Lachek Butalek
2006-Nov-22 15:21 UTC
[asterisk-users] Terrible, horrible firewall issues in * to * setup
My mission is to get one * box to dial another * box's extensions. I have set this up previously without any issues by making a simple IAX trunk/extension pair on the two boxes and creating a dial plan with a prefix like 9|XXX to select an extension on the other box.

My problem is that I now have to do this with extremely restrictive firewalls thrown into the mix - firewalls I have no control over. Basically, the setup is:

*1 <---> FW1 <---> (Internet) <---> FW2 <---> FW3 <---> *2

I have control over firewall 1 and 3, but not 2. Using port forwarding (4569 UDP) on FW1, I have been able to make calls from *2 to *1. My problem lies with making calls the other way, as I have no way of port forwarding on FW2.

My initial thought was to set up a reverse SSH tunnel from *2 to *1, which would have worked fine if SSH would tunnel UDP (latency is a different matter altogether). I found software called Zebedee (http://www.winton.org.uk/zebedee/) which claims to do UDP tunneling, and is able to do it "in reverse", but I can't for the life of me get it to work.

Before I try further with Zebedee, I thought it wise to ask the * community if there is a standard solution in this particular case, or perhaps if I'm attempting the impossible.

Any input is greatly appreciated.
Drew Gibson
2006-Nov-23 09:02 UTC
[asterisk-users] Terrible, horrible firewall issues in * to * setup
Lachek Butalek wrote:
> My mission is to get one * box to dial another * box's extensions. I
> have set this up previously without any issues by making a simple IAX
> trunk/extension pair on the two boxes and creating a dial plan with a
> prefix like 9|XXX to select an extension on the other box.
>
> My problem is that I now have to do this with extremely restrictive
> firewalls thrown into the mix - firewalls I have no control over.
> Basically, the setup is:
>
> *1 <---> FW1 <---> (Internet) <---> FW2 <---> FW3 <---> *2
>
> I have control over firewall 1 and 3, but not 2. Using port forwarding
> (4569 UDP) on FW1, I have been able to make calls from *2 to *1. My
> problem lies with making calls the other way, as I have no way of port
> forwarding on FW2.
>
> My initial thought was to set up a reverse SSH tunnel from *2 to *1,
> which would have worked fine if SSH would tunnel UDP (latency is a
> different matter altogether). I found software called Zebedee
> (http://www.winton.org.uk/zebedee/) which claims to do UDP tunneling,
> and is able to do it "in reverse", but I can't for the life of me get
> it to work.
>
> Before I try further with Zebedee, I thought it wise to ask the *
> community if there is a standard solution in this particular case, or
> perhaps if I'm attempting the impossible.
>
> Any input is greatly appreciated.

Try OpenVPN www.openvpn.net, *2 as client, *1 as server

regards,

Drew

--
Drew Gibson
Systems Administrator
OANDA Corporation
416-593-6767 x322
www.oanda.com
Tim Panton
2006-Nov-24 03:20 UTC
[asterisk-users] Terrible, horrible firewall issues in * to * setup
On 22 Nov 2006, at 22:21, Lachek Butalek wrote:
> My mission is to get one * box to dial another * box's extensions. I
> have set this up previously without any issues by making a simple IAX
> trunk/extension pair on the two boxes and creating a dial plan with a
> prefix like 9|XXX to select an extension on the other box.
>
> My problem is that I now have to do this with extremely restrictive
> firewalls thrown into the mix - firewalls I have no control over.
> Basically, the setup is:
>
> *1 <---> FW1 <---> (Internet) <---> FW2 <---> FW3 <---> *2
>
> I have control over firewall 1 and 3, but not 2. Using port forwarding
> (4569 UDP) on FW1, I have been able to make calls from *2 to *1. My
> problem lies with making calls the other way, as I have no way of port
> forwarding on FW2.

If FW2 and FW3 permit outbound UDP and associated replies you won't need to (even if they NAT them).

Set up 4569 on FW1 to go to *1
Add *2 as a peer (and user) in iax.conf on *1
Do _nothing_ with FW3
Set up *2 to _register_ with *1

The repeated registration from 2 to 1 will keep any NATs and port maps open and tell 1 how to reach 2.

(IAX is great)

Tim.
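The registration-based setup Tim describes, written out as an added example of the two iax.conf files and the dial-plan entry; this is not configuration from the thread. The peer names (star1, star2), the contexts, the placeholder address STAR1_PUBLIC_IP and the secret are assumptions, and the dial-plan pattern _9XXX is the Asterisk spelling of the "9|XXX" prefix from the original post.

```ini
; ---------- iax.conf on *1 (behind FW1, which forwards UDP 4569 to *1) ----------
[general]
bindport=4569
bindaddr=0.0.0.0

; Account that *2 registers as.  host=dynamic means *1 learns *2's
; public address/port from the registration, so nothing needs to be
; forwarded on FW2 or FW3.
[star2]
type=friend
host=dynamic
secret=CHANGE-ME-long-random-secret   ; shared secret, never leave blank
context=from-star2                    ; calls from *2 land here, not in the default context
qualify=yes                           ; periodic POKE/PONG keeps the NAT mapping alive between registrations
disallow=all
allow=ulaw
; If FW2's public address is known, restrict the account to it:
; deny=0.0.0.0/0.0.0.0
; permit=FW2_PUBLIC_IP/255.255.255.255

; ---------- iax.conf on *2 (behind FW2 and FW3, no inbound forwarding) ----------
[general]
bindport=4569
; Register with *1; the refresh traffic is outbound UDP, which is all FW2/FW3 need to allow.
register => star2:CHANGE-ME-long-random-secret@STAR1_PUBLIC_IP

[star1]
type=friend
host=STAR1_PUBLIC_IP
username=star2                        ; name *1 authenticates calls from *2 under
secret=CHANGE-ME-long-random-secret
context=from-star1                    ; calls from *1 land here; only local extensions should be reachable
qualify=yes
disallow=all
allow=ulaw

; ---------- extensions.conf on *1: 9 + three digits dials extension XXX on *2 ----------
[internal]
exten => _9XXX,1,Dial(IAX2/star2/${EXTEN:1},30)
exten => _9XXX,n,Hangup()
```

After *2 registers, `iax2 show peers` on *1 shows star2 with the address learned from FW2, and the periodic qualify traffic is what keeps that mapping usable for calls in the *1 to *2 direction.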