NAT: global, per extension or only in the trunk definition?


#1

In FreePBX there is the NAT setting for each extension, but also global under Asterisk SIP Settings. What are these two attitudes to each other? In the trunk, NAT can be defined also. Can NAT be deactivated in the global settings and enabled in the trunk?

My FreePBX is behind a router and thus behind NAT. The phones are in the same network as the FreePBX and thus they do not need NAT. Therefore I assume NAT in the global setting should be true and on the extensions false.

But I was confused by the following comment from sip.conf. It seems to say that if the global NAT option is turned on, it also has to be switched on for the extensions, and vice versa. Otherwise it could be a security problem.

; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
; the nat setting in a peer definition, then the peer username will be discoverable
; by outside parties as Asterisk will respond to different ports for defined and
; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
; other, then valid peers with settings differing from those in the general section will
; be discoverable.
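
Added example, not part of the original thread and not FreePBX or Asterisk code: a small audit for the condition the sip.conf comment warns about, listing every peer whose own `nat=` line differs from `[general]`. The sample configuration and peer names are constructed, templates and `#include` files are not resolved, and values are compared literally apart from the order of the comma-separated flags.

```python
import re

# Constructed sample in chan_sip sip.conf syntax; peer names are made up.
SAMPLE_SIP_CONF = """\
[general]
nat=no                      ; global setting
externaddr=203.0.113.10

[provider-trunk]
type=peer
nat=force_rport,comedia     ; differs from [general]

[1001]
type=friend
nat = no

[1002]
type=friend                 ; no nat line: inherits [general]
"""

def normalise(value):
    """Treat the comma-separated nat value as an unordered set of flags."""
    return frozenset(v.strip().lower() for v in value.split(",") if v.strip())

def parse_nat_settings(text):
    """Return {section: set of nat flags} for sections that have a nat= line."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ; comments
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
        elif section and re.match(r"nat\s*=", line, re.I):
            # Assumption: if nat= is repeated, keep the last one seen.
            settings[section] = normalise(line.split("=", 1)[1])
    return settings

def mismatched_peers(text):
    """Peers whose own nat= differs from [general] ("unset" if general has none)."""
    settings = parse_nat_settings(text)
    general = settings.pop("general", None)
    return sorted(
        (peer, ",".join(sorted(flags)), ",".join(sorted(general or [])) or "unset")
        for peer, flags in settings.items() if flags != general
    )

if __name__ == "__main__":
    for peer, peer_nat, general_nat in mismatched_peers(SAMPLE_SIP_CONF):
        print(f"[{peer}] nat={peer_nat} differs from [general] nat={general_nat}")
```

An empty result means no peer overrides the general setting, which is the layout the comment recommends.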


#2

Assuming that your External Address and Local Networks are properly set, the PBX emulates being on a public IP. The trunking provider is of course also on a public IP, so there is no need for Asterisk to do NAT and it can be turned off globally. If this causes a problem, post details.


#3

I don’t have a problem, I asked to understand things.

Today I use the settings NAT = no and Public IP in the global configuration. But I do not set the External Address or Local Networks, because my VoIP provider handles this itself. But I set nat=force_rport, comedia in the trunk configuration. Should I delete this?

With PJSIP I see that RTP Symmetric, Rewrite Contact and Force rport are normally set to yes in the extensions configuration and even in a PJSIP trunk configuration. Does this mean that I should set NAT = yes in the global configuration if I use PJSIP instead of chan_sip?


#4

The NAT settings in Asterisk are concerned with the endpoint (extension or trunk) being behind a NAT. If all your extensions are on the local LAN and your trunks are all commercial SIP providers on public IP addresses, then Asterisk does not need to do any NAT traversal.

However, when Asterisk is itself behind a NAT, it emulates being on a public IP when communicating with an endpoint that is not on its LAN. This is accomplished by setting Local Networks and External Address. When communicating with an endpoint with an IP address in the Local Networks range, Asterisk presents its private LAN address in SIP headers and SDP. If the endpoint address (as seen by Asterisk) is outside the Local Networks range, Asterisk uses the value of External Address in the SIP headers and SDP.

If your VoIP provider is also your ISP and they are addressing your Asterisk on a private IP address that was assigned by a router/firewall supplied by them, some special handling may be needed. If this is your case, please post details.


#5

No, my VoIP provider is not my ISP. I think the middle scenario is the one that I have. As I understand you, I can set NAT to off globally and for all peers. If I use the new PJSIP channel I have to set RTP Symmetric, Rewrite Contact and Force rport to no. Right?

This changes if the Asterisk server is outside of the internal net, e.g. on a provider that hosts virtual servers. Then the peers are all behind a NAT and I should enable it, regardless of the SIP channel (chan_sip, pjsip) I use, I assume.