LanScape VOIP Media Engine™ - Technical Support
Subject Topic: UDP Port problem

hermes
Junior
Joined: October 27 2006
Posts: 64
Posted: April 27 2009 at 7:56am

Good morning,

For some weeks we've detected a problem in our SIP service. Our service architecture is like this:

- All our SIP servers are in the same private network (Private Network B) and they are connected to a SIP proxy in the same local network.
- We've implemented NAT because all our clients connect to our SIP proxy through the Internet.
- When a client (Private Network A) wants to use our service, he connects to our proxy (Proxy B) and he establishes a new call with one of our servers.

The problem we have detected is the following:
A UAC creates a SIP instance and it is configured with SIP port 5060, for example. When it sends SIP messages to our proxy, they are routed by external port 5060 in router A. The problem is when multiple UACs in the same private network try to send SIP messages, because all of them are routed by the same external port, so when they receive the responses, only the last UAC receives it.

I suppose it is a router configuration problem but I can't explain why the router is assigning the same external port to all requests.

I think that my explanation hasn't been very good, excuse me.

Have you any suggestion?

Thank you very much.

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: April 27 2009 at 12:39pm

Hola hermes,

Thanks for posting the nice graphics. Good work.

It is OK if all of your SIP UACs in the private network all use SIP port 5060. I will go through a short explanation of what should occur.

Let's use SIP REGISTER operations for our discussion. I assume the following:

UAC-1 192.168.1.2:5060
UAC-2 192.168.1.3:5060
UAC-3 192.168.1.4:5060

NAT router private IP is 192.168.1.1

I assume the NAT router is in a default power up state and has no current NAT mappings for any host in private network A.

1)
If we assume that UAC-1 is the first to send a REGISTER to your SIP server, the NAT router should create an internal mapping for UAC-1 and use external port 5060 for the register request. I assume your NAT router is not aware of SIP protocol and will not change the SIP in the REGISTER request. The REGISTER should arrive at the SIP server. The REGISTER request will look like it came from your NAT router’s WAN IP address using port 5060. Your SIP server should send a 200 OK response back to UAC-1 through your private network A’s NAT router. The NAT router for private network A should be able to route the 200 OK response back to UAC-1 due to it having a valid mapping for UAC-1.

2)
Now if UAC-2 performs the same REGISTER operation, your NAT router should map the requesting port 5060 on the private side to some “dynamic” port on the WAN side. The router will select this translated port value – let's assume it is 1024. The actual translated port value used may be controlled by your NAT router configuration or it may be totally automatic – it depends on the manufacturer and type of NAT router you are using.

Your SIP server will receive UAC-2’s REGISTER request but it will look like it is coming from the WAN IP of your NAT router on port 1024.

Your SIP server must be “smart” enough to know the SIP in the REGISTER message is not accurate and that the SIP 200 OK response must be sent back to your router’s WAN IP address at port 1024. Does that make sense?

3)
UAC-3 can register in the same way as UAC-2. This time, the NAT router should create a new mapping for this private host and translate port 5060 to some new WAN port value.

Let’s assume it is 1026. Everything else for UAC-3 is the same as for UAC-2 from the standpoint of your SIP server.

Summary:
For your VOIP deployment to function within your described NAT environment, you need to have two things working.

1)
Your NAT router in private network A must properly translate the SIP ports to dynamic mapped WAN port values. If your NAT router is using port 5060 for all internal port 5060 host requests that go to the WAN side, the router is either not configured properly, has a bug, or simply does not operate properly. You may have to change it out with a router that functions properly.

2)
Your SIP servers must be smart enough to be able to send back responses to the SIP requests coming from behind NAT. Note that the IP address and port information contained within the SIP requests going to your SIP servers is incorrect due to the translations your NAT performs.

For the simplest case, your SIP servers must be smart enough to be able to send the responses back to the source of the SIP requests no matter what IP and port information has been supplied in the SIP requests. Normally if you configure your VOIP deployment (your servers) to always use symmetrical signaling, things will function as expected.

Your original explanation is good. I hope I have interpreted your question properly. Please repost if I have missed something or if you want to ask further questions.



Randal
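
An added example, not part of the original posts and not LanScape code: a toy Python model of the three-UAC REGISTER scenario walked through above, showing which host receives each 200 OK with a correct NAT, with a router that reuses external port 5060, and with a server that does not use symmetric signaling. The WAN address, the class and function names and the dynamic port numbering are assumptions made for illustration.

```python
WAN_IP = "203.0.113.10"  # constructed documentation address for the router's WAN side


class NatRouter:
    """Toy UDP port-translating NAT. reuse_port=True models the faulty router
    that sends every private :5060 flow out on external port 5060."""

    def __init__(self, reuse_port=False, first_dynamic=1024):
        self.reuse_port = reuse_port
        self.next_dynamic = first_dynamic
        self.by_ext = {}   # external port -> (private ip, private port)
        self.by_host = {}  # (private ip, private port) -> external port

    def outbound(self, ip, port):
        """Translate an outgoing packet; return the (ip, port) the server sees."""
        key = (ip, port)
        if self.reuse_port:
            ext = port                    # clobbers any earlier host's mapping
        elif key in self.by_host:
            ext = self.by_host[key]       # existing mapping is reused
        elif port not in self.by_ext:
            ext = port                    # first host keeps its own port
        else:
            while self.next_dynamic in self.by_ext:
                self.next_dynamic += 1
            ext = self.next_dynamic       # later hosts get a dynamic port
        self.by_ext[ext] = key
        self.by_host[key] = ext
        return (WAN_IP, ext)

    def inbound(self, ext_port):
        """Private host that a packet arriving on ext_port is delivered to."""
        return self.by_ext.get(ext_port)


def register_all(nat, uacs, symmetric=True):
    """All UACs send REGISTER, then the server answers each one (requests
    overlapping in time). Returns {sender: host that received its 200 OK}."""
    pending = []
    for ip, port in uacs:
        _, seen_port = nat.outbound(ip, port)
        # Symmetric signaling answers to the observed source port; a naive
        # server answers to the port written inside the SIP message.
        pending.append(((ip, port), seen_port if symmetric else port))
    return {sender: nat.inbound(dst) for sender, dst in pending}


UACS = [("192.168.1.2", 5060), ("192.168.1.3", 5060), ("192.168.1.4", 5060)]
```

With the defaults, `register_all(NatRouter(), UACS)` returns every UAC's response to its own sender; `NatRouter(reuse_port=True)` delivers all three responses to 192.168.1.4, and `symmetric=False` delivers all three to 192.168.1.2.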


hermes
Junior
Joined: October 27 2006
Posts: 64
Posted: April 27 2009 at 4:42pm

Thank you very much. It's a great explanation and it confirms my suspicions...

The great majority of our clients are averse to changing their NAT router configuration so I'm thinking of another possible solution. All calls are initiated from clients so if we install a SIP proxy in 'Private Network A' without NAT mappings, it should solve the problem, shouldn't it?

Thanks again for your support.

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: April 28 2009 at 9:23am

hermes,

You >>>
The great majority of our clients are averse to changing their NAT router configuration so I'm thinking of another possible solution.

<<< Support
Ahh… yes. I understand. The good news is there are other solutions.


You >>>
All calls are initiated from clients so if we install a SIP proxy in 'Private Network A' without NAT mappings, it should solve the problem, shouldn't it?

<<< Support
Yes, that would work for the SIP but the RTP interchange between UACs in private network A still won’t work unless you also proxy the media to/from private network A using a media proxy. You will still have the same NAT port issue with RTP ports if all UACs in private network A use the same RTP port ranges.

When we assist our local customers here in the USA with their VOIP installs, we often have the exact same deployment you outlined in your original post. It is very common.

What we do is deploy all of the UACs in the private network (private network A in your example) and then deploy our Centrex SIP proxy with one or more VOIP media proxies.

The LanScape SIP and media proxies are all deployed behind the customer’s outermost NAT router in their private network. We rarely have to deploy the SIP and RTP proxies into a special DMZ of the outermost NAT router (even though this would work also). It is not necessary with our software proxy products. Besides, being behind the outermost NAT router adds an additional layer of security.

Once the SIP and RTP proxies are installed, we configure the customer’s NAT router to properly port forward port 5060 to the main SIP proxy. We also port forward the proper media ports to the “one or more” media proxies that are installed. We usually assign 100 to 200 concurrent calls to each media proxy (the actual number of calls reserved on each media proxy depends on the capabilities of the connecting network and host’s CPU). You know the drill.

So for the above scenario, if we assume we have one SIP proxy and one 100 call media proxy installed, the customer’s outermost NAT router would be configured to port forward SIP port 5060 to the installed LanScape SIP proxy and ports 8000 to 8198 to the installed media proxy. Note that we install and configure the RTP media proxy to only use even ports for RTP media.

Once the proxies are up and running, all UACs in the private network can be installed, configured and used. The UACs can use whatever SIP and RTP ports they want. All the SIP and RTP ports on each UAC can be different or they can all be the same. It will not matter.

For the installation I described above, all SIP to/from the SIP proxy that is exchanged with “private network B” stays on port 5060 (in the private network and on the WAN side of the NAT router) and all RTP media traffic will be managed properly (also remaining on the same RTP ports on the private side and the public side). The SIP and RTP between the UACs and the SIP+media proxies in “private network A” can be on any SIP and RTP ports.

I should also note that our SIP proxy will fix-up the SIP that is leaving the private network when it is used with one or more media proxies. This gives the best possible chance for interoperating with “Private network B”.

This is a good topic to discuss so post additional questions if needed. I hope this additional info has helped.

Thanks hermes,


Randal


hermes
Junior
Joined: October 27 2006
Posts: 64
Posted: April 28 2009 at 10:01am

It is very clear now. When I spoke about Proxy I referred to SIP Proxy and Media Proxy so I think, as you say, it can be our best solution if they don't want to change their security policies.

Thanks a lot.