try bottom posting, it's easier to follow !

Samer Y. Azmy wrote:

>>>I have done Static NAT from the External Address to the Address of
>>>the Asterisk Box
>>>
>>>I added some rules like
>>>ACCEPT net loc:192.168.1.250 tcp 5060 5060
>>>ACCEPT net loc:192.168.1.250 udp 5060 5060
>>
>> OK, what is your network topology ? Where did you do the static nat ?
>> Have you tried just turning off the Shorewall until you get the
>> network right ?
>
>1) Regarding the network topology
>It is two networks structure, local lan interface is connected to a switch,
>where the rest of servers are there

How are you connected to the internet, where is the NAT done, how are you sure that the NAT (or more precisely the port forwarding) is working correctly ?

What I'm getting at is things like - is this system acting as the gateway (and doing NAT internally), or is it sat on a LAN with a separate router ?

>> Are you running [EMAIL PROTECTED]/Trixbox or a manual install of Asterisk ?
>>
>> For AAH or Trixbox, you will need to populate sip_nat.conf so that
>> Asterisk can put the right address/port in its outbound SIP
>> messages. Not sure which file it belongs in for a manual Asterisk
>> install.

>2) for Asterisk , we have TrixBox

Don't forget to create sip_nat.conf - try google for what should be in it, I can't remember offhand.

>3) the strange thing that I need feed back on is that
>i) we used to run rc.firewall and Asterisk used to work
>ii) now with ShoreWall Asterisk does not work
>iii) all what I have done is to stop rc.firewall (rc.firewall stop)
>iiii) I did alter rc.firewall or any other files
>v) I installed/Configured Shorewall
>
>Is that enough or I should do something more

I would be inclined to install tethereal so that you can sniff packets on the network - that way you can see if they are getting through your NAT gateway or not.

>4) the strange thing when I nmap the server, I find closed ports although
>that I opened them through shorewall but nmap reports them closed
>
>5) NMAP able to scan the server and report open ports , as well as
>closed/filtered (so the ISP is not block NMAP)
>Please note that I scan from another network (completely ISP)

I'm not sure how useful nmap is for udp. udp doesn't have a protocol level handshake like tcp does, so if Asterisk doesn't respond then you simply don't get a reply. nmap can only tell you that a port is closed if it gets an appropriate icmp reply back, if it gets nothing then it cannot tell between an application not responding and a firewall dropping the packet. I think Asterisk is likely to ignore anything that doesn't look like a SIP packet.

So, I would suggest installing tethereal (or any other sniffer if you prefer), then :

    tethereal -i ethx -f "port 5060"

will show you any SIP packets in or out of interface ethx (you can leave out "-i ethx" if you only have one network interface). If you don't see any packets (and I would do this with all firewall(s) in the system disabled) then I think you need to look further out on the network.

BTW - don't forget that you will need to open up your rtp ports as well, the range used by Asterisk is rather large by default, and is defined in rtp.conf IIRC.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
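The UDP point made in the reply above, as an added example that is not part of the original post: a small probe that sends a well-formed SIP OPTIONS request to your own server and separates the three outcomes (an answer, an ICMP port unreachable, or silence). The function names, the `probe@` user and the 127.0.0.1 defaults are assumptions made for the illustration.

```python
import socket
import sys
import uuid

def build_options(host, port, local_ip="127.0.0.1"):
    """Minimal SIP OPTIONS request; probe@local_ip and the random IDs are made up."""
    rnd = lambda n: uuid.uuid4().hex[:n]
    return "\r\n".join([
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        # rport asks the server to answer to the packet's real source port
        f"Via: SIP/2.0/UDP {local_ip};branch=z9hG4bK{rnd(16)};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={rnd(8)}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {rnd(32)}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",  # blank line terminates the header block
    ]).encode()

def probe_udp(host, port, payload, timeout=2.0):
    """Return (state, first_line_of_reply).

    'reply'         -> the application answered
    'closed'        -> an ICMP port unreachable came back
    'open|filtered' -> silence: the application ignored the packet OR a
                       firewall dropped it; UDP alone cannot tell which
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors reach us
        try:
            s.send(payload)
            data = s.recv(4096)
        except ConnectionRefusedError:
            return "closed", b""
        except socket.timeout:
            return "open|filtered", b""
        return "reply", data.split(b"\r\n", 1)[0]

if __name__ == "__main__":
    # Usage: python sip_probe.py <host> [port]; the defaults are placeholders.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    state, line = probe_udp(host, port, build_options(host, port))
    print(f"{host}:{port}/udp -> {state} {line.decode(errors='replace')}")
```

A `reply` carrying a SIP status line means both the port forward and Asterisk are working; `open|filtered` is the case where a sniffer on the Asterisk box, as suggested above, shows whether the request arrived at all.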
