
Placing Call Manager 4.0(2)a behind Cisco Pix or Checkpoint Firewalls

Status
Not open for further replies.

wirelesspeap

Technical User
Oct 6, 2004
128
US
All,
I would like to place a Cisco Call Manager 4.0(2)a behind either a Checkpoint or Cisco Pix firewall. This CCM will have a private address (10.1.1.1/24). I would like other Cisco SoftPhones to be able to connect to and be managed by this CCM. My question is this:

1) Will CCM work with port-redirect? I would like to NAT the CCM to the firewall external interface (firewall external interface IP is 199.0.216.222) so that when a softphone on the Internet tries to connect to the firewall external IP, it will be redirected to IP 10.1.1.1. What port(s) do I need to open on the firewall to accomplish this task?

2) Assuming situation #1 is not possible, will CCM work with static NAT? CCM private IP is 10.1.1.1/24 and it is being statically NATed to 199.0.216.1. Again, which port(s) do I need to open on the firewall to accomplish this?

Many thanks.

Peap
 
I reckon statically NAT'ing your CCM on the Internet is simply asking for a world of pain. Keeping CCM secure on a LAN is a handful - making it publicly available on the Internet would be a real headache.

For Internet-based softphone operation, you're better off looking at some kind of client VPN solution. I've used SecureClient from Checkpoint and after a few initial problems with one-way audio, that ended up working well.

Currently, we use hardware based firewall routers from Draytek to create the VPNs between our home users and office - then we just ship out a statically configured 7960 to the home and up it comes. Of course, softphone/communicator works just as well.

Good luck.
 
Hi, I know how VPNs work and I would rather have a site-to-site VPN between my Checkpoint firewall. I can also set SecureRemote on the Checkpoint firewall for remote access to the CCM box as well; however, this is just a proof of concept, so if the CCM 4.0 box does get hacked, it is not a big deal.

What I would like to do is to place this CCM box behind a Checkpoint firewall. However, since I am on a cable modem network, I only have a single public IP, and that public IP is assigned to my firewall external interface. I would like to use port-redirect so that other softphone users on the Internet can connect to the Call Manager box. Keep in mind that the softphone users may also be behind corporate firewalls as well as directly connected to the Internet. When softphone users connect to the firewall external interface, they are redirected to the CCM 4.0(2)a box.

What ports must be opened on my Checkpoint firewall in order to accomplish this task? Or is it even possible to do this with port-redirect? If port-redirect is NOT possible, can this be done with static NAT? Again, which ports need to be opened on the firewall for this to work?

Thanks.
 
One-way audio problems? That's exactly what I have right now!

I have a 2811 that is at corporate, and a Linksys WVR54g VPN router at my house. Audio is only one-way; my 7920 at home can send audio but never hears anything...

What did you have to do to fix it?

Thanks!

Ryan
 