Important Notice: This article is not currently maintained and is here for archival/informational purposes. This procedure is outdated.
I want to start off by giving credit on this nice little piece of engineering to Worksighted systems engineer Matt Scott.
I want to start off by defining a remote extension as one that must exit a NAT boundary to traverse the Internet before connecting to the 3CX IP PBX. This is typically the case when phones are used for remote tele-commuters or in service provider scenarios.
Some of you have seen my work with remote SNOM phones using openvpn. This solution DOES NOT require openvpn. This solution is much more plug and play and uses no thrid party applications.
In the last two days I was tasked with making a Snom 370 connect to a 3CX IP PBX from behind a NAT firewall, in my case a Cisco Pix 515. As you may or may not know, SIP has some challenges with NAT. This is because of the fact that SIP requires that certain information (namely IP address and port number) from the Internet and Transport layer of the Internet Protocol Stack be made available to the application layer (in other words, it is included in payload of the data packet). This is all fine and good except that many firewalls, while translating IP addresses and port numbers at lower levels either do not make any changes to the application layer at all or make them in somewhat inconsistent, or ineffective ways.
My goal was to make the phone work properly without using any firewall-specific packet rewriting voodoo so the first thing I did was turn off SIP Fixup on my Pix. SIP Fixup automatically modifies the data payload of a SIP message and re-writes the payload with the proper IP address and port numebrs in use after NAT translation.
First, I spent several hours wrestling with various settings on the phone. I got it so that the phone would register properly but I would get one way audio when making an incoming call to the Snom. Outgoing worked fine. Something wasn’t quite right.
I decided to update the phone’s firmware to the latest available. As soon as I did that, the phone started working perfectly. The phone was running version 7.3.14 and working like a champ. So, after that I factory reset the phone and started over so that I could document the procedure and attempt to reproduce. Here is what I had success with. Your mileage may very based on your firewall, ISP, etc.
- I upgraded the phone to firmware version 7.3.14
- Next I entered my Display Name, Account, Password, Registration Server, and Outbound Proxy Server on the Login tab of Identity 1 like so:
- Then I went to the NAT tab. Here I entered the STUN settings. STUN is the magic that allows a SIP device to function properly from behind a NAT firewall. Not only does it allow the device to determine what it’s public IP is it also plays the part of keeping UDP port translations set up so that the device can receive information on those ports.
- I set the STUN Interval to five minutes. I set the Keepalive Interval to 20 seconds. The Keepalive Interval needs to be shorter than the amount of time than your firewall keeps NAT translations around. You may need to play with this value. If it is too long you may not be able to receive incoming calls.