Asterisk server static IP or behind NAT?

Discussion in 'VOIP' started by William P.N. Smith, Apr 18, 2006.

  1. I'm designing my first Asterisk system, and I'm a bit stuck on where
    to put the server. I've got a bunch of Polycom {IP501,IP601} phones
    and a Linksys SRW224P Poe switch, and I'm building a box to run
    A@Home...

    I have some public static IPs available, and I have NAT router(s)
    providing internet access to my LAN, so I can either give the PBX a
    static IP or put it on my LAN, but I can't figure out what's the
    'right' thing to do.

    Obviously I want to put the phones on the LAN, so I can move them
    around to any network jack, and they can supply LAN connectivity to
    connected computers. Therefore the phones will be behind my NAT
    router getting IP addresses in the 192.168.1.x subnet.

    I figure I can either:

    A) Put the PBX behind the NAT router. This puts the phones on the
    same subnet as the PBX, and adds some additional security by putting
    the PBX behind a (hardware) firewall. The downside is that there are
    ports to open in the firewall, and my impression is that connecting
    phones in other locations is more difficult and/or prone to problems.

    B) Put the PBX out on the net with a static IP, but then don't the
    phones have to do the (STUN?) NAT Traversal thing to get to their PBX?

    C) I suppose I could play some games with DMZ on a cheap router, but
    that feels like the worst of both worlds...

    D) There's probably something I can do with VLANs on the switch, but
    that's a rathole, I can't find any good VLAN references, and I really
    don't want to try to learn too many things at once. 8*|

    Anyway, I'd really appreciate some hints or general guidance from the
    experts here!

    Thanks!
    William P.N. Smith, Apr 18, 2006
    #1
    1. Advertising

  2. The scenario B) is definitely the best. In Asterisk's sip.conf, in the
    sections for the phones behind the NAT, set "nat=yes"; do NOT enable STUN
    on the phones, because that would likely prevent communications among
    internal phones if canreinvite=yes in also set for them in sip.conf . In
    fact, canreinvite=no is the safest choice anyway, even though it may
    slightly increase the latency by forcing all the traffic to flow through
    Asterisk.

    If you put Asterisk behind the NAT, you are going to have endless
    problems: port forwarding with SIP is not enough, as IP addresses are
    transmitted in ASCII inside the payload. Some modern routers have "SIP
    helper" modules able to modify them on the fly, similarly to what is done
    with FTP, but don't count of it. Dealing with NAT traversal is where IAX
    shines in comparison with SIP.

    Even better would be to use as router the Linux box where Asterisk runs,
    and have Asterisk bind to 0.0.0.0. This way, neither internal nor external
    connections would be NATted...

    For more details, see: http://www.voip-forum.com/?p=131&more=1 (under "SIP
    and NAT - what is the problem, really?") and the scenarios described at
    http://www.voip-info.org/wiki-Asterisk SIP NAT solutions .

    Enzo

    "William P.N. Smith" <> wrote in message
    news:...
    > I'm designing my first Asterisk system, and I'm a bit stuck on where
    > to put the server. I've got a bunch of Polycom {IP501,IP601} phones
    > and a Linksys SRW224P Poe switch, and I'm building a box to run
    > A@Home...
    >
    > I have some public static IPs available, and I have NAT router(s)
    > providing internet access to my LAN, so I can either give the PBX a
    > static IP or put it on my LAN, but I can't figure out what's the
    > 'right' thing to do.
    >
    > Obviously I want to put the phones on the LAN, so I can move them
    > around to any network jack, and they can supply LAN connectivity to
    > connected computers. Therefore the phones will be behind my NAT
    > router getting IP addresses in the 192.168.1.x subnet.
    >
    > I figure I can either:
    >
    > A) Put the PBX behind the NAT router. This puts the phones on the
    > same subnet as the PBX, and adds some additional security by putting
    > the PBX behind a (hardware) firewall. The downside is that there are
    > ports to open in the firewall, and my impression is that connecting
    > phones in other locations is more difficult and/or prone to problems.
    >
    > B) Put the PBX out on the net with a static IP, but then don't the
    > phones have to do the (STUN?) NAT Traversal thing to get to their PBX?
    >
    > C) I suppose I could play some games with DMZ on a cheap router, but
    > that feels like the worst of both worlds...
    >
    > D) There's probably something I can do with VLANs on the switch, but
    > that's a rathole, I can't find any good VLAN references, and I really
    > don't want to try to learn too many things at once. 8*|
    >
    > Anyway, I'd really appreciate some hints or general guidance from the
    > experts here!
    >
    > Thanks!
    Enzo Michelangeli, Apr 18, 2006
    #2
    1. Advertising

  3. William:

    I may be pointing out the obvious but.... Be sure to secure your Asterisk
    box if you put it on a static IP or in the DMZ. I have a test box in the
    DMZ and gets pounded all day and night by people trying to get into it.

    Jonathan

    "William P.N. Smith" <> wrote in message
    news:...
    > I'm designing my first Asterisk system, and I'm a bit stuck on where
    > to put the server. I've got a bunch of Polycom {IP501,IP601} phones
    > and a Linksys SRW224P Poe switch, and I'm building a box to run
    > A@Home...
    >
    > I have some public static IPs available, and I have NAT router(s)
    > providing internet access to my LAN, so I can either give the PBX a
    > static IP or put it on my LAN, but I can't figure out what's the
    > 'right' thing to do.
    >
    > Obviously I want to put the phones on the LAN, so I can move them
    > around to any network jack, and they can supply LAN connectivity to
    > connected computers. Therefore the phones will be behind my NAT
    > router getting IP addresses in the 192.168.1.x subnet.
    >
    > I figure I can either:
    >
    > A) Put the PBX behind the NAT router. This puts the phones on the
    > same subnet as the PBX, and adds some additional security by putting
    > the PBX behind a (hardware) firewall. The downside is that there are
    > ports to open in the firewall, and my impression is that connecting
    > phones in other locations is more difficult and/or prone to problems.
    >
    > B) Put the PBX out on the net with a static IP, but then don't the
    > phones have to do the (STUN?) NAT Traversal thing to get to their PBX?
    >
    > C) I suppose I could play some games with DMZ on a cheap router, but
    > that feels like the worst of both worlds...
    >
    > D) There's probably something I can do with VLANs on the switch, but
    > that's a rathole, I can't find any good VLAN references, and I really
    > don't want to try to learn too many things at once. 8*|
    >
    > Anyway, I'd really appreciate some hints or general guidance from the
    > experts here!
    >
    > Thanks!
    Jonathan Roberts, Apr 18, 2006
    #3
  4. "Jonathan Roberts" <> wrote:
    >I may be pointing out the obvious but.... Be sure to secure your Asterisk
    >box if you put it on a static IP or in the DMZ. I have a test box in the
    >DMZ and gets pounded all day and night by people trying to get into it.


    Yeah, also
    http://www.voip-info.org/wiki/view/...er 7#7223PolycomandNATSWelcometohellatleastas
    seems to say that my phones won't do NAT traversal very well, and (at
    least in the beginning) I'll be using the PBX with POTS lines, so
    maybe I'll put it inside the firewall to start with and see how it
    goes...

    Thanks for the feedback, all!
    William P.N. Smith, Apr 18, 2006
    #4
  5. William P.N. Smith <> writes:
    > Yeah, also
    > http://www.voip-info.org/wiki/view/...er 7#7223PolycomandNATSWelcometohellatleastas
    > seems to say that my phones won't do NAT traversal very well, and (at
    > least in the beginning) I'll be using the PBX with POTS lines, so
    > maybe I'll put it inside the firewall to start with and see how it
    > goes...


    My personal feeling is that phones and asterisk should really be on
    real static IP's so that they can re-invite and have a faster direct
    talk-path. Putting your phones inside a NAT-ing firewall forces you
    to turn off re-invites and leaves asterisk in your talk-path. If the
    machine gets busy and asterisk gets delayed by a few 100ms, audio will
    "hiccup".

    For security reasons you should run asterisk as some powerless user in
    a chroot jail. This is a bit fiddley to set up, but well worth it if
    some script kiddie finds an exploitable asterisk bug. And asterisk
    does have plenty of questionable code for kiddies to try to find some
    way to exploit. Look at the large number of system(...) calls. All
    of those are accidents waiting to happen.

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
    Wolfgang S. Rupprecht, Apr 18, 2006
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tony
    Replies:
    2
    Views:
    455
    Jason Kau
    Dec 18, 2003
  2. Corbin O'Reilly
    Replies:
    2
    Views:
    3,123
    Corbin O'Reilly
    May 26, 2004
  3. Frej Jensen
    Replies:
    6
    Views:
    5,136
    ItsMe
    Aug 26, 2003
  4. Replies:
    1
    Views:
    463
    Brian V
    Sep 22, 2007
  5. Tamer Higazi
    Replies:
    3
    Views:
    1,729
    Tamer Higazi
    Feb 11, 2009
Loading...

Share This Page