Ross S. W. Walker wrote:
> Feizhou wrote:
>>>> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
>>>>
>>>> I have never managed to get this to work. Getting the below was
>>>> trouble enough. Forget about trying to get an asterisk box behind
>>>> a nat to work with clients outside.
>>>>
>>>> asterisk <-> nat <-> sip client.
>>> Yes, you will need a specific SIP iptables filter for this to
>>> work from behind a firewall.
>> Getting it to work with a firewall is not a problem...it is getting
>> the thing to work with a natting firewall that is the problem. If
>> one end is natted, you can still do some tricks to get it to work
>> but if both ends are natted, forget it.
>
> Well that was the idea behind the ipfilter stuff. It will change
> the IPs in the protocol stream to compensate for the NAT.

It looks like there is a netfilter sip conntrack module.

>
> I face the same problem trying to do H.323 behind a NAT'd firewall.

Man, I stopped playing with netmeeting and gnomemeeting quite some time ago while waiting for ekiga to be available to support my video...only that you cannot compile the thing on CentOS 4 without some major surgery.

>
>>> I know of an H.323 filter, but haven't explored SIP as we aren't
>>> running any SIP application here yet.
>>>
>>> Another possibility would be a SIP proxy installed on the
>>> firewall, but it is not as secure as a filter.
>> asterisk IS a sip proxy.
>
> Yes, well what I was hinting at was a dumbed-down install of
> asterisk installed ON the firewall that would be responsible
> for handing off calls coming in to and out of the network
> from/to another larger asterisk system.

You still have to set up the sip configuration to handle that. Not much dumb downing on that aspect.

>
> That is the setup I had to do with GNU gatekeeper and H.323 since
> at the time I wasn't able to get the ipfilter h.323 filter to
> work properly with my Polycom system.
>

Ugh.
Is that good luck with the sip conntrack module then?
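
Added example, not part of the original thread and not the netfilter module's code: a simplified Python sketch of the rewrite discussed above, where a NAT helper changes the IPs in the SIP stream so the far end gets a reachable address. The message, addresses and function names are constructed for illustration; port mapping and opening RTP pinholes, which a real helper also has to do, are left out.

```python
import re

# Constructed sample values: a phone on a private LAN and the NAT's public address.
PRIVATE, PUBLIC = "192.168.1.50", "203.0.113.7"
SDP = ("v=0\r\n"
       f"o=- 1 1 IN IP4 {PRIVATE}\r\n"
       "s=call\r\n"
       f"c=IN IP4 {PRIVATE}\r\n"
       "t=0 0\r\n"
       "m=audio 10000 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:100@pbx.example.org SIP/2.0\r\n"
          f"Via: SIP/2.0/UDP {PRIVATE}:5060;branch=z9hG4bK776\r\n"
          "From: <sip:alice@pbx.example.org>;tag=1\r\n"
          "To: <sip:100@pbx.example.org>\r\n"
          f"Call-ID: constructed-1@{PRIVATE}\r\n"
          "CSeq: 1 INVITE\r\n"
          f"Contact: <sip:alice@{PRIVATE}:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n") + SDP

def media_target(msg):
    """Return the (ip, port) the SDP body tells the peer to send RTP to."""
    body = msg.split("\r\n\r\n", 1)[1]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    return ip, port

def rewrite_for_nat(msg, private, public):
    """Swap the private address in Via, Contact and SDP o=/c= lines."""
    head, body = msg.split("\r\n\r\n", 1)
    # Match the address only as a whole dotted quad, not inside a longer one.
    addr = re.compile(r"(?<![\d.])" + re.escape(private) + r"(?![\d.])")
    body = "\r\n".join(addr.sub(public, l) if l[:2] in ("o=", "c=") else l
                       for l in body.split("\r\n"))
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = addr.sub(public, line)
        elif name == "content-length":
            # The body changed size, so the declared length must follow.
            line = f"Content-Length: {len(body.encode())}"
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body

if __name__ == "__main__":
    print(media_target(INVITE))  # private address, unreachable from outside
    print(media_target(rewrite_for_nat(INVITE, PRIVATE, PUBLIC)))
```

Without the rewrite the far end is told to send audio to the private address; when both ends sit behind NAT, each side needs this correction at its own boundary.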