[asterisk-users] asterisk across a firewall
Gordon Henderson
gordon+asterisk at drogon.net
Wed Feb 11 12:56:17 CST 2009
On Wed, 11 Feb 2009, Erick Perez wrote:
> Excuse my ignorance but if I have an asterisk in a LAN, and I have
> users in their homes/internet (dozens), in order to correctly connect
> those users across my firewall, what is the technology that I need to
> buy, called?
> secure border gateway?
> session controller?
> secure gateway?
> The audiocodes site seems to have many names for the same thing...but
> I better ask here and learn before I make a big mistake.
>
> My customer has a dumb firewall (not SIP aware) that will not replace.
> He wants another box to do the magic.

I have many customers like that, and "working from home" is gaining
momentum where I live...

So the scenario (if I interpret it correctly): Asterisk at HQ is behind a
NAT firewall with remote users (who themselves may be behind a NAT
firewall)

HQ needs a static IP address on the outside and plenty of bandwidth.

The dumb router at HQ needs to port-forward external port 5060 and
10000-20000 into the asterisk box (you can limit this range - see
rtp.conf). Most dumb routers can port-forward.

Asterisk needs to know its LAN and external IP address - sip.conf,
externip= and localnet=

Remote extensions need nat=yes in sip.conf

and that's basically it.

If the remote extensions are themselves behind a NAT firewall, then the
easiest way to get them through it is by using a STUN server - either run
your own, or use someone else's... Do not do any port-forwarding at the
remote users' sites.

Yes, you can fiddle about with proxies, gateways, etc. but keep it simple
to start with and I have many installations doing it this way and it "just
works". One day I'm sure I'll trip up, but until then...

Pitfalls - the same with all VoIP - bandwidth, especially outgoing b/w
from HQ. Broken NAT gateways, and routers which have SIP ALGs built in
which are also broken. (Turn them off!)

Routers with broken SIP ALG are the biggest PITA to work round.

Gordon
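
Added example, not part of Gordon's message and not Asterisk code: a small Python check of the settings the reply lists (externip=, localnet=, nat=yes on remote extensions, the rtp.conf port range) that also returns the UDP ranges the HQ router has to forward. The sample files, the documentation address 203.0.113.10 and the extension names home-201/home-202 are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Asterisk-style config: [section], key=value, ';' comments; repeated keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = sections.setdefault(line[1:].split("]", 1)[0], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def get(section, key):
    return [v for k, v in section if k == key]

def audit(sip_text, rtp_text, remote_peers):
    """Return (UDP ranges the HQ router must forward, problems found)."""
    sip, rtp = parse_conf(sip_text), parse_conf(rtp_text).get("general", [])
    general, problems = sip.get("general", []), []
    nets = [ipaddress.ip_network(n, strict=False) for n in get(general, "localnet")]
    ext = get(general, "externip")
    if not nets:
        problems.append("no localnet= in [general]")
    if not ext:
        problems.append("no externip= in [general]")
    elif any(ipaddress.ip_address(ext[-1]) in n for n in nets):
        problems.append(f"externip {ext[-1]} is inside localnet")
    for peer in remote_peers:  # nat= may be inherited from [general]
        if (get(sip.get(peer, []), "nat") or get(general, "nat"))[-1:] != ["yes"]:
            problems.append(f"remote extension {peer} lacks nat=yes")
    start, end = get(rtp, "rtpstart"), get(rtp, "rtpend")
    if not (start and end):  # without a pinned range there is nothing safe to forward
        problems.append("rtp.conf does not set rtpstart/rtpend")
        return [("sip", 5060, 5060)], problems
    return [("sip", 5060, 5060), ("rtp", int(start[-1]), int(end[-1]))], problems

# Constructed sample files: documentation address, hypothetical extension names.
SIP_CONF = """[general]
externip=203.0.113.10   ; static address on the outside of the HQ router
localnet=192.168.1.0/255.255.255.0
[home-201]
nat=yes
[home-202]
host=dynamic
"""
RTP_CONF = "[general]\nrtpstart=10000\nrtpend=10100\n"
print(audit(SIP_CONF, RTP_CONF, ["home-201", "home-202"]))
```

Narrowing rtpstart/rtpend as in the sample keeps the forwarded range on the HQ router as small as the number of concurrent calls allows.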