[CentOS] ASTERISK BOX behind a firewall

gjgowey at tmo.blackberry.net gjgowey at tmo.blackberry.net
Thu Sep 13 01:01:20 UTC 2007


Why not put a second ethernet card in the ISA connected directly to the asterisk server and have all inbound and outbound SIP calls go through it?  You could then preserve the IP addresses for both your internal and external addresses.  You wouldn't even have to NAT to the asterisk box since the ISA server could handle the routing, and obviously if the source or dest is an internal IP then the packet gets sent to the internal interface and vice versa.

Geoff



Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Ross S. W. Walker" <rwalker at medallion.com>

Date: Wed, 12 Sep 2007 20:46:39 
To:"CentOS mailing list" <centos at centos.org>
Subject: RE: [CentOS] ASTERISK BOX behind a firewall


gjgowey at tmo.blackberry.net wrote:
>
> What nat box are you running?  Cable/DSL modem, Cisco router
> or firewall, or just a plain old home gateway?
>
> Geoff
>

Well I had initially done it on CentOS, but then moved it to Microsoft
ISA as managing both a CentOS and an ISA was becoming a PITA and I
liked how the ISA integrated with AD. Yeah I got GNU gatekeeper to
run on ISA in gateway mode... Much easier to do on CentOS though.

This is on a corporate network with 2 T1 Internet links.


Ross S. W. Walker wrote:
>
> Feizhou wrote:
> >
> > Ross S. W. Walker wrote:
> > > Feizhou wrote:
> > >>>> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> > >>>>
> > >>>> I have never managed to get this to work. Getting the below
> > >>>> was trouble enough. Forget about trying to get an asterisk box
> > >>>> behind a nat to work with clients outside.
> > >>>>
> > >>>> asterisk <-> nat <-> sip client.
> > >>> Yes, you will need a specific SIP iptables filter for this to
> > >>> work from behind a firewall.
> > >> Getting it to work with a firewall is not a problem...it is
> > >> getting the thing to work with a natting firewall that is the
> > >> problem. If one end is natted, you can still do some tricks to
> > >> get it to work but if both ends are natted, forget it.
> > >
> > > Well that was the idea behind the ipfilter stuff. It will change
> > > the IPs in the protocol stream to compensate for the NAT.
> >
> > It looks like there is a netfilter sip conntrack module.
> >
> > >
> > > I face the same problem trying to do H.323 behind a NAT'd
> > > firewall.
> >
> > Man, I stopped playing with netmeeting and gnomemeeting quite
> > some time ago while waiting for ekiga to be available to support
> > my video...only that you cannot compile the thing on Centos 4
> > without some major surgery.
>
> Well, no it isn't for Netmeeting or Gnomemeeting, but for gatewaying
> our internal Polycom conferencing system to our outside bridging
> service. When it comes to video conferencing SIP is still in its
> infancy.
>
> > >
> > >>> I know of an H.323 filter, but haven't explored SIP as we aren't
> > >>> running any SIP application here yet.
> > >>>
> > >>> Another possibility would be a SIP proxy installed on the
> > >>> firewall, but it is not as secure as a filter.
> > >> asterisk IS a sip proxy.
> > >
> > > Yes, well what I was hinting at was a dumbed-down install of
> > > asterisk installed ON the firewall that would be responsible
> > > for handing off calls coming in to and out of the network
> > > from/to another larger asterisk system.
> >
> > You still have to set up the sip configuration to handle that.
> > Not much dumbing down on that aspect.
>
> Well yes it's going to need some config, it won't need to know the
> full config because it is just going to do a full hand-off to the
> internal asterisk server for DID (does sip use DIDs?) routing.
>
> > >
> > > That is the setup I had to do with GNU gatekeeper and H.323 since
> > > at the time I wasn't able to get the ipfilter h.323 filter to
> > > work properly with my Polycom system.
> > >
> >
> > Ugh. Is that good luck with the sip conntrack module then?
>
> Well, no actually you will probably have better luck than me
> because the module was probably written for asterisk behind
> a firewall. I was trying to get a proprietary Polycom system
> to work which is a little different.
>
> -Ross
>


_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

