TelNetSystems
Technical User
I have an IP Office 500v2 that is working great in the following configuration with voice services provided by a PRI.
DATA NETWORK (192.168.81.x) <-> COMPUTERS
|
- PIX FIREWALL <-> INTERNET (x.x.x.x/29)
|
VOICE NETWORK (192.168.82.x) <-> IP OFFICE LAN & LOCAL IP PHONES
This configuration is comfortable and familiar from a security standpoint since it isolates the IPO from the internet behind a packet inspection firewall and NAT. However, now I need to modify this system to add SIP trunks and remote IP phones.
What is the best way to modify this configuration to facilitate SIP trunks and Internet based IP phones?
* Leave IPO-LAN alone and configure NAT traversal and firewall rules on the PIX?
* Move IPO-LAN to a DMZ using a public IP behind the PIX firewall?
* Leave IPO-LAN alone and connect IPO-WAN directly to the Internet using a public IP and no external firewall?
From what I have read, it seems NAT traversal is generally avoided for VoIP where possible, which makes me lean toward the second two options. However, I don't know if the IP Office WAN port is secure enough to directly connect to the Internet and/or if I would have to completely neuter the PIX firewall anyway to allow unobstructed VoIP traffic. I'm hoping some of you have done this enough to know which way is the best/standard practice in this situation.
Thanks,
David