[asterisk-users] asterisk across a firewall

Erick Perez eaperezh at gmail.com
Thu Feb 12 15:28:09 CST 2009


On Wed, Feb 11, 2009 at 1:56 PM, Gordon Henderson
<gordon+asterisk at drogon.net> wrote:
> On Wed, 11 Feb 2009, Erick Perez wrote:
>
>> Excuse my ignorance but if I have an Asterisk in a LAN, and I have
>> users in their homes/internet (dozens), in order to correctly connect
>> those users across my firewall, what is the technology that I need to
>> buy called?
>> secure border gateway?
>> session controller?
>> secure gateway?
>> The AudioCodes site seems to have many names for the same thing... but
>> I'd better ask here and learn before I make a big mistake.
>>
>> My customer has a dumb firewall (not SIP aware) that he will not replace.
>> He wants another box to do the magic.
>
> I have many customers like that, and "working from home" is gaining
> momentum where I live...
>
> So the scenario (if I interpret it correctly): Asterisk at HQ is behind a
> NAT firewall with remote users (who themselves may be behind a NAT
> firewall)
>
> HQ needs a static IP address on the outside and plenty of bandwidth.
>
> The dumb router at HQ needs to port-forward external port 5060 and
> 10000-20000 into the asterisk box (you can limit this range - see
> rtp.conf) Most dumb routers can port-forward.
>
> Asterisk needs to know its LAN and external IP address - sip.conf,
> externip= and localnet=
>
> Remote extensions need nat=yes in sip.conf
>
> and that's basically it.
>
> If the remote extensions are themselves behind a NAT firewall, then the
> easiest way to get them through it is by using a STUN server - either run
> your own, or use someone else's... Do not do any port-forwarding at the
> remote users' sites.
>
> Yes, you can fiddle about with proxies, gateways, etc. but keep it simple
> to start with and I have many installations doing it this way and it "just
> works". One day I'm sure I'll trip up, but until then...
>
> Pitfalls - the same with all VoIP - bandwidth, especially outgoing b/w
> from HQ. Broken NAT gateways, and routers which have SIP ALGs built in
> which are also broken. (Turn them off!)
>
> Routers with broken SIP ALG are the biggest PITA to work round.
>
> Gordon
>



Thank you all for the excellent responses. I will do some tests here to
decide on a method/technology to use.

-- 
------------------------------------------------------------
Erick Perez
Cel +(507) 6675-5083
------------------------------------------------------------
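
Added example, not part of the thread and not Asterisk project code: a Python script that checks the settings listed in the quoted reply (externip= and localnet= in sip.conf, nat=yes on remote extensions, an rtp.conf range that fits the router's port-forward) and flags a forward that is wider than the RTP range in use. The sample files, addresses, peer names, the audit() helper and the use of host=dynamic to identify remote extensions are assumptions.

```python
import re

# Constructed sample files; addresses are documentation ranges, not from the thread.
SIP_CONF = """
[general]
externip=203.0.113.10   ; static public address at HQ
localnet=192.168.1.0/255.255.255.0
[home-alice]
host=dynamic
nat=yes
[home-bob]
host=dynamic
"""
RTP_CONF = """
[general]
rtpstart=10000
rtpend=10999
"""

def parse(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(sip_text, rtp_text, forwarded=(10000, 20000)):
    """Check the thread's checklist; `forwarded` is the router's UDP range for RTP."""
    sip, rtp = parse(sip_text), parse(rtp_text).get("general", {})
    general = sip.get("general", {})
    findings = [f"sip.conf [general] lacks {k}=" for k in ("externip", "localnet")
                if k not in general]
    for name, opts in sip.items():
        # Assumption: host=dynamic marks a remote (home) extension.
        if opts.get("host") == "dynamic" and opts.get("nat", general.get("nat")) != "yes":
            findings.append(f"[{name}] is remote but has no nat=yes")
    if "rtpstart" not in rtp or "rtpend" not in rtp:
        return findings + ["rtp.conf does not pin rtpstart/rtpend"]
    start, end = int(rtp["rtpstart"]), int(rtp["rtpend"])
    if start < forwarded[0] or end > forwarded[1]:
        findings.append(f"RTP {start}-{end} not covered by forward {forwarded[0]}-{forwarded[1]}")
    elif (start, end) != tuple(forwarded):
        findings.append(f"forward is wider than needed; narrow it to UDP {start}-{end}")
    return findings
```

Calling audit(SIP_CONF, RTP_CONF) on the constructed files reports the peer without nat=yes and the over-wide forward; pass the router's actual forwarded range as the third argument.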


