[Asterisk-Users] Asterisk behind LinkSys NAT Routing

WipeOut wipe_out at onetel.com
Mon Nov 3 03:41:05 MST 2003


Shoval Tom wrote:

>Isn't putting asterisk on the public IP network a bad idea?
>
Is it a bad idea? Not really, if you take the right precautions.. From 
how you described your setup you have connected your server directly to 
the internet anyway.. If you nominated your Asterisk box as the DMZ host 
in your router it effectively is directly on the internet.. if you 
haven't secured the box itself I suggest you do.. :)

>What about security?
>
This is something that you will need to take care of.. Of course some 
people's opinion on securing a PC is to not connect it to the internet 
at all, of course that is a little silly.. You will have to decide on 
the level of security you are happy with..

This is a topic that can be debated for days so I will not get into it 
any further than that..

>And how will all us newbies make the linux box as secure as possible?
>  
>
The quickest way is to set up an IPTABLES firewall.. You will need ports 
5060 and 10000 to 20000 open for a default Asterisk install using SIP only..

(NOTE: make sure you know how to activate and deactivate IPTABLES from a 
command line because while you are playing there is a good chance you 
will lock yourself out of the server from any remote PC and you can even 
break Xwindows running locally with a firewall..)

Later..

>-----Original Message-----
>From: asterisk-users-admin at lists.digium.com
>[mailto:asterisk-users-admin at lists.digium.com] On Behalf Of WipeOut
>Sent: Monday, November 03, 2003 11:05 AM
>To: asterisk-users at lists.digium.com
>Subject: Re: [Asterisk-Users] Asterisk behind LinkSys NAT Routing
>
>Robert Mann wrote:
>
>  
>
>>Problem I have is this.  outside firewall (extension 2003) can call me 
>>inside firewall (extension 2000) and all is fine.  If I call from 
>>inside firewall (extension 2000) to outside firewall (extension 2003) 
>>I hear no ringing and person at other end can pick up and I hear for 
>>maybe a half second then I go to voicemail.  If I add another 
>>extension on the outside then communication between outside and 
>>outside through * is not possible at all.  I know I can not be the 
>>only one who has tried to do this.  Please any help would be greatly 
>>appreciated.
>> 
>>    
>>
>
>Robert,
>
>You need to get Asterisk onto a public IP address.. Using the DMZ 
>function on the router will not work.. If you search the archives you 
>will see that it has been attempted many times..
>
>The reason is not in the IP but in the SIP headers.. they will be sent 
>out from the Asterisk server with the internal IP address of the server, 
>this means that when the SIP UA reads the SIP message and responds it 
>will respond to the incorrect IP address..
>
>So the basic rules where NAT is involved are..
>
>Asterisk server must always be on a public IP address..
>
>SIP UA's can be behind NAT but need "nat=yes", "canreinvite=no" and 
>"qualify=yes" set in the phone configuration in sip.conf..
>
>Hope that helps..
>
>Later..
>
>_______________________________________________
>Asterisk-Users mailing list
>Asterisk-Users at lists.digium.com
>http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
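
The firewall described in the reply above, as an added example that is not part of the original post: a default-deny ruleset that opens only the ports named there, applied with an automatic rollback so a mistake does not lock out a remote session. Assumptions not stated in the post: SIP and RTP use UDP, remote administration is SSH on TCP 22 from the placeholder network `ADMIN_NET`, and the function names and the 60-second confirmation window are illustrative.

```bash
#!/bin/bash
# Added example: iptables-restore ruleset for a SIP-only Asterisk host.
# Assumed: UDP transport for SIP/RTP, SSH on TCP 22 for remote admin.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed placeholder range

# Print the ruleset in iptables-restore format (needs no privileges).
asterisk_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback stays open, otherwise local services such as X break
-A INPUT -i lo -j ACCEPT
# Replies to traffic this host initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Remote administration, limited by source address
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -j ACCEPT
# SIP signalling
-A INPUT -p udp --dport 5060 -j ACCEPT
# RTP media
-A INPUT -p udp --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

# Apply the ruleset as root, then restore the previous rules unless the
# operator confirms in time. A remote session cut off by the new rules
# cannot answer, so the old rules come back by themselves.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    if ! asterisk_ruleset | iptables-restore; then
        iptables-restore < "$backup"; rm -f "$backup"; return 1
    fi
    printf 'Rules applied. Type "keep" within 60s to confirm: '
    if read -r -t 60 answer && [ "$answer" = "keep" ]; then
        echo "kept"
    else
        iptables-restore < "$backup"; echo "rolled back"
    fi
    rm -f "$backup"
}

# Run as: ./asterisk-fw.sh apply   (script name is hypothetical)
if [ "${1:-}" = "apply" ]; then apply_with_rollback; fi
```

Running the script without arguments changes nothing; calling `asterisk_ruleset` on its own prints the rules for review before they are applied.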




