
Can't connect IP phone from outside


cpazos (Sep 13, 2005)

Please help, no one seems to know. We are using a 3rd-party device (SonicWall with QoS) for NATting (a firewall with all services configured). We CAN connect with an IP phone (i2004) INTERNALLY (local LAN), but when we try from outside the firewall, the IP phone connects to port 7000 through the NAT, and when it reconnects it tries to access the non-routable address through port 51000. How do I connect it to the routable address? Can this be done without setting up a VPN on the BCM?
Well, first, what network interface is set as the "Published IP Address" setting in your BCM? You can find that setting in the Unified Manager -> Services -> IP Telephony -> Global IP Settings page.

The primary IP address assigned to the interface designated as the "Published IP Address" must be the S1 (and/or S2) IP address programmed into the VoIP phone. Changing the IP address of a BCM interface, and/or changing the interface designated as the "Published IP Address", requires a full reboot of the BCM. You can change both in one single reboot.

Secondly, the only way I have ever been able to establish 'reliable' connectivity between a VoIP phone on the other side of the Internet and a BCM is via a VPN tunnel.

As an experiment I toggled back and forth between using a VPN and not using a VPN. Without using a VPN tunnel I got lucky and was able to make a connection, but I could not get dial tone 9 out of 10 times. I could log in to F981 Voice Mail, but couldn't hear anything. As soon as I connected through a VPN everything cleared right up and I got dial tone every time.

I checked how many Internet hops there were and found something like 12 hops. When the VoIP phone talks to the BCM, thousands and thousands of itty-bitty UDP packets are generated. Probably most of these are lost, jumbled up, arrive out of order, or arrive late by the time they get across the Internet. But with a VPN tunnel a whole bunch of the VoIP packets are grouped together and encrypted into as large a VPN packet as possible, so you get more of the VoIP packets through, in order and on time, if you do use a VPN tunnel.

Create the VPN tunnel; it'll work a lot better than if you don't.

Marc
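The NAT problem cpazos describes, checked mechanically: this is an added Python example written for this page, not BCM, SonicWall or i2004 code. It assumes a constructed firewall port-forward table and constructed "reconnect" records (the phone's source address, and the address and port the server told it to use next); the published address 203.0.113.10 and every inside address are made up. It flags a server that hands an outside phone a private address, a published address that is not the firewall's routable one, and a reconnect port that has no forward on the firewall.

```python
"""Check whether the address/port a VoIP server hands back to a phone is
reachable from the phone's side of a NAT.  Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges plus loopback and link-local: addresses a phone on the
# far side of the Internet can never reach directly.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


@dataclass(frozen=True)
class Forward:
    """One inbound NAT rule on the firewall (constructed)."""
    proto: str
    public_port: int
    inside_ip: str
    inside_port: int


@dataclass(frozen=True)
class Redirect:
    """What the server told a phone after its first connect (constructed)."""
    phone_ip: str      # address the phone connects from
    target_ip: str     # address the server told the phone to use next
    target_port: int


def check_redirect(r: Redirect, published_ip: str, forwards: list[Forward]) -> tuple[bool, str]:
    """Return (ok, reason) for one redirect as seen from the phone's position."""
    if is_non_routable(r.phone_ip):
        # Phone is on the LAN side: a private target is exactly what it wants.
        return True, "phone is on the local LAN; LAN address is fine"
    if is_non_routable(r.target_ip):
        return False, (f"server handed out non-routable {r.target_ip}; "
                       f"Published IP Address should be {published_ip}")
    if r.target_ip != published_ip:
        return False, f"server handed out {r.target_ip}, not the published address {published_ip}"
    if not any(f.proto == "udp" and f.public_port == r.target_port for f in forwards):
        return False, f"no udp/{r.target_port} inbound forward on the firewall"
    return True, "reachable"


# Constructed scenario: firewall publishes 203.0.113.10, forwards only udp/7000
# to the BCM at 192.168.1.20 (all addresses hypothetical).
PUBLISHED_IP = "203.0.113.10"
FORWARDS = [Forward("udp", 7000, "192.168.1.20", 7000)]
SCENARIO = [
    Redirect("192.168.1.50", "192.168.1.20", 51000),   # inside phone: works
    Redirect("198.51.100.7", "192.168.1.20", 51000),   # outside phone, private target
    Redirect("198.51.100.7", PUBLISHED_IP, 51000),     # right address, no forward yet
]


def run_checks() -> list[tuple[bool, str]]:
    """Evaluate the scenario, then re-check the last case after adding the missing forward."""
    results = [check_redirect(r, PUBLISHED_IP, FORWARDS) for r in SCENARIO]
    fixed = FORWARDS + [Forward("udp", 51000, "192.168.1.20", 51000)]
    results.append(check_redirect(SCENARIO[-1], PUBLISHED_IP, fixed))
    return results


if __name__ == "__main__":
    for ok, reason in run_checks():
        print("OK  " if ok else "FAIL", reason)
```

The two FAIL lines correspond to the two separate fixes the thread discusses: the BCM's "Published IP Address" has to be the routable one, and the firewall needs an inbound rule for every port the phone is sent to, not only the first one. If either is missing, the phone completes the initial connect and then falls over on the reconnect, which is the symptom in the original question.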
Does the BCM (1000 in my case) actually act as a VPN server? Right now we just have our BCM connected locally to our LAN and have no external access at this point. We want to add VPN, but instead we are going to add it via a device (PIX 506e or similar). Is this not necessary?
The BCM will support VPN with a keycode. I would advise that you buy a third-party box to set up VPN. The BCM will support 16 VPN tunnels and is a bit limited in what can be done with the VPN tunnels. I would go with some other box, maybe a Contivity or some other vendor (like the Cisco PIX, as you have stated).

Marshall

A PIX will work with the RSA SecurIDs we are going to be issuing. Just didn't want to duplicate efforts if we had a system already here! Thanks for the info.
The thing that is amazing and very misunderstood is why it has 2 LANs but only one gateway. I guess if you want it to be part of your local infrastructure, you must connect it with a small VPN box from the outside, connecting it to your inside.
The BCM is designed to be an edge router/firewall as well: one LAN port for your internal LAN and the other port to see the outside world.

Sort of like a Linksys on some REALLY crazy steroids.
How do you access both LANs if you are using two different gateways but can only use one gateway? If you are using a published address on the second LAN and an internal one on the first LAN, how do you route traffic?
If you wanted to use this setup, you would use one of your LAN ports as the public interface and set the next hop in NetLink Manager to the public gateway for your subnet. The other LAN port would be set up as the internal gateway for your LAN. The BCM will route the internal traffic destined for the public Internet across the ports with no problems using the internal router.

You would then set up firewall rules (up to 16, if I remember correctly) for inbound traffic. Be very careful if you intend to have VPN tunnels or public access to your Unified Manager: one wrong check mark and you lose access. You also want to be sure that LAN 1 is your INTERNAL LAN so that patches will only be applied from inside the LOCAL LAN. You will not be able to tunnel in and apply patches, as the IPSec service will stop when the Windows portion of the BCM reboots. I believe this occurs on modem access as well, but I have never tried applying patches this way.

The BCM will do all of this reasonably well, but not as well as individual boxes. But if you are looking at sheer cost-effectiveness, the BCM in this application deserves a close look.