atcomsystems.ca/forum
Posted By: mboy Anyone have IP UGW behind firewall? - 09/04/08 11:05 AM
What needs to be done to get this to work behind a firewall?

I am being told that I need to forward one public address for signaling (and enter that into the phone for CA) - port 2427.

Then forward another public IP to the internal IP for media, with ports 16400-16499, and then it should work.

I even went so far as creating 1-to-1 NAT with each IP going to its corresponding internal IP and allowed ALL ports.

I have the Public IP for signaling in CA1.

I have been able to get the signaling, but no voice over the phone.


Anyone make this work successfully with a REAL internal firewall on the office side (not a little Linksys NAT box)?
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 09/04/08 12:22 PM
You are supposed to either have a VPN setup or a Coral Sentinel. That being the case, I have had it working in situations you described. You have to remember that the public IP of the remote station has to be unique to all connected. You never forward anything to the media gateway card. It's always to the UGW, and it's UDP. Easiest way to see if your firewall is hosing it up is putting the UGW in front of it (prob need another pub IP to test it this way). I would have no problems exposing the UGW as it's not a Windows device and can't be hacked. Trust me, it's gonna be your firewall screwing things up if nothing is being blocked by your provider. Just check your IP setting on the UGW card to make sure it's looking back at the gateway (router).

Also:

Make sure that the firewall sends ports 16400 thru 16992 (UDP) to the gateway.
Posted By: Riman Re: Anyone have IP UGW behind firewall? - 09/04/08 02:47 PM
If you are setting up the FW, open ports 2427 & 5060 for signaling,
and for media, to be on the safe side, open 16400 to 17680.
Posted By: mboy Re: Anyone have IP UGW behind firewall? - 09/05/08 05:36 AM
Thanks. I may just throw it in front of the firewall and be done with it.

BTW, even with VPN it did not work (from my house to the office). I have hardware-to-hardware VPN, but the setup will just be a few phones scattered throughout the country connecting remotely to the central office, no VPN.
Posted By: Dustin Owens Re: Anyone have IP UGW behind firewall? - 09/05/08 06:15 AM
You might also check the far end where the IP Phone sits if it is behind a firewall it might be blocking traffic coming back from the UGW.
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 09/05/08 06:19 AM
Yep, definitely firewall issues if you had a VPN and it didn't work. Ya, Dustin is right, the far end has to be open as well. Good way to really nail it down is with Wireshark.
Posted By: DigiPhoneMan Re: Anyone have IP UGW behind firewall? - 09/05/08 11:32 AM
I have to agree with Coral Tech in saying that it is probably being blocked by the firewall. If you get the phone going, 2427 is set up correctly. What you are missing is the media gateway to make the conversion from IP to TDM. You need to open UDP ports 16400 through 16490. When that is completed you should have voice in both directions.
Posted By: reataylor Re: Anyone have IP UGW behind firewall? - 09/05/08 07:27 PM
16992,16940,17680 ?

What is the top end?

I have a customer that is looking at hooking up a couple of T208s outside without a Sentinel and I want to make sure IT gets it right.
Posted By: Riman Re: Anyone have IP UGW behind firewall? - 09/06/08 09:54 PM
Base RTP port + (MAX calls per MGW * 10) =

16400 + (128 *10) = 16400 + 1280 = 17680

Not every installation without Sentinel will work even if you will open all ports.
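Riman's arithmetic above, worked as an added Python example (mine, not code from the thread or from Tadiran): it computes the media range and emits firewall rules for the two-address layout the thread describes, one public address for MGCP signalling on UDP 2427 and another for RTP media. The iptables-style output, the function names and the documentation addresses 203.0.113.10/11 are my assumptions; the port numbers are the ones posted.

```python
"""Added example of Riman's port-range rule for a Tadiran UGW facing the Internet.
Not code from the forum thread or from Tadiran; the iptables-style output and the
RFC 5737 documentation addresses 203.0.113.10/11 used below are assumptions."""
from __future__ import annotations

import ipaddress

MGCP_SIGNALLING_PORT = 2427   # UDP, as posted in the thread
RTP_BASE_PORT = 16400         # base RTP port, as posted
PORTS_PER_CALL = 10           # Riman: base + (max calls per MGW * 10)


def rtp_port_range(base: int = RTP_BASE_PORT, max_calls: int = 128) -> tuple[int, int]:
    """Return (lowest, highest) UDP port to open for media."""
    if not 1024 <= base <= 65535 or max_calls <= 0:
        raise ValueError("base must be a non-privileged port and max_calls > 0")
    top = base + max_calls * PORTS_PER_CALL
    if top > 65535:
        raise ValueError("computed range runs past the 16-bit port space")
    return base, top


def covers(port: int, max_calls: int = 128) -> bool:
    """True if a UDP destination port falls inside the media range."""
    low, high = rtp_port_range(RTP_BASE_PORT, max_calls)
    return low <= port <= high


def firewall_rules(signalling_ip: str, media_ip: str, max_calls: int = 128) -> list[str]:
    """iptables-style rules for the two-address layout described in the thread:
    one public address takes MGCP signalling, the other takes RTP media, and
    anything else aimed at either address is dropped.  SIP 5060 from Riman's
    post is deliberately not included here."""
    sig = ipaddress.ip_address(signalling_ip)      # raises on a malformed address
    media = ipaddress.ip_address(media_ip)
    low, high = rtp_port_range(RTP_BASE_PORT, max_calls)
    return [
        f"-A FORWARD -p udp -d {sig} --dport {MGCP_SIGNALLING_PORT} -j ACCEPT",
        f"-A FORWARD -p udp -d {media} --dport {low}:{high} -j ACCEPT",
        f"-A FORWARD -d {sig} -j DROP",
        f"-A FORWARD -d {media} -j DROP",
    ]


if __name__ == "__main__":
    print(rtp_port_range(16400, 128))   # Riman's worked numbers: (16400, 17680)
    for rule in firewall_rules("203.0.113.10", "203.0.113.11"):
        print(rule)
```

Run it with your own maximum call count; a smaller licence gives a smaller range, and a range that spills past 65535 raises instead of silently producing a rule that opens nothing.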
Posted By: APLV_IT Re: Anyone have IP UGW behind firewall? - 09/30/08 09:55 AM
I am having a similar issue here.
We initially tried putting the UGW behind our SSG20 firewall, with all necessary ports open, and were only getting sync, but no voice.

I currently have the UGW outside of our firewall (on an unmanaged switch between our cable and our firewall) and am still getting no voice traffic. The phones will see the CA and sync up, even place a call, however there is no voice traffic.

I know the hardware itself works, because when I set it up inside our network, I get voice no problem.

So, I currently have the UGW facing the outside world, with the sync and the media having 2 different public IPs, and still no voice.

I'm basically stumped, any suggestions to try?

Thanks in advance!
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 09/30/08 10:28 AM
Get wireshark and see if the problem is the remote end or your end blocking UDP ports.
Posted By: APLV_IT Re: Anyone have IP UGW behind firewall? - 09/30/08 12:25 PM
Well I've run wireshark on a laptop that is directly connected to the switch that also has the UGW on it. Should I be looking somewhere else?

The only traffic I see on wireshark is the initial address resolution request (the ARP) when the phone first initializes.

Here's the weird thing:
-When I plug one of the phones into the same switch as the UGW I get sync and voice no problem.
-When I test a phone that is inside our network (and behind our router/firewall) I get sync but no voice.
-When I have a Tadiran technician set one of his phones to use my CA (outside of our firewall), he also gets sync but no voice.

I have contacted our provider (Cox Cable) and they insist that they do not block any ports.

Still stumped.
Posted By: TadiranTechTexas Re: Anyone have IP UGW behind firewall?
turn Diffserv off on your UGW.
Posted By: APLV_IT Re: Anyone have IP UGW behind firewall? - 09/30/08 12:56 PM
Quote
Originally posted by TadiranTechTexas:
turn Diffserv off on your UGW.
on both signaling and the media?
Posted By: APLV_IT Re: Anyone have IP UGW behind firewall? - 09/30/08 01:21 PM
Quote
Originally posted by Coral Tech:
Get wireshark and see if the problem is the remote end or your end blocking UDP ports.
OK, while I cannot see any traffic from any phone, I ran Wireshark while making a call with a softphone on the same PC. I was able to see all of the traffic with that, but not any traffic from another softphone on a different PC.
yes... Sometimes the provider (Comcast) doesn't have this turned on and it will stop the DiffServ packets from getting through.
Posted By: adrianw Re: Anyone have IP UGW behind firewall? - 10/01/08 07:24 PM
Had this issue when I first got the UGW; figured I could NAT to public so I could use it inside and outside. Gave phones 192 address space as well as Sig/Media, then NAT'd to public; didn't work - always one-way conversation. Used PIX/Checkpoint, still did not work properly. End result: put it in front of the FW, however I have ACLs on the L3 switch ports which restrict the only ports allowed to connect to it. For internal users I had to go with a 2nd card.

There is however an "outside the box" workaround: on your router set up an ACL (sorry, only familiar with Cisco on routers/switches) denying bad IP addresses (porn sites or any other destinations that are denied/restricted).

On the switch, assign the IP phones those "bad" IP addresses. Use sticky MAC with one address, then shutdown if someone tries to set up a computer to bypass company policies (make sure the router/switch does not hand out DHCP).

example your UGW has 2 public IP's
1.2.3.4 Signal
5.6.7.8 Media

IP phones 100.100.100.1
100.100.100.2

and so forth (don't use those; they are just examples, they belong to ARIN).
Posted By: mboy Re: Anyone have IP UGW behind firewall? - 10/20/08 06:42 AM
I just wound up putting it in front of the FW and manually assigned some public IPs to the phones I have out in the wild.
Posted By: BillFlippen Re: Anyone have IP UGW behind firewall? - 10/22/08 09:31 AM
Wireshark reminder. You either need a managed switch on which you can do port mirroring in order to see the traffic, or you need an old-fashioned HUB. A switch will NOT allow directed traffic to be seen on another port. You will only see broadcast traffic such as ARP.
Posted By: dendiko Re: Anyone have IP UGW behind firewall? - 03/28/12 01:26 PM
Currently I'm trying to add a T209 MGCP (set up with a public IP, no firewall) from external, and I had been reading all this discussion but still no luck for me.
My IPXOffice is installed behind a Checkpoint firewall (no Sentinel) with 192.168.10.200 for signaling and 192.168.10.201 for media. The signaling is working but not the voice.

From Wireshark I saw the signaling go through the public IP and get forwarded to 192.168.10.200 port 2427, but the voice is trying to reach internal IP 192.168.10.200 16400 (RTP G729) instead of the public IP. Is this normal? Or did I do a wrong setting on the UGW?
I use port mirroring to tap the T209M activity

Is anybody able to weigh in on this discussion?

Thanks a lot
Dendiko
Posted By: adrianw Re: Anyone have IP UGW behind firewall? - 04/01/12 11:19 AM
dendiko - there could be several factors in play. Your ISP: do they impose any restrictions on VoIP (for example disallow certain port numbers)? We use Verizon FIOS at one of our sites and they prevent VoIP ports from working. The problem you are seeing on the FW is the same thing we saw on the router using NAT and the CPs: it all appears to be working according to the policy and rules, however no communication. Not all applications can use NAT effectively. What we ended up doing is placing the Tadiran UGW/PUGW cards in front of the FWs, so we have an aggregation switch where everything is parallel, plug a router into one of the ports and build crypto maps, and the remote users have a low-end Cisco router like an 8XX model. This works fine. Via ACLs, if implemented correctly, your router won't even show up in a scan, so your PBX and equipment will be fine. Also it keeps voice/data separate at the point of entry to your network, and the tunnels meet any compliance issues an auditor can think up.
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 04/04/12 08:06 AM
Without the sentinel you will need either a VPN or the UGW (CUGW or PUGW) on 2 public IP addresses. One for the media gateway the other for the signalling. I have never found a way around this the way you are trying to do it. Also, if you DO put the UGW on the public side only ONE phone will work from another Public IP. If you try and use 2 phones on that remote public IP they will not work. If you have remote phones (etc) nothing beats the sentinel.
Posted By: dendiko Re: Anyone have IP UGW behind firewall? - 04/20/12 08:01 AM
Hi Adrian and Coral Tech, thanks for the advice. It looks like using 2 IPs for the signal and media on the IPXOffice system is the main problem for the firewall to figure out, and it seems Sentinel is the ultimate solution. This is different from something such as Asterisk, which uses only 1 IP.

Before giving up on this, I will do one more shot to put the UGW outside using 2 public IPs. How do I set the UGW with public IPs? The current settings for the signaling and media IP addr, netmask and gateway are set for internal IPs (192.168.10.200 and 192.168.10.201), and for the Global IP I don't see settings for netmask and gateway.
If I change the current internal IP to public, then how do I set the internal IP netmask and gateway? Do I need to use Global IP for the internal?
Is the UGW LAN port the one located in the front?

Can a STUN server or SIP proxy be used to replace the Sentinel? Sentinel is still too expensive.

Thanks
Dendiko
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 04/20/12 08:53 AM
Are you using this card for internal IP phones? If so, you are going to lose those phones doing this, FYI. All the setup info for your CUGW card is done via the PI on a terminal via telnet or serial connection. You MUST be careful doing this if you are using a SIP SeaMail, and I suggest you get a certified Tadiran tech in to do this.
Posted By: dendiko Re: Anyone have IP UGW behind firewall? - 04/20/12 10:13 AM
I am using IPXOffice. The phone vendor (certified Tadiran tech) set it that way: the UGW IP was set using my internal private network and the Global was set to another private IP that wasn't my network.
Is that the standard way to set it up?
I'll not do it then if you think it will ruin the setup. By the way, I use HyperTerminal with a TCP port to use the PI.
What about a STUN/SIP proxy, does this help?

thanks
Dendiko
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 04/20/12 05:16 PM
Are you using a SeaMail SIP voicemail, and are you using SIP/MGCP VoIP phones internally? You are attempting to do something from a routing standpoint that I do not think is possible with NAT translation. Signalling and voice are TWO different things. Signalling is done via TCP/IP stacks and the actual media is all UDP. This is actually more typical than you think. The problem is the way you are thinking through this. The actual call control is done on the signalling port, BUT the phone MUST be able to communicate freely via an addressable IP to the remote phone on the media side that controls the tear-down and set-up of the voice channels on the media gateway. FYI, I have 2 customers now that went Asterisk and Avaya and are crying for their Tadiran to be put back in because of the Sentinel capabilities and ease of use for remote phones, and the reliability and call quality.

I actually have a 30 channel sentinel in my house on my old Coral SL that works flawlessly. It wasn't that expensive.
Posted By: dendiko Re: Anyone have IP UGW behind firewall? - 05/10/12 07:51 AM
Hi Coral Tech,
I'm sorry, it's been a while since I checked.
Your ultimate solution looks much better, and Sentinel is the only way for those outside clients.
How expensive is your Sentinel? Can you send me that in private? Do you think it is doable for me to install with your guidance?

Thanks for your help
Posted By: Coral Tech Re: Anyone have IP UGW behind firewall? - 05/10/12 10:26 AM
You will need a certified Tadiran dealer to help you locally I am afraid. If you are version 16 you want to be on a sentinel PRO for sure as it supports SIP. Pricing is never discussed on the forum as per guidelines. You will definitely want a tech on site helping you through this.
© Sundance Business VOIP Telephone Help