{"id":386,"date":"2011-02-24T10:11:04","date_gmt":"2011-02-24T09:11:04","guid":{"rendered":""},"modified":"2018-11-01T10:31:55","modified_gmt":"2018-11-01T09:31:55","slug":"riesenie-nat-pre-sip-openser-server","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/riesenie-nat-pre-sip-openser-server\/","title":{"rendered":"NAT solution for the SIP OpenSER server"},"content":{"rendered":"<p><style type=\"text\/css\">\n\t<\/style>\n<\/p>\n<h2>\n\tNAT solution for the SIP OpenSER server<\/h2>\n<p>\n\t&nbsp;<\/p>\n<p>\n\t<strong>Tested topology:<\/strong><\/p>\n<h2>\n\t&nbsp;<img decoding=\"async\" alt=\"Tested topology\" height=\"480\" src=\"\/wp-content\/uploads\/files\/image\/SIP\/openser\/IP_SIP_NAT_testing_openser.png\" width=\"640\" \/><\/h2>\n<p>\n\t&nbsp;<\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\tSIP server used for testing: <b>OpenSER<\/b><\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\tSoftphone used: <b>X-lite 4 <\/b><\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\tRouter used for testing SIP NAT traversal: <b>Cisco 1841<\/b>, IOS 12.4<\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\t&nbsp;<\/p>\n<h2>\n\tPossible scenarios<\/h2>\n<p>\n\t&nbsp;<\/p>\n<ol>\n<li>\n<p>\n\t\t\t<span><b>UA(NAT) =<\/b><span lang=\"en-US\"><b>&gt;<\/b><\/span><b> UA (PUBLIC)<\/b><\/span><\/p>\n<\/li>\n<\/ol>\n<ul>\n<li>\n<p>\n\t\t\ta client behind NAT calls a client that has a public IP address<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<p>\n\t\t\t<b>Without STUN<\/b><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tWorks &#8211; the Cisco router uses the SIP NAT service, which runs by default after the router starts (enabling\/disabling the service &ndash; (no) ip nat service sip udp port 5060). For UDP, tested on IOS 12.4. 
For TCP, however, IOS version 15.0 is required.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tWill not work. The NATed client advertises only its private contact, so all attempts to establish the RTP stream, as well as signalling from the public client, go to the private IP address and do not get through.<\/p>\n<ul>\n<li>\n<p>\n\t\t\t<b>With STUN<\/b><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tDoes not work properly. The SIP NAT service inverts all addresses in the SIP message, which means it also inverts the addresses in the Via header. The clients are nevertheless able to establish the RTP stream, because the called public client can read the public address of the NATed client from the Via header. The server forwards signalling to the NATed client even though it holds a local contact for it, because it also relies on the Via header. However, if the public client does not put the public IP address of the NATed client into the Via header, the signalling does not get through &ndash; for example with the BYE message, when the call is terminated. The behaviour is unpredictable and therefore unusable.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tWill work. 
The client must be configured to use a STUN server; sending of keepalive messages may be either disabled or enabled (the port on the NAT is opened by sending the SIP INVITE).<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<ol start=\"2\">\n<li>\n<p>\n\t\t\t<span><b>UA(PUBLIC) =<\/b><span lang=\"en-US\"><b>&gt;<\/b><\/span><b> UA(NAT)<\/b><\/span><\/p>\n<\/li>\n<\/ol>\n<ul>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\ta client with a public IP address calls a client that is behind NAT. In all cases keepalive must be enabled on the NATed client so that it is reachable on the open port.<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<p>\n\t\t\t<b>Without STUN<\/b><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tWorks without problems. The SIP NAT service translates the private IP addresses to public ones, and both the signalling and the RTP stream pass without problems.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t&nbsp;<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tThe call cannot be completed. Not even the signalling takes place, because the SIP server has only the private IP address of the client behind NAT and uses it when forwarding the INVITE message.<\/p>\n<ul>\n<li>\n<p>\n\t\t\t<b>With STUN<\/b><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tThe call cannot be completed. 
The NATed client does request its public IP address from STUN as early as registration with the SIP server, but the SIP NAT service inverts it back to the local address as the message passes through the router. The server therefore holds a local contact for the NATed client, and an INVITE message for this client is forwarded to the local IP address, which will not work. It is therefore not possible to have both tested solutions enabled at the same time.<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\tEverything works. The NATed client must have sending of keepalive packets enabled and a STUN server configured. When it is called, it requests its public IP address and sends it as the contact, so that the public client can establish the RTP stream towards the NATed client.<\/p>\n<p>\n\t&nbsp;<\/p>\n<ol start=\"3\">\n<li>\n<p>\n\t\t\t<span><b>UA(NAT1) =<\/b><span lang=\"en-US\"><b>&gt; UA(NAT2)<\/b><\/span><\/span><\/p>\n<\/li>\n<\/ol>\n<p align=\"JUSTIFY\" class=\"rteindent1\" lang=\"sk-SK\">\n\t<span>&#8211; keepalive messages must be enabled in all cases.<\/span><\/p>\n<ul>\n<li>\n<p>\n\t\t\t<span lang=\"en-US\"><b>Without STUN<\/b><\/span><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"rteindent3\">\n\t&#8211; will not work, because the contacts will contain private IP addresses<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" 
class=\"rteindent3\">\n\t&#8211; will work. The router rewrites the private address in the Contact field to the public one. However, for the SIP server to be able to reach the called client, the client must be configured to send keepalive packets so that the port in the NAT does not close.<\/p>\n<ul>\n<li>\n<p>\n\t\t\t<b>With STUN<\/b><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; everything works. The clients request their public IP addresses from the STUN server and put them in the Contact field. Sending of keepalive packets must be enabled on the clients so that the server can reach them. This scenario is trouble-free.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; does not work correctly, because the router inverts the public IP address obtained from the STUN server back to the local IP address.<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<ol start=\"4\">\n<li>\n<p>\n\t\t\t<span><span lang=\"en-US\"><b>UA(NAT1) =&gt; UA(NAT1)<\/b><\/span><\/span><\/p>\n<\/li>\n<\/ol>\n<p align=\"JUSTIFY\" class=\"rteindent1\" lang=\"sk-SK\">\n\t<span>&#8211; keepalive messages must be enabled in all cases.<\/span><\/p>\n<ul>\n<li>\n<p>\n\t\t\t<span lang=\"en-US\"><b>Without STUN<\/b><\/span><\/p>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; will not work, because the contacts will contain private IP addresses. 
That would be fine for establishing the RTP stream, but signalling to private IP addresses is not possible.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; the only case in which both the signalling and the RTP stream work. The router rewrites the private address in the Contact field to the public one and then, in the opposite direction, the public address to the private one when the server sends the INVITE to the called client. The signalling therefore completes without problems. The clients must have sending of keepalive enabled. The RTP stream goes to the private IP addresses.<\/p>\n<ul>\n<li>\n<p>\n\t\t\t<b>With STUN<\/b><\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<ul>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\t\t\t<b>SIP NAT service disabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; signalling works thanks to STUN and keepalive being enabled. The problem is the RTP stream, which goes to the public addresses &ndash; that is, to the router, which would have to send it back out through the same interface, and NAT does not allow that. 
This is because NAT is not allowed to translate from the inside interface to the inside interface.<\/p>\n<ul>\n<li>\n<ul>\n<li>\n<p>\n\t\t\t\t\t<b>SIP NAT service enabled:<\/b><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\" class=\"rteindent3\">\n\t&#8211; will not work, because the service translates the contact to the private one already in the REGISTER message; the server stores it and, when someone wants to contact the client, sends the request to the private address, which of course does not work.<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<hr \/>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t<strong>Flow diagram for the NAT -&gt; Public case <\/strong><\/p>\n<p align=\"JUSTIFY\">\n\t<img decoding=\"async\" alt=\"\" height=\"1797\" src=\"\/wp-content\/uploads\/files\/image\/SIP\/openser\/Nat-Public-final.png\" width=\"1227\" \/><\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t<strong>Flow diagram for the Public -&gt; NAT case <\/strong><\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t<img decoding=\"async\" alt=\"\" height=\"2033\" src=\"\/wp-content\/uploads\/files\/image\/SIP\/openser\/Public-NAT-final.png\" width=\"1269\" \/><\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p align=\"JUSTIFY\">\n\tAuthors:<\/p>\n<ul>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\tLadislav Jur&aacute;k<\/p>\n<\/li>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\tMichal Paulus<\/p>\n<\/li>\n<li>\n<p align=\"JUSTIFY\">\n\t\t\t\u013dubom&iacute;r Troj&aacute;k<\/p>\n<\/li>\n<\/ul>\n<p align=\"JUSTIFY\">\n\t&nbsp;<\/p>\n<p>\n\t&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p><style type=\"text\/css\">\n\t<\/style>\n<\/p>\n<h2>\n\tNAT solution for the SIP OpenSER server<\/h2>\n<p>\n\t&nbsp;<\/p>\n<p>\n\t<strong>Tested 
topology:<\/strong><\/p>\n<h2>\n\t&nbsp;<img decoding=\"async\" alt=\"Tested topology\" height=\"480\" src=\"\/wp-content\/uploads\/files\/image\/SIP\/openser\/IP_SIP_NAT_testing_openser.png\" width=\"640\" \/><\/h2>\n<p>\n\t&nbsp;<\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\tSIP server used for testing: <b>OpenSER<\/b><\/p>\n<p>\n\t&nbsp;<\/p>\n<p>\n\tSoftphone used: <b>X-lite 4 <\/b><\/p>\n<p>\n\t&nbsp;<\/p>","protected":false},"author":435,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[783,785],"tags":[],"class_list":["post-386","post","type-post","status-publish","format-standard","hentry","category-nat-fw","category-openser-en"],"taxonomy_info":{"category":[{"value":783,"label":"NAT, FW"},{"value":785,"label":"OpenSER"}]},"featured_image_src_large":false,"author_info":{"display_name":"","author_link":"https:\/\/nil.uniza.sk\/en\/author\/"},"comment_info":8,"category_info":[{"term_id":783,"name":"NAT, FW","slug":"nat-fw","term_group":0,"term_taxonomy_id":781,"taxonomy":"category","description":"","parent":771,"count":5,"filter":"raw","cat_ID":783,"category_count":5,"category_description":"","cat_name":"NAT, 
FW","category_nicename":"nat-fw","category_parent":771},{"term_id":785,"name":"OpenSER","slug":"openser-en","term_group":0,"term_taxonomy_id":783,"taxonomy":"category","description":"","parent":771,"count":2,"filter":"raw","cat_ID":785,"category_count":2,"category_description":"","cat_name":"OpenSER","category_nicename":"openser-en","category_parent":771}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/435"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=386"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/386\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}