Registering Through a Firewall

Unanswered Question
Feb 17th, 2007

I have a setup in which some of my phones must register with CallManager across the internet through a pix firewall. I'm using CallManager 4.x. The phones are on an internal network of 10.0.0.0/24 and the CallManager and the Gateway are on 172.16.0.0/24. I've opened up the ports on the firewall to allow TFTP, Skinny and RTP traffic through, and have redirected TFTP and Skinny traffic to the CallManager server and RTP traffic to the gateway. I've set option 150 in DHCP to point to the public IP of the firewall (which then shoots the traffic over to CallManager). The phones are picking up the TFTP download from CallManager, but that's where it ends. Nothing really registers after that. The phones are getting information about CallManager being at 172.16.0.x, but, of course, none of the routers on the internet know how to get to my 172.16.0.0 network. Also, CallManager isn't going to know how to get back to 10.0.0.0. I could use a VPN, I suppose, but I don't know how well that works for voice. Furthermore, the client has a low-end firewall at the remote site that doesn't support VPNs, and I'm afraid they'll have a little, hairy, cat-fit if I ask them to shuck out more money.

Paolo Bevilacqua Sat, 02/17/2007 - 05:24

refram,

if you have a poor firewall you will get nowhere anyway, because it won't be able to understand sccp protocol and dynamically open ports for media.

You might consider some small router like the 800 series that are really cheap but come with the full set of security features like VPN, firewall, etc. With these everything should work fine, or at least is diagnosable.

Paolo Bevilacqua Sun, 02/18/2007 - 16:07

In practice, yes, unless you want to play with NAT static translations (aka forwards) on the non-cisco firewall. Results are not guaranteed.
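As an added example, not taken from the thread or from either poster, here is what the CallManager-side firewall configuration looks like when the firewall does understand SCCP, which is the point both replies make: the skinny fixup rewrites the 172.16.0.x address that CallManager embeds in SCCP messages and opens the RTP pinholes per call, so no static RTP forward to the gateway is needed. PIX 6.x syntax is assumed (PIX 7.x does the same with `inspect skinny` under a policy-map); the public address 203.0.113.10, the CallManager address 172.16.0.10 and the interface names inside/outside are assumed values.

```text
! Assumed addressing: 203.0.113.10 = public address handed out via DHCP option 150,
! 172.16.0.10 = CallManager 4.x, interfaces named inside and outside.

! Inspect SCCP on TCP 2000. The fixup translates the private CallManager
! address inside SCCP messages and creates UDP (RTP) pinholes as calls set up.
fixup protocol skinny 2000
! TFTP needs its own fixup so the data transfer back to the phone is permitted.
fixup protocol tftp 69

! One-to-one translation so option 150 and the address in the SCCP
! registration both resolve to something the internet can route.
static (inside,outside) 203.0.113.10 172.16.0.10 netmask 255.255.255.255

! Only the signalling and TFTP control ports are opened statically; RTP is
! never opened with a fixed rule, the skinny fixup opens it per call.
access-list outside_in permit udp any host 203.0.113.10 eq tftp
access-list outside_in permit tcp any host 203.0.113.10 eq 2000
access-group outside_in in interface outside
```

To confirm the inspection is doing its job, `show fixup` should list skinny on port 2000, and `show conn` during an active call should show UDP connections created for the media alongside the phone's TCP 2000 connection; if only the TCP connection appears, the media is not being inspected and audio will fail in one or both directions. The remote site's low-end firewall still has to pass the phone's outbound TCP 2000 session and the returning RTP, which is exactly where a device with no SCCP awareness falls over, as the first reply says.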
