How did you get the IP Phone to work behind a NAT connection??? It just won't work for me. I used a Sniffer and found out that the IP Phone will register using the translated "public" IP address, however during a call setup the IP Phone communicates it's private IP address making it impossible for the other IP phone to route the UDP voice traffic properly. Essentially you get a 1-way voice conversation.

Any info on how to fix this would be grateful. OH, and please spare me the links to the Cisco info on how to configure a Cisco router to work with an IP Phone using NAT ... I don't know any consumer that buys Cisco routers for their home broadband (DSL/Cable) connections. They are very overpriced compared to the competition (Linksys, SMC, etc.).

I think the real solution is for the IP Phone protocols to not transmit private IP addresses.

Scott, when setting up the media streams, CallManager embeds the IP information in the payload of the SCCP packets. So any devices in the middle performing NAT translation will need to be able to rewrite the packets accordingly. I don't know of any non-Cisco NAT boxes that can do this currently. It's possible that Linksys/SMC/etc may be able to get this to work by pointing the "DMZ host" at the IP phone's inside address but I haven't tried it.

Maybe what would work better is instead of your connection at home going across the Internet through the PIX, you should get a device that can create an encrypted VPN tunnel between the 525 and your home office, such as an 806 or a PIX 501. Then your IP phone will have an address that is routable on the regular office network and NAT won't come into play.

Thanks, dav ... I won't knock myself out with NAT any more.

I'm looking into the Cisco 806, still a bit expensive but cheaper if I can buy it off a Government contract. But that brings up another IP Phone related question:

If the 806 creates a VPN tunnel to the office LAN and get's assigned an IP from the LAN address range, wouldn't the network behind the 806 still be using NAT to translate to that obtained IP address? Wouldn't the IP Phone still be communicating an illegal address? Or does the 806 support some kind of transparant substitution of the IP in the call setup payload to use the legal IP address?

Thanks.

If you have a Tunnel interface established, the ip traffic will simply route through that tunnel. No NAT is necessary.

In my particular configuration, I use a different IP network scheme at my house. I use NAT to traverse the Internet from my house, but route's destined for work (private IP scheme) are routed through the tunnel.

In fact, all of my branch offices work this way. However I am using faster encryption technologies with the devices at those locations, but the concept is the same. I have a single Callmanager cluster in our cenral office. The branch offices are using SRST in case of a WAN failure, however that is not an option at my house.

After many test, IOS using NAT fix the payload correctly. We have a test site running 3 ip phone connecting throught PAT (dhcp address from ISP). CallManager is located on the internet using PIX Firewall. Also the PIX will fix correctly the payload with NAT but not with PAT. The skinny protocol is broken for some reason with PAT. I have to open a case to TAC about that problem. You need a PIX OS that support skinny check out bugid CSCdv26953 for reference.

I have a PIX to PIX VPN set up between a 501 (my home) and a 506 (the office). The 7940 at home comes up, registers, and I can access data services and directory services, and even get dial tone, but I cannot make calls. Any idea on what might be wrong? I do have the no nat set up on both sides to include the data that will pass via the VPN.

I see you have an experience with VoIP. I want to ask you a question. I would like to "tunnel" internal phone lines over the Internet to users houses. I was looking at 827-4V (user end) and some kind of a VIC card for 3600 (company end). I would like to connect 5 users to internal phone system so full blown CCM is hardly justified. I just want to connect the line to VIC and phone to 827-4V POT port and have this phone a number from the voice line connected to VIC.

Is it possible? Can you comment on it?

You can set up a GRE tunnel, but I wouldn't apply encryption to it. The 827 would struggle with encrypting the udp/rtp on one call, much less any more. That said, remember if your link goes down, so do your phones. People are used to phones NEVER going down. People expect Internet circuits to go down, but they will not tolerate the phone failing. You have to determine how critical this is. If you can get over that hurdle, you have to make sure you have low latency and that your connection is consistent. Technically it can be done, however, what really matters is if the quality and reliability is enough to satisfy your users.

My plan is to use 1.5 link from my company and ADSL 1.5/512 to users. Both links would be provided by the same ISP what should keep traffic on ISPs network and hopefully reduce latency. Would you rather recommend a different solution? Will 1600 be a lot better? What about 1700?

Sorry for asking so many questions ;-)

The key here is, "Are you going to be encrypting the phone traffic?" If not, then the 827-4v should work just fine. A 1700 may be able to encrypt one call, and a 2600 can handle three calls at one time. And that's with a hardware encryption module using single DES over a T1. Cisco still has issues with encrypting UDP/RTP traffic. I've seen this first hand. You should be just fine though if you don't use encryption.

How much should I worry about encrypting VoIP? Assuming my ISP is safe what other reasons could make me request encryption on the tunnel?

Will you be using this connection for any confidential data that you don't want people to sniff out? Your packets can be collected and pieced back together. Your business has to decide if it's worth the risk of having your business data compromised.

Hi Rafal;

The scenario you're describing is one we use on a daily basis with VTALL from IP blue Technology Solutions at http://www.ipblue.com . It works extremely well over VPNs (it even establishes and tears down VPNs if needed), and integrates very well with CallManager.