[asterisk-users] Asterisk behind a PIX firewall?

Steve Totaro stotaro at totarotechnologies.com
Tue Nov 27 11:03:15 CST 2007


Matt wrote:
> 
> 
> On Nov 27, 2007 11:02 AM, C F <shmaltz at gmail.com> wrote:
> 
>     On Nov 27, 2007 9:08 AM, Steve Totaro
>     <stotaro at totarotechnologies.com> wrote:
>      >
>      > Matt wrote:
>      > >
>      > >
>      > >
>      > >     Just checking....  NAT=yes, canreinvite=no ?
>      > >
>      > >
>      > > Correct, I have those settings set for this phone.  Asterisk has been
>      > > reloaded even restarted.
>      > >
>      > >
>      >
>      > Is this a dual NAT situation?  NAT on the phone side and NAT at the PIX?
>      >   If so, I fear it will never work, you might get one way audio though.
>      >
> 
>     I disagree with you, setting in sip.conf:
>     externhost=ddnsname;or set the next setting
>     externip=x.x.x.x;external ip
>     externrefresh=10;for dns
>     localnet=192.168.0.0/255.255.0.0
>     should take care of this, I have never had a problem with dual nat
>     like this, using Aastra, Cisco, Polycom and linksys.
> 
> 
> LO!  This worked!  All it needed was an externip entry!
> 
> 

This is good to hear.  Now I know it can be done this way, although I 
still prefer OpenVPN for its security and ability to let you do other 
things such as AMI or whatever.

It is kind of hard to portscan 5060 when it is not open.  I bet I could 
do a portscan on 5060 and of those hits try username 100 password 100 
all the way up to 9999 and eventually get some toll fraud access in a 
day's time.

Thanks,
Steve
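
Added example, not part of the original message or of Asterisk itself: a small sip.conf audit that flags the guessable numeric credentials described above (secret equal to the extension, or short/all-digit), a missing externip/externhost, and peers with nat=yes but no canreinvite=no. The sample config, the 203.0.113.10 address and the 12-character minimum are constructed assumptions.

```python
import re

# Constructed sample sip.conf (not from the thread); 203.0.113.10 is a documentation address.
SAMPLE = """\
[general]
externip=203.0.113.10   ; public address on the PIX
localnet=192.168.0.0/255.255.0.0
[100]
secret=100
nat=yes
canreinvite=no
[101]
secret=4821
nat=yes
[102]
secret=q7V-tm2R_x9LhE4c
nat=yes
canreinvite=no
"""

def parse(text):
    """Return {section: {key: value}} from sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"\[([^\]]+)\]", line)      # also matches [name](template)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text, min_len=12):
    """List (section, finding) pairs; min_len is an assumed policy value."""
    conf, findings = parse(text), []
    general = conf.get("general", {})
    if not ("externip" in general or "externhost" in general):
        findings.append(("general", "no externip/externhost"))
    for name, peer in conf.items():
        if name == "general":
            continue
        secret = peer.get("secret", "")
        if secret == name:
            findings.append((name, "secret equals username"))
        elif secret.isdigit() or len(secret) < min_len:
            findings.append((name, "secret is numeric or short"))
        if peer.get("nat") == "yes" and peer.get("canreinvite") != "no":
            findings.append((name, "nat=yes without canreinvite=no"))
    return findings
```

Calling audit(SAMPLE) reports extension 100 for a secret equal to its username and extension 101 for an all-digit secret and a missing canreinvite=no; extension 102 passes.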



