gjgowey at tmo.blackberry.net wrote:
>
> What nat box are you running? Cable/DSL modem, Cisco router
> or firewall, or just a plain old home gateway?
>
> Geoff
>

Well I had initially done it on CentOS, but then moved it to Microsoft ISA as managing both a CentOS and an ISA was becoming a PITA and I liked how the ISA integrated with AD. Yeah I got GNU gatekeeper to run on ISA in gateway mode... Much easier to do on CentOS though.

This is on a corporate network with 2 T1 Internet links.

Ross S. W. Walker wrote:
>
> Feizhou wrote:
> >
> > Ross S. W. Walker wrote:
> > > Feizhou wrote:
> > >>>> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> > >>>>
> > >>>> I have never managed to get this to work. Getting the below
> > >>>> was trouble enough. Forget about trying to get an asterisk
> > >>>> box behind a nat to work with clients outside.
> > >>>>
> > >>>> asterisk <-> nat <-> sip client.
> > >>> Yes, you will need a specific SIP iptables filter for this to
> > >>> work from behind a firewall.
> > >> Getting it to work with a firewall is not a problem...it is
> > >> getting the thing to work with a natting firewall that is the
> > >> problem. If one end is natted, you can still do some tricks to
> > >> get it to work but if both ends are natted, forget it.
> > >
> > > Well that was the idea behind the ipfilter stuff. It will change
> > > the IPs in the protocol stream to compensate for the NAT.
> >
> > It looks like there is a netfilter sip conntrack module.
> >
> > >
> > > I face the same problem trying to do H.323 behind a NAT'd firewall.
> >
> > Man, I stopped playing with netmeeting and gnomemeeting quite
> > some time ago while waiting for ekiga to be available to support
> > my video...only that you cannot compile the thing on Centos 4
> > without some major surgery.
>
> Well, no it isn't for Netmeeting or Gnomemeeting, but for gatewaying
> our internal Polycom conferencing system to our outside bridging
> service. When it comes to video conferencing SIP is still in its
> infancy.
>
> > >
> > >>> I know of an H.323 filter, but haven't explored SIP as we aren't
> > >>> running any SIP application here yet.
> > >>>
> > >>> Another possibility would be a SIP proxy installed on the
> > >>> firewall, but it is not as secure as a filter.
> > >> asterisk IS a sip proxy.
> > >
> > > Yes, well what I was hinting at was a dumbed-down install of
> > > asterisk installed ON the firewall that would be responsible
> > > for handing off calls coming in to and out of the network
> > > from/to another larger asterisk system.
> >
> > You still have to set up the sip configuration to handle that.
> > Not much dumb downing on that aspect.
>
> Well yes it's going to need some config, it won't need to know the
> full config because it is just going to do a full hand-off to the
> internal asterisk server for DID (does sip use DIDs?) routing.
>
> > >
> > > That is the setup I had to do with GNU gatekeeper and H.323 since
> > > at the time I wasn't able to get the ipfilter h.323 filter to
> > > work properly with my Polycom system.
> > >
> >
> > Ugh. Is that good luck with the sip conntrack module then?
>
> Well, no actually you will probably have better luck than me
> because the module was probably written for asterisk behind
> a firewall. I was trying to get a proprietary Polycom system
> to work which is a little different.
>
> -Ross
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos