[CentOS] ASTERISK BOX behind a firewall
Ross S. W. Walker
rwalker at medallion.com
Wed Sep 12 23:57:17 UTC 2007
Feizhou wrote:
>
> >> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> >>
> >> I have never managed to get this to work. Getting the below was
> >> trouble enough. Forget about trying to get an asterisk box behind
> >> a nat to work with clients outside.
> >>
> >> asterisk <-> nat <-> sip client.
> >
> > Yes, you will need a specific SIP iptables filter for this to
> > work from behind a firewall.
>
> Getting it to work with a firewall is not a problem...it is getting
> the thing to work with a natting firewall that is the problem. If one
> end is natted, you can still do some tricks to get it to work but if
> both ends are natted, forget it.

Well that was the idea behind the ipfilter stuff. It will change
the IPs in the protocol stream to compensate for the NAT.
I face the same problem trying to do H.323 behind a NAT'd firewall.
> >
> > I know of an H.323 filter, but haven't explored SIP as we aren't
> > running any SIP application here yet.
> >
> > Another possibility would be a SIP proxy installed on the
> > firewall, but it is not as secure as a filter.
>
> asterisk IS a sip proxy.
Yes, well what I was hinting at was a dumbed-down install of
asterisk installed ON the firewall that would be responsible
for handing off calls coming in to and out of the network
from/to another larger asterisk system.
That is the setup I had to do with GNU gatekeeper and H.323 since
at the time I wasn't able to get the ipfilter H.323 filter to
work properly with my Polycom system.
-Ross
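
The address rewriting discussed in this message, as an added example that is not part of the original post and is not the ipfilter or netfilter code: a simplified Python sketch of what a SIP-aware NAT helper does to an outgoing INVITE. The message, the addresses (192.168.1.10 inside, 203.0.113.5 outside) and the function names are constructed for illustration, and port translation is left out.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: INVITE from a phone at 192.168.1.10 behind a NAT.
_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n\r\n" % len(_SDP)
) + _SDP

def private_addresses(message):
    """Return the RFC 1918 addresses embedded anywhere in a SIP message."""
    found = set()
    for text in IPV4.findall(message):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # e.g. an octet above 255
            continue
        if any(addr in net for net in RFC1918):
            found.add(text)
    return found

def rewrite_for_nat(message, private_ip, public_ip):
    """Swap the inside address in Via, Contact and SDP, then fix Content-Length."""
    head, _, body = message.partition("\r\n\r\n")
    inside = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    body = inside.sub(public_ip, body)
    head = re.sub(r"(?im)^(?:via|contact)[ \t]*:[^\r\n]*",
                  lambda m: inside.sub(public_ip, m.group(0)), head)
    head = re.sub(r"(?im)^content-length[ \t]*:[^\r\n]*",
                  "Content-Length: %d" % len(body.encode()), head)
    return head + "\r\n\r\n" + body
```

Running `private_addresses()` on traffic captured outside the firewall shows whether inside addresses are still leaking into the signalling, which is the symptom of a NAT with no such helper.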