Connecting a phone to Asterisk outside the firewall


I have been running the Asterisk system for a few years now and it works great.

The server is at the home office but I have employees who work out of their own home offices and connect via VPN to our office. Currently they use a soft phone but for a few reasons, I don’t think that is ideal. It would be preferable if I could buy them a hard VoIP phone that is configured to connect through their firewall and our firewall to the Asterisk server so they can make or take calls regardless of whether the PC is running.

Is this possible? Is there a special phone needed that can do this? What configurations do we need to make on our firewalls to make this work? Where can I find documentation or assistance on this?

You have a couple of choices.

  1. Punch holes for SIP (UDP port 5060) & RTP (by default in Asterisk UDP ports 10000 - 20000) in your firewall and port forward those ports to your Asterisk box. Then set up “externip” and “localnets” in your sip.conf to match your internal networks. This exposes your Asterisk to the outside world with all of the scum and villainy that portscans around looking for open SIP ports.

  2. There are a few phones out in the world that have a VPN client in them, but that requires that you find the right phone that supports your VPN type (OpenVPN, Cisco EasyVPN, IPSEC, or whatever you use).
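Option 1 above written out as configuration, added here as an example and not taken from the thread: chan_sip's `sip.conf` and `rtp.conf` with the NAT settings the answer names, plus settings that limit what an exposed SIP port gives away. The addresses, peer name, secret, context and file paths are placeholders or assumptions, `nat=force_rport,comedia` is the Asterisk 1.8 and later syntax, and chan_sip spells the network key `localnet`.

```ini
; ---- /etc/asterisk/sip.conf (chan_sip; default path assumed) ----
[general]
bindport=5060                        ; SIP signalling over UDP; forward this port on the office firewall
externip=203.0.113.10                ; placeholder: the office's public IP address
localnet=192.168.1.0/255.255.255.0   ; constructed office LAN; add one localnet line per internal network
nat=force_rport,comedia              ; remote phones sit behind their own NAT router
allowguest=no                        ; refuse calls from anything not defined as a peer below
alwaysauthreject=yes                 ; identical rejection for known and unknown usernames

[remote-101]                         ; hypothetical peer for one home-office phone
type=friend
host=dynamic                         ; the home connection's address is not fixed
secret=REPLACE_WITH_LONG_RANDOM_SECRET
context=from-internal                ; assumed dialplan context name
qualify=yes                          ; periodic OPTIONS helps keep the remote NAT mapping open

; ---- /etc/asterisk/rtp.conf ----
[general]
rtpstart=10000                       ; must match the UDP range forwarded on the firewall
rtpend=20000
```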

I think the actual fiddly bit here is that there are two NAT traversals, even though nothing was actually said about NAT. That is best handled by a combination of port forwarding on the remote router, and a NAT aware phone, but SIPALG on that router, or other approaches might work.

A router with VPN support would be an easier and securer solution.

One more vote for buying routers with VPN support and let the routers do the VPNs. That way not only telephony would work via VPN, but you can also set up a server on your central office LAN which remote users can access.