Bob Dobb wrote:
My home office is growing as my wife moves from the office to the home. Her work requires her to have an 831 to which is attached a 7960 IP phone.

Currently, my network just has a cheap intel box with OpenBSD doing nat/firewall. My question is how do I make the openbsd nat/firewall box disappear in front of the 831, so that her 7960 can configure appropriately and her work doesn't get all uptight that she is not connecting it the way they suggest.

I guess the alternative is that I move the openbsd box and all of my computers behind the 831, but I have been running OpenBSD for 5-6 years with no problems (for her or me).

I currently have the 831 plugged into a switch via a regular port on the 831 (port 1-4) rather than the ethernet/internet (e1) port, which may be my biggest problem. Of course I can plug other boxes into the 831 in this configuration and connect to the internet through the OpenBSD nat box no problems. Since I am not familiar with the Cisco hardware, maybe someone who has done the same thing can point me in the correct direction (i.e. do I have to drill holes through my firewall for the 7960 to work).

Thanks.


Just a bit more to help you out, as I left out the possible music on hold, for example, that your wife's company may also provide.

This is usually also a different port range at the source, but it is also dictated by the configuration, and the destination to your phone will be the same range as the voice RTP stream; it also usually comes from a different server for the music stream. So, you can make a special rule for that if you wish, and you may also need to identify this if you want to get it. That would only affect you on the incoming side: if you put someone on hold, the stream is not coming from your side, obviously, and your phone doesn't interact with this in any way.

So, you may simply not do it if you want, or fully implement it, your choice.

Anyway a simplistic configuration would be like this for SIP if:
- UDP range in use is 32000 to 32031 as an example.
- SBC master 1.2.3.4
- SBC backup if any 1.2.3.5
- SBC third party if any w.x.y.z (then add it below)
- TFTP in use 1.2.3.10 (here I assume it's with HI port starting at 45000, but most likely it will not be, so adjust for the proper range you see fit)
- phone 2.3.4.5

permit udp any host 2.3.4.5 range 32000 32031
permit udp host 1.2.3.4 host 2.3.4.5 eq 5060
permit udp host 1.2.3.5 host 2.3.4.5 eq 5060
permit udp host 1.2.3.10 gt 45000 host 2.3.4.5 range 32000 32031 (not really needed, but in case you want to be more restrictive)

Now, here the range for the host is from any source; that's only in case you have multiple sources and, as you might imagine, if your company provides you this IP phone, then most likely they do the same for others.

So, you can't block that port range to a specific source, as if you do, then you will have a one-way conversation if you connect to another person from the office working from home as well whose IP you do not know. So obviously, you need to allow for that.

In short, you want the UDP RTP stream to be as small as you need it, and the important part is to protect the control port UDP/5060 and the TFTP as well for the configuration of the phone. These two should only come from fixed sources ONLY and ALWAYS!

Best,

Daniel
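The same policy written as an OpenBSD pf.conf for the original poster's nat/firewall box, as an added example that is not from either message: the public addresses and UDP range are Daniel's placeholders, while the interface names and the phone's private LAN address (reached through the existing NAT) are assumptions.

```pf
# Added example: pf.conf equivalent of the Cisco ACL above.
# Assumed: fxp0 is the internet side, fxp1 the LAN, and the 7960 sits
# on the LAN at a private address behind the existing NAT.
ext_if = "fxp0"
int_if = "fxp1"
phone  = "10.0.0.5"              # 7960's private LAN address (assumed)
sbc    = "{ 1.2.3.4, 1.2.3.5 }"  # SBC master and backup from the post
tftp   = "1.2.3.10"              # configuration (TFTP) server
rtp    = "32000:32031"           # UDP media range in use

set skip on lo

# Outbound NAT for the whole LAN, as the box already does today.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Default deny; pf evaluates last matching rule, so the passes below win.
block all

# RTP media: allowed from ANY source, because other remote workers'
# phones send media directly and their addresses are not known up front.
pass in on $ext_if proto udp from any to ($ext_if) port $rtp rdr-to $phone

# SIP control (UDP/5060): only from the fixed SBC addresses, never "any".
pass in on $ext_if proto udp from $sbc to ($ext_if) port 5060 rdr-to $phone

# Optional, mirrors the "not really needed" ACL line: TFTP server answering
# from a high source port (45000 is Daniel's assumed range) into the media range.
pass in on $ext_if proto udp from $tftp port > 45000 to ($ext_if) port $rtp \
    rdr-to $phone

# LAN machines and the phone may initiate anything outbound; replies are
# matched by state, so SIP registration and config fetches work normally.
pass in on $int_if from $int_if:network to any
pass out on $ext_if from ($ext_if) to any
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the two inbound rules for 5060 and TFTP are the ones to keep pinned to fixed sources.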
