04-21-2022 08:05 AM
Hi all,
I need to make a VoIP server work behind my PA-3020. The server uses the STUN protocol and requires that NAT is not symmetric.
I've tested a public STUN server (for example stun.telbo.com on port 3478) using pystun3 (a Python tool to retrieve the NAT type).
That's what I got (A.B.C.D is my public IP):
~# pystun3 -H stun.telbo.com -d
DEBUG:pystun3:Do Test1
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:recvfrom: ('77.72.169.210', 3478)
DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 45548, 'SourceIP': '77.72.169.210', 'SourcePort': 3478, 'ChangedIP': '77.72.169.211', 'ChangedPort': 3479}
DEBUG:pystun3:Do Test2
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:sendto: ('stun.telbo.com', 3478)
DEBUG:pystun3:Result: {'Resp': False, 'ExternalIP': None, 'ExternalPort': None, 'SourceIP': None, 'SourcePort': None, 'ChangedIP': None, 'ChangedPort': None}
DEBUG:pystun3:Do Test1
DEBUG:pystun3:sendto: ('77.72.169.211', 3479)
DEBUG:pystun3:recvfrom: ('77.72.169.211', 3479)
DEBUG:pystun3:Result: {'Resp': True, 'ExternalIP': 'A.B.C.D', 'ExternalPort': 11317, 'SourceIP': '77.72.169.211', 'SourcePort': 3479, 'ChangedIP': '77.72.169.210', 'ChangedPort': 3478}
NAT Type: Symmetric NAT
External IP: A.B.C.D
External Port: 11317
What we can see is that:
- my internal server tries to call stun.telbo.com on port 3478
- 77.72.169.210 replies with the alternate IP address and alternate port (as STUN works for retrieving NAT type), 77.72.169.211 port 3479
- PAN drops the connection because it comes back from a different IP and port (that's symmetric NAT)
How could I configure PAN to make NAT port restricted (at least for my private IP and for a couple of addresses of my STUN server provider)?
Thanks
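An added example, not part of the original post and not pystun3's own code: the RFC 3489 decision tree applied to the three results in the debug output above. It shows that the Symmetric NAT verdict follows from the external port differing between the two Test1 runs (45548, then 11317); the function name, the local address 10.0.0.10 and the second scenario are constructed for illustration.

```python
# Added example: RFC 3489 NAT classification over STUN test results.
# Dict keys match the pystun3 debug output; classify_nat is a hypothetical name.

def classify_nat(local_ip, test1, test2, test1_alt=None, test3=None):
    """Walk the RFC 3489 decision tree.

    test1     -- binding request to the primary server address
    test2     -- same, asking the server to reply from its changed IP and port
    test1_alt -- binding request sent to the server's changed IP and port
    test3     -- request asking the server to reply from a changed port only
    """
    if not test1["Resp"]:
        return "Blocked"
    if test1["ExternalIP"] == local_ip:
        # No address translation in the path.
        return "Open Internet" if test2["Resp"] else "Symmetric UDP Firewall"
    if test2["Resp"]:
        # A reply from an address the client never contacted got through.
        return "Full Cone"
    if test1_alt is None or not test1_alt["Resp"]:
        return "Undetermined"
    first = (test1["ExternalIP"], test1["ExternalPort"])
    second = (test1_alt["ExternalIP"], test1_alt["ExternalPort"])
    if first != second:
        # The mapping depends on the destination: symmetric.
        return "Symmetric NAT"
    if test3 is not None and test3["Resp"]:
        return "Restricted Cone"
    return "Port Restricted Cone"

LOCAL_IP = "10.0.0.10"  # constructed; the post does not give the private IP

# Values from the debug output in the post (A.B.C.D is the poster's placeholder).
PAGE_TEST1 = {"Resp": True, "ExternalIP": "A.B.C.D", "ExternalPort": 45548}
PAGE_TEST2 = {"Resp": False, "ExternalIP": None, "ExternalPort": None}
PAGE_TEST1_ALT = {"Resp": True, "ExternalIP": "A.B.C.D", "ExternalPort": 11317}

# Constructed scenario: the same external port is kept for the second destination
# and the changed-port reply (Test3) is not received.
KEPT_TEST1_ALT = {"Resp": True, "ExternalIP": "A.B.C.D", "ExternalPort": 45548}
NO_REPLY = {"Resp": False, "ExternalIP": None, "ExternalPort": None}

if __name__ == "__main__":
    print(classify_nat(LOCAL_IP, PAGE_TEST1, PAGE_TEST2, PAGE_TEST1_ALT))
    print(classify_nat(LOCAL_IP, PAGE_TEST1, PAGE_TEST2, KEPT_TEST1_ALT, NO_REPLY))
```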
04-22-2022 05:38 AM
Is the application being identified properly as stun?
Have you tried disabling ALG on the App-ID?
04-22-2022 05:56 AM
The application is identified as stun. In addition, I've done an application override to customize the UDP timeout, but with no results.
I've disabled ALG in SIP but there's no SIP traffic, just STUN.
Thanks
04-22-2022 07:24 AM
There was a session that needs to be cleared before retrying, now it's working.
Thanks
N.