12-01-2008 11:11 AM - edited 03-15-2019 02:50 PM
We are looking at using "ASA Phone Proxy" to send IP phones home with a large number of our end users. In reading through the ASA 8.0 config guide, I see it mentioned that the networks of the end users must do port forwarding (big UDP range or 'dmz' config) on their SoHo routers to make TFTP and bi-directional voice work.
Is this true? Has this been the experience of people that have deployed this technique?
Thanks in advance for your insight...
12-01-2008 01:11 PM
Logically you need a big range of UDP to be opened for voice traffic.
But from a security and firewall perspective you will not open that range; you will only open, let's say, SCCP and TFTP. Then when the call starts, after call signalling establishment, the firewall will do traffic inspection and open the required UDP traffic for that call two ways.
This is also called stateful packet filtering.
Hope this is helpful.
12-01-2008 01:56 PM
One other key requirement for ASA Phone Proxy is the requirement of two external IP addresses. One for TFTP/Signaling and the other for Media Termination. This causes an issue for most home Internet access as most people don't have business class Cable or multi-space IP space on DSL.
If someone has found a way around this I'd love to hear about it.
Thank you,
Jon
12-01-2008 02:25 PM
Hi Jon,
You only need the extra IPs on the 'head-end' side, right?
Thanks.
Ben
12-01-2008 02:53 PM
That is correct. I wanted to point it out for people that don't have full class C's available, extra IP space or people that want to test from home or even use a backup connection in the office such as Cable or DSL.
Thanks for clarifying my post. 5 points!
-Jon
01-07-2009 10:14 PM
Hi jmnelson78,
Are you saying that at least one static IP is needed on the user's end in order for the phone proxy to work? Sorry, just want to clarify it since we are looking into deploying it. Should it work even if it's a dynamic IP (DSL) as the guide says?
Please enlighten me...
Thanks
01-09-2009 02:09 PM
We use the phone proxy appliance (pre-ASA code). Dynamic IP is fine. If your home WAN IP changes then you just need to go back to the registration web page and log in again.