asterisk users - Jul 2005 - Need suggestions on solution for central Asterisk server and multiple private networks.

I am in the process of building up an Asterisk-based voice network using
PAP2-NA SIP clients from Linksys.  Our network consists of several
disconnected private networks (unaware of each other), and are all proxied out
to the Internet via a Linux server.  Our Asterisk PBX lies on the Internet on
yet another network.

I'm hoping to get all SIP clients (PAP2-NA's) to register at the central
Asterisk server so I can avoid setting up a whole bunch of Asterisk servers
within each private network.

Here is a generalized diagram of how I hope things could be layed out:

http://webdev.digitalpath.net/~rayvd/voice/voice-network.png

I figure if the load on our main Asterisk servers gets too high it would be
fairly trivial to add additional servers to cope with this.

I'm trying to figure out what options I have for "proxying" the
connections
from the PAP2-NA's directly to the central PBX server.  Here's what
I've come
up with:

Option 1 -- Asterisk install within each private Network

This would probably work the "best".  PAP2-NA's would register to
the Asterisk
server on the local network which would be linked back to the main asterisk
server via an IAX2 trunk.  The downside here is that I have to set up an
automatic provisioning system and maintain dial plans on each server.

Option 2 -- SIP Proxy

I'm not totally clear on this, but the concept would be that a SIP Server of
some sort sits on each private network's Linux server and basically passes
connections through itself to the Asterisk PBX.  To me this doesn't seem
much
different than Option 3 below, but perhaps would contain a bit more
intelligence.  What products would be available for this type of solution
(SER, OpenSER?).

Option 3 -- iptables

I've tested this solution on a small scale and it appears to work. 
Basically
I set up some nat rules on each Linux server and an additional IP address.  I
essentially forward all traffic destined to that IP address to the central
Asterisk server via the Internet.  Then I set up the PAP2-NA's to register
to
this additional IP address on their network's Linux server.  In actuality
though, the PAP2-NA is registering directly to the central server.

I've turned off reinvites on the Asterisk server so RTP shouldn't be a
problem, but my question is are there any issues here that might make this
break?  Ports?  Inbound calls (I'm using keep alives).  It seems a bit
kludgy,
but if it works it is by far the simplest solution.

Any other options out there that might be better?  My end goal is to stay as
centralized as possible to make administration easy and not be maintaining SIP
profiles / voicemail profiles and dial plans all over the place.

Thanks for any suggestions.

-- 
Ray Van Dolson
Linux/Unix Systems Administrator
Digital Path, Inc.