Mapping of ports for Voip - setup or major bug ?

Hi,

I have this problem that results in one way voice when making a voip call.

I have a w2k3 server with two network cards present, one a safe external
address 192.168.. connected to a corporate network, the other a 10.0....
address for our department. The 10.0.. interface has dhcp enabled.

I have the 192.168 interface set as ras 'public' and 'nat enabled'. I have
the 10... set up as 'private'. All normal traffic works fine. Its just vopip,
in fact its just the voip payload (rtp) data the actual sip signalling is
also fine.

Ethereal traces show the issue. The sip client on the 10.... network signals
during its sip setup (to the sip server) that it will be on port 1694, the
other end of the voip call signals its on port 32580. The 10... client sends
on port 1694, and the nat bit does it stuff showing it leaving on the
192.168 interface on port 62487 (to 32580) and the far end of the call can
hear voice fine.

However, the 192.168 interface shows audio data from the far end arriving
for port 1694, which of course has no meaning on the 192.168 interface. It
expects traffic to be sent to port 62487 so it can map it back to 1694.

So it there a way of nailing up a port ( I control the voip client ports),
or making the RAS sip aware so it does the right stuff.

I'd appreciate any comments

regards

nick

"Nick Farrow" <(E-Mail Removed)> wrote in message
news:71DB992B-D727-44A0-A0CE-(E-Mail Removed)...
> However, the 192.168 interface shows audio data from the far end arriving
> for port 1694, which of course has no meaning on the 192.168 interface. It
> expects traffic to be sent to port 62487 so it can map it back to 1694.

That is what it is supposed to do. It is two separate connections. You
talking to them is one connection,...them talking to you is another distinct
connection. Each side will initiate it's own separate connection to the
opposite side. This fails because the "side" that is behind the NAT Box is
not directly reachable from the "outside" via port 1694 (or any port for
that matter).

> So it there a way of nailing up a port ( I control the voip client ports),

No,..it is not possible.

> or making the RAS sip aware so it does the right stuff.

Contact the VoIP vendor and ask them how they expect their product to work
when a NAT box is between the two Hosts. They will either explain the
method or config,...of they will tell you that it can't work over a NAT box.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks Phillip,

Right so its there is no way round it - apart from get a router that is sip
aware. Most major vendors we have tried are fine - just hoping MS was one of
these !

nick

"Phillip Windell" wrote:

> "Nick Farrow" <(E-Mail Removed)> wrote in message
> news:71DB992B-D727-44A0-A0CE-(E-Mail Removed)...
> > However, the 192.168 interface shows audio data from the far end arriving
> > for port 1694, which of course has no meaning on the 192.168 interface. It
> > expects traffic to be sent to port 62487 so it can map it back to 1694.
>
> That is what it is supposed to do. It is two separate connections. You
> talking to them is one connection,...them talking to you is another distinct
> connection. Each side will initiate it's own separate connection to the
> opposite side. This fails because the "side" that is behind the NAT Box is
> not directly reachable from the "outside" via port 1694 (or any port for
> that matter).
>
> > So it there a way of nailing up a port ( I control the voip client ports),
>
> No,..it is not possible.
>
> > or making the RAS sip aware so it does the right stuff.
>
> Contact the VoIP vendor and ask them how they expect their product to work
> when a NAT box is between the two Hosts. They will either explain the
> method or config,...of they will tell you that it can't work over a NAT box.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
>
>

"Nick Farrow" <(E-Mail Removed)> wrote in message
news:426941A9-D920-4D91-9B32-(E-Mail Removed)...
> Thanks Phillip,
>
> Right so its there is no way round it - apart from get a router that is
> sip
> aware. Most major vendors we have tried are fine - just hoping MS was one
> of
> these !

Call the Vendor. It their product works with MS products,...they will
know,...I won't :-)

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Hi Phillip,

I am the vendor - its my voip client ! I dont want to rely on stun servers
or the like but I have managed to make some progress.

The service mapping ability has helped. I managed to map the port on the
external side back to the voip client.

The only drawback is that you need to specify the redirect address so its
the redirect of the voip client. Do you know if there is any way to use
*.*.*.* rather than 10.0.0.1 in the redirect address so it will redirect to
what ever client calls ?

Thanks

nick

"Phillip Windell" wrote:

> "Nick Farrow" <(E-Mail Removed)> wrote in message
> news:426941A9-D920-4D91-9B32-(E-Mail Removed)...
> > Thanks Phillip,
> >
> > Right so its there is no way round it - apart from get a router that is
> > sip
> > aware. Most major vendors we have tried are fine - just hoping MS was one
> > of
> > these !
>
> Call the Vendor. It their product works with MS products,...they will
> know,...I won't :-)
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

"Nick Farrow" <(E-Mail Removed)> wrote in message
news:EFB89C2B-B1CB-41C5-ACE6-(E-Mail Removed)...
> Hi Phillip,
>
> I am the vendor - its my voip client !

Ah!

> The service mapping ability has helped. I managed to map the port on the
> external side back to the voip client.

Well, I'm not a developer and cannot help with that side of things.
What you have to keep in mind is that the firewall device (NAT Server, Proxy
Server, whatever) cannot see inside the packet, so there is no way for it to
know what connection "specs" are being negotiated between the two clients.

Checkout this link. It involves ISA Server and Instant Messengers but the
"problems" experienced and the same kind of issues you face. Go down to the
part of the article that mentions "ISA Server Issues",...these are the same
issues faced by any other firewall device as well,..not just ISA server.

http://www.microsoft.com/technet/pro.../isaimsec.mspx


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com