
Can you use a sip soft phone over internet to uc540/560/CME?

Jeff Cooper
Level 1

For about a year now, I've been attempting to use a sip softphone client on the internet to connect to a uc560, 540 and 2800-based CME with no success.  I've tried portgo and 3cx from both a pda and from my laptop out on the internet.  I can get both sip clients to connect instantly as an extension on the local LAN.  When I try from the internet, I see "invalid ip address" on debug ccsip, and it reflects the internet IP of the client trying to register.

My client login is the extension for both the username and password, and I have the MAC as 0000.0000.0000 in the voice register pool.  I use the outside internet IP of the network for the host.  I map thru 5060 over both tcp/udp to the inside phone system and forward 10,000-20,000 over both tcp/udp as well.  I've tried a source-address on CME for the voice register global of the internet, the local loopback, the outside of the phone system and the voice vlan side of the phone system.

I'm stumped!  If anyone has gotten this to work successfully, can you post a config?  Is it an issue of the firewall?  Perhaps it requires all ports open on the internet IP to the inside phone system with a 1 to 1 nat translation?

Thanks in advance for any input.

Jeff

-----

Config:

voice service voip
 callmonitor
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 h323
 sip
  registrar server expires max 3600 min 120
  no call service stop
!
!
voice register global
 mode cme
 source-address 192.168.72.1 port 5060
 max-dn 5
 max-pool 5
 hold-alert
 mwi reg-e164
 voicemail 500
 tftp-path flash:
 create profile sync 0003025739805842
!
voice register dn  1
 number 200
 allow watch
 name Jeff
 no-reg
 label Jeff
!
voice register pool  1
 id mac 0000.0000.0000
 number 1 dn 1
 dtmf-relay sip-notify
 username 200 password 200
 codec g711ulaw
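
A registrar reachable from the internet leaves the pool's username and password as the only gate, and the pool above uses the extension for both. The following audit is an added example, not part of the original post or of any Cisco tooling: it reads `voice register dn` and `voice register pool` blocks and reports credentials that a guesser would try first. The function name `audit_pool_credentials`, the `min_len` threshold and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of the config posted above; values are illustrative.
SAMPLE_CONFIG = """\
voice register dn  1
 number 200
!
voice register dn  2
 number 201
!
voice register pool  1
 id mac 0000.0000.0000
 number 1 dn 1
 username 200 password 200
!
voice register pool  2
 number 1 dn 2
 username remote201 password 7Kq-example-Zp41x
!
"""

def audit_pool_credentials(config, min_len=12):
    """Return (pool, reason) findings for weak SIP registration credentials."""
    dn_number, pool_dns, creds = {}, {}, {}
    section = None  # ("dn" | "pool", tag) while inside a voice register block
    for raw in config.splitlines():
        line = raw.strip()
        if head := re.match(r"voice register (dn|pool)\s+(\d+)$", line):
            section = head.groups()
        elif line == "!" or line.startswith("voice register"):
            section = None  # block separator, or "voice register global"
        elif section and section[0] == "dn":
            if m := re.match(r"number (\S+)$", line):
                dn_number[section[1]] = m.group(1)
        elif section and section[0] == "pool":
            if m := re.match(r"number \d+ dn (\d+)", line):
                pool_dns.setdefault(section[1], []).append(m.group(1))
            elif m := re.match(r"username (\S+) password (\S+)", line):
                creds[section[1]] = m.groups()
    findings = []
    for pool, (user, password) in sorted(creds.items()):
        extensions = {dn_number.get(dn) for dn in pool_dns.get(pool, [])}
        if password == user:
            findings.append((pool, "password equals username"))
        if password in extensions:
            findings.append((pool, "password equals extension number"))
        if password.isdigit() or len(password) < min_len:
            findings.append((pool, "password is short or all digits"))
    return findings
```

Blocks are delimited by the `!` separators rather than by indentation, so a config pasted with its indentation lost is parsed the same way.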

5 Replies

Alberto Montilla
Cisco Employee

Dear Jeff;

When you say over the internet, do you have a VPN link between the sites?

Regards
Alberto

If I use a vpn into the network where the 540 and/or 560 exists, I can connect up no problem with a soft sip client.  I can even connect up polycom phones.  If I'm outside the network, on my pda or laptop on the road without a vpn client, I get the error above.  If I run a switchvox phone system, I don't need a vpn client, I connect right in with a soft sip client or polycom phone.  It doesn't sound like CME/UC series supports SIP connectivity from outside the network without a vpn client.   It would be great for customers who might not be able to support a vpn client into whichever vendor firewall on their pda.  I wish Cisco would adapt this functionality.

Another great reason: I was in the Caribbean and didn't want to pay roaming charges.  I had wireless internet provided at the resort.  If I could have used a sip client, I could have connected over the wireless internet as an extension to the uc540 back home.  Then I could have dialed out with no charges over a magic jack that provides a pots line into the uc540.

Instead I implemented a switchvox that allowed me to connect my pda's sip softphone effortlessly thru the internet without maintaining a vpn, and took calls that way while on vacation.  No toll charges and forwarded all calls to the magicjack back home to my pda acting as an in-house extension on the switchvox.

Sorry, long answer.  But I've been battling with this on CME for over a year.  I believe it's the last hurdle CME needs to overcome regardless of it being on a 2900, 2800, 3500 etc or a uc540/560 platform.  Be nice if you could tie in pdas as "soft" extensions for salesmen, remote users, owners, service techs who are anywhere in the world.  As long as there's wireless internet, they're on the pbx.

P.S. I've set up iPhones that will register the vpn automatically and constantly based on being outside the network with certificates for authentication - pita in my mind

Hi Jeff;

I see your point. UC500 is not only a PBX but a UC solution, so VPN secure access for users is a pre-requisite for remote users on UC products.

Regards
Alberto

Your solution is to use SSLVPN along with Anyconnect VPN client with CIPC softphone.

CIPC:

http://www.cisco.com/cisco/software/release.html?mdfid=278468661&catid=278875240&softwareid=282074237&release=8.6(1)&rellifecycle=&relind=AVAILABLE&reltype=latest

http://www.cisco.com/cisco/software/cart.html?mdfid=&treeMdfId=278875240&flowid=null&addoption=DN&imageGuId=7F9109F576648CCF303D190CA17DE211544D7B20&isLatestRel=Y

Anyconnect (download the one named anyconnect-win-2.5.3055-k9.pkg)

http://www.cisco.com/cisco/software/release.html?mdfid=281278373&flowid=4469&softwareid=282364313&release=2.5.3055&relind=AVAILABLE&rellifecycle=&reltype=latest

In CCA, go to Configure -> Security -> SSL VPN

Under the Basic tab, add users accordingly.

Under the Advanced tab, leave "Thin Client" unchecked.

Check "Full Tunnel mode" and enter an IP range, for example Start: 172.16.1.1, End: 172.16.1.10

Under SSL VPN Client, click Install and choose the Anyconnect file you downloaded earlier.

I would also check "Keep SSL VPN Client Software installed on the client PC."

I believe that's all on the UC end. This is how we have our SSL VPN set up and it works fine.

Install the CIPC softphone on your client computer.  Navigate to the UC's WAN IP address using HTTPS. Log in with the credentials you've created and it will download the anyconnect client and connect you. You're now on an SSL VPN with your UC and you can open the CIPC softphone. It should register after you've connected, otherwise I'd check the TFTP server setting for the softphone. The default I believe is 10.1.1.1.

-Renato

David Trad
VIP Alumni

Hi Jeff,

I know what you are trying to do and was able to do it successfully with a 2810 ISR, but with those systems you can hack away at the CLI with no problems at all... Your biggest drawback is, in order to get it to work you have to punch some pretty damn big holes in your firewall (ACLs) and here is where the problem lies, the minute we did that we had all sorts of whack jobs trying to connect to the 2800 using randomized passwords, and the only way to overcome it was to lock it down to only allow connection from a single IP address.

As you can imagine this was no good because we couldn't then use NetSIP on our mobiles to connect over 3G because the IP address constantly changes.

I would recommend using the VPN client on either the iPhone or the Android to connect via IPSEC and then tunnel in that way with a SIP phone, it is the only safe way to do it without opening your system up to some major kick A** toll fraud.

Cheers,

David.

Cheers, David Trad. **When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :) *
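
The password guessing described in the reply above can be spotted from registration outcomes. This is an added example, not code from any poster or from Cisco: it counts rejected REGISTER attempts that carried credentials, per source IP, inside a sliding window. The event format is constructed for the example (it is not a Cisco log format), and `find_guessing_sources`, `max_failures` and `window` are hypothetical names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, one per REGISTER transaction (not a Cisco log format):
# time, source IP, user in the To header, whether credentials were sent, final status.
SAMPLE_EVENTS = """\
2011-06-01T09:00:00 198.51.100.20 200 auth=no 401
2011-06-01T09:00:01 198.51.100.20 200 auth=yes 401
2011-06-01T09:00:09 198.51.100.20 200 auth=yes 200
2011-06-01T09:05:00 203.0.113.7 100 auth=yes 401
2011-06-01T09:05:02 203.0.113.7 101 auth=yes 401
2011-06-01T09:05:04 203.0.113.7 200 auth=yes 401
2011-06-01T09:05:06 203.0.113.7 200 auth=yes 403
2011-06-01T09:05:08 203.0.113.7 201 auth=yes 401
2011-06-01T09:20:00 192.0.2.55 200 auth=yes 401
2011-06-01T10:20:00 192.0.2.55 200 auth=yes 401
"""

def find_guessing_sources(log, max_failures=5, window=timedelta(minutes=1)):
    """Map each source IP that exceeds the failure rate to the users it tried."""
    recent = defaultdict(deque)  # source -> times of failures inside the window
    users = defaultdict(set)     # source -> users named in failed attempts
    flagged = set()
    for line in log.splitlines():
        ts, src, user, auth, status = line.split()
        # A credential-less REGISTER normally draws a 401 challenge, so only
        # rejections of requests that carried credentials count as failures.
        if auth != "auth=yes" or status not in ("401", "403"):
            continue
        when = datetime.fromisoformat(ts)
        users[src].add(user)
        times = recent[src]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) >= max_failures:
            flagged.add(src)
    return {src: sorted(users[src]) for src in sorted(flagged)}
```

On the sample, the client that mistypes once and then registers and the source that fails twice an hour apart stay below the threshold; only the source cycling through extensions within seconds is reported.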