Correct SIP NAT Settings

I have two PBXs connected to each other via SIP trunk. My outgoing routes are configured correctly and I’m able to ring phones connected on the other PBX. However, while they can hear me perfectly, I am not able to hear them. Googling around led me to conclude that it’s a problem with NAT. Can somebody guide me to the correct settings for NAT?

I found out that I can hear the other caller if I enter the NAT settings like this (blank):

As soon as I enter the actual settings, the problem reappears. Note that both PBXs are inside our internal network although in different subnets.

Any thoughts?

For NAT, you need to set NAT=yes if the machine is actually behind NAT. You also need to forward the ports to the server from the NAT router. Lastly, make sure that you define all local address spaces that do NOT have a NAT router between them and the Asterisk box (i.e., the local LAN, another subnet connected via a non-NAT router, and subnets connected via IPSec). Be certain to limit the port forwarding rules to only be accessible from trusted IP addresses (this is a function of your router).


What kind of router connects your two LAN segments?

We only have an HP core switch between the two LANs that does basic routing. So, really there is no NAT between them. Perhaps as @rymes said, I just need to specify ALL local address spaces. What I did before was only to specify mine, and not the other PBX’s local LAN.

For security reasons, I don’t open access to the PBX from outside so perhaps NAT is totally unnecessary. Outside users have to connect to VPN first if they want to use softphones.

I can confirm that specifying ALL the local address spaces fixed my problem. Thanks everybody.

It sounds like you have your system set to NAT=yes. You could technically just set the system to NAT=No, and your configuration would work without specifying the local networks, but that is a Bad Idea®.

My recommendation is to always set up the NAT settings correctly for your installation, even if you do not send traffic to the outside world. That way, when you do end up with an external trunk, it will work properly out of the box. Thus, for a server with a NAT router between it and the outside world:

ExternIP = External IP Address
LocalNet = All address spaces that do not traverse NAT to get to the box.

This tells the machine to modify the outgoing traffic to work with NAT for those networks that are on the other side of the NAT router, while not doing so for those networks that are not.


PS: One interesting thing that we ran into was that, if you connect a new LAN to your network (e.g., via IPSec), but forget to specify a localnet, it will still work fine, just so long as that network can send traffic to the PBX over the open internet via a port forwarding rule on the router. When you do this, the traffic from the PBX to the new LAN travels internally without traversing NAT. Then, the traffic coming back will actually exit the new LAN, cross the internet, and come back to the PBX via the port forward. Disable the port forwarding, though, and you get one-way audio like you were experiencing.

nat= is for various hacks to make NAT work, particularly when Asterisk is outside NAT and the peer is inside. Probably because nat=yes suggests you are enabling NAT, that option is deprecated in the latest versions (although there is or was a problem that there is no completely equivalent set of individual options). (Unfortunately, cookbooks simply give the nearest equivalent options, rather than saying when they are really needed.)

You can avoid these problems by using IAX2 to interconnect. I wrote instructions for that configuration here:

You can use your internal IP addresses if you prefer…

This is an interesting idea. I’ve always wanted to try IAX2 but didn’t really have an incentive to mess around. The fact that you don’t have to explicitly open ports is definitely a plus. I will try it out soon. Thanks.

While in some ways true, I would disagree that “nat=” is just a bunch of hacks. The purpose of the nat, externip, and localnet directives is to tell asterisk when it should and should not modify the packets it sends out to work with NAT. It is quite simple to set up, and works very well; just remember to always configure the NAT settings if your machine is behind NAT.
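
As an added example (not part of any post in this thread, and not Asterisk's own code), here is a simplified model of the ExternIP/LocalNet decision discussed above, used to audit a peer list for internal peers that are missing from LocalNet. All addresses, peer names and function names are constructed for illustration, and the "blank settings means no rewriting" branch follows the original poster's observation.

```python
import ipaddress

# RFC 1918 private ranges: a peer in one of these sits on an internal network.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def advertised_address(peer_ip, local_ip, extern_ip, localnets):
    """Address the PBX puts in its SIP/SDP for this peer (simplified model)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in localnets]
    if not extern_ip or not nets:
        return local_ip            # blank NAT settings: nothing is rewritten
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in nets):
        return local_ip            # peer is local: no NAT in the path
    return extern_ip               # peer assumed to be beyond the NAT router

def audit(peers, local_ip, extern_ip, localnets):
    """List private-range peers that would wrongly be given the external IP."""
    findings = []
    for name, ip in peers.items():
        adv = advertised_address(ip, local_ip, extern_ip, localnets)
        private = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        if private and adv == extern_ip:
            findings.append((name, ip, adv))
    return findings

# Constructed sample values (documentation and private ranges only).
LOCAL_IP = "192.168.10.5"
EXTERN_IP = "203.0.113.10"
PEERS = {
    "pbx-b": "192.168.20.5",         # other PBX, routed via the core switch
    "vpn-softphone": "10.8.0.20",    # remote user connected through the VPN
    "external-trunk": "198.51.100.7",
}
OWN_LAN_ONLY = ["192.168.10.0/24"]
ALL_LOCAL = ["192.168.10.0/24", "192.168.20.0/255.255.255.0", "10.8.0.0/24"]

if __name__ == "__main__":
    for label, nets in (("own LAN only", OWN_LAN_ONLY), ("all local", ALL_LOCAL)):
        print(label, "->", audit(PEERS, LOCAL_IP, EXTERN_IP, nets) or "no findings")
```

Each finding is an internal peer that would be told to send its audio to the external address, which matches the one-way audio reported in the thread when only the PBX's own LAN was listed.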