Hello all,

I need to set up a new Asterisk system with the following requirements:

1. Will be moving from chan_sccp to SIP (7960's), but I want to support the SCCP phones until everyone has been migrated.
2. Need to maintain current portability of the 7960's (i.e. a user can unplug his phone from the internal LAN, take it home or wherever, plug in, and have the phone register and work just like in the office).

I have tried the following:

1. Asterisk server on LAN behind NAT, LAN phones on the same net, tested a phone with a public IP.
2. Asterisk on public IP, LAN phones on LAN behind NAT, didn't even get to testing remote phones.

I am having trouble with calls completing but not passing the audio stream. I have done fixup SIP/opened 5060/tried many settings in sip.conf/set 7960's to NAT=YES etc. I cannot NAT each phone individually and allow RTP to it, as I saw one person did. I really don't want to run Asterisk on a public IP and a LAN IP going around my firewall.

Do I need to put the phones on a separate LAN network and run Asterisk on a public IP and a private one? Do I need to run a SIP proxy? I looked at SER/OpenSER, but it seems to break some things (need to be able to record all calls, need MWI). Should I run 2 Asterisk boxes connected with maybe TDMoE? Would that work?

Any suggestions would be greatly appreciated.

Thanks,
Andy Hester
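Editor's note: the following is an added example and is not part of Andy's post or of any reply in the thread. "Calls complete but no audio" with Asterisk behind NAT is almost always Asterisk advertising its private address in the SDP, so the remote phone sends RTP somewhere unreachable. The sip.conf/rtp.conf settings below (1.2/1.4-era syntax) are the usual fix; the public address 203.0.113.10, the LAN range 192.168.1.0/24, the peer name 7960-remote and the RTP range are assumed placeholders.

```ini
; ---- sip.conf ----
[general]
context=default
bindport=5060
; Without the next three lines Asterisk writes its private 192.168.1.x address
; into the SDP it sends to a phone outside the firewall: signalling succeeds,
; the phone streams RTP to an address it cannot reach, and there is no audio.
externip=203.0.113.10                ; public address of the NAT firewall (assumed)
localnet=192.168.1.0/255.255.255.0    ; peers in this range get the private address, everyone else gets externip
nat=yes                              ; reply to the source port/address the packet came from, not what the SDP claims
canreinvite=no                       ; keep Asterisk in the media path; no phone-to-phone re-INVITE across NAT

; A phone that roams: the same entry serves it on the LAN (localnet match)
; and from home (externip + nat=yes).
[7960-remote]
type=friend
host=dynamic
secret=long-random-secret-not-1234   ; registrations on a public 5060 are guessed constantly
nat=yes
canreinvite=no
qualify=yes                          ; periodic OPTIONS keeps the phone's own NAT pinhole alive (assumed the 7960 answers them)
context=from-phones

; ---- rtp.conf ----
[general]
rtpstart=10000
rtpend=10100                         ; small range: forward exactly this UDP range, nothing wider
```

On the firewall, forward UDP 5060 and UDP 10000-10100 to the Asterisk LAN address and nothing else; with externip set, a SIP ALG ("fixup protocol sip" on a PIX) often rewrites the SDP a second time and makes things worse, so try it disabled.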
Andrea Cristofanini -- [Gedam Europe]
2007-Jan-11 10:05 UTC
[asterisk-users] Queue PROBLEMS
Dear all,

I have found this on Queue: I send calls to PSTN numbers, I set a variable in the channel, like CALLERID(name)=${recordid}, and I send the answered calls to a Queue. In the softphone I read CALLERID(name) and do some action on the CRM. All is sweet till here...

The problem comes when I have CALLS WAITING in the queue: all the agents are busy, after some time an agent becomes available again and the call is passed to that agent, and in this case CALLERID(name) becomes blank, so it looks like I have lost my variable. Any idea?

--
Cheers
Andrea

Andrea Cristofanini
Gedam Europe Srl
Gedam Advanced Communication Ltd
Torino, Italy
C.so Re Umberto 21
Mobile: +39 329 1871756
PSTN: +39 011 19824516
FreeVoip: 6838601
http://www.gedameurope.com
http://freevoip.gedameurope.com
Andrew Joakimsen
2007-Jan-12 08:56 UTC
[asterisk-users] Suggestion for a new asterisk setup.
I assume there is one NAT router for the LAN and nothing fancy, so set up the Asterisk machine on the router/firewall (or make it such) and have it listen on both the LAN and WAN interfaces. Now use a hostname for the SIP server, and run a DHCP/DNS server that will resolve that hostname to the LAN IP address of your router when it is queried from the LAN side; from the WAN side it would just be the regular lookup (use FQDN). Now phones will work from anywhere, no NAT issues to deal with at all. Each interface that Asterisk runs on is isolated from the other.
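Editor's note: an added example of the split-horizon DNS Andrew describes, not part of his reply. It assumes dnsmasq as the LAN DHCP/DNS server, the router's inside address 192.168.1.1, the name pbx.example.com (which public DNS resolves to the WAN address), and that the 7960s load their SIP config from the TFTP server handed out in DHCP option 66.

```ini
; /etc/dnsmasq.conf on the LAN router (assumed names and addresses)

; LAN clients asking for the PBX name get the router's inside address;
; the same name looked up from the Internet returns the public address,
; so one phone config works in the office and at home.
address=/pbx.example.com/192.168.1.1

; DHCP for the phone VLAN: this box is the resolver ...
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:dns-server,192.168.1.1
; ... and the TFTP server (option 66) the 7960 pulls SIPDefault.cnf / SIP<mac>.cnf from
dhcp-option=66,"192.168.1.1"

; In SIPDefault.cnf on that TFTP server the proxy is then the name, never an address:
;   proxy1_address: "pbx.example.com"
```

Asterisk's own bindaddr stays 0.0.0.0 so it answers on both interfaces; what each interface may reach is then a firewall question, not a SIP one.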
Andrew,

Thanks for the response. That is a very clean solution and much less work/complication; however, I am not sure that the security guy for this network will allow me to put up the Asterisk box dual-homed to the public IP and the LAN. If there is not another feasible way then I may end up going with this anyway. Any other feasible ways to accomplish this?

Sorry for the top post... Having to use Outlook for the moment.

Thanks,
Andy Hester

> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Andrew Joakimsen
> Sent: Friday, January 12, 2007 9:57 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Suggestion for a new asterisk setup.
>
> I assume there is one NAT router for the LAN and nothing fancy, so setup the Asterisk machine on the router/firewall (or make it such) and have it listen on both LAN and WAN interface. Now use a hostname for the SIP server, and run a DHCP/DNS server that will resolve that hostname to the LAN IP address of your router, when it is queried from the LAN side, when from the WAN side it would just be the regular lookup (use FQDN). Now phones will work from anywhere, no NAT issues to deal with at all. Each interface that asterisk runs on is isolated from the other.
Colin Anderson
2007-Jan-12 11:19 UTC
[asterisk-users] Suggestion for a new asterisk setup.
> I am not sure that the security guy for this network will allow me to put up the asterisk box dual homed to the public IP and the LAN.

Your security guy needs to go back to school. If eth0 is on the LAN and eth1 is on the WAN, and the WAN connection is properly secured with only the ports you need, and your SIP passwords aren't 1234 or something that can be guessed, what difference is there between this configuration and port forwarding? The footprint you are exposing to the public internet is exactly the same. The only thing that I can think of is IDS; you may have a firewall that does this. Optionally, one could run a "soft" firewall on the WAN side that supports IDS if that is the issue. Otherwise, why not?
In the current setup, Asterisk is behind a different NAT/firewall than the LAN phones. The phones are using SCCP. If the Asterisk box is compromised, it is not on the local LAN. This is what I think he doesn't want to give up.

Andy

> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Colin Anderson
> Sent: Friday, January 12, 2007 12:20 PM
> To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: RE: [asterisk-users] Suggestion for a new asterisk setup.
>
> > I am not sure that the security guy for this network will allow me to put
> > up the asterisk box dual homed to the public IP and the LAN.
>
> Your security guy needs to go back to school. If eth0 is on the LAN and
> eth1 is on the WAN, and the WAN connection is properly secured with only the
> ports you need, and your SIP passwords arent 1234 or something that can be
> guessed, what difference is there between this configuration and port
> forwarding? The footprint you are exposing to the public internet is
> exactly the same. The only thing that I can think of is for IDS, you may have a
> firewall that does this. Optionally, one could run a "soft" firewall on
> the WAN side that supports IDS if that is the issue. Otherwise, why not?
Colin Anderson
2007-Jan-12 14:25 UTC
[asterisk-users] Suggestion for a new asterisk setup.
> In the current setup, asterisk is behind a different nat/firewall than
> the LAN phones. The phones are using sccp. If the asterisk box is
> compromised, it is not on the local LAN. This is what I think he
> doesn't want to give up.

Oho, now I see. Well, there's the philosophical endless debate about security vs. easy access. It's quite true that SIP will have a more compromise-able footprint than SCCP, which is quite obscure these days. In the end, your choices are security-through-obscurity using SCCP and a separate NAT, or a standards-based, modern, cleaner implementation with a single Asterisk box port-forwarded or dual-homed.

SCCP pros and cons:

Pros:
- Works today
- Protocol does not have a large attack surface simply because it is obscure

Cons:
- Obscure. Any issue with SCCP will be difficult to research as time goes on; isn't Cisco dropping it?
- SCCP will go bye-bye eventually in Asterisk just like ADSI, then you are painted into a corner forever with a 1.2.X box

SIP pros and cons:

Pros:
- Modern, interop (mostly) guaranteed
- Not painted into a corner with respect to 3rd party stuff
- Security risks are well understood and can be mitigated through prudent configuration
- Thousands of people hammer on SIP millions of times a day; if something comes up with respect to security, you're going to hear about it.
- Well understood firewall/DMZ guidelines and advice.
- SIP will never go bye-bye. I can see SIP running 50 years from now.

Cons:
- NAT of course
- Attack surface area larger
- More people trying to do bad things with it

Your first idea has merit, that of 2 separate boxes: 1 in the LAN, 1 outside the LAN, tied together with IAX. I say IAX because you can use the Switch() directive to shunt inbound calls from Box A to Box B and change dialplan logic based on whether they are at the office or outside. Later versions of Asterisk I believe support MWI through IAX. Advantage is, if the outside box gets compromised, no big deal. Disadvantage is, 2 dialplans, 100% more points of failure.
Maybe what you need for your security guy is some sort of executive summary as to the state of the union with respect to SIP security, what the risks are, and how they can be mitigated. SIP when set up half-assed is horribly insecure, but when set up correctly it has no more and no less attack surface area than httpd. Because otherwise you will never get this thing done and you may as well put in a Meridian and issue cell phones.

Good luck
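Editor's note: an added example of the two-box layout Colin sketches, not part of his reply. Box A (outside, 203.0.113.10) registers the roaming phones and is the only thing reachable from the Internet; Box B (inside, 192.168.1.10) holds the LAN phones, voicemail and recordings and accepts IAX2 from Box A alone, so a compromise of A gives an attacker one dialplan context on B and nothing else. Names, secrets, addresses and the 2XX extension range are assumed.

```ini
; ---- iax.conf on Box B (inside) ----
[general]
bindport=4569
bindaddr=192.168.1.10        ; the firewall only passes UDP 4569 from 203.0.113.10 to here (assumed)

[boxa]
type=friend
host=203.0.113.10            ; static host: B only talks to A, A cannot impersonate anyone else
secret=long-random-trunk-secret
context=from-boxa            ; everything A sends lands in this one context
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255
trunk=yes                    ; needs a timing source (zaptel/ztdummy on 2007-era Asterisk); drop it if you have none
qualify=yes

; ---- extensions.conf on Box B ----
[from-boxa]
; The outside box may ring internal extensions 2XX and drop to voicemail; no
; outbound trunks, no admin extensions, nothing else is visible in this context.
exten => _2XX,1,Dial(SIP/${EXTEN},20)
exten => _2XX,n,Voicemail(${EXTEN}@default,u)
exten => _2XX,n,Hangup()

; ---- extensions.conf on Box A (outside) ----
[from-roaming-phones]
; Anything not defined locally falls through to Box B's from-boxa context.
; switch => IAX2/user:secret@host/context
switch => IAX2/boxa:long-random-trunk-secret@192.168.1.10/from-boxa
; The explicit equivalent, if you prefer per-pattern control, is
;   exten => _2XX,1,Dial(IAX2/boxb/${EXTEN})
; with a matching [boxb] peer in Box A's iax.conf.
```

With this split, which box a phone is on decides which dialplan it gets (A's for roaming, B's for the office), which is the "change dialplan logic based on whether they are at the office or outside" behaviour above; the price is that both dialplans have to be kept in step.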