[Discuss] Placing SIP Server in DMZ or use DNAT?

Dan Ritter dsr at randomstring.org
Wed May 22 09:34:00 EDT 2019


Derek Atkins wrote: 
> Hi,
> 
> I've got a network with the following configuration.  I am being routed
> IP range a.b.c.120/29.  The modem takes .126.  I've configured my
> firewall for .121.  I can add a switch between the modem and firewall to
> add additional machines there:
> 
>               .126           .121
>    ISP -- <Modem> --<switch>-- <firewall> -- intranet
> 
> I want to add a SIP server as .122.  I have two ways to do this.
> I could put it outside the firewall and just have it be natively on
> .122:
> 
>               .126           .121
>    ISP -- <Modem> --<switch>-- <firewall> -- intranet
>                             \--<sip> (.122)
> 
> Or I have it inside the intranet and configure the firewall to
> forward and rewrite packets via a set of (D)NAT rules:
> 
>               .126   .121/.122
>    ISP -- <Modem> -- <firewall> -- intranet
>                                  \-- <sip>
> 
> What do you all feel is the best approach?  I feel like the former is a
> simpler configuration, even though it requires one more piece of
> hardware.  On the other hand, the latter approach lets me have more
> visibility into the packets hitting the SIP server.
> 
> I should add that I do have at least 2 phones/ATAs sitting in the
> intranet network that need to connect to the SIP server, but standard
> NAT should work for that.
> 
> Currently the SIP server is sitting behind the firewall but living on a
> tunneled class-C network.  My IP phones are able to talk to it directly,
> and because it's got a public IP on the class-C it is reachable from
> devices outside the intranet.  Part of this project is to remove that
> extra level of latency caused by the tunnel, with the hope that removing
> that extra point of failure will improve my VOIP service.

Option C: pretend NAT doesn't exist for the SIP server and:

               .126   .121
    ISP -- <Modem> -- <firewall> -- intranet
                           \-- <sip> .122

route packets to .122 without NATting them. This assumes that
you have an interface available on the firewall. You may want to
use an RFC1918 /30 subnet between them.

Then you can firewall stuff without NAT funkiness. NAT never
makes SIP better.

-dsr-
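As an added illustration of Dan's Option C (this is not code from the thread, and it assumes a Linux firewall running nftables), the script below emits the routing commands and the filter ruleset for a SIP host that keeps its public address on a routed leg behind the firewall, with no NAT anywhere in the path. 203.0.113.120/29 (RFC 5737 TEST-NET-3) stands in for the post's a.b.c.120/29; the interface names, the RFC1918 /30 on the DMZ leg, the intranet range and the RTP port range are all assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: Dan's "Option C" rendered for a
# Linux firewall with nftables. The SIP host keeps the public .122 address on
# a routed leg behind the firewall; nothing is NATted.
# 203.0.113.120/29 (RFC 5737 TEST-NET-3) stands in for the post's a.b.c.120/29.

WAN_IF=eth0                 # assumed: faces the modem, holds 203.0.113.121/29
LAN_IF=eth1                 # assumed: intranet side
DMZ_IF=eth2                 # assumed: dedicated leg towards the SIP host
SIP_PUB=203.0.113.122       # stand-in for the post's .122
LINK_FW=10.255.255.1        # assumed RFC1918 /30 on the DMZ leg, firewall end
LINK_SIP=10.255.255.2       # assumed RFC1918 /30 on the DMZ leg, SIP host end
LAN_NET=192.168.1.0/24      # assumed intranet range
RTP_PORTS=10000-20000       # assumed: must match the PBX's media port range

# Firewall side: give the DMZ leg its /30, route the single public address
# through it, and answer ARP for .122 on the shared /29 segment, because the
# modem will ARP for .122 there rather than send it to .121.
option_c_routing_commands() {
cat <<EOF
ip addr add $LINK_FW/30 dev $DMZ_IF
ip route add $SIP_PUB/32 via $LINK_SIP dev $DMZ_IF
ip neigh add proxy $SIP_PUB dev $WAN_IF
sysctl -w net.ipv4.ip_forward=1
EOF
}

# SIP host side (assumed single NIC eth0): the /30 for the link plus the
# public address as a /32, default route back through the firewall.
option_c_sip_host_commands() {
cat <<EOF
ip addr add $LINK_SIP/30 dev eth0
ip addr add $SIP_PUB/32 dev eth0
ip route add default via $LINK_FW dev eth0
EOF
}

# Filter-only ruleset: there is deliberately no "nat" table. The SIP host
# sees real source addresses and advertises its own address in SDP.
option_c_ruleset() {
cat <<EOF
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # SIP signalling (UDP and TCP) and RTP media to the SIP host, from anywhere
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $SIP_PUB udp dport 5060 accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $SIP_PUB tcp dport 5060 accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $SIP_PUB udp dport $RTP_PORTS accept
    # the SIP host itself may call out (trunk registration, outbound calls)
    iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $SIP_PUB accept
    # phones/ATAs on the intranet reach the SIP host directly, still no NAT
    iifname "$LAN_IF" oifname "$DMZ_IF" ip saddr $LAN_NET ip daddr $SIP_PUB accept
    # intranet to internet as before
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
  }
}
EOF
}

# Run directly to print the pieces; "rules" can be piped straight into nft -f -
case "${1:-all}" in
  rules) option_c_ruleset ;;
  fw)    option_c_routing_commands ;;
  host)  option_c_sip_host_commands ;;
  *)     echo "# on the firewall:";  option_c_routing_commands
         echo "# on the SIP host:";  option_c_sip_host_commands
         echo "# nft ruleset:";      option_c_ruleset ;;
esac
```

`sh option_c.sh rules | nft -f -` loads the filter table; the two command lists are printed rather than executed so they can be checked against the real interface names first. The intranet still gets its usual masquerade rule for ordinary traffic (omitted here); the point is that the SIP host's packets never pass through a nat table, so the addresses the PBX puts into SDP bodies match what the far end sees, which is exactly what breaks under DNAT without an ALG.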

