<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2600.0" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=044234216-29012004>Never
tried it myself - but I think it should work the following way. If the Router
(NAT) has DMZ support, you can put SER on a machine in the Router's
DMZ interface. This will make the SER appear with a globally routable
address (that of the gateway or something else if you have multiple IP address
support). So when UA3 registers itself with SER (configured with NAT
support), the nathelper module will detect that UA3 is behind a NAT gateway and
will enable rtp-relaying. So the trick out here is to make the SER appear to be
on the Internet - rather than on the private network. Note that the router
should allow communication between NATted devices and machines on
the DMZ. Also note that by putting the SER on the internet, you are making
it open to attacks. Add proper firewall rules.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=044234216-29012004></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=044234216-29012004>Let me
know if it works :)</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=044234216-29012004></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=044234216-29012004>
<P><FONT size=2>Dhiraj Bhuyan<BR>Network Security Specialist,<BR>BT Exact
Business Assurance Solutions<BR><BR> </FONT></P></SPAN></FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> serusers-bounces@lists.iptel.org
[mailto:serusers-bounces@lists.iptel.org]<B>On Behalf Of </B>Edson Gellert
Schubert<BR><B>Sent:</B> 29 January 2004 15:19<BR><B>To:</B> Adrian
Georgescu<BR><B>Cc:</B> Lista SER - IPTEL<BR><B>Subject:</B> Re: [Serusers]
SER + Proxy + NAT<BR><BR></FONT></DIV><FONT face="Courier New" size=2>
<DIV><BR>-----BEGIN PGP SIGNED MESSAGE-----<BR>Hash: SHA1</DIV>
<DIV> </DIV>
<DIV>I thing that I didn't put myself very clear... Let me try an
ASCII-Diagram... ;)</DIV>
<DIV> </DIV>
<DIV> UA1 ---- public IP ---- Internet ------ ADSL/GW ------
UA2<BR> (Win Mes)
(dialup) |
| (IPTables) (Win
Mes)<BR>
|
|<BR>
/-----/
\-----------\<BR>
|
|<BR>
Router(NAT)
ADSL/Win
(Windows)<BR>
|
|<BR> UA3
------------+
|<BR> (Win
Mes)
|
UA4 (Win
Mes)<BR>
SER</DIV>
<DIV> </DIV>
<DIV><BR>What I'm looking for is a Proxy to put in the ROUTER-Machine (could
be a Linux/IPTables, FreeBSD, etc):</DIV>
<DIV> </DIV>
<DIV>I undestand what Jan explain, about the complications, and that's why I
was asking about an "inteligent" Proxy to handle SIP traffic.</DIV>
<DIV> </DIV>
<DIV>Suppose that UA3 wants to talk with UA2 (were the ADSL/GW should have
SIProxd installed). The communications flow would be
UA3-SER-Router-Internet-ADSL/GW-UA2. Ok, in the Router appears the first
challenge (how to transverse the NAT, keeping track from the flow?). Here
comes the SIP-Proxy in action. It recieves the packet from SER, make desired
changes and forward it through "Internet" to ADSL/GW. There, the SIProxyd
recieves the packet, apply the related changes and forward it to UA2. Great.
Is what we want. </DIV>
<DIV> </DIV>
<DIV>The reverse, that is, when UA2 (or UA1, or UA4) wants to talk with UA3
becomes the great challenge. How should the Proxy, in Router, knows where to
send the packets that arrive from Internet? To SER? Directly to UA3? It's hard
to make the decision.</DIV>
<DIV> </DIV>
<DIV>The Proxy had to have many from a SIP-Server functionalities. It has to
maintain flows tables with users-ID, ports and servers IP used in each
communication flow (other infos could help in other tasks, but I thing that
these one are the minimum), so that it could decide to whom send each packet
from each flow.</DIV>
<DIV> </DIV>
<DIV>So, do I make my doubts/points clear to You? If my understand is wrong,
sorry and please correct me where necessary.</DIV>
<DIV> </DIV>
<DIV>Edson.</DIV>
<DIV> </DIV>
<DIV>P.S.: In my scenario there is no SER-2-SER communications, but another
problem would be having two (or more) sites like the "Router" one. How to make
than communicate each other through NAT GW/FW?</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>- ----- Original Message ----- <BR>From: "Adrian Georgescu" <<A
href="mailto:ag@ag-projects.com">ag@ag-projects.com</A>><BR>To: <<A
href="mailto:serusers@lists.iptel.org">serusers@lists.iptel.org</A>><BR>Sent: Thursday,
January 29, 2004 8:00 AM<BR>Subject: [Serusers] SER + Proxy + NAT</DIV>
<DIV> </DIV>
<DIV><BR>> Edson,<BR>> <BR>> Putting a NAT traversal solution behing
NAT is a chicken and eg <BR>> problem, isn't it?<BR>> <BR>>
--<BR>> Adrian<BR>> <BR>> <BR>> <BR>> Hi all...<BR>>
<BR>> I look through the list's archives, but an not finding info to help
me.<BR>> <BR>> The goal is use SER but not instaled in the GW/FW (it's
not an <BR>> acceptable<BR>> option, well it's acceptable, but not for
now). So I'm trying to put <BR>> the SER<BR>> in the Internal LAN (it
could be installed in a DMZ also). So the <BR>> question<BR>> is if
there is any proxy that could be putted on the GW/FW to handle<BR>>
incomming calls (INVITEs) and forward it correctly to the SER machine <BR>>
taken<BR>> over the NAT issues?<BR>> <BR>> I already look at SIProxd
and RTProxy, but the first didn't forward<BR>> incomming calls, and the
second demands that it be instaled, with SER <BR>> on the<BR>> GW/FW. I
also am looking at SERMediaProxy (RTProxy alternative) but the<BR>>
documentations aren't sufficient detailed to answer my question. Any <BR>>
help<BR>> would be appreciated.<BR>> <BR>> Edson.<BR>> <BR>>
</DIV>
<DIV> </DIV>
<DIV><BR>-
--------------------------------------------------------------------------------</DIV>
<DIV> </DIV>
<DIV><BR>> _______________________________________________<BR>> Serusers
mailing list<BR>> <A
href="mailto:serusers@lists.iptel.org">serusers@lists.iptel.org</A><BR>> <A
href="http://lists.iptel.org/mailman/listinfo/serusers">http://mail.iptel.org/mailman/listinfo/serusers</A><BR>>
<BR>-----BEGIN PGP SIGNATURE-----<BR>Version: PGP 8.0</DIV>
<DIV> </DIV>
<DIV>iQA/AwUBQBkkYDdMQB7Du1dpEQLGiQCfcjklZxwiAtG+rj+rKqCpKIORLA0AoOZF<BR>oBf1QhqGvX67oZ14W127mCxl<BR>=oB8Y<BR>-----END
PGP SIGNATURE-----<BR></FONT></DIV></BLOCKQUOTE></BODY></HTML>