[VoiceOps] Enterprise customer desiring NAT for their SIP

Scott Berkman scott at sberkman.net
Mon Feb 27 12:52:10 EST 2012

I would also recommend against this in general, the Firewall (depending on
Make/Model, software version, and config) may actively interfere with even a
single SIP trunk, and often in a very unpredictable manner.  Some devices do
this without even making it clear they do (one example is the Firewall
software in the Netopia routers ATT and other carriers deployed for
"business" DSL, which for some time or possibly still have an undocumented
SIP ALG enabled by default which could only be disabled from the CLI, the GUI
didn't even show the option).

I've seen cases where everything was fine initially, but the Firewall closed
the NAT hole too early and killed standing calls at a 5 or 10 minute mark,
usually due to a failed session audit from the Soft Switch.

Some firewalls may also view too much RTP traffic (when some specific
threshold is crossed) as an attack, which can result in one way audio at
some point during a call.

Someone mentioned CUBE already, but another similar option is to put in some
local ALG device that has predictable behavior.  One of my personal
favorites is the Edgemarc line of products (http://edgewaternetworks.com/),
but there are certainly others out there.

While it certainly CAN work, the real question is if the firewall does
interfere, are you willing and able to prove that to the customer before
they get mad that something is broken that you can't fix.  At a very
minimum, you should make it clear to the customer starting from the
pre-sales discussions that if the firewall does interfere, you won't be able
to support it and they'll need to get their vendor involved.

There are also concerns if there are multiple separate trunks to different
internal devices, especially if registrations aren't used.


-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org]
On Behalf Of joshua sahala
Sent: Monday, February 27, 2012 12:29 PM
To: VoiceOps
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP


On Mon, Feb 27, 2012 at 6:49 AM, Alex Balashov <abalashov at evaristesys.com>
> On 02/26/2012 11:34 PM, Frank Bulk wrote:
>> Yes, our SBC does support the usual NAT traversal features, but our 
>> customer will have more than one trunk with us...they have several 
>> two PRIs today, so it will be 15 to 20 active trunks on a regular 
>> basis and almost 30 at peak.

in addition to the un-nat-magik on the sbc, the asa/pix will try to
translate not just the header, but the sip messages themselves (sip
inspection/sip fixup)

unless they have a very small fw, resources should be ok (i have done
>200Mbps with a 72xx doing the nat/sip mangling @50% cpu, iirc)

VoiceOps mailing list
VoiceOps at voiceops.org
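
Added example, not part of the original thread: one way to show a customer that a firewall is editing SIP payloads (the "sip inspection/sip fixup" and undocumented ALG behaviour discussed above) is to capture the same message on both sides of the device and compare it field by field. The two INVITEs, their addresses and the function names below are constructed for illustration; header folding and compact header names are not handled.

```python
from itertools import zip_longest

# Constructed sample: INVITE as captured on the LAN side of the firewall.
INSIDE = """\
INVITE sip:+15555550100@sbc.example.net SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKconstructed1
From: <sip:pbx@10.0.0.5>;tag=1
To: <sip:+15555550100@sbc.example.net>
Call-ID: constructed-1@10.0.0.5
CSeq: 1 INVITE
Contact: <sip:pbx@10.0.0.5:5060>
Content-Type: application/sdp

v=0
o=pbx 1 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 20000 RTP/AVP 0
"""
# Constructed sample: the same INVITE as captured on the WAN side.
OUTSIDE = (INSIDE.replace("10.0.0.5:5060", "203.0.113.7:1024")
           .replace("c=IN IP4 10.0.0.5", "c=IN IP4 203.0.113.7")
           .replace("m=audio 20000", "m=audio 30000"))


def parse_sip(raw):
    """Return (headers, sdp_lines); headers maps lowercase name -> list of values."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, [l for l in body.split("\n") if l]


def payload_rewrites(inside_raw, outside_raw):
    """List (field, inside, outside) for every header or SDP line that differs.

    Plain NAT only touches the IP/UDP headers, so any difference here means
    a device in the path edited the SIP message itself.
    """
    h_in, sdp_in = parse_sip(inside_raw)
    h_out, sdp_out = parse_sip(outside_raw)
    diffs = [(n, h_in.get(n), h_out.get(n))
             for n in sorted(set(h_in) | set(h_out)) if h_in.get(n) != h_out.get(n)]
    for a, b in zip_longest(sdp_in, sdp_out):
        if a != b:
            diffs.append(("sdp " + (a or b)[:2], a, b))
    return diffs
```

An empty result for a matched pair of captures means the device left the SIP payload alone; a non-empty one lists exactly which headers and SDP lines it changed.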