lpa du morvan wrote:

>But I did not make any configuration on my asterisk because when I used
>MNF2, all is functional with the native installation of asterisk, and on
>MNF2 I have right addition in /etc/shorewall/rules

MNF2 ?

>I must thus preserve my MNF2 only for my asterisk !!! and I would like to
>give up my MNF2 completely.

MNF2 is another firewall ?

I'm not entirely sure what you are saying, but what I can tell you is :

1) SIP does NOT work through NAT without some help.

2) Some firewalls have a SIP ALG (Application Level Gateway) which intercepts all SIP traffic and does some mangling to the addresses contained within. The ALG may also do automatic port forwarding - again by using the content of the SIP packets it passes. I'm guessing that your MNF2 system had such an ALG.

3) Asterisk has a setting that will tell it to take account of NAT (IIRC it's sip_nat.conf). For SIP exchanges that Asterisk determines (based on what you tell it) are to go out through a NAT gateway, Asterisk will use the correct public IP & port in its messages. This DOES work.

4) Just for completeness, many SIP devices have STUN (Simple Traversal of UDP through NAT) which uses exchanges with an external server to determine the public IP & port, and the type of NAT in use. This isn't relevant to your problem.

IMHO, the best way to make Asterisk work through NAT is :

Configure sip_nat.conf correctly.

Configure the firewall to map between port 5060 on the public IP and port 5060 on the Asterisk box.

Similarly configure port forwarding for the RTP ports specified in rtp.conf - and I would suggest significantly reducing the number of ports used unless you expect to need in excess of 5 thousand simultaneous calls going on !

Do NOT configure a SIP ALG on the gateway as it will conflict with the 'corrections' done by Asterisk.

Since (I assume) you are using a Linux box as your gateway, the following will also not apply - but I include it for completeness. Some NAT gateways (Zyxel take note) are well and truly f***ed up by design ! They do stupid things like mapping outbound packets from port 5060 to a random public port in spite of you having created an inbound rule to map port 5060 to 5060 - this breaks SIP.
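The reply above says SIP breaks behind NAT because addresses travel inside the SIP payload, and that the forwarded RTP ports must match rtp.conf. The following check is an added example, not part of the original message: it audits one captured SIP message for RFC 1918 addresses in Via, Contact and the SDP body, and for an RTP port outside the range forwarded on the gateway. The sample INVITE, the LAN address 192.168.1.10 and the forwarded range 10000-10100 are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a remote SIP peer cannot route back to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as it leaves a NATed Asterisk box whose NAT
# settings are not configured, so the LAN address ends up in the payload.
SAMPLE_INVITE = (
    "INVITE sip:1000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:asterisk@192.168.1.10:5060>\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.1.10\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 18000 RTP/AVP 0 8\r\n"
)

def private_addrs(where, text):
    """Findings for every RFC 1918 address that appears in text."""
    found = []
    for cand in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
            continue
        if any(addr in net for net in RFC1918):
            found.append(f"{where}: private address {cand}")
    return found

def audit_sip(message, rtp_start, rtp_end):
    """Check one SIP message against the port forwards set up on the gateway."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            findings += private_addrs(name.strip(), value)
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            findings += private_addrs("SDP " + line[:2], line)
        elif line.startswith("m="):
            port = int(line.split()[1])
            if not rtp_start <= port <= rtp_end:
                findings.append(f"SDP m=: RTP port {port} not in forwarded range {rtp_start}-{rtp_end}")
    return findings
```

Run it on a message captured on the public side of the gateway: an empty result means the addresses were rewritten and the media port falls inside the forwarded range.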
