[CentOS] ASTERISK BOX behind a filewall

Ross S. W. Walker rwalker at medallion.com
Wed Sep 12 23:57:17 UTC 2007 

Feizhou wrote:
> 
> >> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> >>
> >> I have never managed to get this to work. Getting the below 
> >> was trouble 
> >> enough. Forget about trying to get an asterisk box behind a 
> >> nat to work 
> >> with clients outside.
> >>
> >> asterisk <-> nat <-> sip client.
> > 
> > Yes, you will need a specific SIP iptables filter for this to
> > work from behind a firewall.
> 
> Getting it to work with a firewall is not a problem...it is 
> getting the 
> thing to work with a natting firewall that is the problem. If 
> one end is 
> natted, you can still do some tricks to get it to work but if 
> both ends 
> are natted, forget it.

Well that was the idea behind the ipfilter stuff. It will change
the IPs in the protocol stream to compensate for the NAT.

I face the same problem trying to do H.323 behind a NAT'd firewall.

> > 
> > I know of an H.323 filter, but haven't explored SIP as we aren't
> > running any SIP application here yet.
> > 
> > Another possibility would be a SIP proxy installed on the
> > firewall, but it is not as secure as a filter.
> 
> asterisk IS a sip proxy.

Yes, well what I was hinting at was a dumbed-down install of
asterisk installed ON the firewall that would be responsible
for handing off calls coming in to and out of the network
from/to another larger asterisk system.

That is the setup I had to do with GNU gatekeeper and H.323 since
at the time I wasn't able to get the ipfilter h.323 filter to
work properly with my Polycom system.

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

More information about the CentOS mailing list