[asterisk-users] asterisk across a firewall

Gordon Henderson gordon+asterisk at drogon.net
Wed Feb 11 12:56:17 CST 2009


On Wed, 11 Feb 2009, Erick Perez wrote:

> Excuse my ignorance but if i have an asterisk in a LAN, and i have
> users in their homes/internet (dozens), in order to correctly connect
> those users across my firewall, what is the technology that i need to
> buy, called?
> secure border gateway?
> session controller?
> secure gateway?
> the audiocodes site seems to have many names for the same thing...but
> i better ask here and learn before i make a big mistake.
>
> my customer has a dumb firewall (not SIP aware) that will not replace.
> he wants another box to do the magic.

I have many customers like that, and "working from home" is gaining 
momentum where I live...

So the scenario (if I interpret it correctly): Asterisk at HQ is behind a 
NAT firewall with remote users (who themselves may be behind a NAT 
firewall)

HQ needs a static IP address on the outside and plenty of bandwidth.

The dumb router at HQ needs to port-forward external port 5060 and 
10000-20000 into the asterisk box (you can limit this range - see 
rtp.conf) Most dumb routers can port-forward.

Asterisk needs to know its LAN and external ip address - sip.conf, 
externip= and localnet=

remote extensions need nat=yes in sip.conf

and that's basically it.

If the remote extensions are themselves behind a NAT firewall, then the 
easiest way to get them through it is by using a stun server - either run 
your own, or use someone else's... Do not do any port-forwarding at the 
remote users' sites.

Yes, you can fiddle about with proxies, gateways, etc. but keep it simple 
to start with and I have many installations doing it this way and it "just 
works". One day I'm sure I'll trip up, but until then...

Pitfalls - the same with all VoIP - bandwidth, especially outgoing b/w 
from HQ. Broken NAT gateways, and routers which have SIP ALGs built in 
which are also broken. (Turn them off!)

Routers with broken SIP ALG are the biggest PITA to work round.

Gordon
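The settings Gordon lists, written out as an added example (not from the post or from the Asterisk project) in the sip.conf/rtp.conf syntax of the 1.4/1.6 era; the IP addresses, extension number, context name and secret are placeholders, and the two hardening keys under `[general]` are an addition beyond what the post covers:

```ini
; --- rtp.conf: narrow the RTP range so the dumb router only has to forward this block ---
[general]
rtpstart=10000
rtpend=20000

; --- sip.conf ---
[general]
bindport=5060                       ; the router forwards external 5060/udp to this box
context=from-internal               ; assumption: dialplan context for authenticated phones
; Asterisk must know both its public and its LAN address (static public IP at HQ)
externip=203.0.113.10               ; placeholder: HQ's static external IP
localnet=192.168.1.0/255.255.255.0  ; placeholder: HQ LAN, traffic here is not rewritten
; Hardening for a SIP port that is now reachable from the internet (added, not in the post)
allowguest=no                       ; refuse calls from peers that do not authenticate
alwaysauthreject=yes                ; identical rejection for unknown user and wrong password

; One remote home-worker extension, itself behind a NAT router with no port-forwarding
[2001]
type=friend
host=dynamic                        ; the phone registers from wherever it happens to be
secret=CHANGE_ME_long_random        ; placeholder
context=from-internal
nat=yes                             ; reply to the address and port the packets actually came from
canreinvite=no                      ; keep RTP anchored on Asterisk, no direct media between NATed phones
qualify=yes                         ; periodic OPTIONS keeps the remote NAT mapping alive
```

With `canreinvite=no` every call's audio transits HQ, which is why the outgoing bandwidth Gordon warns about matters.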
