[Asterisk-Users] secure

Benjamin on Asterisk Mailing Lists benjk.on.asterisk.ml at gmail.com
Wed Sep 29 07:43:06 MST 2004


Altus Syman <altus at stormcorp.co.za> wrote:
> So if I have 2 network cards, one for the internal LAN and one for the public IP, I only need to open
> IAX2's ports on the public interface, not any RTP ports. This will happen between the internal
> interface and the phones?

Since SIP phones are more common than IAX supporting ones, you will
likely be using SIP on your LAN between your IP phones and your local
Asterisk server.

Then, between your local Asterisk server and the remote Asterisk
server, you would be using IAX.

Like so ...

[SIP-phone]---SIP---[Asterisk]===IAX===[Asterisk]---SIP---[SIP-phone]

where --- denotes the LAN and === denotes the WAN

Therefore, you only have SIP and RTP on the LAN side network interface
of the Asterisk server, not on the WAN side. On the WAN side you'd
only need the IAX port 4569 to be open. You could even set a rule that
only UDP traffic on port 4569 from the IP address of the remote
Asterisk server is allowed and any other traffic on that port is
rejected.

The VPN tunnel scenario looks similar ...

[Asterisk]---SIP---[VPN-FW]===IPsec===[VPN-FW]---SIP---[Asterisk]

where --- denotes the (now extended) LAN and === denotes the encrypted tunnel

Here, you wouldn't even need a second NIC on the Asterisk server
(unless you want to set the Asterisk server up to also be your VPN
server). Again, you only have SIP and RTP on the LAN, not on the WAN
side. Instead, the SIP and RTP traffic will be encapsulated into IPsec
and sent on port 500 over the WAN to the remote VPN server where it is
passed on to the LAN there. The effect is that both LANs appear as if
they are joined into a single LAN. Only port 500 has to be open on the
WAN side for this to work.

hope this helps
rgds
benjk

-- 
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
Tokyo, Japan.

NB: Spam filters in place. Messages unrelated to the * mailing lists
may get trashed.
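An added example, not code from the original post or from the Asterisk project, that models the two-interface policy the reply describes (IAX2 only from the known remote Asterisk on the WAN side, SIP and RTP only on the LAN side) and renders the WAN half as iptables rules; interface names, addresses and the RTP range are assumptions.

```python
# Added example, not code from the original post: a small model of the firewall
# policy the reply describes. Interface names, addresses and RTP range are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IF, LAN_IF = "eth1", "eth0"               # assumed interface names
REMOTE_ASTERISK = ip_address("203.0.113.10")  # assumed remote Asterisk peer
LAN_NET = ip_network("192.168.1.0/24")        # assumed LAN subnet
IAX2_PORT, SIP_PORT = 4569, 5060
RTP_PORTS = range(10000, 20001)               # assumed rtp.conf range

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "udp" or "tcp"
    src: str     # source IP address
    dport: int   # destination port

def decide(pkt: Packet) -> str:
    """Return 'accept' or 'reject' for an inbound packet under the post's design."""
    src = ip_address(pkt.src)
    if pkt.iface == WAN_IF:
        # WAN side: only IAX2 from the known peer. Other traffic to 4569, and any
        # SIP/RTP arriving on the public interface, is rejected.
        ok = pkt.proto == "udp" and pkt.dport == IAX2_PORT and src == REMOTE_ASTERISK
    elif pkt.iface == LAN_IF:
        # LAN side: SIP signalling and RTP media, from the local subnet only.
        ok = (pkt.proto == "udp" and src in LAN_NET
              and (pkt.dport == SIP_PORT or pkt.dport in RTP_PORTS))
    else:
        ok = False
    return "accept" if ok else "reject"

def wan_iptables_rules() -> list:
    """iptables rules implementing the WAN half of decide(), default-deny last."""
    return [
        f"iptables -A INPUT -i {WAN_IF} -p udp --dport {IAX2_PORT} -s {REMOTE_ASTERISK} -j ACCEPT",
        f"iptables -A INPUT -i {WAN_IF} -p udp --dport {IAX2_PORT} -j REJECT",
        f"iptables -A INPUT -i {WAN_IF} -j DROP",
    ]

# Constructed sample traffic, not captured from any real system.
SAMPLE = [
    Packet(WAN_IF, "udp", "203.0.113.10", 4569),   # peer IAX2     -> accept
    Packet(WAN_IF, "udp", "198.51.100.7", 4569),   # stranger IAX2 -> reject
    Packet(WAN_IF, "udp", "198.51.100.7", 5060),   # SIP on WAN    -> reject
    Packet(LAN_IF, "udp", "192.168.1.20", 5060),   # phone SIP     -> accept
    Packet(LAN_IF, "udp", "192.168.1.20", 12000),  # phone RTP     -> accept
    Packet(LAN_IF, "udp", "10.9.9.9", 5060),       # off-subnet    -> reject
]
```

Running `[decide(p) for p in SAMPLE]` gives the verdicts in the trailing comments; the VPN scenario in the post collapses the WAN rule to the tunnel endpoint instead.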
