3
votes

I'm trying to make a custom SIP software work on an EC2 instance. My software at the moment doesn't have NAT handling capabilities, and I was wondering if I could get it to work transparently with the public (elastic) IP associated to the EC2 instance.

Here's the output of "ifconfig -a" run on my EC2 box:

eth0 Link encap:Ethernet HWaddr XXXXXX
inet addr: PRIVATE-IP-ADDRESS Bcast:10.48.195.255 Mask:255.255.254.0
inet6 addr: XXXXXX/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3825 errors:0 dropped:0 overruns:0 frame:0
TX packets:3596 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:259666 (253.5 KiB) TX bytes:1106872 (1.0 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:78 errors:0 dropped:0 overruns:0 frame:0
TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6892 (6.7 KiB) TX bytes:6892 (6.7 KiB)

Is there a way to change this so that my application can transparently open a UDP socket on the PUBLIC (elastic) IP address? And basically work as if the public IP was normally assigned to eth0.

I thought about using iptables DNAT/SNAT or adding the IP address manually, but no success so far.

5 Answers

3
votes

I recommend buying a static IP for EC2. You will save a lot of effort. Nonetheless, you will have to think about NAT in SIP communication in general. By the way, in most cases the NAT traversal is handled by the infrastructure - SIP routers/gateways/SIP servers - which add/remove "route" headers in your SIP messages. SIP services intend to have public endpoints, so I am not sure if you'll ever have to implement NAT capabilities. This custom SIP software you talk about, I assume it's a client, not a server.

3
votes

The answer is no. There is no good way to get a SIP server application to work transparently on the internet when it's using a private IP address. The server application needs to know both its public IP address and the fact that it should use that IP address in preference to the private one. SIP requires inserting the public address in a number of headers such as Record-Route, Route and Contact. As a server it will also need to use the public IP address in SDP payloads for INVITE requests and responses. Most SIP server applications have the ability to do this and if you are writing a custom server then it would be advisable to add the capability to yours.

Apart from the above, there is one way you could get away with using the private IP address, and that is to install a SIP Application Layer Gateway (ALG) in front of your application and use it to mangle all the private IP addresses in the SIP packets from your server. However, SIP ALGs are a disaster and always cause more problems than they solve, so I'd highly recommend you don't go down this path.
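The substitution this answer says the server itself must perform, as an added example that is not part of the original answer or the asker's software: it swaps the private address for the public one in the self-describing headers and the SDP address lines, then recomputes Content-Length. The function name, the sample INVITE and both addresses are constructed for illustration, and treating Via like the headers the answer names is an assumption.

```python
import ipaddress
import re

# Headers where this server names itself. Record-Route, Route and Contact come
# from the answer above; Via is an assumption added for this example.
SELF_HEADERS = ("via", "contact", "record-route", "route")
SDP_ADDR_LINES = ("o=", "c=")  # SDP origin and connection lines

def advertise_public(message: str, private_ip: str, public_ip: str) -> str:
    """Swap the private address for the public one in self-describing headers
    and SDP address lines, then recompute Content-Length."""
    ipaddress.ip_address(private_ip)  # ValueError on malformed input
    ipaddress.ip_address(public_ip)
    # Whole-token match: 10.48.194.10 must not match inside 10.48.194.101.
    own = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?!\d)")
    head, sep, body = message.partition("\r\n\r\n")
    body = "\r\n".join(
        own.sub(public_ip, ln) if ln.startswith(SDP_ADDR_LINES) else ln
        for ln in body.split("\r\n"))
    lines = head.split("\r\n")
    out = [lines[0]]  # request/status line is left untouched
    for line in lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name in SELF_HEADERS:
            line = own.sub(public_ip, line)
        elif name == "content-length":
            line = f"Content-Length: {len(body.encode('utf-8'))}"
        out.append(line)
    return "\r\n".join(out) + sep + body

# Constructed sample: 10.48.194.10 stands in for the instance's private
# address, 203.0.113.10 (documentation range) for its Elastic IP.
SAMPLE = "\r\n".join([
    "INVITE sip:bob@198.51.100.20 SIP/2.0",
    "Via: SIP/2.0/UDP 10.48.194.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@198.51.100.20>",
    "Call-ID: a84b4c76e66710@10.48.194.10",  # opaque ID, must stay unchanged
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.48.194.10:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 0",  # stale on purpose; recomputed by the function
    "",
    "v=0", "o=alice 2890844526 2890844526 IN IP4 10.48.194.10", "s=-",
    "c=IN IP4 10.48.194.10", "t=0 0", "m=audio 49170 RTP/AVP 0", ""])

if __name__ == "__main__":
    print(advertise_public(SAMPLE, "10.48.194.10", "203.0.113.10"))
```

The Call-ID keeps the private address because it is an opaque identifier that must stay identical for the whole dialog; only fields a peer uses to reach the server are rewritten.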

2
votes

I had some problems similar to this that I solved by editing my sip_nat.conf file to have the following:

externip=x.x.x.x
localnet=10.0.0.0/255.0.0.0
nat=yes

Your mileage may vary, of course, but this seemed to solve a lot of problems. Of course, you'll have to figure out some way to update Asterisk's configs and reload the settings if your IP changes or if you launch a new instance.

My understanding is without telling it the IP address, it's always pinging some server to get it back, but that Asterisk has a problem where if it receives any other data before the ping response it isn't smart enough to know that it's not the IP address. Hard coding it seems to solve a lot of problems.

0
votes

Answer from https://forums.aws.amazon.com/

The Elastic IP address is mapped to the instance using 1:1 NAT. The instance itself is not aware of the public address. As this address can't be bound to the interface, I'm afraid you will need to handle it in another way. You will want to avoid changing the network configuration as it might result in loss of connectivity.

0
votes

Here is another way in which you can make your SIP work well with Asterisk.

In sip.conf or chan_sip.conf -> [general] settings, add these

nat=force_rport,comedia
externip=<PUBLIC_IP/ELASTIC_IP>
localnet=<PRIVATE_IP>/20

If you are not using Elastic IP, then you may have to change the public IP every time you restart the server. Hope this helps.