[ale] Placing SIP Server in DMZ or use DNAT?
Derek Atkins
derek at ihtfp.com
Wed May 22 09:20:54 EDT 2019
Hi,
I've got a network with the following configuration. I am being routed
IP range a.b.c.120/29. The modem takes .126. I've configured my
firewall for .121. I can add a switch between the modem and firewall to
add additional machines there:
        .126                 .121
ISP -- <Modem> --<switch>-- <firewall> -- intranet
I want to add a SIP server as .122. I have two ways to do this.
I could put it outside the firewall and just have it be natively on
.122:
        .126                 .121
ISP -- <Modem> --<switch>-- <firewall> -- intranet
                    \--<sip> (.122)
Or I have it inside the intranet and configure the firewall to
forward and rewrite packets via a set of (D)NAT rules:
        .126       .121/.122
ISP -- <Modem> -- <firewall> -- intranet
                                  \-- <sip>
What do you all feel is the best approach? I feel like the former is a
simpler configuration, even though it requires one more piece of
hardware. On the other hand, the latter approach lets me have more
visibility into the packets hitting the SIP server.
I should add that I do have at least 2 phones/ATAs sitting in the
intranet network that need to connect to the SIP server, but standard
NAT should work for that.
Currently the SIP server is sitting behind the firewall but living on a
tunneled class-C network. My IP phones are able to talk to it directly,
and because it's got a public IP on the class-C it is reachable from
devices outside the intranet. Part of this project is to remove that
extra level of latency caused by the tunnel, with the hope that removing
that extra point of failure will improve my VoIP service.
What do you all think?
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
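For the second option (SIP server inside the intranet, firewall holding .122 and rewriting packets), here is an added nftables ruleset sketch; it is not from the original post or any project it mentions. It assumes the firewall is Linux with nftables, holds a.b.c.122 as a secondary address on its WAN interface eth0, the LAN is on eth1, the SIP server sits at the placeholder address 192.168.1.10, signalling is UDP/5060 and the PBX is configured for RTP ports 10000-20000; it also covers the intranet phones by hairpinning calls they place to the public .122 address.

```nft
# Added example (not from the original post). All addresses, interface
# names and port ranges below are assumptions; adjust to your network.
define WAN_IF  = eth0
define LAN_IF  = eth1
define SIP_PUB = a.b.c.122        # public alias held by the firewall
define SIP_INT = 192.168.1.10     # placeholder internal SIP server
define LAN_NET = 192.168.1.0/24   # placeholder intranet range
define RTP     = 10000-20000      # must match the PBX's RTP port range

table ip sipnat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only SIP signalling and the configured RTP range are translated;
        # anything else aimed at .122 is left alone and dropped in forward.
        ip daddr $SIP_PUB udp dport { 5060, $RTP } dnat to $SIP_INT
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic from the SIP server leaves as .122, so remote
        # peers see one consistent address in SIP/SDP headers and RTP.
        ip saddr $SIP_INT oifname $WAN_IF snat to $SIP_PUB
        # Hairpin: an intranet phone dialling the public .122 has its source
        # rewritten, so the server's reply returns through the firewall
        # instead of going straight to the phone and bypassing the NAT state.
        ip saddr $LAN_NET oifname $LAN_IF ct status dnat masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Admit from the outside only flows that the prerouting DNAT created.
        iifname $WAN_IF ip daddr $SIP_INT udp dport { 5060, $RTP } \
            ct status dnat accept
        # Intranet phones reach the server; the server reaches the Internet.
        iifname $LAN_IF ip daddr $SIP_INT accept
        iifname $LAN_IF ip saddr $SIP_INT oifname $WAN_IF accept
    }
}
```

Because the forward chain admits only the DNAT'd SIP/RTP ports, every other probe against .122 is logged and dropped by the firewall rather than reaching the server, which is the extra visibility the inside-the-firewall option buys you.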