
Call Manager remote phone with VPN/ NAT

acgarcia
Level 4

Is there any way to make a remote IP Phone 7960 or softphone work across a VPN?

Also, is there any way to get this done across a router that is doing NAT or PAT?

Thx,

Anson

6 Replies

mschlenger
Level 3

We use Raptor client to VPN in our internal network. Once the VPN is established, I'm viewed as another device on our network and the rest is done through DHCP. It works fine with both the softphone and an IP phone. I haven't tried configuring NAT or PAT but I don't see why it would not work.

lnthompson
Level 1

It is definitely possible to have a 7960 Phone working across an existing VPN connection. I have already tested the 7960 and IP SoftPhone v1.1 over a VPN connection.

I believe the most important setting for accomplishing this is the ability to have the remote DHCP Server push down the appropriate TFTP server information for the 7960 Phone.

If you have problems with one-way communication you might want to reference the command

h323-gateway voip bind srcaddr

We ran into this issue with the VPN'd phone and resolved it via that command. Simple enough...

I have not actually tested the 7960 through a NAT/PAT router but have heard from Cisco it didn't work. But personally I think it might with some tweaking.

It should work if the phone is on one side of the NAT/PAT router and the CallManager is on the other. I am speaking about hardware phones (and possibly gateways) that use the Skinny protocol. H.323 based phones should work as well. I am not sure about the SoftPhone application.

Note that a minimum of IOS version 12.1(5)T is required, due to a NAT enhancement. Docs can be found at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnipcm.htm

Thx,

This is the info I was looking for.

a.bouchard
Level 1

We are using Cisco806 with IP+... and it is working fine

bphelps
Level 2

We haven't got the NAT for the call manager to work yet, but it looks like you can NAT the call manager if you do a static address NAT using the command already referenced in this conversation.

The problem I'm having with NAT is that I'm doing overloading for the LAN and I'm trying to NAT the Call Manager and other internal phones, including the skinny station and gateway, h323, h225, h245, the rtp stream and the tftp server. All using one ip address. No VPN. Has anyone done this? Does anyone think it will work? What about referencing ip phones by ip address and tcp port so we can overload the rtp stream on the router?

In an interesting and somewhat related twist, here are example access list rules for allowing basic ip telephony through a firewall. Found these at this url:

http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/solution/6_operat.htm

access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq tftp

! Allow TFTP from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2000

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2001

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2002

! Allow Skinny from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 1719

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 1720

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 range 11000 11999

! H.323 access from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2427

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2428

! MGCP from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq 2748

! CTI (TAPI and JTAPI) for SoftPhone to the CallManager Cluster Subnet

access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq 8404

! SoftPhone Directory to the CallManager Cluster Subnet

access-list avvid_in permit tcp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 eq www

access-list avvid_in permit tcp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 eq telnet

access-list avvid_in permit tcp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 eq 22

access-list avvid_in permit icmp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 0

access-list avvid_in permit icmp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 8

access-list avvid_in permit udp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 eq snmp

! Allow Network Admin subnet access to CallManager Cluster subnet

access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq www

! SoftPhone Telecaster HTTP access to the CallManager Cluster Subnet

ip address outside 10.21.199.2 255.255.255.0

! Interface attached to the Voice Network

ip address inside 10.21.100.1 255.255.255.0

! Interface attached to the CallManager Cluster

static (inside,outside) 10.21.100.0 10.21.100.0 netmask 255.255.255.0

! Do not NAT the CallManager Cluster address across the firewall

access-group avvid_in in interface outside

! Apply the access-list to the outside interface of the firewall
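
An added example, not part of the thread or of the Cisco document it quotes: a small Python audit that parses permit rules in the access-list format shown above and reports, per rule, the source network, the service, and two review findings. The `CLEARTEXT` set and the `BROAD_PREFIX` threshold are assumptions of this example, and the sample input is a constructed subset of the rules in the post.

```python
import ipaddress
import re

# Constructed input: four rules and one comment copied from the access list above.
SAMPLE = """\
access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq tftp
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 range 11000 11999
access-list avvid_in permit tcp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 eq telnet
access-list avvid_in permit icmp 172.21.167.0 255.255.255.0 10.21.100.0 255.255.255.0 8
! Allow Network Admin subnet access to CallManager Cluster subnet
"""

# Assumptions of this example, not from the post: which services count as
# unencrypted, and how wide a source network must be to deserve a second look.
CLEARTEXT = {"telnet", "www", "snmp", "tftp"}
BROAD_PREFIX = 16  # sources shorter than /16 are reported

RULE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
    r"(?:\s+(?:eq|range)\s+(?P<ports>.+?)|\s+(?P<icmp>\d+))?\s*$"
)

def audit(config):
    """Return one dict per permit rule, with review findings attached."""
    report = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m is None:  # '!' comments, interface and static lines
            continue
        # PIX access lists use netmasks, which ip_network accepts directly.
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
        if m["ports"]:
            service = m["ports"].replace(" ", "-")
        elif m["icmp"]:
            service = f"type {m['icmp']}"
        else:
            service = "any"
        findings = []
        if service in CLEARTEXT:
            findings.append("cleartext")
        if src.prefixlen < BROAD_PREFIX:
            findings.append("broad-source")
        report.append({"proto": m["proto"], "src": str(src), "dst": str(dst),
                       "service": service, "findings": findings})
    return report

if __name__ == "__main__":
    for rule in audit(SAMPLE):
        print(rule["src"], "->", rule["dst"], rule["proto"], rule["service"],
              ",".join(rule["findings"]) or "ok")
```

Run against the full access list, this gives a quick inventory of which admin-subnet rules admit unencrypted management protocols to the CallManager cluster and which voice rules accept any 10.0.0.0/8 source.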
