How to configure a fortigate 60( to work with a callmanager cluster remote

Unanswered Question
May 5th, 2007

I have a request from one of my executives.

This person is moving to another state, and she wants an ip phone 7040 or 7060 to be able to connect to our phone network. we use for a vpn solution fortinet fortigate 60 to let our remote users to connect to our data applications but we have never had a request to use an ip phone,. now this is the picture.

voice vlan ip range is 10.0.0.XXX

data vlan ip range is 192.168.10.xx

vpn 172.10.10.xx

now basically when the user connects to our fortigate 60 she gets a 172.x.x.x address and cant reach our voice vlan. (i think this can be a routing issue at the vpn tunnel)

If you have configured a fortigate 60 to work with your ccm cluster before and know how to do it or if you know another way to let this user connect to our ccm cluster from her remote site please also let me know..also the the callmanager cluster doesnt have a externip.

Is there a simple way for a remote user to have her or his 7940 or 7060 connected to our ccm cluster and be able to utilize our system without using a vpn ?...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Paolo Bevilacqua Sat, 05/05/2007 - 16:26


in reality you could connect her without the vpn, but in between there is your firewall and the remote broadband router. Both should support either SCCP or SIP. The latter is more likely. On your FW you should open ports for this to work.

So depending on the above it could be a more or less easy alternative, as to find out how to establish connectivity between remote phone and voice vlan via the vpn.

charlotterob Sat, 05/05/2007 - 17:18

Hi Paolo

Yeah but even if i open the sccp and/or sip ports on the firewall that will not do any good if the is not able to get an ip address that is either on the data or voice lan range

Paolo Bevilacqua Sun, 05/06/2007 - 04:14


the FW also does NAT, so just like you browse the internet with a private address, the CCM address would be translated to connect to the remote phone. In turn, there could be NAT also in the place where the phone in installed. That doesn't mean it won't work, just that is more complicated.

Please remember to rate all useful posts using the scrollbox below!

charlotterob Sun, 05/06/2007 - 09:18


I think there is an issue that covers more a a nat issue.

I think the problem is on the fortinets... because the fortigate 60 is the vpn/firewall device that connects to the fortigate 300a and the fortigate 300a is the one who according to how was configured will give access to certain ip range and vlan to the device attached to the fortigate 60 at the remote location, in this case the ip phone, we have try to use the DMZ port at the fortigate 60 for the phone and nothing..not counting verifying if the ccm could see the phone at all, and..we couldnt ping the 172.x.x.x device plug also at the fortigate 60 we couldnt even ping from the switch 3560 to the fortigate device ? i would think with all due respect that i think the issue is with those fortinet devices.. but if we cant use the fortinets, and we had to use the ip phone but can we set up the ip phone to when the executive plug the phone into her fast internet device the phone will reach our ccm and register succesfully

Paolo Bevilacqua Sun, 05/06/2007 - 10:14

Hi Charlotte,

This is actually what I was telling you. If you cannot make the phone connection work inside the vpn, it must work outside. This will require the FW (fortinet or what is it) let you reach from internet, the inside address of CCM using an external public address statically mapped.

This address you will configure manually as TFTP in phone's settings, together with address, netmask and default GW.

Further alternative is that you expose one CCM interface directly on the internet, but from what I know, this is not something a typical enterprise would do.

So you may have NAT issues that I was trying to explain before, and considering that SCCP is not widely supported by non-cisco devices, your have better chances loading SIP software on the phone.

charlotterob Sun, 05/06/2007 - 11:24

ok, I am sorry I misunderstood you.. Right SCCP is not widely used within non cisco devices , like you said it will probably be a solution to use sip protocol port 5060 to use the ip phone from a remote location. Question is how can i download the sip firmware into this ip phone 7040 or 7060 ?, so by default all this phones have the sccp firmware instead of the sip firmware how can i verify which firmware is loaded in the ip phone


This Discussion