Re: [asterisk-users] Asterisk Behind Firewall

[IPN Comm]

I have a /29 to use for the network.

My immediate go-to set-up will be to put the asterisk server on a public IP
off the /29 and harden the IPtables along with other monitoring scripts and
lock down methods. Then add the router on a different /29 IP and have all
the phones register through the router to the public asterisk server and
limit only registrations from that router's IP address.

I then would add the three trunks I need such as inbound/outbound,
international, and 911 to the asterisk box

However, I do think this is best practices. It is my understanding to move
the asterisk box behind a router/firewall and have the phones on the same
subnet of the asterisk box. Then the router/firewall will do the trunking
to the vendors.

I dont know which is best nor do I know the hardware for the
router/firewall device.

On Mon, Jan 4, 2016 at 1:31 PM, Ron Wheeler 
wrote:

> Both work.
> If you have enough IP addresses to dedicate one to your Asterisk server,
> that removes one node in the path from the world.
> You will need a firewall on the Asterisk server to protect it from outside
> meddling.
> If you can put the Asterisk server on the same network as the SIP devices
> (using a second NIC) that should help performance.
>
> Is the SIP network on the same network as your internet/data LAN?
>
> Ron
>
>
> On 04/01/2016 1:15 PM, IPN Comm wrote:
>
> I was wondering if anyone can give me any pointers or insights of whether
> or not to have an asterisk server behind a firewall.
>
> I have always ran Asterisk on a public IP but was wondering if I should
> move it to a local IP behind a firewall.
>
> I am looking to set up a location with 300 SIP phones.
>
> Normally, I would put the Asterisk server on one public IP and let the SIP
> phones get DHCP from a router on a different IP and they would register to
> the Public Asterisk server from that IP address.
>
> Should I move the asterisk server behind the same router?
>
> If so, how should the server be set up and what is the best
> router/firewall hardware to accomplish this environment?
>
> Thanks,
> -H
>
>
>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwhee...@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>
> --
> _
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>http://lists.digium.com/mailman/listinfo/asterisk-users
>
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Asterisk Behind Firewall

[Madushan Geethanga]

Hi,

I have used a sonicwall  Firewall, it has a sip transformation feature. It
is necessary to use a firewall to protect your server

Best Regards,
Madushan

On Mon, Jan 4, 2016 at 11:45 PM, IPN Comm  wrote:

> I was wondering if anyone can give me any pointers or insights of whether
> or not to have an asterisk server behind a firewall.
>
> I have always ran Asterisk on a public IP but was wondering if I should
> move it to a local IP behind a firewall.
>
> I am looking to set up a location with 300 SIP phones.
>
> Normally, I would put the Asterisk server on one public IP and let the SIP
> phones get DHCP from a router on a different IP and they would register to
> the Public Asterisk server from that IP address.
>
> Should I move the asterisk server behind the same router?
>
> If so, how should the server be set up and what is the best
> router/firewall hardware to accomplish this environment?
>
> Thanks,
> -H
>
> --
> _
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>http://lists.digium.com/mailman/listinfo/asterisk-users
>
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] Asterisk Behind Firewall

[IPN Comm]

I was wondering if anyone can give me any pointers or insights of whether
or not to have an asterisk server behind a firewall.

I have always ran Asterisk on a public IP but was wondering if I should
move it to a local IP behind a firewall.

I am looking to set up a location with 300 SIP phones.

Normally, I would put the Asterisk server on one public IP and let the SIP
phones get DHCP from a router on a different IP and they would register to
the Public Asterisk server from that IP address.

Should I move the asterisk server behind the same router?

If so, how should the server be set up and what is the best router/firewall
hardware to accomplish this environment?

Thanks,
-H
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Asterisk Behind Firewall

[Ron Wheeler]

Both work.
If you have enough IP addresses to dedicate one to your Asterisk server, 
that removes one node in the path from the world.
You will need a firewall on the Asterisk server to protect it from 
outside meddling.
If you can put the Asterisk server on the same network as the SIP 
devices (using a second NIC) that should help performance.


Is the SIP network on the same network as your internet/data LAN?

Ron

On 04/01/2016 1:15 PM, IPN Comm wrote:
I was wondering if anyone can give me any pointers or insights of 
whether or not to have an asterisk server behind a firewall.


I have always ran Asterisk on a public IP but was wondering if I 
should move it to a local IP behind a firewall.


I am looking to set up a location with 300 SIP phones.

Normally, I would put the Asterisk server on one public IP and let the 
SIP phones get DHCP from a router on a different IP and they would 
register to the Public Asterisk server from that IP address.


Should I move the asterisk server behind the same router?

If so, how should the server be set up and what is the best 
router/firewall hardware to accomplish this environment?


Thanks,
-H





--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[Asterisk-Users] Asterisk behind firewall and IAX

[Simon Brown]

I have my Asterisk server behind a Cisco firewall.  I am trying to set up IAX
but I cannot work out which ports I need to open up on my firewall.  I have
opened 4569, 5036, and 5060 but IAX calls will not proceed unless I turn off
all access lists on the firewall.

I have searched all the Asterisk documentation but cannot find the answer.

Any help will be greatly appreciated.

Simon Brown

-
This mail was content checked for malicious code and viruses
by GFI MailSecurity.

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [Asterisk-Users] Asterisk behind firewall and IAX

[Eric Wieling]

On Mon, 2004-03-22 at 20:42, Simon Brown wrote:
 I have my Asterisk server behind a Cisco firewall.  I am trying to set up IAX
 but I cannot work out which ports I need to open up on my firewall.  I have
 opened 4569, 5036, and 5060 but IAX calls will not proceed unless I turn off
 all access lists on the firewall.

4569 is IAX2, 5036 is IAX, 5060 is SIP Signaling.  Remember these are
all UDP.  Looks at the logs from your Cisco, they will tell you exactly
which packets are being blocked.  Assuming you put deny ip any any log
at the end of your access list (having the router log to a syslog server
somewhere is also helpful.

-- 
Useful Asterisk Docs (BOOKMARK THEM!):
http://www.digium.com/index.php?menu=documentation (look at the
Unofficial Links) and http://www.voip-info.org/wiki-Asterisk and
http://www.fnords.org/~eric/asterisk/ (my site) and
http://asteriskdocs.org/

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [Asterisk-Users] Asterisk behind firewall and IAX

[Rich Adamson]

 I have my Asterisk server behind a Cisco firewall.  I am trying to set up IAX
 but I cannot work out which ports I need to open up on my firewall.  I have
 opened 4569, 5036, and 5060 but IAX calls will not proceed unless I turn off
 all access lists on the firewall.
 
 I have searched all the Asterisk documentation but cannot find the answer.

Depends on how you've set up asterisk...

using iax: open udp 5036
using iax2: open udp 4569 (most common)
 (not sure whether iax or iax2, open both)
using sip: need more info...
  a. sip uses udp 5060 to set up a call, and,
  b. other udp ports (generally above 16,000) to transport the voice (rtp
 protocol).
Both a and b are required for sip phones to function.

The sip protocol is used to negotiate the rtp ports. Some firewalls are
aware of the sip protocol and will monitor that port negotiation while
other firewalls do not. It's my understanding (although possibley incorrect)
that certain versions of PIX do monitor the sip protocol; don't have a
clue which versions though.

Depending upon whether asterisk is behind the firewall, or a sip phone
is behind it (or both), the parameters needed within the sip.conf file
can be a little tough to get right. The exact parameters are pretty much
dependent upon your exact implementation, and a packet sniffer (ethereal)
can be a big help.

Iax and iax2 are very straight-forward and easy to implement since they
use the same port number in both directions. Even the cheapest firewalls
can usually handle that.



___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users