[cisco-voip] Deploying 7961 Phones Remotely with ASA5500?

Wes Sisk wsisk at cisco.com
Thu May 7 14:55:57 EDT 2009


Hmm, I'm going to need a little more convincing on this one.

phone1----------homerouter-----------ASA--(typical enterprise with cm)--phone2
10.10.11.2   10.10.11.1 10.10.10.76 
*homerouter doubles as a firewall as is common

In the ORCAck that leaves phone1 offers to receive audio on 10.10.11.2 
port 33333.
homerouter is blissfully unaware of SCCP so passes the IP datagram along 
after rewriting IP headers for the 10.10.10.76 network
this gets through ASA with any translation it does, then on to CM, then 
on to phone2.

phone2 begins to transmit audio.  Audio goes to the IP:Port fixed up by 
ASA.  ASA rewrites IP and UDP and passes along back toward home router.

Now comes the challenge.  homerouter never knew it should listen on port 
33333.  It would have to be SCCP aware to do that.  It would have to be 
SCCP aware to rewrite that to any other port number.

So the audio via RTP/UDP/IP is back to the "outside" interface of 
homerouter, but how does it get through to phone1?

/Wes


On Thursday, May 07, 2009 10:47:36 AM, Jason Burns 
<burns.jason at gmail.com> wrote:
> Ryan,
>
> Even though the IP Phone would be embedding its own private IP 
> address inside of SCCP ORCAck messages, the ASA Phone Proxy feature 
> would know the message was really sourced from the public IP. The 
> Phone Proxy would handle that, so that the Linksys doesn't have to 
> worry about SCCP fixup.
>
> One important caveat is that with PAT, not all home routers support a 
> TFTP Client connection like the phone tries to do to the ASA Phone Proxy.
>
> TFTP is destined to UDP port 69 for the initial Read Request, then a 
> new connection on an ephemeral port is negotiated, and not all home 
> routers know to look for this to open the new UDP Port.
>
> If you run into TFTP problems you will have to configure the IP 
> Phone's IP to be in the DMZ so that all ports get forwarded to the IP 
> Phone.
>
> So, the short answer is that just about any home router should work 
> with the ASA Phone Proxy. Provided you're on the very latest ASA code 
> (as PhoneProxy is still a very new product).
>
> On Thu, May 7, 2009 at 10:29 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>
>     Your Linksys router is going to be doing NAT/PAT and I'm pretty
>     confident they don't support SCCP fixup.  You will need the phone
>     to either be in the DMZ or have a vpn tunnel behind the Linksys.
>
>     -Ryan
>
>
>     On May 7, 2009, at 10:12 AM, Miller, Steve wrote:
>
>     Yes. I am just trying to make sure that there is nothing other
>     than generic router (Linksys or whatever someone would normally
>     have in their home) and the phone which are necessary to work with
>     the ASA55XX back at the network site.  We have been using
>     VPN3002 boxes which are expensive and sometimes problematic to set
>     up/program. Thank you for your feedback!
>
>     Steve Miller
>     Telecom Engineer
>     Dickstein Shapiro LLP
>     1825 Eye Street NW | Washington, DC 20006
>     Tel (202) 420-3370| Fax (202) 330-5607
>     MillerS at dicksteinshapiro.com
>
>
>
>     From: Matthew Loraditch [mailto:MLoraditch at heliontechnologies.com]
>     Sent: Thursday, May 07, 2009 10:08 AM
>     To: Miller, Steve; Cisco VOIP
>     Subject: RE: Deploying 7961 Phones Remotely with ASA5500?
>
>     What do you mean by necessary? If you can get your Linksys to
>     setup a vpn tunnel then yes
>
>
>
>
>
>     Matthew Loraditch
>     1965 Greenspring Drive
>
>     Timonium, MD 21093
>     support at heliontechnologies.com
>     (p) (410) 252-8830
>     (F) (443) 541-1593
>
>     Visit us at www.heliontechnologies.com
>     Support Issue? Email support at heliontechnologies.com for fast assistance!
>
>
>
>     From: Miller, Steve [mailto:MillerS at DicksteinShapiro.COM]
>     Sent: Thursday, May 07, 2009 10:05 AM
>     To: Matthew Loraditch
>     Subject: Re: Deploying 7961 Phones Remotely with ASA5500?
>
>
>
>     Thanks. Only the phone is necessary, correct?
>
>
>     Steve Miller
>
>     From: Matthew Loraditch
>     To: Miller, Steve; Cisco VOIP
>     Sent: Thu May 07 09:45:41 2009
>     Subject: RE: Deploying 7961 Phones Remotely with ASA5500?
>
>     Only the hardware needed to establish connectivity back to the
>     cluster (VPN or direct via a t-1 or other circuit), and provide
>     power for the phone.
>
>     You could use an ASA5505 and that does poe and the vpn tunnel all
>     in one
>
>
>
>
>
>     Matthew Loraditch
>
>
>
>     From: cisco-voip-bounces at puck.nether.net
>     [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Miller, Steve
>     Sent: Thursday, May 07, 2009 9:34 AM
>     To: Cisco VOIP
>     Subject: [cisco-voip] Deploying 7961 Phones Remotely with ASA5500?
>
>
>
>     Simple question:
>
>
>
>     What hardware is required (if any) at the remote location to allow
>     a Cisco phone to work?  My understanding was that hardware was
>     unnecessary....that the phone could just hang off a regular
>     Linksys router at a person's home. Please advise.  Thank you!
>
>
>
>     Steve Miller
>
>
>
>     -------------------------------------------------------- This
>     e-mail message and any attached files are confidential and are
>     intended solely for the use of the addressee(s) named above. This
>     communication may contain material protected by attorney-client,
>     work product, or other privileges. If you are not the intended
>     recipient or person responsible for delivering this confidential
>     communication to the intended recipient, you have received this
>     communication in error, and any review, use, dissemination,
>     forwarding, printing, copying, or other distribution of this
>     e-mail message and any attached files is strictly prohibited.
>     Dickstein Shapiro reserves the right to monitor any communication
>     that is created, received, or sent on its network. If you have
>     received this confidential communication in error, please notify
>     the sender immediately by reply e-mail message and permanently
>     delete the original message. To reply to our email administrator
>     directly, send an email to postmaster at dicksteinshapiro.com
>     <mailto:postmaster at dicksteinshapiro.com> Dickstein Shapiro LLP
>     http://www.DicksteinShapiro.com <http://www.DicksteinShapiro.com>
>     ==============================================================================
>
>     _______________________________________________
>     cisco-voip mailing list
>     cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
>     https://puck.nether.net/mailman/listinfo/cisco-voip
>
>   
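
Added example, not part of the original thread: a toy model of the home router's PAT table covering the two cases discussed above, the RTP audio sent to the port advertised in the ORCAck and the TFTP data that arrives from a new server port. The ASA address 192.0.2.10, every port number other than 33333, 69 and the SCCP default 2000, and the router's source-port preservation and port-restricted filtering are assumptions; it does not model the ASA Phone Proxy.

```python
# Added illustration, not from the thread: a toy PAT table for "homerouter".
# From the thread: 10.10.11.2 (phone1), UDP 33333 (offered RTP port), UDP 69 (TFTP).
# Constructed/assumed: ASA address 192.0.2.10, all other port numbers (SCCP on
# TCP 2000 is the protocol default), source-port preservation, and
# port-restricted filtering. Real home routers vary.
PHONE1, ASA = "10.10.11.2", "192.0.2.10"


class HomeRouter:
    def __init__(self, dmz_host=None):
        self.dmz_host = dmz_host
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Record a mapping for an inside->outside packet; return the public port."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        pub = src_port                      # try to preserve the source port
        while self.table.get((proto, pub), flow) != flow:
            pub += 1                        # taken by another flow, try the next one
        self.table[(proto, pub)] = flow
        return pub

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the inside (ip, port) the packet reaches, or None if dropped."""
        flow = self.table.get((proto, dst_port))
        if flow and flow[2:] == (src_ip, src_port):
            return flow[:2]                 # reply on a flow the phone opened
        if self.dmz_host:
            return (self.dmz_host, dst_port)  # DMZ host receives everything else
        return None                         # no mapping: the router discards it


def run(dmz_host=None):
    r = HomeRouter(dmz_host)
    sccp = r.outbound("tcp", PHONE1, 51000, ASA, 2000)  # SCCP signalling to the ASA
    tftp = r.outbound("udp", PHONE1, 52000, ASA, 69)    # TFTP read request
    return {
        # Reply on the signalling connection matches its mapping.
        "sccp_reply": r.inbound("tcp", ASA, 2000, sccp),
        # Audio aimed at the port named in the ORCAck: the router never saw that port.
        "rtp_to_33333": r.inbound("udp", ASA, 20000, 33333),
        # TFTP data comes from a new server port, not 69, so the mapping does not match.
        "tftp_data": r.inbound("udp", ASA, 49152, tftp),
    }


if __name__ == "__main__":
    for label, dmz in (("plain PAT", None), ("phone1 as DMZ host", PHONE1)):
        print(label, run(dmz))
```

With plain PAT only the SCCP reply is delivered; with phone1 configured as the DMZ host, the RTP and TFTP packets are forwarded to it as well.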
