Brad, I've played with XLite, but not with a firewall in this direction, so my comments might be off base.
> redirect_port udp 10.0.0.253:10000-20000 10000-20000
> redirect_port udp 10.0.0.253:5060 5060
>
> * is set up with the demo/sandbox config.
>
> I'm using XLite as my SIP client and have configured it on PC to work with *.
> I'm able to do everything I've tried so far. I should, though - I'm on the inside.
>
> However, when trying to make a call from the outside (via Laptop), something's
> breaking. I've set up the SIP proxy in XLite to be the external interface on
> the firewall, and am able to log into the proxy without difficulty. And while I
> can begin conversations, I can't keep them going for long.

I'd guess that udp/5060 is working fine, but the voice channel is being dropped for a couple of possible reasons. The Xlite doc suggests the voice channel will be using udp/8000-8006 where 8000 & 8001 are used for line #1, etc. Based on the redirect_port statement above, I wonder if one-half of the voice port is being blocked (and therefore times out), or, nat table timeout might be an issue.

> Any ideas what could be going on? My first guess is the firewall, but I can't
> figure out why some of the packets would get through while others apparently are
> not. I'm at a loss.

I'd download ethereal (or whatever other sniffer you'd like) and watch the flow of packets. It should give you a pretty good clue what's happening for real.

I'm not so sure you're going to want to live with the direction that you're heading (asterisk on the inside) as the nat function is going to limit what can be done. Example, even if you get this to work, trying to make any other call through nat while the first one is happening will be a problem; the first call nails up udp/5060, but the second call will have the udp/5060 nat'ed to some other port which will fail. Reversing the role of * and the laptop will work, and many others have that very implementation working for a single instance of Xlite.

Depending upon what your real objectives are for *, I'd suggest either moving * to the outside, or adding another NIC to * and placing it on the outside. You should be able to lock down that external interface in such a way as to only allow selected tcp/udp ports to be used.

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
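
One thing to look for in the capture suggested above, as an added example that is not part of the original message: the SDP body of a SIP message names the address and port where its sender expects audio, and plain port forwarding does not rewrite it. The sketch assumes the SDP was sent by the server at 10.0.0.253 and checks it against the quoted redirect_port ranges; the sample SDP, its port 12000 and the function names are constructed for illustration.

```python
import ipaddress
import re

# UDP ranges forwarded to 10.0.0.253 by the redirect_port lines quoted above.
FORWARDED_UDP = [(10000, 20000), (5060, 5060)]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: SDP body sent by the server behind the NAT, as it might
# appear in a capture. The port is illustrative, not taken from the thread.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=root 1 1 IN IP4 10.0.0.253\r\n"
    "s=session\r\n"
    "c=IN IP4 10.0.0.253\r\n"
    "t=0 0\r\n"
    "m=audio 12000 RTP/AVP 0\r\n"
)

def media_endpoints(sdp):
    """Return [(address, rtp_port)] for each audio stream in an SDP body."""
    session_addr, streams, current = None, [], "session"
    for line in sdp.splitlines():
        conn = re.match(r"c=IN IP4 (\S+)", line)
        if line.startswith("m="):
            audio = re.match(r"m=audio (\d+) ", line)
            current = [session_addr, int(audio.group(1))] if audio else None
            if audio:
                streams.append(current)
        elif conn and current == "session":
            session_addr = conn.group(1)      # session-level default address
        elif conn and current is not None:
            current[0] = conn.group(1)        # media-level c= overrides it
    return [tuple(s) for s in streams]

def check(sdp, ranges=FORWARDED_UDP):
    """List reasons an outside peer could not send media to this endpoint."""
    findings = []
    for addr, port in media_endpoints(sdp):
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append(f"{addr} is RFC 1918 space, unreachable from outside")
        for proto, p in (("RTP", port), ("RTCP", port + 1)):
            if not any(lo <= p <= hi for lo, hi in ranges):
                findings.append(f"{proto} udp/{p} is not in a forwarded range")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE_SDP):
        print(finding)
```

Paste the SDP body from a captured INVITE or 200 OK into `check()` to see whether the advertised media endpoint is one an outside client could actually reach.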