> I have a * box with 2 nics in the following setup:
>
> Internet
> |
> 192.168.5.253 (firewall)
> |
> 192.168.5.xxx network (gw 192.168.5.253)
> |
> 192.168.5.10 (* nic 1)
> 192.168.6.10 (* nic 2)
> |
> 192.168.6.xxx network
>
> The netmask for both networks is 255.255.255.0
>
> The 192.168.6.xxx network has a 48 port switch solely for the use of
> Cisco 7940 phones, the 192.168.5.xxx is for the PCs (WinXP) / servers
> (2003) etc.
>
> I want to be able to access the phones (telnet/web etc) from the .5.xxx
> network, and I want the phones to be able to access the .5.xxx network.

1. Make sure IP forwarding is on.
2. Turn off iptables (at least for testing).
3. From a Windows command prompt:
   route add 192.168.6.0 mask 255.255.255.0 192.168.5.10
4. Try to ping 192.168.6.10 from Windows. If it fails, recheck 1 and 2 above. If ok, try to ping a phone. If that fails, make sure the phone has 192.168.6.10 as its default gw. If ok, you should now be able to access the phone's web server from the Windows box.
5. To avoid having to add a route to every Windows box, add a static route to your firewall, specifying that 192.168.6.0/24 is reached via the LAN interface using gw 192.168.5.10.

Good luck,
Stewart
That's all helpful advice; see below.

Stewart Nelson wrote:
>> I have a * box with 2 nics in the following setup:
>>
>> Internet
>> |
>> 192.168.5.253 (firewall)
>> |
>> 192.168.5.xxx network (gw 192.168.5.253)
>> |
>> 192.168.5.10 (* nic 1)
>> 192.168.6.10 (* nic 2)
>> |
>> 192.168.6.xxx network
>>
>> The netmask for both networks is 255.255.255.0
>>
>> The 192.168.6.xxx network has a 48 port switch solely for the use of
>> Cisco 7940 phones, the 192.168.5.xxx is for the PCs (WinXP) / servers
>> (2003) etc.
>>
>> I want to be able to access the phones (telnet/web etc) from the .5.xxx
>> network, and I want the phones to be able to access the .5.xxx network.
>
> 1. Make sure IP forwarding is on.

1. It is.

> 2. Turn off iptables (at least for testing).

2. It is off.

> 3. From a Windows command prompt:
>    route add 192.168.6.0 mask 255.255.255.0 192.168.5.10

3. Already done that, thanks.

> 4. Try to ping 192.168.6.10 from Windows. If it fails,
>    recheck 1 and 2 above. If ok, try to ping a phone.
>    If that fails, make sure the phone has 192.168.6.10 as
>    its default gw. If ok, you should now be able to access
>    the phone's web server from the Windows box.

4. Can do. Works like a charm. Access to telnet / web server not a problem. So, 192.168.5.xx -> 192.168.6.xx works fine.

> 5. To avoid having to add a route to every Windows box,
>    add a static route to your firewall, specifying
>    that 192.168.6.0/24 is reached via the LAN interface
>    using gw 192.168.5.10.

5. I will look into that tomorrow, most useful advice.

> Good luck,

Thanks. However, even though I've added the 192.168.6.10 as the gw for the 192.168.6.xx network, the phones cannot access the 192.168.5.xx network (or the internet).

> Stewart
Stewart Nelson
2004-Dec-10 00:58 UTC
[Asterisk-Users] Re: very OT - basic newbie networking
> However, even though I've added the 192.168.6.10 as the gw
> for the 192.168.6.xx network, the phones cannot access
> the 192.168.5.xx network (or the internet).

Well, if you can open a TCP connection from 192.168.5.xx to 192.168.6.xx, then routing in the reverse direction must be working. If you can't connect from 192.168.6.xx back to 192.168.5.xx, two things come to mind:

Your * box might be acting as a NAT (aka IP masquerading) router, rather than a normal router. When you connect from a host on 192.168.5.xx to a phone, verify that the source IP seen by the phone is 192.168.5.xx. You can do this with debug features in the phone, by running Ethereal on * on the 192.168.6.10 interface, or with an external monitor. If you see 192.168.6.10 as the source address, then you are running NAT and need to disable it.

The connection might be blocked by a software firewall on the destination host, e.g. Windows Firewall, on by default in XP SP2. Note that a service enabled with Local Subnet scope won't be accessible from the phones.

If it's neither of the above, you'll just have to debug it. Run Ethereal on the 192.168.5.10 interface, and check for SYN packets going out and responses coming in.

Accessing the Internet from the phones is another story. First, do you need it? If you are coming into * in SIP and going out to a provider or another * in IAX, * will have to proxy the call anyhow, so Internet access is not required. If both sides are SIP, and you want to get the performance benefits of reinvite, then you can try to get it working. Your firewall needs to have a static route for 192.168.6.0/24 with gw 192.168.5.10, and it also must know to perform NAT on packets coming in from 192.168.6.xx. Some routers will do this automatically, some need a configuration setting, and with others you're out of luck. In the latter case, you could tell the router that the LAN subnet is 192.168.4.0/22, and set up * to do proxy ARP.

Once you have NAT and the static route configured, you should be able to plug a PC into the 192.168.6.xx net and browse the Web. But whether you can make phone calls through this system is a complex issue. NAT traversal for SIP is often problematic, and many on this list have had to set canreinvite=no.

Regards,
Stewart
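The two checks Stewart's replies turn on (step 1 of the checklist, and whether the * box is masquerading the phones' traffic) can be scripted. This is an added example, not code from the thread; it parses iptables-save output, the interface name eth0 and both dumps are constructed samples, and on a live box you would feed it the real /proc value and iptables-save output as shown in the trailing comment.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from the poster's box): the value of
# /proc/sys/net/ipv4/ip_forward and two iptables-save dumps, one with a
# MASQUERADE rule that rewrites the phones' source address and one without.
IP_FORWARD_SAMPLE="1"
NAT_SAMPLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.6.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
CLEAN_SAMPLE='*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Step 1 of the checklist: forwarding must be enabled before the box will
# route between its two NICs at all.
check_forwarding() {
    [ "$1" = "1" ]
}

# Print every MASQUERADE/SNAT rule in the nat table that applies to the given
# subnet prefix (a rule with no -s match applies to everything). Any hit means
# the phones see 192.168.6.10 as the source address, i.e. the box is a NAT
# router rather than a plain one.
nat_rules_for() {
    printf '%s\n' "$2" | awk -v net="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j (MASQUERADE|SNAT)/ &&
            ($0 !~ /-s / || index($0, net)) { print }'
}

# Combine both checks into one verdict: forwarding-off, nat-active or ok.
diagnose() {
    fwd="$1"; dump="$2"
    if ! check_forwarding "$fwd"; then
        echo "forwarding-off"
    elif [ -n "$(nat_rules_for 192.168.6. "$dump")" ]; then
        echo "nat-active"
    else
        echo "ok"
    fi
}

# On the real box, replace the samples with live data:
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
diagnose "$IP_FORWARD_SAMPLE" "$NAT_SAMPLE"
```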
Stewart Nelson
2004-Dec-10 02:30 UTC
[Asterisk-Users] Re: very OT - basic newbie networking
> Is NAT enabled by default on Fedora core 1 (latest patches)?

Sorry, don't know. I believe that if you have disabled iptables by e.g.

/etc/init.d/iptables stop

then NAT should be off, but it still wouldn't hurt to check the source address reaching the phones.

> The target machines can be pinged from the * box, but not the phones.

See if you can do

ping -I 192.168.6.10 <target IP>

--Stewart