062, ...) instead of the default 5060. This allows you to route incoming traffic based on unique ports as usual. This is done from the Dynamic Host GUI box, or the externhost conf parameter. See this forum post for more explanation.

  • I think you should definitely change the question title. Your Asterisk servers are _not_ web services. Not every network service is a web service. – Ron Maupin Jul 25 '18 at 21:23
  • Title changed. In this case the 'web service' was the external registration server. Multiple internal Asterisk servers needed to communicate with a single external web server. The problem could happen in many other internal-to-external scenarios, but the solution is specific to Asterisk so still made sense to change the title. – sleepisfortheweak Jul 25 '18 at 22:10
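A pre-change check for the fix described in the answer, added here as an illustration (not code from the post or from Asterisk): it reads each PBX's `[general]` section, works out which port that server presents to the provider, and flags ports shared by two servers or not forwarded to the right one. The IPs, hostnames and the `nat_forwards` mapping are constructed, and it assumes chan_sip's `externhost = host[:port]` form and `bindport` option.

```python
import configparser

DEFAULT_SIP_PORT = 5060

def advertised_port(sip_conf_text):
    """Port a PBX presents to the provider: externhost's :port, else bindport, else 5060."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), inline_comment_prefixes=(";",))
    cp.read_string(sip_conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    host = general.get("externhost", "")
    if ":" in host:
        return int(host.rsplit(":", 1)[1])
    return int(general.get("bindport", DEFAULT_SIP_PORT))

def audit(pbx_confs, nat_forwards):
    """pbx_confs: {internal_ip: sip.conf text}; nat_forwards: {external_port: internal_ip}.
    Returns a list of problems; an empty list means every PBX has its own inbound path."""
    problems, owner = [], {}
    for ip, text in pbx_confs.items():
        port = advertised_port(text)
        if port in owner:
            problems.append(f"port {port} advertised by both {owner[port]} and {ip}")
        else:
            owner[port] = ip
        target = nat_forwards.get(port)
        if target is None:
            problems.append(f"no inbound forward for port {port} ({ip})")
        elif target != ip:
            problems.append(f"port {port} forwards to {target}, not {ip}")
    return problems

# Constructed sample: the situation in the question (both PBXs on the default port,
# one static inbound rule that can only point at one of them).
BEFORE = {"10.0.1.10": "[general]\nbindport=5060\n",
          "10.0.2.10": "[general]\n"}
NAT_BEFORE = {5060: "10.0.1.10"}

# Constructed sample: the situation after the answer's fix (one unique port per PBX).
AFTER = {"10.0.1.10": "[general]\nexternhost=pbx-a.example.com:5061 ; company A\n",
         "10.0.2.10": "[general]\nexternhost=pbx-b.example.com:5062 ; company B\n"}
NAT_AFTER = {5061: "10.0.1.10", 5062: "10.0.2.10"}

if __name__ == "__main__":
    for label, confs, nat in (("before", BEFORE, NAT_BEFORE), ("after", AFTER, NAT_AFTER)):
        print(label, audit(confs, nat) or "ok")
```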