[Asterisk-Users] RE: Cisco firewalls and softphones (Matthew Oulton)

Paul Davidson planac at gmail.com
Fri Oct 15 06:47:50 MST 2004


Speaking from personal experience using Cisco CallManager and Cisco
VPNs (not PIX, but Cisco VPNs hosted on routers with AIM cards), I can
say that this is possible, but it's not easy.

Essentially, the problem is not the VPN, it's NAT.  In the Cisco IP
Softphone client, there's a rather disturbing section where you enter
in your client's address: you can either have it pull the IP off the
card, or set one permanently, or have it connect via HTTP to return
the IP address.  The important part is that the IP address chosen here
must be the IP issued on the VPN, and *NOT* your current interface
address.  In other words, remove NAT entirely from the equation.

CallManager will accept the RTP stream from wherever it sees a valid
connection, but, as we're all familiar with issues with NAT, and SIP,
and H.323, Cisco CallManager follows the standard and replies back to
the IP that the client presents during call setup. Hence, if the
client presents a NATted address (from the CallManager's perspective),
it will send the backhaul RTP to that address, and you get one-way
audio.

Some softphones are better at dealing with this than others.  

Long live IAX2!

Paul Davidson
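
The check described in the post above, as an added example that is not part of the original message: it reads the media address a client presents during call setup and compares it with the VPN-assigned range. It assumes SIP/SDP as the signalling format; the SDP body, the address pool `10.8.0.0/24`, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed SDP offer from a softphone that advertises its LAN interface
# address instead of its VPN-assigned one (all addresses are made up).
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.168.1.50
s=call
c=IN IP4 192.168.1.50
t=0 0
m=audio 16384 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

def media_targets(sdp):
    """Return (media, ip, port) for each m= line: where the far end sends RTP."""
    session_ip, current, targets = None, None, []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("c="):
            ip = line.split()[-1].split("/")[0]   # drop any /ttl suffix
            if current is None:
                session_ip = ip                   # session-level default
            else:
                current[1] = ip                   # media-level override
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            current = [kind, session_ip, int(port.split("/")[0])]
            targets.append(current)
    return [tuple(t) for t in targets]

def check_advertised(sdp, vpn_pool, seen_src):
    """Compare advertised media addresses with the VPN pool and signalling source."""
    # vpn_pool: CIDR the VPN assigns from; seen_src: IP the call server saw.
    pool = ipaddress.ip_network(vpn_pool)
    findings = []
    for kind, ip, port in media_targets(sdp):
        if ip is None:
            verdict = "no-connection-line"
        elif ipaddress.ip_address(ip) not in pool:
            verdict = "not-vpn-address"           # return RTP is lost: one-way audio
        elif ip != seen_src:
            verdict = "differs-from-signalling-source"
        else:
            verdict = "ok"
        findings.append((kind, ip, port, verdict))
    return findings

if __name__ == "__main__":
    for finding in check_advertised(SAMPLE_SDP, "10.8.0.0/24", "10.8.0.23"):
        print(finding)
```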


