Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1327
Views
0
Helpful
4
Replies

registerinh IP Phone by NAT

Go to solution
luis_Borja
Level 1
Level 1

‎12-16-2014 07:35 AM - edited ‎03-17-2019 01:20 AM

is this posible???

 

a customer wants to register an IP communicator, but without VPN, and in their infraestructure there isn´t an express way.

their firewall is a third-party, in wireshark appears that there is comuniction between computer an CUCM, but ip communicator doesn´t registering.

 

a co-worker says to me, that this is not posible, because the voice payload contains aditional data that is not handled by NAT.

 

 

regards

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni

‎12-16-2014 07:57 AM

Hi

The firewall would have to be NAT-aware for skinny/SIP, but also for things like fiddling the CUCM IP addresses in the phone config files that CIPC downloads.

I'd say it wouldn't work.

Also it would be massively insecure - authentication of phones to CUCM by default is simply by MAC or (in the case of CIPC) a user-configurable device ID (that might be MAC, or username, or '1'). Given that the signalling is plaintext it would be very insecure, a remote hacker could simply keep registering with random device names against your SCCP service on CUCM until they get lucky.

I would tell your client not to do it, and that it's not possible anyway. 

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

0 Helpful

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni
In response to luis_Borja

‎12-17-2014 04:26 AM

According to the release notes, CIPC works with VPN solutions that provide a virtual interface to bind to. http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cipc/8_5/english/release_notes/CIPC_Release_Notes_8_6/CIPC_Release_Notes_8_6_chapter_00.html#CIPC_RF_S6A8B454_00

No VPN solution = no VPN interface. That's the only supported method for remote access.

Beyond that it's simply knowing a little about how CIPC works - it receives config info from CUCM with IP addresses in it, those IPs will be internal IPs that are not routable over the Internet. It's just extremely bad practice, poor security to attempt to make CUCM available on the Internet directly. 

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni

‎12-16-2014 07:57 AM

Hi

The firewall would have to be NAT-aware for skinny/SIP, but also for things like fiddling the CUCM IP addresses in the phone config files that CIPC downloads.

I'd say it wouldn't work.

Also it would be massively insecure - authentication of phones to CUCM by default is simply by MAC or (in the case of CIPC) a user-configurable device ID (that might be MAC, or username, or '1'). Given that the signalling is plaintext it would be very insecure, a remote hacker could simply keep registering with random device names against your SCCP service on CUCM until they get lucky.

I would tell your client not to do it, and that it's not possible anyway. 

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
0 Helpful

Go to solution
luis_Borja
Level 1
Level 1
In response to Aaron Harrison

‎12-16-2014 08:52 AM

thank you so much Aaron,

 

another question, do you have any documentation were there explain why this isn´t posible, because my client is so much quiestionable about this.

 

thanks so much again.

0 Helpful

Go to solution
Aaron Harrison
VIP Alumni
VIP Alumni
In response to luis_Borja

‎12-17-2014 04:26 AM

According to the release notes, CIPC works with VPN solutions that provide a virtual interface to bind to. http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cipc/8_5/english/release_notes/CIPC_Release_Notes_8_6/CIPC_Release_Notes_8_6_chapter_00.html#CIPC_RF_S6A8B454_00

No VPN solution = no VPN interface. That's the only supported method for remote access.

Beyond that it's simply knowing a little about how CIPC works - it receives config info from CUCM with IP addresses in it, those IPs will be internal IPs that are not routable over the Internet. It's just extremely bad practice, poor security to attempt to make CUCM available on the Internet directly. 

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
0 Helpful

Go to solution
luis_Borja
Level 1
Level 1
In response to Aaron Harrison

‎12-17-2014 07:11 AM

thank you Aaron, this was help me.

 

regards

0 Helpful
Customers Also Viewed These Support Documents