Cisco Support Community

New Member

General Question: Cisco phones across non-Cisco VPN

Setting aside the QoS discussions, is there anything special I should think about with regard to running a Cisco remote phone at a teleworker's house across a hardware-based IPSec tunnel (using something other than ASAs)? I know I will need to manually set info on the phone. I'm mainly looking for gotchas with regard to the tunnel itself. Is it as simple as setting up a standard IPSec tunnel where no ports are blocked and letting the phone run over that tunnel?

New Member

Teleworker Cisco phones across WatchGuard VPN


Cisco Employee

General Question: Cisco phones across non-Cisco VPN

As long as you have IP connectivity and understand the possible quality issues with no QoS, you should be fine. Just hard-code the network settings (at the least, the TFTP settings) on the remote phones.


Teleworker Cisco phones across WatchGuard VPN

Hi Kyle

No, nothing special to worry about. You can run this over pretty much any LAN-to-LAN tunnel (including non-Cisco).

You do need to watch out for QoS (which Cisco firewalls can do even over IPSec). Another one to watch out for is if you have multiple remote offices configured in this way (e.g. home "a" and home "b"). In CUCM environments, audio flows handset to handset, so if the phone in home "a" calls the phone in home "b" you also need an IPSec tunnel between the remote offices.

Hope this helps. Barry

Barry Hesk

Intrinsic Network Solutions

Cisco Employee

Teleworker Cisco phones across WatchGuard VPN

You don't necessarily need a tunnel between the sites for the remote phones to be able to call each other, depending on the capabilities of the router/firewall. On an ASA you would use:

same-security-traffic permit intra-interface

This would allow the VPN traffic to hairpin at the ASA and negate the need for a third tunnel connecting the remote sites.

I'm not sure if your hardware can do this.
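
The gotcha raised in the replies above (audio flows handset to handset, so two home sites need either a direct tunnel or a hub that can hairpin) can be checked against a planned tunnel layout before deployment. The following is an added example, not part of any reply in this thread; the site names, subnets, the selector model and the `hub_hairpin` flag (standing in for whatever hairpin capability the hub firewall has) are all assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample sites (names and subnets are assumptions).
SITES = {"hq": "10.0.0.0/24", "home_a": "192.168.10.0/24",
         "home_b": "192.168.20.0/24"}

def covers(selectors, src, dst):
    """True if any (local, remote) selector pair contains src -> dst."""
    s, d = ip_network(src), ip_network(dst)
    return any(s.subnet_of(ip_network(l)) and d.subnet_of(ip_network(r))
               for l, r in selectors)

def media_path(a, b, tunnels, hub="hq", hub_hairpin=False):
    """Classify how phone-to-phone audio between sites a and b can flow.
    tunnels maps (site, peer) -> (local, remote) selectors set on `site`."""
    na, nb = SITES[a], SITES[b]
    if (covers(tunnels.get((a, b), []), na, nb)
            and covers(tunnels.get((b, a), []), nb, na)):
        return "direct"
    # Hairpin: each spoke must send the other spoke's subnet into its hub
    # tunnel, and the hub must accept and re-send it on the other tunnel.
    spokes_ok = (covers(tunnels.get((a, hub), []), na, nb)
                 and covers(tunnels.get((b, hub), []), nb, na))
    hub_ok = (covers(tunnels.get((hub, a), []), nb, na)
              and covers(tunnels.get((hub, b), []), na, nb))
    if hub_hairpin and spokes_ok and hub_ok:
        return "hairpin"
    return "no-audio"

def audit(tunnels, hub="hq", hub_hairpin=False):
    """Return the media path for every pair of remote sites."""
    spokes = [s for s in SITES if s != hub]
    return {(a, b): media_path(a, b, tunnels, hub, hub_hairpin)
            for a, b in combinations(spokes, 2)}

def hub_and_spoke(spoke_to_spoke_selectors, hub="hq"):
    """Build constructed hub tunnels, optionally with spoke subnets added."""
    spokes = [s for s in SITES if s != hub]
    tunnels = {}
    for s in spokes:
        peers = [hub] + ([o for o in spokes if o != s]
                         if spoke_to_spoke_selectors else [])
        tunnels[(s, hub)] = [(SITES[s], SITES[p]) for p in peers]
        tunnels[(hub, s)] = [(SITES[p], SITES[s]) for p in peers]
    return tunnels

if __name__ == "__main__":
    print(audit(hub_and_spoke(True), hub_hairpin=True))
```

A "no-audio" result for a pair means calls between those two homes would set up through CUCM but have no media path, which is the symptom to expect when the tunnel selectors only cover the headquarters subnet.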