sundance-communications.com/forum Forums VOIP Phones & IP PBX VoIP & Cloud Phones, Hosted PBX, General IP Phones I will Pay Money!!!

I have a NEC IPK II system, I haven't had time to get anyone in school for certification yet. We installed some IP phones on it and they work great inside the office on the LAN. When we try to get them to work outside the firewall, we can't get them to connect.

The Firewall is a Netgear Prosafe VPN FVS318
We have mapped port 49150 to the LAN address of 192.168.0.220 which is the address of the MGC.
Created a service called VoIP, TCP/UDP and opened ports 49150-49158 for it. Created a port that maps the service to the port of the MGC.

I set the IP phone to look for the Media Gateway at the public IP address of the firewall.

I have tried DHCP on the phone and a Static public IP, neither will work.

I have spent several hours reading thru all of the post and haven't found a clear answer.

There are VLAN, DRS and CDP settings that I can't find any information on.

Help and I will pay!!!

Thanks,

Mike

It could be a problem with the MGC not Routing back out of the Internal Network over the Internet back to the outside user and on to their internal network.

I'd Start Troubleshooting by giving my MGC a Public IP address and putting it outside the Firewall and see if the problem is still there. Could be at the far end if it still fails.

Also does the phone have a public or private IP address?

There are some applications that port forwarding will not work properly, I have seen problems with security systems.

When NAT is being used it rewrites the source/destination information in the header of the packet, if the phone system has IP information in the payload of the packet, it will not be rewritten, so the destination does not have the proper IP information. If the phone system is trying to send host information to the client phone it will most likely put that information in the payload, so the phone thinks it has to talk to the host on its non-routable IP the 192.168.0.220.

One option you have is to set up VPN endpoint routers on either side of your link, and tie the sites togerhet with a VPN so the devices think they are on the same local segment and the phone can contact the switch on its local IP (192.168.0.220)

I have really good luck with the simple Linksys VPN endpoint, I think they retail for about $80 each. You tell one router the IP information for the other and vice versa, and they establish a tunnel between each other.

I have a diagram of the setup I have used with IP addresses, here is a link to it

https://www.securitycomm.us/mtephraimschools.jpg

Thanks for the response guys, I tried to assign an external IP to both the phone and the MGC and still couldn't connect.
I think I will try the VPN option with a router. Also, I know that if I take my laptop to a customer site, I can click the remote connection icon and connect directly back to my office which I would think is like a VPN tunnel. I will see if this works also.

Thanks again,

Mike

If NAT is an issue you build a LAN-TO-LAN tunnel or use what is called network extension mode. This mode does not NAT it pushes out a VPN client config to the remote side. You just have to add a couple of static routes on the router side.

Ok with this card you need to upgrade the firmware to allow it to NAT.

My firmware version on my card is:


Firmware Version: 3.00
Card Type: ESI
Service Pack: 2

Following this upgrade log in to the WEBUI for the card, click the "card" tab and you will now see a textbox labeled "Firewall IP Address" place the PUBLIC IP address you are natting here. Other than that you should be set.

PS:

I don't have much experience with Netgear routers, but it sounds like you only forwarded the 49150 port and just opened the rest. Try forwarding the entire 49150-49158 range to 192.168.0.220. Also, just to be perfectly clear, you do have your MGC set as a static IP (x.220 in your case) correct? If this server is getting it's IP from DHCP, you'll run into problems when it gets handed a new IP.

You might also try (only for testing purposes) to place your MGC in the DMZ. This will leave it sectioned off from the rest of your internal network, but will leave all communication ports open, so you should be able to connect without a problem over the Internet. If everything works with the server in the DMZ, then you have at least eliminate many issues that are NOT causing the problem. ;-)

Silly as it might seem, there might also be a setting in your router to ignore external WAN requests. This obviously needs to be disabled. It's an easy thing to overlook because it seems silly that you would forward a port and then expect to have to make ANOTHER setting change for the port to actually BE forwarded, but this is the case with many different brands.

Also, is your Internet connection using a static IP? It needs to be.

Some NAT implementations can cause all sorts of strange issues with VOIP. You may need to put your MGC box on it's own public IP, assuming you can with your current connection. You'll need to contact your ISP if you don't know your assigned range as just choosing a random one won't work. Also, I don't know if your current router is capable of routing multiple public IP's. Don't worry if it doesn't. There are simple ways to deal with that, but I won't go into that until it's determined to be an issue for you.

First, I'd say try throwing the box in the DMZ and see if you can connect from the outside at that point.

Does NEC support NAT far and near end? I was under the impression that they did not support it. I know the 2000 and 2400 don't.

Chris..welcome to the board. Please try to start new threads instead of tagging on to 3 month old posts. Thanks.

Sorry about that stud, didn't know that was taboo here. Wont happen again.