Hello *,

I try to establish an Asterisk-Server for internal and external usage.
Perfect use case for a DMZ, or not?

My configuration:

          I N T E R N E T                                 |
                 |                                        | E
                 |                                        | X
                 |                                        | T
                 |                                        | E
                 | 213.xxx.xx.68                          | R
           +-----#----+                                   | N
           | Firewall |                                   |
           +-----#----+  - - - - - - - - - - - - - - - - -+-
                 | 192.168.40.68                          |
                 |                                        |
        +--------#--------+                               |
        |     Switch      |                               |
        +--#---#---#---#--+                               |
           |   |                                          |
           |   +-----------------+                        | D
           |                     |                        | M
        +--+                     |                        | Z
        | (213.xxx.xx.66)        | (213.xxx.xx.70)        |
        | 192.168.40.66          | 192.168.40.70          |
  +-----#----+             +-----#----+                   |
  | Firewall |             | Asterisk |                   |
  +----------+             +----------+                   |
  |  Server  |                                            |
  +-----#----+ - - - - - - - - - - - - - - - - - - - - - -+-
        | 192.168.0.1                                     |
        |                                                 |
        +--+                                              |
           |                                              |
  +--------#--------+                                     |
  |     Switch      |                                     | I
  +--#--#--#--#--#--+                                     | N
     |  |  |                                              | T
     |  |  |                                              | E
     |  |  |                                              | R
     |  |  |                                              | N
     |  |  +-----------------------------+                |
     |  +--------------+                 |                |
     |                 |                 |                |
     | 192.168.0.101   | 192.168.0.102   | 192.168.0.103  |
  +--#---+          +--#---+          +--#---+            |
  | Tel1 |          | Tel2 |          | Tel3 |            |
  +------+          +------+          +------+            |

But now the IP-Phones could not communicate with Asterisk because the
Server (a Linux host) will NAT the internal IP-Addresses.

Is there a good way to solve this Problem?

Regards
Bastian

On Tue, 2004-08-10 at 10:55, Bastian Schern wrote:
> But now the IP-Phones could not communicate with Asterisk because the
> Server (a Linux host) will NAT the internal IP-Addresses.
>
> Is there a good way to solve this Problem?

Not the best solution, but you could tell the server not to NAT when going to the * IP address.

-- 
respectfully,
Joseph

a) Use a transparent bridge firewall.
b) Use redirect with multiport of the SIP ports to the * box IP.
c) And the most effective for your topology: don't use NAT, use only the routing properties of Linux...

Can you post your firewall rules and routing table?

Why not use a public address for *?

A firewall, if properly configured can protect your * server the same way as it would with NAT in a DMZ.

Dominique

On Tuesday 10 August 2004 10:55 am, Bastian Schern wrote:
> Hello *,
>
> I try to establish an Asterisk-Server for internal and external usage.
> Perfect use case for a DMZ, or not?

Yes, use OpenBSD and make the "server firewall" a bridge. Then you can block by IP or MAC as needed. Since it's not visible from the network side you have to configure it from the console. (Or turn off NAT on your Linux box.)

-- 
Steve

"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin
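
Joseph's suggestion in this thread (do not NAT traffic going to the * address), sketched for the inner Linux firewall as an added example that is not part of the original thread. Addresses are taken from the posted diagram; the interface name eth0 and the function names are assumptions. The second function checks saved rules for the ordering mistake that would put the phones back behind NAT.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Addresses come from the posted diagram;
# the interface name is an assumption.
LAN_NET="192.168.0.0/24"      # phone network behind the inner firewall
ASTERISK_IP="192.168.40.70"   # Asterisk's DMZ address
DMZ_IF="eth0"                 # ASSUMED: inner firewall's DMZ-side interface

# Print a nat table in iptables-restore format. The ACCEPT rule ends
# POSTROUTING traversal for phone -> Asterisk packets, so they keep their
# 192.168.0.x source; everything else leaving via the DMZ is still masqueraded.
# Apply on the inner firewall with: nat_rules | iptables-restore
# (this replaces the nat table; Asterisk then needs a route to the phone
# network via 192.168.40.66 so its replies find their way back).
nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -d $ASTERISK_IP/32 -o $DMZ_IF -j ACCEPT
-A POSTROUTING -s $LAN_NET -o $DMZ_IF -j MASQUERADE
COMMIT
EOF
}

# Read iptables-save output on stdin and return 0 if the first POSTROUTING
# rule that decides phone -> Asterisk traffic is the exemption, 1 if a
# MASQUERADE/SNAT rule comes first. Simplification: every MASQUERADE/SNAT
# rule is assumed to match the phones' traffic.
asterisk_exempt_from_nat() {
  awk -v ip="$ASTERISK_IP" '
    /^-A POSTROUTING/ && !decided {
      if ($0 ~ /-j ACCEPT/ && index($0, "-d " ip)) { decided = 1; natted = 0 }
      else if ($0 ~ /-j (MASQUERADE|SNAT)/)        { decided = 1; natted = 1 }
    }
    END { exit natted }'
}

# Constructed sample: the same two rules in the wrong order.
BAD_ORDER="-A POSTROUTING -s $LAN_NET -o $DMZ_IF -j MASQUERADE
-A POSTROUTING -s $LAN_NET -d $ASTERISK_IP/32 -o $DMZ_IF -j ACCEPT"

nat_rules | asterisk_exempt_from_nat && echo "generated rules: not NATed"
printf '%s\n' "$BAD_ORDER" | asterisk_exempt_from_nat || echo "bad order: NATed"
```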