SIP and NAT: how they play together, how they don't play together very well, and where VoIP one-way audio comes from. So first of all, what is NAT? Well, that is Network Address Translation. It is where a device such as a router or firewall translates one IP into another. So on the inside we have 192.168.1.20, and the outside is 216.115.x.x. Same thing down here: the fourth octet is .21, and the fourth octet over here is .6.

Along with NAT, which is simply translating one IP into another, we also have PAT. PAT is Port Address Translation. This is where all traffic from the inside of the network is presented as the same IP on the outside, but from a different source port. So notice the outside address is the same, but the port that we are using between these two different devices is different. NAT and PAT work very well with normal web traffic.
SIP, though, is a little bit of another story. You have to remember SIP is an application layer protocol. That matters because what is listed in the headers and the SDP may not match the actual IP packet. All right, so we have an INVITE that is going out here. The actual IP packet is coming from 192.168.1.20, and if we look down here at the c= line, it says the same thing. We send it to the outside, and while the packet has changed, because we're using port address translation, the actual SIP message and the SDP remain the same. That is going to give us some issues. So here's a little bit of a walkthrough on some of these things. Here we've got the INVITE going from the inside; that IP packet flows over to the outside, all the way across the internet, and hits the SIP server.

The SIP server creates a response, it creates its own IP packet, it routes that over to the outside of the firewall, the firewall sends it on to the inside, and there we go, that is how the call started to flow. But the problem we're looking at is these two IP addresses. This phone is saying "hey, send me audio to 192.168.1.20", and the server is saying "okay, send me audio to 72.5.5.5". Now, this phone is going to be able to send its traffic over here, because that is just another IP out on the Internet; we're going to go through port and address translation and all is well. Okay, but what about the server? It will have no route to send its traffic to a private address. So what do you get from that? One-way audio. How do we fix that?

There are a few methods that one can use to resolve that issue, and some of them are better than others. You can use a STUN server. STUN stands for Simple Traversal Utilities for NAT; it is defined in RFC 5389, and STUN is a simple protocol for discovering the public IP address. Let's look at that. So we're going to have a STUN request here. This phone is going to send it out: my source IP is 192.168.0.1, and I'm going to send this to 216.115.245.93. The payload is the same as it goes to the outside of the firewall. Now the firewall itself, or the router, does a little lookup here and figures out who it needs to send the reply to; it says "okay, I am going to send this to the phone". The destination of the packet was modified by the router or the firewall, so now it is being sent to 192.168.1.20 port 1234, but the payload has not been modified. So now this phone knows its public IP address based upon that response from the STUN server, because the response says "okay, this is your public IP, it's 216.115.x.x, and this is the port that you are using". So now when the phone sends a SIP request out, we can modify the c= line, we can modify our port, we can modify any other values up here that need to be modified to make this happy, and in that case send that IP packet out. Then the IP packet comes back, it's routed back over to the phone, and we now have audio going two different ways: the phone is sending it all the way up to the server IP, and we now have traffic from the SIP server being sent to 216.115.x.x on this port, which the firewall or router turns into 192.168.1.20:1234.

The next option is SIP ALG. An ALG is an Application Layer Gateway. Modern consumer and prosumer routers have this feature enabled, and the ALG modifies SIP headers and the SDP before the packet is forwarded to the upstream device.
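As an added example that is not from the video, here is a small Python sketch of the rewrite a STUN-aware phone (or an ALG sitting in the path) performs on the INVITE, together with the check an SBC uses to notice NAT in the first place: compare the IP datagram's source address with what Via, Contact and the SDP c= line claim. The INVITE text, the private address 192.168.1.20 and the public mapping 203.0.113.6:40123 are constructed sample values.

```python
import re

# Constructed sample INVITE as a phone behind NAT sends it: the private address
# appears in Via, Contact, o= and c=, while the datagram actually reaches the
# server from the firewall's public mapping 203.0.113.6:40123 (also constructed).
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def signalled_addresses(msg):
    """Addresses the SIP message itself advertises: Via, Contact, SDP o= and c=."""
    found = set()
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:", "o=", "c=")):
            found.update(IPV4_RE.findall(line))
    return found


def behind_nat(msg, datagram_src_ip):
    """The SBC-style check from the video: the datagram's source IP is not
    among the addresses the headers and SDP claim, so a NAT is in the path."""
    return datagram_src_ip not in signalled_addresses(msg)


def rewrite_for_nat(msg, private_ip, public_ip, public_port):
    """Swap the private address for the public mapping: Via and Contact get the
    public IP and NAT-assigned port, o= and c= get the public IP. The m= media
    port is left alone; it would need its own discovered mapping."""
    host_port = re.compile(re.escape(private_ip) + r"(?::\d+)?")
    out = []
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = host_port.sub(f"{public_ip}:{public_port}", line)
        elif line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        out.append(line)
    return "\r\n".join(out)
```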
So again, let's take a look at that. We've got an IP packet and we have our INVITE, with the standard stuff: private IPs, everything listed in the c= line. We send that up and out through our router or firewall, and the firewall or router says "okay, I see this is SIP, I have inspected this packet, I know this is SIP, and I know that I need to change the c= line, and I'm also going to change the o= line and the Contact header". It does that, and then of course the packet gets sent off to the SIP server and hopefully everything is well. The problem with SIP ALG is that most firewall vendors have an awful, awful, awful, awful implementation of it. I have seen it break more things than I've seen it fix. It often fails to forward the SIP message to the NATed endpoint, and it will fail to forward RTP packets properly. So what's the point? Well, we often need to go in and disable it on firewalls. A long time ago I started to write a guide, which is now on voipengineertraining.com, for various devices: you've got Linksys, SonicWALL, Fortinet.

There's a number of them, and I walk you through how you can go and disable SIP ALG. Go to voipengineertraining.com and check that guide out. Now, a good ALG can behave badly if your service provider has an SBC capable of handling NAT. That could also be why I've seen so many problems, because normally I've worked at service providers with good SBCs, like an Acme Packet, and we want to see that traffic unmodified, because the SBC is smart enough to figure out what it needs to do with it based upon the source IP, the Via header, the c= line and all those different things. Now, who has a good ALG implementation? This is not a sponsored thing; this is just my experience of who does this well. The first one is AudioCodes; they have products called the Mediant series, you've got the M500 and M800, and they are an enterprise-level SBC. Cisco typically can do this pretty well; their ASA firewalls handle it quite well, and you can also use something called Cisco CUBE if you want to pay for the licensing on that. Edgewater Networks has another good one. A local company here in Arizona, SimpleWAN: the guy that founded this company used to own a VoIP provider, therefore he has added some things into his product to make sure that it works properly. And then we have VeloCloud, and they're kind of leading the pack on software-defined WAN.

Another solution is TURN. TURN stands for Traversal Using Relays around NAT. TURN is built off of STUN and has similar behavior, except the return RTP flows through the TURN server rather than direct. Let's look at that. So we've got this request packet going out; here's our source; on the outside we change that to a different IP; this gets routed to a TURN server; TURN then sends this response back, and here's the payload and everything, so all is cool. All right, so now we send this SIP request out; go back here, we send the request out, and all that stuff has been modified. The server gives us a 200 OK, everything's cool there, there's our IP packet, it goes out and over to here; so here's our signaling IP packet, and it's routed back over here. Cool, now we have the media path. So the media from the UAC toward the server may or may not go through the TURN server, but the return audio, the RTP stream from the UAS, is going to go through that TURN server, and it is going to have a new leg created, and then of course we go back through our firewall and everything gets translated. TURN guarantees communication in all NAT scenarios unless a firewall policy is blocking communication. One thing to keep in mind is that TURN is getting used a lot with WebRTC platforms now. It's superior to STUN in many ways, yet it has disadvantages: one, remaining in the forwarding path requires a lot of bandwidth, and the TURN server must remain available throughout the entire session.

And my favorite solution is having an intelligent SBC that handles it, and it just works. High-end SBCs like Oracle or Acme Packet use a feature called HNT, hosted NAT traversal, to accomplish NAT detection and mitigation. In Oracle and Acme terms, the SBC looks at the IP datagram's source address, determines the actual IP, and checks whether it matches the Via, the Contact, or the SDP c= line. If it does not, the SBC manipulates the headers and routes traffic where it needs to go, and honestly it works fantastic. I absolutely love the Oracle product line. The biggest downfall is that high-end SBCs are expensive; usually only large enterprises and carriers can afford these. That is no joke: two SBCs in a high-availability setup with a few thousand concurrent session licenses can run you $150K or more. Now, as mentioned, these SBCs can still experience a problem if SIP ALG is enabled on the customer side.

Aside from audio issues, NAT is prone to causing call control signaling problems as well, and this is often related to the amount of time that a firewall keeps a NAT pinhole open. Right, again a similar scenario; we've seen this a few times in this video. We've got this device; it sends a request out, a REGISTER message; okay, a pinhole is created in that firewall, and boom, the pinhole is open for 60 seconds. We send this message outbound over to the SIP server, that's a REGISTER, we get a response quickly, everything's cool there. 70 seconds later, an inbound call to the user is being sent from the SIP server. Now we're trying to use that exact same socket, that same IP and port combination, but too bad: that NAT pinhole is closed. How do we fix that? Well, method one: often an ISP or someone that manages your proxy or back-to-back UAs will adjust the timer on the registration interval and set it to a kind of low value; we set it to a low number to force REGISTER messages to constantly be sent, thus keeping the pinhole open. Method number two: port forwarding is configured on the firewall or router. The downfall to this is that ports for RTP are typically going to be dynamic, and you never know which ports are going to be used. Method three: you may have lucked out and have a good ALG running on your firewall, and it will handle these requests properly.

To summarize: NAT can cause RTP and signaling issues. STUN and TURN are servers used to work around audio issues, and signaling issues as well. SIP ALGs are often activated by default on consumer firewalls; sometimes they work, but from my experience you usually have to just turn them off. High-end SBCs work amazingly well to resolve NAT issues; they can even adjust the registration interval to make sure NAT pinholes are kept open for signaling traffic.
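As an added example that is not from the video, here is a small Python model of the pinhole scenario above: the firewall opens a pinhole when the phone sends its REGISTER, and an inbound INVITE only gets through while that pinhole is fresh. The 60-second timeout, the phone socket 192.168.1.20:5060 and the registration intervals are constructed values; the model shows why the 70-second inbound call fails after a single REGISTER and succeeds once the registration interval is shortened (method one).

```python
PINHOLE_TIMEOUT = 60  # constructed: seconds the firewall keeps a UDP pinhole open


class NatFirewall:
    """Minimal model of the firewall in the video: an outbound packet opens (or
    refreshes) a pinhole for its inside socket, and inbound packets are passed
    through only while that pinhole has been used within the timeout."""

    def __init__(self, timeout=PINHOLE_TIMEOUT):
        self.timeout = timeout
        self.pinholes = {}  # outside port -> (inside socket, last refreshed at)
        self.next_port = 40000

    def outbound(self, inside_socket, now):
        """Forward an outbound packet; returns the outside port it was mapped to."""
        for port, (sock, _) in self.pinholes.items():
            if sock == inside_socket:
                self.pinholes[port] = (sock, now)  # refresh the existing pinhole
                return port
        port = self.next_port
        self.next_port += 1
        self.pinholes[port] = (inside_socket, now)
        return port

    def inbound(self, outside_port, now):
        """Deliver an inbound packet; returns the inside socket, or None if dropped."""
        entry = self.pinholes.get(outside_port)
        if entry is None or now - entry[1] > self.timeout:
            self.pinholes.pop(outside_port, None)  # pinhole expired: inbound is lost
            return None
        return entry[0]


def inbound_call_reaches_phone(register_interval, call_at, timeout=PINHOLE_TIMEOUT):
    """The phone REGISTERs at t=0 and every register_interval seconds; the SIP
    server sends an INVITE to the phone's mapped socket at t=call_at."""
    fw = NatFirewall(timeout)
    phone = ("192.168.1.20", 5060)  # constructed inside socket
    t, mapped_port = 0, None
    while t <= call_at:
        mapped_port = fw.outbound(phone, t)
        t += register_interval
    return fw.inbound(mapped_port, call_at) == phone
```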