[asterisk-users] "remote" SIP, no audio, or one way audio.

Joe Acquisto joea at j4computers.com
Thu Apr 5 04:57:34 MST 2007


"J. Oquendo" <sil at infiltrated.net> Wrote: 4/5/2007 6:47 AM:
> Joe Acquisto wrote:
>>
>>
>> Thanks. And this might go where, in rc.d/rc.firewall.local ?
>>
>> But I don't get it. Isn't this redundant? Since I have port forwarding 
>> already. . .?
>>
>> joe a.
>>
> 
> What this is doing is allowing unfettered access between your PBX and 
> phones. Too many people forget that a VoIP transaction consists of more 
> than just opening up ports 5060 and 5061. These are used for 
> registration/administration, etc. In the case of one way audio, or 
> audio for any matter, this is carried out by RTP on separate ports which 
> will never be the same port unless you have it specified.
> 
> Summarized: NAT + VoIP = nightmare
> 
> If at all doable, segment your phones out to a DMZ with VLANs, 
> constructive routing, and ACLs to avoid leveraged security incidents 
> via those phones being opened.
> 

Thanks.

Do you have recommended switches, capable of supporting VLANs in an appropriate manner?  The cheaper the better, at this point.

I have attempted VLANs several times, for this purpose specifically, using Nortel Baystack 450-24's.  Not working as one would expect.  Some say these simply do not do VLANs "properly".

This can go off list, if it is OT.

joe a.
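
The point in the quoted reply, that audio travels as RTP on ports separate from SIP signalling on 5060/5061, can be checked from the SDP body a phone sends in its INVITE. This is an added example, not part of the original thread; the SDP sample is constructed, and the 10000-20000 range is an assumption (substitute the RTP range your PBX and firewall are actually set to).

```python
import ipaddress
import re

# Constructed sample: SDP body as a phone behind NAT might send it.
SAMPLE_SDP = """v=0
o=- 12345 12345 IN IP4 192.168.1.50
s=call
c=IN IP4 192.168.1.50
t=0 0
m=audio 16384 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

def parse_sdp_media(sdp):
    """Return (connection address, [(media kind, port)]) from c= and m= lines."""
    addr = None
    media = []
    for line in sdp.splitlines():
        line = line.strip()
        m = re.match(r"c=IN IP4 (\S+)", line)
        if m and addr is None:
            addr = m.group(1)  # first c= line; per-media overrides not handled
        m = re.match(r"m=(\w+) (\d+)", line)
        if m:
            media.append((m.group(1), int(m.group(2))))
    return addr, media

def check_sdp(sdp, rtp_low, rtp_high):
    """List reasons the audio described by this SDP may fail across NAT or a firewall."""
    addr, media = parse_sdp_media(sdp)
    problems = []
    if addr is None:
        problems.append("no c= connection address found")
    else:
        try:
            if ipaddress.ip_address(addr).is_private:
                problems.append(f"SDP advertises non-routable address {addr}; "
                                "the far end cannot send RTP to it")
        except ValueError:
            pass  # c= holds a hostname; not resolved in this offline example
    for kind, port in media:
        if kind == "audio" and not (rtp_low <= port <= rtp_high):
            problems.append(f"audio port {port} is outside the opened range "
                            f"{rtp_low}-{rtp_high}")
    return problems

if __name__ == "__main__":
    for p in check_sdp(SAMPLE_SDP, 10000, 20000):
        print("WARN:", p)
```

A non-routable address in `c=` points at a NAT problem on the signalling side, while a port outside the opened range points at the firewall or port-forwarding rules.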


