ASA Phone Proxy - UDP Forward required?

Unanswered Question
Dec 1st, 2008

We are looking at using "ASA Phone Proxy" to send IP phones home with a large number of our end users. In reading through the ASA 8.0 config guide, I see it mentioned that the networks of the end users must do port forwarding (big UDP range or 'dmz' config) on their SoHo routers to make TFTP and bi-directional voice work.

Is this true? Has this been the experience of people that have deployed this technique?

Thanks in advance for your insight...

Overall Rating: 5 (1 ratings)
Marwan ALshawi Mon, 12/01/2008 - 13:11

Logically, you need a big range of UDP ports to be opened for voice traffic,

but from a security and firewall perspective you will not open that range. You will only open, let's say, SCCP and TFTP; then, when the call starts after call signalling establishment, the firewall will do traffic inspection and open the required UDP traffic for that call both ways.

This is also called stateful packet filtering.

Hope this is helpful.

Jon Nelson Mon, 12/01/2008 - 13:56

One other key requirement for ASA Phone Proxy is the requirement of two external IP addresses. One for TFTP/Signaling and the other for Media Termination. This causes an issue for most home Internet access as most people don't have business class Cable or multi-space IP space on DSL.

If someone has found a way around this I'd love to hear about it.

Thank you,


btfreitag Mon, 12/01/2008 - 14:25

Hi Jon,

You only need the extra IPs on the 'head-end' side, right?



Jon Nelson Mon, 12/01/2008 - 14:53

That is correct. I wanted to point it out for people that don't have full class C's available, extra IP space or people that want to test from home or even use a backup connection in the office such as Cable or DSL.

Thanks for clarifying my post. 5 points!


redrobish Wed, 01/07/2009 - 22:14

Hi jmnelson78,

Are you saying that at least one static IP is needed on the user's end in order for the phone proxy to work? Sorry, just want to clarify it since we are looking into deploying it. Should it work even if it's a dynamic IP (DSL) as the guide says?

Please enlighten me...


donniefowler Fri, 01/09/2009 - 14:09

We use the phone proxy appliance (pre ASA code). Dynamic IP is fine. If your home WAN IP changes then you just need to go back to the registration web page and log in again.

