Software VPN and IP phones

[FDproductions]

I have just installed a new BCM 400 4.0 and was looking at the best way to get an IP set to hook up with the corporate office. Most location have a hardware VPN, but we have several sales guys who use our software VPN but still want a physical phone at their desk. I know that they could use the 12050 Soft phone, but don't want to unless we absolutely have to.

They have a PIX and we were thinking that we could do a NAT translation with a public IP to an internal IP and just send all traffic looking for the BCM to the BCM. I am just not sure how safe that is and if it will work effectivly.

Any thoughts?

 

[ktludwig]

It's not going to work. You might get the phone to register, but if there is any NATting at all, there won't be any talk path.

 

[MagnaRGP]

They have a PIX..." who? Main office or sales guys?

2 options here...one more expensive but solidly "within the box", and one "outside the box" but not guaranteed to work, very complex but costs about $10.00 to $50.00.

More expensive one first. Buy a BSR222 and set up an ABOT to the main. Simple and gives reliable access to the whole main office. Portable too as the BSR is small and will fit into a large laptop case (even though the phone won't). I use this method when travelling all the time and it's rock-solid.

Cheaper one:

Put a second NIC into the sales guy's computer and plug the phone into that NIC. Use Windows internet sharing to share the connection out to the phone. Launch VPN client on the PC to run the phone. You may need to configure static routes in the PC and the phone has to be configured properly, but I've been told that this can work, but fussy to set up.

Good luck

 

[FDproductions]

And i guess it would be a dumb idea to assign the BCM a public IP and let it hang out there...Thanks for the ideas.

 

[MagnaRGP]

And i guess it would be a dumb idea to assign the BCM a public IP and let it hang out there..."

Loooong standing debate on this forum. IMHO, Yes. Others would disagree. Search i2050, IP Phone and VPN and you'll likely come across the discussions. Read 'em and come to your own conclusions.

 

[skb2005]

I have tried using the second NIC. It did not work for me OR may be I was not able to configure it properly.

 

[MagnaRGP]

Could also be that either your VPN client or user tunnel permissions prevent split tunneling.

Like I said, very fussy to set up.

 

[skb2005]

My VPN tunnel allow split-tunnel.

Could you please put some more light on the steps one should follow after connecting the second NIC ?

 

[MagnaRGP]

I have never done this...only repeating what someone once told me. I wouldn't even try it myself as it it too fussy and has too many variables for my liking.

K.I.S.S.

Keep It Simply Simple. That's my motto.

 

[gberger]

To MagnaRP:

When you say "Buy a BSR222 and set up an ABOT to the main" what do you mean by "abot" and what do you have at the other end(main office) Is it another Nortel Router?

 

[MagnaRGP]

ABOT = Asynchronous Branch Office Tunnel -- Basically means that it doesn't require a static IP address. The Main office waits for a tunnel request and cannot itself initiate.

I have a Contivity 1500 (Ancient) and a Contivity 1010, but I have sucessfully built tunnels with a PIX at the main, some other Cisco unit at the main a c1600, c1750, BSR222 and even a BCM at the main office (customer was adamant until the BFT went bad and lost ALL connectivity to the 8 branches until the BFT got replaced).