[CentOS] ASTERISK BOX behind a firewall

Ross S. W. Walker rwalker at medallion.com
Thu Sep 13 00:46:39 UTC 2007


gjgowey at tmo.blackberry.net wrote:
> 
> What nat box are you running?  Cable/DSL modem, Cisco router 
> or firewall, or just a plain old home gateway?
> 
> Geoff
>

Well, I had initially done it on CentOS, but then moved it to Microsoft
ISA as managing both a CentOS and an ISA was becoming a PITA and I
liked how the ISA integrated with AD. Yeah, I got GNU gatekeeper to
run on ISA in gateway mode... Much easier to do on CentOS though.

This is on a corporate network with 2 T1 Internet links.


Ross S. W. Walker wrote:
> 
> Feizhou wrote:
> >
> > Ross S. W. Walker wrote:
> > > Feizhou wrote:
> > >>>> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> > >>>>
> > >>>> I have never managed to get this to work. Getting the below
> > >>>> was trouble
> > >>>> enough. Forget about trying to get an asterisk box behind a
> > >>>> nat to work
> > >>>> with clients outside.
> > >>>>
> > >>>> asterisk <-> nat <-> sip client.
> > >>> Yes, you will need a specific SIP iptables filter for this to
> > >>> work from behind a firewall.
> > >> Getting it to work with a firewall is not a problem...it is
> > >> getting the
> > >> thing to work with a natting firewall that is the problem. If
> > >> one end is
> > >> natted, you can still do some tricks to get it to work but if
> > >> both ends
> > >> are natted, forget it.
> > >
> > > Well that was the idea behind the ipfilter stuff. It will change
> > > the IPs in the protocol stream to compensate for the NAT.
> >
> > It looks like there is a netfilter sip conntrack module.
> >
> > >
> > > I face the same problem trying to do H.323 behind a NAT'd 
> firewall.
> >
> > Man, I stopped playing with netmeeting and gnomemeeting quite
> > some time
> > ago while waiting for ekiga to be available to support my
> > video...only
> > that you cannot compile the thing on Centos 4 without some
> > major surgery.
> 
> Well, no it isn't for Netmeeting or Gnomemeeting, but for gatewaying
> our internal Polycom conferencing system to our outside bridging
> service. When it comes to video conferencing SIP is still in its
> infancy.
> 
> > >
> > >>> I know of an H.323 filter, but haven't explored SIP as we aren't
> > >>> running any SIP application here yet.
> > >>>
> > >>> Another possibility would be a SIP proxy installed on the
> > >>> firewall, but it is not as secure as a filter.
> > >> asterisk IS a sip proxy.
> > >
> > > Yes, well what I was hinting at was a dumbed-down install of
> > > asterisk installed ON the firewall that would be responsible
> > > for handing off calls coming in to and out of the network
> > > from/to another larger asterisk system.
> >
> > You still have to setup the sip configuration to handle that.
> > Not much
> > dumb downing on that aspect.
> 
> Well yes it's going to need some config, it won't need to know the
> full config because it is just going to do a full hand-off to the
> internal asterisk server for DID (does sip use DIDs?) routing.
> 
> > >
> > > That is the setup I had to do with GNU gatekeeper and H.323 since
> > > at the time I wasn't able to get the ipfilter h.323 filter to
> > > work properly with my Polycom system.
> > >
> >
> > Ugh. Is that good luck with the sip conntrack module then?
> 
> Well, no actually you will probably have better luck than me
> because the module was probably written for asterisk behind
> a firewall. I was trying to get a proprietary Polycom system
> to work which is a little different.
> 
> -Ross
> 
> ______________________________________________________________________
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 

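The thread turns on what a NAT-aware SIP filter has to do ("change the IPs in the protocol stream to compensate for the NAT") and why it stops working once both ends are NATted. The following is an added example, not code from the thread or from the netfilter project: a small Python model of the address rewriting a SIP connection-tracking helper performs on an INVITE. The INVITE, the inside address 192.168.1.50, the outside address 203.0.113.5 and the "second NAT" address 10.0.0.2 are all constructed for the example; a real helper also tracks signalling state and handles responses, registrations and IPv6, none of which is modelled here.

```python
"""Model of the address rewriting a SIP NAT helper (ALG) applies to an INVITE.

Constructed example: not the netfilter SIP conntrack module, just the core
idea of it. SIP carries the caller's IP address and RTP port inside the
message (Via, Contact, and the SDP o=/c=/m= lines), so plain NAT of the IP
header leaves the far end trying to reach a private address. The helper
rewrites those fields to the firewall's outside address and opens the RTP
pinholes the SDP announces.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed INVITE as a phone on a private LAN would send it (hypothetical
# addresses; the Content-Length value matches the body below).
SAMPLE_INVITE = (
    "INVITE sip:2001@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@example.net>;tag=1928301774\r\n"
    "To: <sip:2001@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 99\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

NAT_SENSITIVE_HEADERS = ("via", "contact")
NAT_SENSITIVE_SDP = ("c=", "o=")


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def split_message(raw):
    """Return (request line, header lines, SDP body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def header_name(line):
    return line.split(":", 1)[0].strip().lower()


def embedded_addresses(raw):
    """Every IPv4 literal in the fields a NAT helper must care about."""
    _, headers, body = split_message(raw)
    found = [(header_name(h), ip) for h in headers
             if header_name(h) in NAT_SENSITIVE_HEADERS
             for ip in IPV4_RE.findall(h)]
    found += [(line[:2], ip) for line in body.split("\r\n")
              if line.startswith(NAT_SENSITIVE_SDP)
              for ip in IPV4_RE.findall(line)]
    return found


def media_ports(raw):
    """RTP ports announced in SDP m= lines; RTCP is port+1 by convention."""
    _, _, body = split_message(raw)
    ports = []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            port = int(line.split()[1])
            ports.extend((port, port + 1))
    return ports


def rewrite_for_nat(raw, inside_ip, outside_ip):
    """Rewrite inside_ip -> outside_ip in Via/Contact and SDP o=/c=, fix
    Content-Length, and return the RTP/RTCP pinholes the firewall must open."""
    start, headers, body = split_message(raw)
    new_headers = [h.replace(inside_ip, outside_ip)
                   if header_name(h) in NAT_SENSITIVE_HEADERS else h
                   for h in headers if header_name(h) != "content-length"]
    new_body = "\r\n".join(
        line.replace(inside_ip, outside_ip)
        if line.startswith(NAT_SENSITIVE_SDP) else line
        for line in body.split("\r\n"))
    new_headers.append("Content-Length: %d" % len(new_body.encode()))
    rewritten = start + "\r\n" + "\r\n".join(new_headers) + "\r\n\r\n" + new_body
    pinholes = [(outside_ip, p) for p in media_ports(raw)]
    return rewritten, pinholes


def unreachable_addresses(raw):
    """Private addresses still advertised after rewriting. Non-empty means the
    far end cannot reach us: this is the double-NAT case from the thread, where
    the helper's own outside address is itself behind another NAT."""
    return sorted({ip for _, ip in embedded_addresses(raw) if is_private(ip)})


if __name__ == "__main__":
    fixed, holes = rewrite_for_nat(SAMPLE_INVITE, "192.168.1.50", "203.0.113.5")
    print(fixed)
    print("pinholes to open:", holes)
    double_nat, _ = rewrite_for_nat(SAMPLE_INVITE, "192.168.1.50", "10.0.0.2")
    print("still private after one helper:", unreachable_addresses(double_nat))
```

Running it shows the single-NAT case producing a message with only 203.0.113.5 and two pinholes (16384/16385), and the double-NAT case leaving 10.0.0.2 in the message, which is exactly the "both ends natted, forget it" situation: the helper on the inner firewall can only substitute the address it knows, and if that address is private too, nothing downstream can reach the RTP endpoint.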
