Hi All,
I want to put an ASTERISK BOX behind a firewall. So I have given the rules below.
iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30
Please assume 1.2.3.4 is the IP that connects to the internet.
I use the Xlite softphone to talk. I can register; it says user ready. I can dial extensions as well. But when I talk, both parties cannot hear anything.
In the rtp.conf file, ports 10000 to 20000 are also available.
Hope to hear from you.
Indunil Jayasooriya wrote:
> Hi All,
> I want to put an ASTERISK BOX behind a firewall. So I have given the rules below.

Sure. So long as it is NOT a natting firewall.

> iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30
> Please assume 1.2.3.4 is the IP that connects to the internet.

Forget it. This will never work.

> I use the Xlite softphone to talk. I can register; it says user ready. I can dial extensions as well. But when I talk, both parties cannot hear anything.
> In the rtp.conf file, ports 10000 to 20000 are also available.

asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
I have never managed to get this to work. Getting the below was trouble enough. Forget about trying to get an asterisk box behind a nat to work with clients outside.
asterisk <-> nat <-> sip client.
Feizhou wrote:
> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> I have never managed to get this to work. Getting the below was trouble enough. Forget about trying to get an asterisk box behind a nat to work with clients outside.
> asterisk <-> nat <-> sip client.

Yes, you will need a specific SIP iptables filter for this to work from behind a firewall.
I know of an H.323 filter, but haven't explored SIP as we aren't running any SIP application here yet.
Another possibility would be a SIP proxy installed on the firewall, but it is not as secure as a filter.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
> Yes, you will need a specific SIP iptables filter for this to work from behind a firewall.

Getting it to work with a firewall is not a problem...it is getting the thing to work with a natting firewall that is the problem. If one end is natted, you can still do some tricks to get it to work but if both ends are natted, forget it.

> I know of an H.323 filter, but haven't explored SIP as we aren't running any SIP application here yet.
> Another possibility would be a SIP proxy installed on the firewall, but it is not as secure as a filter.

asterisk IS a sip proxy.
I'm just spitballing (since it has been a good number of years since I've used Asterisk), but why not have two Asterisk boxes (one your side, one client side) connected via IAX (you'll have to set up the fw rules to make the IAX go to the Asterisk box (on both sides)) and just route your call through your nearest box? Afaik this capability has been around for a long time, but I've never used IAX with NAT.
Geoff
Sent from my BlackBerry wireless handheld.
-----Original Message-----
From: Feizhou feizhou@graffiti.net
Date: Thu, 13 Sep 2007 06:47:19
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] ASTERISK BOX behind a filewall
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
gjgowey@tmo.blackberry.net wrote:
> I'm just spitballing (since it has been a good number of years since I've used Asterisk), but why not have two Asterisk boxes (one your side, one client side) connected via IAX (you'll have to set up the fw rules to make the IAX go to the Asterisk box (on both sides)) and just route your call through your nearest box? Afaik this capability has been around for a long time, but I've never used IAX with NAT.
> Geoff

Cor, you need line wrapping! thunderbird does it for me but on hitting reply...
You are assuming that he has access and control to the client site or that the client side is an office. I think he has remote roaming clients in mind.
The main thing is to eliminate natting so adding a vpn client should fix that. That is what I did for my asterisk <-> nat <-> nat <-> sip-client. asterisk <-> vpn <-> sip-client is far less troublesome.
I'm only using the wonderful *bleh* email client that rim put on this blackberry. If anyone knows of a better email client for a blackberry please show me the way.
Geoff
-----Original Message-----
From: Feizhou feizhou@graffiti.net
Date: Thu, 13 Sep 2007 08:06:53
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] ASTERISK BOX behind a filewall
gjgowey@tmo.blackberry.net wrote:
> I'm only using the wonderful *bleh* email client that rim put on this blackberry. If anyone knows of a better email client for a blackberry please show me the way.
> Geoff
> Sent from my BlackBerry wireless handheld.

Ah! I failed to notice this line. How about getting a WIFI PDA device with sip and email? <:^)
So I can enjoy dropped calls as I transfer from one open WAP to the next while driving? Or no service when I'm out in the boonies? Yeah... Maybe the day I move to nyc and never leave nyc I'll go for a wifi phone, but until then I'll stick with my trusty GSM based blackberry that I can take anywhere and still use.
Geoff
-----Original Message-----
From: Feizhou feizhou@graffiti.net
Date: Thu, 13 Sep 2007 08:19:08
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] ASTERISK BOX behind a filewall
gjgowey@tmo.blackberry.net wrote:
> So I can enjoy dropped calls as I transfer from one open WAP to the next while driving? Or no service when I'm out in the boonies? Yeah... Maybe the day I move to nyc and never leave nyc I'll go for a wifi phone, but until then I'll stick with my trusty GSM based blackberry that I can take anywhere and still use.

Take it easy. It was a joke. :-p
gjgowey@tmo.blackberry.net wrote:
> I'm only using the wonderful *bleh* email client that rim put on this blackberry. If anyone knows of a better email client for a blackberry please show me the way.

surely the client lets you not toppost ?
Nope. Top post only. I can see everything beneath the --original message--, but I can't edit anything under it.
Geoff
-----Original Message-----
From: Karanbir Singh mail-lists@karan.org
Date: Thu, 13 Sep 2007 12:13:21
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] ASTERISK BOX behind a filewall
Feizhou wrote:
> Getting it to work with a firewall is not a problem...it is getting the thing to work with a natting firewall that is the problem. If one end is natted, you can still do some tricks to get it to work but if both ends are natted, forget it.

Well that was the idea behind the ipfilter stuff. It will change the IPs in the protocol stream to compensate for the NAT.
I face the same problem trying to do H.323 behind a NAT'd firewall.
> asterisk IS a sip proxy.

Yes, well what I was hinting at was a dumbed-down install of asterisk installed ON the firewall that would be responsible for handing off calls coming in to and out of the network from/to another larger asterisk system.
That is the setup I had to do with GNU gatekeeper and H.323 since at the time I wasn't able to get the ipfilter h.323 filter to work properly with my Polycom system.
-Ross
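
The rewriting Ross describes above (changing the IPs in the protocol stream to compensate for the NAT) can be seen on a constructed INVITE. This is an added example, not part of any post in the thread and not netfilter's code; the message, the 198.51.100.7 peer and all function names are constructed, while 192.168.101.30, 1.2.3.4 and the 10000-20000 range come from the original post.

```python
import ipaddress
import re

INSIDE_IP = "192.168.101.30"     # Asterisk box address from the original post
OUTSIDE_IP = "1.2.3.4"           # placeholder public address from the original post
RTP_PORTS = range(10000, 20001)  # UDP range forwarded by the posted DNAT rule
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
ROUTING_HEADERS = ("via", "contact")  # where responses and later requests go

def make_invite(addr, rtp_port):
    """Constructed INVITE (not a capture) whose headers and SDP advertise addr."""
    body = "\r\n".join([
        "v=0",
        f"o=root 1 1 IN IP4 {addr}",
        "s=constructed",
        f"c=IN IP4 {addr}",
        "t=0 0",
        f"m=audio {rtp_port} RTP/AVP 0",
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:1001@198.51.100.7:5060 SIP/2.0",
        f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK-constructed",
        f"From: <sip:2000@{addr}>;tag=constructed",
        "To: <sip:1001@198.51.100.7>",
        "Call-ID: constructed-call-1",
        "CSeq: 1 INVITE",
        f"Contact: <sip:2000@{addr}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ])
    return head + "\r\n\r\n" + body

def split_message(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body

def is_rfc1918(text):
    try:
        return any(ipaddress.ip_address(text) in net for net in RFC1918)
    except ValueError:  # dotted string that is not a valid address
        return False

def unroutable_addresses(raw):
    """(where, ip) for every private address the far end is told to reply to."""
    _, headers, body = split_message(raw)
    found = []
    for line in headers:
        name = line.split(":", 1)[0].strip().lower()
        if name in ROUTING_HEADERS:
            found += [(name, ip) for ip in IPV4.findall(line) if is_rfc1918(ip)]
    for line in body.splitlines():
        if line.startswith(("o=", "c=")):
            found += [("sdp " + line[:2], ip)
                      for ip in IPV4.findall(line) if is_rfc1918(ip)]
    return found

def media_endpoint(raw):
    """(ip, port) the SDP asks the far end to send RTP audio to."""
    ip = port = None
    for line in split_message(raw)[2].splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port

def rewrite_for_nat(raw, inside, outside):
    """Simplified illustration of a SIP NAT helper, not netfilter's code."""
    start, headers, body = split_message(raw)
    token = re.compile(r"(?<![\d.])" + re.escape(inside) + r"(?![\d.])")
    new_body = "\r\n".join(
        token.sub(outside, line) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n"))
    new_headers = []
    for line in headers:
        name = line.split(":", 1)[0].strip().lower()
        if name in ROUTING_HEADERS:
            line = token.sub(outside, line)
        elif name == "content-length":
            # The body changed size, so the advertised length must follow.
            line = f"Content-Length: {len(new_body.encode())}"
        new_headers.append(line)
    return "\r\n".join([start] + new_headers) + "\r\n\r\n" + new_body

def diagnose(raw):
    """Reasons a call set up by this message would end with no audio."""
    problems = [f"{where} advertises private address {ip}"
                for where, ip in unroutable_addresses(raw)]
    _, port = media_endpoint(raw)
    if port not in RTP_PORTS:
        problems.append(f"RTP port {port} is not in the forwarded range")
    return problems

if __name__ == "__main__":
    invite = make_invite(INSIDE_IP, 12000)
    print(diagnose(invite))
    print(diagnose(rewrite_for_nat(invite, INSIDE_IP, OUTSIDE_IP)))
```
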
Ross S. W. Walker wrote:
> Well that was the idea behind the ipfilter stuff. It will change the IPs in the protocol stream to compensate for the NAT.

It looks like there is a netfilter sip conntrack module.

> I face the same problem trying to do H.323 behind a NAT'd firewall.

Man, I stopped playing with netmeeting and gnomemeeting quite some time ago while waiting for ekiga to be available to support my video...only that you cannot compile the thing on Centos 4 without some major surgery.
> Yes, well what I was hinting at was a dumbed-down install of asterisk installed ON the firewall that would be responsible for handing off calls coming in to and out of the network from/to another larger asterisk system.

You still have to setup the sip configuration to handle that. Not much dumb downing on that aspect.

> That is the setup I had to do with GNU gatekeeper and H.323 since at the time I wasn't able to get the ipfilter h.323 filter to work properly with my Polycom system.

Ugh. Is that good luck with the sip conntrack module then?
Feizhou wrote:
> Man, I stopped playing with netmeeting and gnomemeeting quite some time ago while waiting for ekiga to be available to support my video...only that you cannot compile the thing on Centos 4 without some major surgery.

Well, no it isn't for Netmeeting or Gnomemeeting, but for gatewaying our internal Polycom conferencing system to our outside bridging service. When it comes to video conferencing SIP is still in its infancy.
> You still have to setup the sip configuration to handle that. Not much dumb downing on that aspect.

Well yes it's going to need some config, it won't need to know the full config because it is just going to do a full hand-off to the internal asterisk server for DID (does sip use DIDs?) routing.

>> That is the setup I had to do with GNU gatekeeper and H.323 since at the time I wasn't able to get the ipfilter h.323 filter to work properly with my Polycom system.
> Ugh. Is that good luck with the sip conntrack module then?

Well, no actually you will probably have better luck than me because the module was probably written for asterisk behind a firewall. I was trying to get a proprietary Polycom system to work which is a little different.
-Ross
What nat box are you running? Cable/DSL modem, Cisco router or firewall, or just a plain old home gateway?
Geoff
-----Original Message-----
From: "Ross S. W. Walker" rwalker@medallion.com
Date: Wed, 12 Sep 2007 20:26:05
To: "CentOS mailing list" centos@centos.org
Subject: RE: [CentOS] ASTERISK BOX behind a filewall
gjgowey@tmo.blackberry.net wrote:
> What nat box are you running? Cable/DSL modem, Cisco router or firewall, or just a plain old home gateway?
> Geoff

Well I had initially done it on CentOS, but then moved it to Microsoft ISA as managing both a CentOS and an ISA was becoming a PITA and I liked how the ISA integrated with AD. Yeah I got GNU gatekeeper to run on ISA in gateway mode... Much easier to do on CentOS though.
This is on a corporate network with 2 T1 Internet links.
Why not put a second ethernet card in the ISA connected directly to the Asterisk server and have all inbound and outbound sip calls through it? You could then preserve the IP addresses for both your internal and external addresses. You wouldn't even have to nat to the Asterisk box since the ISA server could handle the routing and obviously if the source or dest is an internal IP then the packet gets sent to the internal interface and vice versa.
Geoff
-----Original Message-----
From: "Ross S. W. Walker" rwalker@medallion.com
Date: Wed, 12 Sep 2007 20:46:39
To: "CentOS mailing list" centos@centos.org
Subject: RE: [CentOS] ASTERISK BOX behind a filewall
> Well yes it's going to need some config, it won't need to know the full config because it is just going to do a full hand-off to the internal asterisk server for DID (does sip use DIDs?) routing.

It still needs a full SIP config. Just not the other stuff like voice menus, voicemail or what not.