Well, if you are not using NAT the sipxrelay and remote users don't
change, only the "server behind nat" does. If you have (remote) end users
behind a firewall you will have to employ some sort of FENT (Far End NAT
Traversal) technology at your host (sipx) end.

How extensive a technology you use in front of sipx to help FENT (or use
sipxbridge) is really up to you.

sipx is not hardened, and if it were it would run under SELinux, but this
has never been done. If you put another system in front (always my
preference) it allows more granular control over avoiding DOS and other
issues, which a hardened system in front can do IF configured properly.
Whether that system runs NAT or not for sipx is entirely up to you.

Since our deployments are usually enterprise based, it is a preference to
have it behind a controlled firewall and to allow the least amount of
Internet bandwidth to be used for internal (LAN) based calls. We use
different FENT methods depending on what the customer's needs are. Some of
the FENT methods do not typically require SIP ALG or SPI to be turned off at
the remote end, which is good, but more expensive than free.

On Tue, Sep 28, 2010 at 10:07 AM, Nico (sipxecs) <[email protected]> wrote:

> Tony,
>
> To be honest, I don't like NAT at all.
> That's why a hardened system is put parallel to the firewall. It only
> allows SIP & Co on the outside.
> For your suggestion, I would need another firewall next to the current
> one, just to handle NAT for Sipxecs, to avoid NAT problems....?
> Wouldn't it be better to just drop NAT where possible?
>
> Kind regards,
> Nico
>
>
> On Tue, 28 Sep 2010 04:28:30 -0400, Tony Graziano
> <[email protected]> wrote:
> > It really is best to leave only one interface active (disabling the others)
> > and use a properly configured firewall to handle NAT for you at this time.
> >
> > On Tue, Sep 28, 2010 at 4:17 AM, <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> I have a Sipxecs box with one interface having a public IP address (213...)
> >> and one having a local address (192.168.1.)
> >> How do I configure this? I can only tell it that it has one IP address.
> >> I configured the local address as Primary IP Address.
> >> The public IP address has been specified with NAT (although NAT has been
> >> disabled).
> >>
> >> The internal phones (Gigaset, Dect) do register and can call each other
> >> through the internal interface.
> >> Operator, Voicemail, and routing to a SIP gateway don't work and terminate
> >> with 408 immediately.
> >>
> >> Of all the services only sipxacd (tcp & udp, 5150 & 5152) & freeswitch
> >> (udp & tcp 15060) listen on the public interface.
> >> sipxacd also listens on the private address on 5150 & 5152 and for 8110 in
> >> general,
> >> freeswitch listens on lo: tcp 8021 and private tcp 8080.
> >>
> >> So how should this be configured? (BTW there is a ton of information
> >> about how to configure sipxecs on one interface internally
> >> but that is hardly an option with all the ALGs sitting in the way.
> >> It has been on the LAN but that caused a lot of problems as well, depending
> >> on make & model.
> >> (Boy do I hate NAT, glad IPv6 will be needed soon.)
> >>
> >> kind regards,
> >> Nico
> >> _______________________________________________
> >> sipx-users mailing list
> >> [email protected]
> >> List Archive: http://list.sipfoundry.org/archive/sipx-users/
> >>



-- 
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.