Anyone have experience of the SIP ALG used to solve SIP over NAT problems?

robmurphy

Has anyone used a router with a SIP ALG that works, and if so what router and what SIP server was it?

I'm particularly interested in the use of the SIP ALG with an Asterisk soft switch, so avoiding the use of a NAT proxy for SIP.

It would also be interesting to hear any views as to what is the best way to get SIP working over NAT.

Most of the platforms involved are open source ones like Asterisk, SIP Express Router, and some form of open source media gateway.

SIP is being used for VoIP, rather than video etc.

Rob.
 

drebo

In general, ALGs should not be used. Particularly for SIP. That being said, the Transparent SIP Proxy in the Adtran NetVanta series routers is the only ALG that I've had success with and it works fairly well. It does, however, eat up resources like nothing else, and I could never get it to work reliably for more than 10 phones.

I do not use ALGs when I implement SIP over NAT. If you properly configure the SIP proxy (your Asterisk server) and the user agent (your softphone), you should not need any ALG to make NAT work properly. That usually means removing or disabling any router configuration that sounds like ALG, proxy, or helper. On your SIP peer, configure nat=yes (this tells Asterisk to use the source address of the packet, rather than the IP address contained within the SIP header itself), and tell your phone it's behind a NAT (this may or may not be necessary depending on phone models...Polycoms usually don't care or are smart enough to realize the difference, and Cisco phones absolutely must be explicitly told or they won't register).

On the client side, you will not need to forward any ports to your phones. On the server side, forward UDP ports 5060 and whatever RTP ports you've configured in rtp.conf. Some routers will NOT support it (SonicWalls and Version 3 NetGear RangeMAX routers to name a couple).

It's not rocket surgery. Attempting to employ ALGs is usually MORE difficult and MORE prone to issues.
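
Added example (not part of the post above and not Asterisk's own code): a simplified Python model of the choice `nat=yes` is described as making, namely answering the address the packet actually came from rather than the one written in the SIP headers. The REGISTER message, the addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a phone at 192.168.1.50 registers from behind a NAT router.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.test>;tag=49583\r\n"
    "To: <sip:1001@pbx.example.test>\r\n"
    "Call-ID: constructed-call-id-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: source IP/port the server sees on the UDP packet (the NAT mapping).
SAMPLE_SOURCE = ("203.0.113.7", 40211)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", re.I | re.M)
CONTACT_RE = re.compile(
    r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^:;>\s]+)(?::(\d+))?", re.I | re.M)

def header_addresses(message):
    """Extract (host, port) from the top Via and the first Contact header."""
    found = {}
    for name, rx in (("Via", VIA_RE), ("Contact", CONTACT_RE)):
        m = rx.search(message)
        if m:
            found[name] = (m.group(1), int(m.group(2) or 5060))
    return found

def is_rfc1918(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return any(ip in net for net in RFC1918)

def unreachable_headers(message, source):
    """Headers advertising a private address that differs from the packet source."""
    return sorted(name for name, addr in header_addresses(message).items()
                  if is_rfc1918(addr[0]) and addr != source)

def signaling_target(message, source, nat=True):
    """Where later requests go: the packet source if nat, else the Contact header."""
    if nat:
        return source
    return header_addresses(message).get("Contact", source)
```

With `nat=False` the model sends to 192.168.1.50:5060, which the server cannot reach; a SIP ALG tries to prevent that by rewriting those headers in the router, while the setting described above has the server ignore them.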
 

Agamar

I have had good luck with the Cisco ASA 5505 SIP ALG. I have had both the Asterisk and the phones behind one at one time or another. Not sure on the number of phones I had out though.
 

drebo

Why on earth would you intentionally turn on a feature of a Cisco firewall that doesn't work reliably when the ASA is more than powerful enough to maintain the NAT translations for your phones under default settings? (Hint: the ALG on the Cisco ASA firewalls is OFF by default)
 

robmurphy

Sorry for the late reply/update on this.

I have dealt with a couple of SIP service providers now, and both suggest disabling of the SIP ALG on any routers/firewalls used.

One provider recommends using public static IP addresses for the IP phones (all IP phones using port 5060, and same ports for RTP), or setting up port forwarding to the private IP addresses if they are behind NAT (each phone has different port for SIP, and different ports for RTP).

Another provider just recommends using a router with a good NAT implementation and private IP addresses. No special config was set up on the router, just the normal NAT, and private 192.168.X.X IPs on the LAN side. The phones all use port 5060 and the same RTP ports. I think this works by keep-alive messages sent every few seconds between the SIP provider and the phones. If there is a problem, change the router. I have heard this work, much to my surprise. With one router the call was crap, with another crystal clear. The routers used were a Billion Bipac 5200 and a Netgear 834.

I think the reason for not recommending the use of the SIP ALG is that it would need to be tested on all the routers that would be used with the SIP service. Most SIP service providers in this country (UK) do not have the resources to do that. If, like the second provider I mentioned above, all that is needed is a good router with the default settings, then it makes you wonder if the SIP ALG is really needed.

Again sorry for the much delayed response.

Rob

I think the main reason
 