I know this issue has been covered with at least 2 different patches, and probably a dozen different discussions, however I'm a bit unclear as to what my options are.

I have a DSL line coming in with 8 IP addresses going to an OpenBSD firewall doing 1:1 NAT for machines behind the firewall. My asterisk box is one of these machines, and I'd like to allow foreign SIP clients (softphones/hardware phones) to register to my Asterisk box -WITHOUT- breaking internal connectivity.

A brief example of my setup works like this:

    asterisk box -------------> openbsd firewall ---------------> internet
    (192.168.250.7)                    |
                                       ----------------------
                                       --> other internal networks (192.168.0.0/16)

The OpenBSD firewall provides a 1:1 NAT mapping for the asterisk box to 216.254.114.221 so ports/port forwarding is a non issue.

I also have several other internal subnets hanging off of the OpenBSD firewall, all using 192.168.0.0/16 address space, and I do have some hardware/software clients running internally.

I've also noticed that in newer CVS versions, there are provisions for 'externip', but nothing for internal net/netmask, so I suspect this will break my internal clients.

My question is, first off, do I need to apply a patch, and if so, which one? Second, once I apply said patch, what options do I need to supply in sip.conf?

I could also run something on the openbsd firewall (maybe a SIP proxy?), I've seen references to 'STUN' but haven't found enough info on it to know if it will help me.

Thanks,
Pat
bug 104 on bugs.digium.com take a look at it. Also your setup is EVIL

bkw

On Thu, 18 Dec 2003, Patrick Cantwell wrote:
> I know this issue has been covered with at least 2 different patches, and
> probably a dozen different discussions, however I'm a bit unclear as to what
> my options are.
>
> I have a DSL line coming in with 8 IP addresses going to an OpenBSD firewall
> doing 1:1 NAT for machines behind the firewall. My asterisk box is one of
> these machines, and I'd like to allow foreign SIP clients
> (softphones/hardware phones) to register to my Asterisk box -WITHOUT-
> breaking internal connectivity.
>
> A brief example of my setup works like this:
>
>     asterisk box -------------> openbsd firewall ---------------> internet
>     (192.168.250.7)                    |
>                                        ----------------------
>                                        --> other internal networks (192.168.0.0/16)
>
> The OpenBSD firewall provides a 1:1 NAT mapping for the asterisk box to
> 216.254.114.221 so ports/port forwarding is a non issue.
>
> I also have several other internal subnets hanging off of the OpenBSD
> firewall, all using 192.168.0.0/16 address space, and I do have some
> hardware/software clients running internally.
>
> I've also noticed that in newer CVS versions, there are provisions for
> 'externip', but nothing for internal net/netmask, so I suspect this will
> break my internal clients.
>
> My question is, first off, do I need to apply a patch, and if so, which one?
> Second, once I apply said patch, what options do I need to supply in
> sip.conf?
>
> I could also run something on the openbsd firewall (maybe a SIP proxy?),
> I've seen references to 'STUN' but haven't found enough info on it to know
> if it will help me.
>
> Thanks,
> Pat
Hi all,

I've done quite a bit of reading, and I see that it's going to be difficult, but as a last-ditch effort before implementing a suggestion I don't like at all, I figured I'd ask...

Has anyone successfully put an asterisk box on an internal network behind a NAT device and been able to connect with SIP from outside? The real point behind all this is to implement QoS for the voice traffic, and putting a third box in front of the asterisk and NAT boxes has been deemed "too expensive".

Currently, asterisk has a public IP, as does the NAT box behind which all the office machines sit. If it can be done, the NAT box would be the best place to do the QoS, so why not ask, right?

Alternatively, I'm open to any suggestions that would work. I've been handed this challenge on my first day on a new job... :/

Thanks,

---sambo
<<Alternatively, I'm open to any suggestions that would work>>

Like you, I read about NAT and the problems. After a few days unsuccessful battling I gave up. Instead of using SIP directly, we've taken SIP numbers with a VoIP service provider and receive calls using IAX from the VoIP provider.

I guess you could do the same yourself: have an instance of Asterisk outside your firewall holding just SIP definitions and a simple dialplan to direct calls to and an Asterisk instance within a firewall using IAX that has a complete dialplan.

I'm sure the VoIP providers that offer SIP->IAX and IAX->SIP, such as the one we use, are doing more and that there are some gotchas. But it's an idea.

Bill Seddon

________________________________
From: asterisk-users-bounces@lists.digium.com on behalf of sammy ominsky
Sent: Mon 2/28/2005 9:03 PM
To: Asterisk Users
Subject: [Asterisk-Users] Asterisk Behind NAT

Hi all,

I've done quite a bit of reading, and I see that it's going to be difficult, but as a last-ditch effort before implementing a suggestion I don't like at all, I figured I'd ask...

Has anyone successfully put an asterisk box on an internal network behind a NAT device and been able to connect with SIP from outside? The real point behind all this is to implement QoS for the voice traffic, and putting a third box in front of the asterisk and NAT boxes has been deemed "too expensive".

Currently, asterisk has a public IP, as does the NAT box behind which all the office machines sit. If it can be done, the NAT box would be the best place to do the QoS, so why not ask, right?

Alternatively, I'm open to any suggestions that would work. I've been handed this challenge on my first day on a new job... :/

Thanks,

---sambo
Hi,

I am working on the exact same problem now and am open to any suggestions. So far I:

1. Made my NAT device forward port 5060 to the Asterisk server.
2. Added the line 'nat=yes' to sip.conf for the user that is on the outside.

At the moment, the outside phone registers with Asterisk, but I can only place calls in one direction, and when a call is established, no sound path exists. Asterisk tries to talk to the remote phone using its local IP address and this does not work.

Let us know if you get anywhere and I will keep you posted too.

Rudolf

> sammy ominsky <s@avoidant.org> wrote:
>
> Hi all,
>
> I've done quite a bit of reading, and I see that it's going to be
> difficult, but as a last-ditch effort before implementing a suggestion
> I don't like at all, I figured I'd ask...
>
> Has anyone successfully put an asterisk box on an internal network
> behind a NAT device and been able to connect with SIP from outside?
> The real point behind all this is to implement QoS for the voice
> traffic, and putting a third box in front of the asterisk and NAT boxes
> has been deemed "too expensive".
>
> Currently, asterisk has a public IP, as does the NAT box behind which
> all the office machines sit. If it can be done, the NAT box would be
> the best place to do the QoS, so why not ask, right?
>
> Alternatively, I'm open to any suggestions that would work. I've been
> handed this challenge on my first day on a new job... :/
>
> Thanks,
>
> ---sambo
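The symptom reported in the post above (registration succeeds, but the audio path fails because the private address is advertised) and the earlier 'externip' versus internal net/netmask question come down to one decision: which address to put in Contact and SDP for a given peer. The sketch below is an added example, not code from any poster or from Asterisk; the SIP message is constructed, 203.0.113.10 is an assumed outside peer, and the function names are hypothetical.

```python
import ipaddress
import re

# Addresses taken from the first post in this archive.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
ASTERISK_PRIVATE = "192.168.250.7"
ASTERISK_PUBLIC = "216.254.114.221"

# Constructed sample: a SIP answer with SDP as a server with no NAT
# awareness would send it (private address in Contact, o= and c=).
SAMPLE = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKconstructed",
    "Contact: <sip:100@192.168.250.7:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=root 1 1 IN IP4 192.168.250.7",
    "c=IN IP4 192.168.250.7",    # where the peer is told to send RTP
    "m=audio 10000 RTP/AVP 0",   # RTP port; forwarding 5060 does not cover it
])

# Fields that carry our own address to the peer.
ADDR_FIELDS = re.compile(
    r"^(Contact:.*?@|o=.* IN IP4 |c=IN IP4 )(\d{1,3}(?:\.\d{1,3}){3})", re.M)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def unreachable_addresses(message, peer):
    """Advertised addresses that a peer outside INTERNAL_NETS cannot route to."""
    if is_internal(peer):
        return []
    return [m.group(2) for m in ADDR_FIELDS.finditer(message)
            if is_internal(m.group(2))]

def advertise_for(message, peer):
    """Swap in the public address only when the peer is outside INTERNAL_NETS."""
    if is_internal(peer):
        return message  # internal clients keep the private address
    def swap(m):
        addr = ASTERISK_PUBLIC if m.group(2) == ASTERISK_PRIVATE else m.group(2)
        return m.group(1) + addr
    return ADDR_FIELDS.sub(swap, message)
```

Running `unreachable_addresses` on captured signalling shows at a glance whether a one-way-audio report is an address-advertisement problem or a blocked RTP port.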
Hi!

How do I configure my * to have a remote extension if the asterisk is behind a nat?

Regards

Anders Svensson
As of the current release, Asterisk will not support STUN. You will have problems when you run Asterisk behind NAT and try to configure a remote extension.

Refer to the voxilla.com <http://voxilla.com> forums for more details.

On 10/4/05, Anders Svensson <anders@bobascom.com> wrote:
>
> Hi!
>
> How do I configure my * to have a remote extension if the asterisk is
> behind a nat?
>
> Regards
>
> Anders Svensson
Hello to all

Can we put Asterisk in a company that has an ADSL connection with just one public IP address? Because with just one public IP, Asterisk must have a private (NATed) IP... but the idea is to make him dial other SIP domains.

Can Asterisk work behind NAT, and still route calls to the Internet? And he can still receive calls from the Internet?

Thanks
Joao Pereira
It works fine behind a firewall. Enable NAT in sip.conf and it works fine.

Giridhar Bandi

On 4/6/06, Joao Pereira <joao.pereira@fccn.pt> wrote:
>
> Hello to all
> Can we put Asterisk in a company that has an ADSL connection with just
> one public IP address? Because with just one public IP, Asterisk must
> have a private (NATed) IP... but the idea is to make him dial other SIP
> domains.
>
> Can Asterisk work behind NAT, and still route calls to the Internet?
> And he can still receive calls from the Internet?
>
> Thanks
> Joao Pereira