what ports need to be open for 871 remote VPN?

When a Cisco 800 series router is used to connect an IP (7960) phone at a customer remote location, what ports (TCP/UDP) need to be open on the premise router/modem to allow the VPN traffic for voice?

Thank you, Paul

5 Replies

Brandon Turpin
Cisco Employee

You will want to open the following traffic:

  • UDP 500 - ISAKMP
  • UDP 4500 - NAT-T
  • Protocol 50 - ESP
  • Protocol 51 - AH

Thanks,

Brandon

David Trad
VIP Alumni

Hi Paul,

Just to understand this a little better:

Remote Site:

  • Cisco 800 Series Router WAN
  • Behind the 800 series router you have a 7900 series phone with a plug back and plugged into the 800 series router
  • 800 series router has a VPN tunnel back to main site??

If the Cisco router has a VPN tunnel created then standard configuration would say the ACL should have all the applicable access in/out already applied for the VPN tunnel to work, in this case you should not need to open up those ports or forward them, packets back to the main site will be within the VPN tunnel anyway (Assuming the VPN tunnel is created as a Split).

Now the other way of this happening is that at the main site you have the following configured:

  • Cisco UC has VPN configured on it using CCA and the WAN router has pass through of the VPN configured
  • Cisco Router has VPN configured on it and is forwarding the traffic from the remote site to the UC
  • The remote site is using the Cisco VPN client to establish the VPN tunnel back to the main site

In the above way the only thing that needs to be done is that you allow for the IP address from the remote VPN tunnel to be allowed in the access list, unless the remote site is running Dynamic IP assignment, in which case I would suggest setting them up with DDNS. Or the remote site has to use TCP instead of UDP, in which case I would then recommend using Port 10000 for the VPN tunnel and have that forwarded on the main site to the UC from the 800 series router.

The above is not meant to confuse you or cause more issues; to me it just seems less troublesome having to manage NAT/PAT and, where possible, leaving the configuration up to CCA to do it, or just basic ACL on the 800 series, unless you are a tinkerer and love doing that stuff.

Cheers,

David.

Cheers, David Trad. *When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :)*

Brandon/David, thank you for your responses.

Let me first point out that this remote 871/7940 combo was deployed a few years ago and working.

The remote user just changed ISP's and let me know that his phone is not "registering" any longer.

As I thought about it, can it be as simple as the new ISP is using a different IP than the previous one?

Or does the remote side not matter, just the UC side it sends the VPN to?

Thank you, Paul

If the change of ISP at the remote branch has caused the phone to stop registering I suspect it's the fact that the VPN is no longer established.

You probably just need to update your VPN peer configurations, that being the external IP address of the 871 at the remote branch.

As David said though, if your remote site's external IP is dynamically assigned you need to look at Dynamic DNS (DDNS); there are plenty of external providers that should be able to do this for you.

Once you've updated that the VPN should establish and the phone should re-register with the UC Servers.

The UC IP the phone is looking for should be a remote VPN address/internal and thus not related to the change of ISP.

Thanks,

The 871 was probably set up to register with the UC500 at a fixed IP address; properly configured, the remote site IP address can be dynamic and not known a priori to the UC500.  What may be your problem is if the 871 is sitting behind the ISP's router.  In that case changing ISPs probably meant getting a new router, so you must make sure that the gateway address the 871 is using points to the new router's LAN IP address, and that ports 500, 4500 and 10000 on the new router are forwarded to the 871.
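The thread names the traffic an IPsec VPN needs through the premise router (UDP 500, UDP 4500, IP protocols 50 and 51, plus TCP 10000 for the IPsec-over-TCP option) and the last reply points out that a new ISP router in front of the 871 must forward those to it. The following script, added here as an example and not code from the thread or from Cisco, shows how to read a router's ACL deny log and report which of those IPsec components is actually being dropped. The sample log lines are constructed and only modelled on the IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGNP` message shape; the addresses, ACL number and packet counts are made up, and the function names (`parse_line`, `classify`, `diagnose`) are my own.

```python
import re
from collections import Counter

# IPsec components a VPN needs allowed (or forwarded) on the premise router.
# Ports and protocol numbers are the ones named in the thread; the labels are mine.
IPSEC_COMPONENTS = {
    ("udp", 500): "ISAKMP (IKE)",
    ("udp", 4500): "NAT-T",
    ("50", None): "ESP",
    ("51", None): "AH",
    ("tcp", 10000): "IPsec over TCP",
}

# Constructed sample log lines, modelled on the IOS ACL logging format
# (IPACCESSLOGP for TCP/UDP with ports, IPACCESSLOGNP for other IP protocols).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.7(500) -> 192.0.2.10(500), 3 packets
%SEC-6-IPACCESSLOGNP: list 101 denied 50 203.0.113.7 -> 192.0.2.10, 12 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(4500) -> 192.0.2.10(4500), 4 packets
%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51234) -> 192.0.2.10(80), 1 packet
"""

# Two shapes: "proto src(port) -> dst(port)" and "proto src -> dst" (no ports).
PORT_RE = re.compile(
    r"(permitted|denied) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")
NOPORT_RE = re.compile(r"(permitted|denied) (\w+) (\S+) -> (\S+), (\d+) packets?")


def parse_line(line):
    """Return (action, proto, dst_port or None, packets), or None if not an ACL log line."""
    m = PORT_RE.search(line)
    if m:
        action, proto, _src, _sport, _dst, dport, pkts = m.groups()
        return action, proto.lower(), int(dport), int(pkts)
    m = NOPORT_RE.search(line)
    if m:
        action, proto, _src, _dst, pkts = m.groups()
        return action, proto.lower(), None, int(pkts)
    return None


def classify(log_text):
    """Map each IPsec component to the packets the ACL denied for it,
    and also return the set of components that were seen permitted."""
    denied = Counter()
    permitted = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, proto, dport, pkts = parsed
        name = IPSEC_COMPONENTS.get((proto, dport))
        if name is None:
            continue  # not VPN traffic (e.g. the tcp/80 line in the sample)
        if action == "denied":
            denied[name] += pkts
        else:
            permitted.add(name)
    return dict(denied), permitted


def diagnose(log_text):
    """Turn the classification into plain hints about why a tunnel would not come up."""
    denied, _permitted = classify(log_text)
    hints = []
    if "ISAKMP (IKE)" in denied:
        hints.append("UDP 500 is dropped: IKE cannot start, so no tunnel will form.")
    if "ESP" in denied or "AH" in denied:
        hints.append("IP protocol 50/51 is dropped: IKE may finish but tunnel data is lost; "
                     "a NAT device in the path needs NAT-T (UDP 4500) allowed instead.")
    if "NAT-T" in denied:
        hints.append("UDP 4500 is dropped: behind NAT the tunnel cannot carry traffic.")
    if "IPsec over TCP" in denied:
        hints.append("TCP 10000 is dropped: the IPsec-over-TCP fallback is blocked.")
    if not denied:
        hints.append("No IPsec component is denied here; check the peer address and "
                     "the 871's default gateway instead.")
    return hints


if __name__ == "__main__":
    for hint in diagnose(SAMPLE_LOG):
        print(hint)
```

For the sample above, ISAKMP is permitted but ESP and NAT-T are denied, which is the pattern you see when phase 1 negotiates but the tunnel never passes voice: the fix is on the premise router's ACL or port-forwarding, not on the phone. Point the script at a real `show logging` capture (with `log` on the relevant ACL entries) to get the same report for a live site.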
