Cisco Support Community

Securing PIX vpn tunnel for home IP phone users

We are looking to roll out some beta users with 7960 telephones connected at their homes. We would supply them with a PIX 501 to connect back to the main 515E and set up a site-to-site VPN tunnel.

We would like the user to have the 7960 function at the house and access from one desktop to the mail server. We plan to hardcode the IPs on the desktop and phone.

What are the best practices for securing this type of connection? Want to make sure "kids" or others on the home LAN will not interfere with the servers back at the office (spyware, viruses, etc finding their way back to the office).

What would be the best way to secure this: the use of ACLs on each of the tunnels?

Thanks very much for any advice.


Re: Securing PIX vpn tunnel for home IP phone users


I see two ways to do this: one is with an access-list on the interface only permitting certain traffic to the VPN; the other is setting up the VPN matching ACL to actually only encrypt the traffic needed for your IP phone and mail server for the VPN.
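
The two approaches from the reply above, sketched as PIX 6.x configuration for the home 501 and the matching crypto ACL on the 515E. This is an added example, not part of the original thread; every address, ACL name and the crypto map name is constructed, and the peer, transform-set and ISAKMP lines are left out because the thread does not discuss them.

```cisco
: Constructed values: home LAN 192.168.50.0/24 (phone .10, desktop .11),
: office voice subnet 10.10.10.0/24 (CallManager, gateways, other phones),
: office mail server 10.10.20.25, office address space 10.10.0.0/16.

: --- Home PIX 501 ---
: VPN matching (crypto) ACL: only the phone and the one desktop are ever
: encrypted toward the office. The phone is matched to the whole voice
: subnet (an assumption about the office layout) because call audio goes
: to gateways and other phones, not only to CallManager.
access-list vpn_office permit ip host 192.168.50.10 10.10.10.0 255.255.255.0
access-list vpn_office permit ip host 192.168.50.11 host 10.10.20.25
crypto map office 10 ipsec-isakmp
crypto map office 10 match address vpn_office

: Exempt exactly the same two flows from NAT so they match the tunnel.
access-list nonat permit ip host 192.168.50.10 10.10.10.0 255.255.255.0
access-list nonat permit ip host 192.168.50.11 host 10.10.20.25
nat (inside) 0 access-list nonat

: Interface ACL: permit the two office flows, drop anything else aimed at
: office address space, and leave ordinary Internet traffic alone.
access-list inside_in permit ip host 192.168.50.10 10.10.10.0 255.255.255.0
access-list inside_in permit ip host 192.168.50.11 host 10.10.20.25
access-list inside_in deny ip any 10.10.0.0 255.255.0.0
access-list inside_in permit ip any any
access-group inside_in in interface inside

: --- Head-end PIX 515E ---
: The crypto ACL for this peer must be the mirror image of vpn_office,
: so the office side also refuses to build SAs for any other home host.
access-list vpn_home1 permit ip 10.10.10.0 255.255.255.0 host 192.168.50.10
access-list vpn_home1 permit ip host 10.10.20.25 host 192.168.50.11
```

Because both rule sets match on host addresses, they only hold if the phone and desktop keep the hardcoded IPs described in the original question.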



Re: Securing PIX vpn tunnel for home IP phone users

We have implemented a similar setup but instituted the policy that if there are other computers installed at home, they must install a router in front of the PIX and all home computers must be connected to it. If you are running the latest code, 6.3.5, on the PIX, you do not have to hardcode the IP in the phone; you can set it up for DHCP and specify option 150 so the phone can find the CallManager server.

This can also be done with a Linksys router and a VPN concentrator; however, you must then program the IPs in the phone. I have not found a way to add option 150 to the DHCP server in the Linksys.

Re: Securing PIX vpn tunnel for home IP phone users

Hi, adding to what has been said: in conjunction with restricting the traffic that is to traverse the tunnel, you could also implement an IPS or ActiveX (ASA with the ActiveX module) at the head office to protect the site from spyware, spam, viruses, etc., which can't be effectively detected by layer 3 firewalls.

I hope it helps. Please rate if it does!
