VoIPowering Your Office with Asterisk: Getting SIP through Firewalls

by Carla Schroder

Corporate firewalls prevent unauthorized access to corporate networks. Unfortunately, they can also prevent the completion of SIP phone calls.

SIP is a complex protocol, and all this newfangled VoIP stuff is still pretty new, so there are some kinks to iron out. Probably the most common problem is getting SIP calls through NAT (Network Address Translation) firewalls. SIP is a peer-to-peer protocol, and this presents two different types of problems when you're trying to get past a NAT firewall: managing peer calls made without a local VoIP server, and managing a VoIP server like Asterisk. Let's tackle the first one first.

Why SIP confounds NAT
The SIP (Session Initiation Protocol) protocol is very flexible and transports voice and video to all manner of devices. It's an application-layer signaling protocol that creates and terminates sessions. The difficulty with traversing NAT firewalls lies not with SIP, but with RTP (Real-time Transport Protocol). SIP establishes the connection; then RTP moves the actual voice packets. It works like this:

  • SIP sends an INVITE packet containing the caller's IP address and port number for RTP to use
  • When the call is received, the receiver's IP address and port for RTP are sent back
  • With the ports and IP addresses established, happy conversation ensues

Except when NAT is in the way. Traffic that passes through a NAT firewall is rewritten and the port numbers are changed, which makes all kinds of weird things happen: the call fails entirely, or you can hear but not speak, or speak but not hear. Fortunately these are problems that can be fixed.
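To make the failure concrete, here is an added example (not from the original article) that pulls the RTP address and port a SIP INVITE advertises in its SDP body and flags a private RFC 1918 address, which is exactly what the far end cannot send voice packets back to once NAT is in the way. The SDP body is constructed for the example.

```shell
#!/bin/sh
# Added example: inspect the RTP endpoint that an INVITE's SDP body advertises.

# Constructed sample SDP body, as it would appear inside an INVITE sent by a
# phone sitting on a 192.168.x.x LAN behind a NAT firewall.
SAMPLE_SDP='v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.20
s=call
c=IN IP4 192.168.1.20
t=0 0
m=audio 8000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000'

# rtp_endpoint SDP -> prints "ADDRESS PORT" taken from the c= and m=audio lines
rtp_endpoint() {
    printf '%s\n' "$1" | awk '
        /^c=IN IP4 / { addr = $3 }
        /^m=audio /  { port = $2 }
        END          { print addr, port }'
}

# is_private ADDRESS -> succeeds if the address is in an RFC 1918 range
is_private() {
    case "$1" in
        10.*|192.168.*)                         return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# nat_verdict SDP -> one-line verdict on whether RTP can reach the advertised endpoint
nat_verdict() {
    set -- $(rtp_endpoint "$1")
    if is_private "$1"; then
        echo "RTP advertised to $1:$2 is unroutable from outside: NAT must rewrite it"
    else
        echo "RTP advertised to $1:$2 is publicly reachable"
    fi
}

nat_verdict "$SAMPLE_SDP"
```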

Direct SIP calling
This is very popular, and all manner of providers of such service have sprouted like mushrooms after a rain. Vonage is the biggest and most famous, and runs the most annoying TV commercials. (OK, so it's a question of taste—if you like the Three Stooges, you'll love the Vonage ads.) Skype, the other famous and popular peer VoIP network, does not use SIP, but some secret proprietary protocol that doesn't work with any other services, so we shall ignore it for now. (However, it has a number of very interesting advantages over SIP VoIP services, such as sliding through firewalls with ease, bandwidth efficiency, and excellent call quality, which we shall discuss in a future article.)

As loyal readers of VoIPplanet.com, you have no doubt already read and enjoyed Softphones Reviewed: Gizmo Project, in which intrepid editor Ted Stevenson puts his computer and money on the line to test the SIP-based Gizmo VoIP service. Alas, he had to retreat to his home to test Gizmo, thanks to the SIP-unfriendliness of the corporate firewall. There's not much Mr. Stevenson can do, short of launching a Ninja attack on the network administrators and commandeering the firewalls. But users who have control of their own firewalls can get their SIP calls through.

First check the instructions for your service on how to configure your router and firewall. For example, Gizmo users should refer to this page first. Vonage users go here.

If you are wisely protecting your network with a Linux iptables NAT firewall, these rules should make your Gizmo service work:

# Gizmo: inbound SIP signaling and RTP media ports
iptables -A INPUT -p udp --dport 5004 -j ACCEPT
iptables -A INPUT -p udp --dport 5005 -j ACCEPT
iptables -A INPUT -p udp --dport 64064 -j ACCEPT

Presumably you have a default iptables -P OUTPUT ACCEPT policy, so you won't need to explicitly open outgoing ports. If you have your firewall more locked down and are using an iptables -P OUTPUT DROP policy, these rules cover the outgoing Gizmo port requirements:

# Gizmo: outbound RTP media range and TCP 7070
iptables -A OUTPUT -p udp --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 7070 -j ACCEPT

Vonage users need these rules:

# these rules are not needed with a default OUTPUT ACCEPT policy
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 21,69,2400 -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 5061 -j ACCEPT
iptables -A OUTPUT -p udp --dport 10000:20000 -j ACCEPT
# for incoming RTP packets
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
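The rules above open the whole 10000:20000 RTP range to every host on the Internet. As an added example (not from the original article or from any provider's documentation), this script builds the same SIP/RTP rules with two changes a firewall admin would want: a stateful rule so replies to outbound SIP, DNS and NTP are accepted without opening ports for them, and inbound RTP limited to the provider's media servers. PROVIDER_NET is a placeholder (a documentation range), not a real provider address; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: SIP/RTP firewall rules restricted to the provider's addresses.
PROVIDER_NET="${PROVIDER_NET:-203.0.113.0/24}"   # placeholder; use the addresses your provider publishes
RTP_PORTS="10000:20000"
SIP_PORT="5061"
IPT="${IPT:-iptables}"                            # set IPT=echo for a dry run

sip_firewall_rules() {
    # Replies to connections this host started (SIP registration, DNS, NTP,
    # the provisioning fetch) come back through this one rule, so no wide
    # inbound port ranges are needed for them.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound signaling and media go to the provider only.
    $IPT -A OUTPUT -p udp -d "$PROVIDER_NET" --dport "$SIP_PORT" -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$PROVIDER_NET" --dport "$RTP_PORTS" -j ACCEPT
    # Inbound RTP can arrive before this host has sent anything on that port,
    # so it needs its own rule, but only from the provider's media servers.
    $IPT -A INPUT -p udp -s "$PROVIDER_NET" --dport "$RTP_PORTS" -j ACCEPT
    # Explicitly drop RTP-range traffic from anyone else; redundant when the
    # INPUT default policy is already DROP, but harmless and self-documenting.
    $IPT -A INPUT -p udp --dport "$RTP_PORTS" -j DROP
}

# dry_run -> prints the rules sip_firewall_rules would load, one per line
dry_run() { ( IPT=echo; sip_firewall_rules ); }

# unrestricted_rtp_rules -> number of generated rules that accept RTP from any source
unrestricted_rtp_rules() {
    dry_run | grep -c -- "-A INPUT -p udp --dport $RTP_PORTS -j ACCEPT"
}

if [ "$IPT" = echo ]; then dry_run; else sip_firewall_rules; fi
```

Run it as root to load the rules, or with IPT=echo to review them first.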

If your service provider is unhelpful, the mother lode of all help resources is Portforward.com. Don't leave home without it. PortForward provides detailed instructions for dozens of routers and VoIP services. Maybe even hundreds. Anyway it's a lot, and you should find everything you need there.

Asterisk and NAT fun
Next week we'll explore some ways to help Asterisk handle SIP calls without having a nervous breakdown. Us, that is, not Asterisk, which is immune to nervous disorders.


This article was originally published on Monday Oct 16th 2006