[cisco-voip] Deploying 7961 Phones Remotely with ASA5500?

Craig Staffin craig at staffin.org
Thu May 7 15:25:02 EDT 2009


Wes,

The way the phone proxy works is by putting the phone into secure mode.  So
it actually sets up a TLS tunnel between itself and the ASA.  Since it is a
TLS tunnel that all routers understand it will open up the incoming ports to
it.  At least this is how I have seen it work and that's what documentation
states.

Craig

On Thu, May 7, 2009 at 1:55 PM, Wes Sisk <wsisk at cisco.com> wrote:

>  Hmm, I'm going to need a little more convincing on this one.
>
> phone1----------homerouter-----------ASA--(typical enterprise with
> cm)--phone2
> 10.10.11.2   10.10.11.1 10.10.10.76
> *homerouter doubles as a firewall as is common
>
> In the ORCAck that leaves phone1 offers to receive audio on 10.10.11.2 port
> 33333.
> homerouter is blissfully unaware of SCCP so passes the IP datagram along
> after rewriting IP headers for the 10.10.10.76 network
> this gets through ASA with any translation it does, then on to CM, then on
> to phone2.
>
> phone2 begins to transmit audio.  Audio goes to the IP:Port fixed up by
> ASA.  ASA rewrites IP and UDP and passes along back toward home router.
>
> Now comes the challenge.  homerouter never knew it should listen on port
> 33333.  It would have to be SCCP aware to do that.  It would have to be SCCP
> aware to rewrite that to any other port number.
>
> So the audio via RTP/UDP/IP is back to the "outside" interface of
> homerouter, but how does it get through to phone1?
>
> /Wes
>
>
> On Thursday, May 07, 2009 10:47:36 AM, Jason Burns <burns.jason at gmail.com> wrote:
>
> Ryan,
>
> Even though the IP Phone would be embedding its own private IP address
> inside of SCCP ORCAck messages, the ASA Phone Proxy feature would know the
> message was really sourced from the public IP. The Phone Proxy would handle
> that, so that the Linksys doesn't have to worry about SCCP fixup.
>
> One important caveat is that with PAT, not all home routers support a TFTP
> Client connection like the phone tries to do to the ASA Phone Proxy.
>
> TFTP is destined to UDP port 69 for the initial Read Request, then a new
> connection on an ephemeral port is negotiated, and not all home routers know
> to look for this to open the new UDP Port.
>
> If you run into TFTP problems you will have to configure the IP Phone's IP
> to be in the DMZ so that all ports get forwarded to the IP Phone.
>
> So, the short answer is that just about any home router should work with
> the ASA Phone Proxy. Provided you're on the very latest ASA code (as
> PhoneProxy is still a very new product).
>
> On Thu, May 7, 2009 at 10:29 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>
>> Your Linksys router is going to be doing NAT/PAT and I'm pretty confident
>> they don't support SCCP fixup.  You will need the phone to either be in the
>> DMZ or have a vpn tunnel behind the Linksys.
>>
>> -Ryan
>>
>> On May 7, 2009, at 10:12 AM, Miller, Steve wrote:
>>
>> Yes. I am just trying to make sure that there is nothing other than
>> generic router (Linksys or whatever someone would normally have in their
>> home) and the phone which are necessary to work with the ASA55XX back at
>> the network site.  We have been using VPN3002 boxes which are expensive and
>> sometimes problematic to set up/program. Thank you for your feedback!
>>
>> Steve Miller
>> Telecom Engineer
>> Dickstein Shapiro LLP
>> 1825 Eye Street NW | Washington, DC 20006
>> Tel (202) 420-3370| Fax (202) 330-5607
>> MillerS at dicksteinshapiro.com
>>
>>
>>
>> From: Matthew Loraditch [mailto:MLoraditch at heliontechnologies.com]
>> Sent: Thursday, May 07, 2009 10:08 AM
>> To: Miller, Steve; Cisco VOIP
>> Subject: RE: Deploying 7961 Phones Remotely with ASA5500?
>>
>> What do you mean by necessary? If you can get your Linksys to set up a VPN
>> tunnel then yes
>>
>>
>>
>>
>>
>> Matthew Loraditch
>> 1965 Greenspring Drive
>>
>> Timonium, MD 21093
>> support at heliontechnologies.com
>> (p) (410) 252-8830
>> (F) (443) 541-1593
>>
>> Visit us at www.heliontechnologies.com
>> Support Issue? Email support at heliontechnologies.com for fast assistance!
>>
>>
>>
>> From: Miller, Steve [mailto:MillerS at DicksteinShapiro.COM]
>> Sent: Thursday, May 07, 2009 10:05 AM
>> To: Matthew Loraditch
>> Subject: Re: Deploying 7961 Phones Remotely with ASA5500?
>>
>>
>>
>> Thanks. Only the phone is necessary, correct?
>>
>>
>> Steve Miller
>> Telecom Engineer
>> Dickstein Shapiro LLP
>> 1825 Eye Street NW
>> Washington, DC 20006
>> Tel (202) 420-3370
>> Fax (202)-330-5607
>> millers at dicksteinshapiro.com
>>
>> From: Matthew Loraditch
>> To: Miller, Steve; Cisco VOIP
>> Sent: Thu May 07 09:45:41 2009
>> Subject: RE: Deploying 7961 Phones Remotely with ASA5500?
>>
>> Only the hardware needed to establish connectivity back to the cluster
>> (VPN or direct via a t-1 or other circuit), and provide power for the phone.
>>
>> You could use an ASA5505 and that does poe and the vpn tunnel all in one
>>
>>
>>
>>
>>
>> Matthew Loraditch
>> 1965 Greenspring Drive
>>
>> Timonium, MD 21093
>> support at heliontechnologies.com
>> (p) (410) 252-8830
>> (F) (443) 541-1593
>>
>> Visit us at www.heliontechnologies.com
>> Support Issue? Email support at heliontechnologies.com for fast assistance!
>>
>>
>>
>> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Miller, Steve
>> Sent: Thursday, May 07, 2009 9:34 AM
>> To: Cisco VOIP
>> Subject: [cisco-voip] Deploying 7961 Phones Remotely with ASA5500?
>>
>>
>>
>> Simple question:
>>
>>
>>
>> What hardware is required (if any) at the remote location to allow a Cisco
>> phone to work?  My understanding was that hardware was unnecessary....that
>> the phone could just hang off a regular Linksys router at a person's home.
>> Please advise.  Thank you!
>>
>>
>>
>> Steve Miller
>> Telecom Engineer
>> Dickstein Shapiro LLP
>> 1825 Eye Street NW | Washington, DC 20006
>> Tel (202) 420-3370| Fax (202) 330-5607
>> MillerS at dicksteinshapiro.com
>>
>>
>>
>>
>>  _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>
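
Added example (not part of the original thread, and not a model of the ASA Phone Proxy itself): a toy PAT table for a home router with no SCCP or TFTP awareness, showing the two pinhole questions raised above, namely inbound RTP to a port that was only named inside the signalling, and a TFTP reply that comes back from a different server port than the one the Read Request was sent to. The ASA address 192.0.2.1 and every port number other than 33333 and 69 are constructed.

```python
# Added example: toy home-router PAT table with no SCCP/TFTP awareness.
PHONE1, ROUTER_OUT = "10.10.11.2", "10.10.10.76"   # addresses from the thread
ASA = "192.0.2.1"                                   # constructed placeholder

class HomeRouterPAT:
    def __init__(self, public_ip, port_dependent=True):
        self.public_ip = public_ip
        self.port_dependent = port_dependent  # filter replies on remote port too
        self.by_inside = {}   # (proto, ip, port) -> public port
        self.by_public = {}   # (proto, public port) -> (inside endpoint, remotes)
        self.next_port = 40000

    def outbound(self, proto, src, dst):
        """Inside host sends: create the mapping if needed, record the remote."""
        key = (proto, *src)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(proto, self.next_port)] = (src, set())
            self.next_port += 1
        port = self.by_inside[key]
        self.by_public[(proto, port)][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, proto, src, dst_port):
        """Outside packet arrives: return the inside endpoint, or None if dropped."""
        entry = self.by_public.get((proto, dst_port))
        if entry is None:
            return None                       # nothing inside ever opened this port
        inside, remotes = entry
        seen = remotes if self.port_dependent else {ip for ip, _ in remotes}
        probe = src if self.port_dependent else src[0]
        return inside if probe in seen else None

def rtp_case():
    """Media sent to the signalled port vs. to a mapping the phone opened itself."""
    r = HomeRouterPAT(ROUTER_OUT)
    unsolicited = r.inbound("udp", (ASA, 20000), 33333)
    _, mapped = r.outbound("udp", (PHONE1, 33333), (ASA, 20000))
    return unsolicited, r.inbound("udp", (ASA, 20000), mapped)

def tftp_case(port_dependent):
    """RRQ goes to UDP 69; the server answers from a new ephemeral port."""
    r = HomeRouterPAT(ROUTER_OUT, port_dependent)
    _, mapped = r.outbound("udp", (PHONE1, 50001), (ASA, 69))
    return r.inbound("udp", (ASA, 51234), mapped)

if __name__ == "__main__":
    print(rtp_case())
    print(tftp_case(True), tftp_case(False))
```

A router that filters on the remote port drops the TFTP data packet; one that filters only on the remote address lets it through, which is why the TFTP symptom varies between home routers.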