When SIP was designed, it was expected that IPv6 would be widely available by the time of the first service deployments. Unfortunately this is not the case, and the concept of NAT (Network Address Translation) had to be added to SIP.
We will need to implement NAT (Network Address Translation) on both sites. These translations push IP traffic coming from the outside world to the device that can handle it. We need to provide a translation for the SIP signaling and for the media (voice). As the media runs independently in both directions, we will have to manage both directions independently.
SIP signaling
The SIP signaling must be transferred over UDP because the current Asterisk release, 1.2, does not support SIP over TCP. When TCP is supported by Asterisk, the situation will be a bit simpler. SIP signaling uses a well-defined port, 5060. Any other port can be used if required. The SIP signaling port is used for the SIP proxy, the SIP registrar and SIP call signaling.
In practice, the SIP signaling will always be initiated by the remote SIP phone and routed back to Asterisk. Gateways will, by default, let IP traffic move from a protected zone to a less protected zone with few or no constraints. So the SIP signaling should leave the student room for the university network and then the Internet without issue.
In case of difficulty, the Unix command nmap can be used for a UDP port scan. If the university filters outgoing traffic, you need to get port 5060 opened. As this is a well-defined port, it should not be a real problem.
The SIP phone is forced to be the SIP signaling initiator by configuring a proxy server (actually implemented by the Asterisk server) with which the SIP phone registers itself and reports presence every few seconds (e.g. 10 to 30 s). This permanent traffic on the SIP signaling port (5060) creates a return route in the firewalls for the SIP signaling initiated by the Asterisk server back to the SIP phone.
The SIP proxy host name (or IP address) points to the address A1 (the public Internet address of the local site).
Don't forget to open UDP port 5060 in all your firewalls to let the traffic in.
Tip: If you see the SIP traffic with tcpdump or ethereal but your Asterisk console with SIP debug remains silent, you have more than likely forgotten to open your firewall. tcpdump and ethereal see the traffic before the firewall function; Asterisk sees it after the firewall.
A NAT rule will be required to forward the traffic coming from the Internet on interface A1, port 5060, to interface A2, port 5060. If your Asterisk server is not located inside your second-level home firewall, you will need a third NAT rule to push the traffic to the Asterisk IP address, port 5060, in your home LAN (case not shown on the schematic).
The returning signaling (from the server to the phone) will be routed by the gateways, which will have learned the route from the initial incoming traffic (remote SIP phone to Asterisk server). Note that Asterisk will respond to SIP signaling on the port used to initially send the SIP signaling on the public Internet (unlikely to be 5060 after two levels of NAT). This is normal and will be used by remote firewalls to route the SIP back to the remote SIP phone.
Asterisk IP address
The IP address that your Asterisk server will add in the SIP signaling will, by default, be the IP address of the main Ethernet interface located in the Asterisk host server (/dev/eth0). This address will obviously not work outside your home LAN. You need to configure Asterisk to present the A1 address to the outside world in the SIP signaling.
This change is achieved by modifying the sip.conf Asterisk configuration file, located by default in /etc/asterisk/sip.conf. See the examples below.
---------------------------- Fixed IP address example ( /etc/asterisk/sip.conf) ---------------------------------
; UDP Port to bind to (SIP standard port is 5060)
bindport=5060
nat=yes
; This is your fixed public internet IP address
externip=80.178.117.137
; localnet are not passed via NAT (You MUST declare your local LAN)
localnet=10.44.120.0/255.255.255.0
; declare each local LAN
localnet=10.0.0.0/255.255.255.0
; your SIP domain
realm = fridu.org
--------------------------- DynDNS address example ( /etc/asterisk/sip.conf) -----------------------------------
; UDP Port to bind to (SIP standard port is 5060)
bindport=5060
nat=yes
; host name pointing on your A1 IP address
externhost=myhostname.dyndns.net
externrefresh=10
; localnet are not passed via NAT (You MUST declare your local LAN)
localnet=10.44.120.0/255.255.255.0
; declare each local LAN
localnet=10.0.0.0/255.255.255.0
; your SIP domain
realm = fridu.org
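
A simplified model of how the externip and localnet settings above decide which address is placed in the SIP signaling for a given peer. This is an added example, not Asterisk's code or code from this page; the interface address 10.44.120.10 and the peer addresses used with it are constructed.

```python
import ipaddress

# The fixed-IP sip.conf fragment from this page, embedded so the example runs offline.
SIP_CONF = """\
; UDP Port to bind to (SIP standard port is 5060)
bindport=5060
nat=yes
externip=80.178.117.137
localnet=10.44.120.0/255.255.255.0
localnet=10.0.0.0/255.255.255.0
realm = fridu.org
"""


def parse_nat_settings(text):
    """Return (externip, [localnet networks]) read from a sip.conf fragment."""
    externip, localnets = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "externip":
            externip = ipaddress.ip_address(value)
        elif key == "localnet":
            # network/netmask notation is accepted by ipaddress.ip_network
            localnets.append(ipaddress.ip_network(value))
    return externip, localnets


def advertised_address(peer_ip, interface_ip, externip, localnets):
    """Address written into the SIP signaling for this peer (simplified model)."""
    peer = ipaddress.ip_address(peer_ip)
    if externip is None or any(peer in net for net in localnets):
        # Peer is on a declared local LAN (or no externip is set):
        # keep the server's own interface address, no NAT involved.
        return ipaddress.ip_address(interface_ip)
    # Peer is beyond the NAT: present the public A1 address instead.
    return externip


if __name__ == "__main__":
    ext, nets = parse_nat_settings(SIP_CONF)
    # 10.44.120.10 is an assumed address for the Asterisk host (constructed).
    for peer in ("10.0.0.25", "203.0.113.7"):  # constructed local and remote phones
        print(peer, "->", advertised_address(peer, "10.44.120.10", ext, nets))
```

A LAN that is missing from the localnet lines is treated as remote, so phones on it are handed the public address instead of the server's LAN address.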



