VoIP Mailing List Archives
Mailing list archives for the VoIP community
caduceus_abode at hotm... Guest
Posted: Thu Jan 17, 2008 8:09 pm Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
Hi there
this is an interesting topic that I see here and a problem that I am trying to solve too.
But I was wondering if the forwarding solution will work for my case.
So I have two Asterisk boxes A and B.
A is behind a corporate NAT such that A can SSH to B, but not vice versa ("One-way SSH"). The UDP port 5060 of the corporate NAT is blocked off and I will not be able to have it unblocked for security reasons.
Hence, is my only choice using an SSH tunnel between A and B for the IAX connection to work? Will it work though with that "One-way SSH" factor mentioned before?
Thanks
John
Quote:
> From: thp at westhawk.co.uk
> To: asterisk-users at lists.digium.com
> Date: Wed, 2 Jan 2008 16:29:45 +0000
> Subject: Re: [asterisk-users] Two Asterisks behind NAT and need to link them using IAX trunk
>
> Sure, but if (as is often the case) you only have control over the firewall at one end of the link, you set the forwarding at the end you control and have the far end to register to you every 30 seconds.
>
> Tim.
>
> On 2 Jan 2008, at 15:13, Rob Hillis wrote:
>
> > Perhaps. I've never been one to trust that firewalls operate as they should - I've been bitten far too many times by a firewall that doesn't quite behave as you expect. Also, when diagnosing network connectivity problems, I find that it helps to have the rules in place rather than having to infer the rule.
> >
> > Tim Panton wrote:
> >
> >> If you are careful, you only need to set up a port forward at one end of the IAX trunk.
> >>
> >> Have one Asterisk register (regularly) with the other.
> >> The second asterisk (server) will need to have port 4569 forwarded through its router.
> >> The first asterisk (client) won't need any port forwarding.
> >>
> >> Tim.
> >>
> >> On 2 Jan 2008, at 10:18, Rob Hillis wrote:
> >>
> >>> The reason that IAX2 is considered good for NAT issues is that it uses only one port for both control messages and voice traffic as opposed to SIP that uses a predictable port for control messages and an unpredictable one for voice/video traffic.
> >>>
> >>> If both servers are behind NAT servers, you will need to ensure that the appropriate UDP port (by default 4569) is forwarded to your Asterisk servers. Only this port is required - RTP isn't used by IAX2.
> >>>
> >>> bilal ghayyad wrote:
> >>>
> >>>> Hi List;
> >>>>
> >>>> I heard that IAX is good for NATing issues, but I do not know if it can help me in that scenario:
> >>>>
> >>>> I have two Asterisk machines in different sites and both are behind NAT (both have private IP address), I need to link these two asterisks with IAX trunk (if it help really in such scenario), but I do not know if it will work without doing special routing settings on the router (like TCP/UDP port mapping or IP forwarding)? How that will be it if possible? Or I have to do a kind of port mapping?
> >>>>
> >>>> If I will need to use port mapping, then I have to map the TCP and UDP ports that are determined in iax.conf and rtp.conf files at site A for asterisk ip address at site A? Or I have to map the TCP and UDP ports that are in iax.conf and rtp.conf at site B for asterisk ip address at site A? In other words, if I am at site B then I have to go for router B and do mapping for TCP/UDP ports of the asterisk at site B or the asterisk at site A?
> >>>>
> >>>> Any help.
> >>>> Regards
> >>>> Bilal

bilmar_gh at yahoo.com Guest
Posted: Fri Jan 18, 2008 7:21 am Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
Hi;
Via OpenVPN or port forwarding is known for me, but
via SSH is new for me, how I can do it and what is the
difference by SSH and OpenVPN?
Regards
Bilal
-----------------------------
Good question. I have never tried tunneling IAX over SSH but it seems like it should work just like anything else.
How about a port opened up for OpenVPN. You know you can run IAX on any port you wish, port 80 may work for you if you have some extra external IPs not being used for HTTP. The same is true for OpenVPN.
Thanks,
Steve Totaro

dhartman at djhsolutio... Guest
Posted: Fri Jan 18, 2008 11:17 am Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
bilal ghayyad wrote:
Quote: | Hi;
Via OpenVPN or port forwarding is known for me, but
via SSH is new for me, how I can do it and what is the
difference by SSH and OpenVPN?
|
SSH uses TCP. OpenVPN, by default, uses UDP.
--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com

Guest
Posted: Fri Jan 18, 2008 11:48 am Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
It is possible to run openVPN in TCP mode over an SSH tunnel. Don't turn
compression on on both though - I'd just switch it on the openVPN if you
have to.
You will probably find the speech is rather choppy due to the delays and
fragmentation, but I have done this.
Peter

tzafrir.cohen at xorco... Guest
Posted: Fri Jan 18, 2008 1:03 pm Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
On Thu, Jan 17, 2008 at 11:06:22PM -0500, Steve Totaro wrote:
Quote: | Good question. I have never tried tunneling IAX over SSH but it seems like
it should work just like anything else.
|
SSH tunnels TCP alone. IAX is UDP. You can use it to create some sort of
full-fledged VPN connection, but it is not trivial. Instead, you should
probably go for openvpn. SSH is on top of TCP, so there is an inherent
potential delay.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

bilmar_gh at yahoo.com Guest
Posted: Fri Jan 18, 2008 5:46 pm Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
Hi;
How can I use SSH in that scenario? Is there a link
that can help to understand what I have to install and
to configure?
Regards
Bilal

chris at cgb1911.mine.nu Guest
Posted: Sat Jan 19, 2008 3:11 am Post subject: [asterisk-users] Two Asterisks behind NAT and need to link t
Hi Bilal,
Quote: | How can I use SSH in that scenario? Is there a link
that can help to understand what I have to install and
to configure?
|
I don't think SSH is a recommended approach. You can't run an IAX2
trunk over SSH (IAX2 uses UDP and SSH only supports TCP port
forwarding).
http://www.securityfocus.com/infocus/1816 documents TCP port
forwarding over SSH. As others above in this thread have suggested, you'll
need to implement OpenVPN (TCP tunnel) over SSH in order to establish
an IAX2 trunk.
It is much simpler to just use OpenVPN and forget about SSH
altogether. The additional overhead in an IAX2 over OpenVPN over SSH,
coupled with the use of TCP for the SSH and OpenVPN tunnels, will
cause more problems with voice quality.
The documentation on openvpn.net is excellent. Try
http://openvpn.net/static.html for a quick guide using static pre-shared
keys.
Installation of openvpn on your Linux distribution should be as simple
as:
Ubuntu/Debian: apt-get install openvpn
Redhat based: http://dag.wieers.com/packages/openvpn will give you an RPM
Gentoo: emerge openvpn
Others: use tarball and compile, or find appropriate package
Good luck and feel free to email back if you have troubles.
Regards,
Chris Bennett
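
The plain-OpenVPN setup recommended in the post above, sketched as an added example that is not part of the original thread or of the OpenVPN or Asterisk documentation: box A, behind the corporate NAT, initiates a static-key tunnel to box B, and the IAX2 link then runs between the tunnel addresses. The hostname b.example.net, the 10.8.0.x addresses, the names siteA/siteB, the CHANGE_ME secret, the from-siteB context and the file paths are assumptions, as is outbound UDP 1194 being permitted from A.

```conf
# Constructed example. Placeholders: b.example.net, 10.8.0.1/10.8.0.2,
# siteA/siteB, CHANGE_ME, from-siteB. Generate the shared key once with
# `openvpn --genkey --secret static.key` and copy it to both boxes over SSH.

# ---- Box B (reachable from A): /etc/openvpn/iax-link.conf ----
dev tun
proto udp                       # UDP avoids the TCP delay discussed in the thread
port 1194                       # the only port B has to accept from A's NAT address
ifconfig 10.8.0.1 10.8.0.2      # local tunnel IP, then remote tunnel IP
secret /etc/openvpn/static.key  # pre-shared key; readable by root only
keepalive 10 60

# ---- Box A (behind the corporate NAT, always initiates): /etc/openvpn/iax-link.conf ----
dev tun
proto udp
remote b.example.net 1194
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
keepalive 10 60                 # periodic pings keep the NAT mapping open for calls from B

; ---- Box A: iax.conf (box B mirrors it with addresses and names swapped) ----
[general]
bindaddr=10.8.0.2               ; listen for IAX2 on the tunnel address only

[siteB]
type=friend
host=10.8.0.1                   ; B's tunnel address; UDP 4569 stays inside the tunnel
username=siteA
secret=CHANGE_ME
auth=md5
qualify=yes
context=from-siteB
```

Because A always opens the tunnel, no port forward is needed on the corporate NAT and IAX2 is never exposed on a public interface. Newer OpenVPN releases deprecate static-key mode in favour of TLS mode with certificates.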