11-30-2011 09:51 AM - last edited on 03-25-2019 11:01 PM by ciscomoderator
For about a year now, I've been attempting to use a sip softphone client on the internet to connect to a uc560, 540 and 2800-based CME with no success. I've tried portgo and 3cx from both a pda and from my laptop out on the internet. I can get both sip clients to connect instantly as an extension on the local LAN. When I try from the internet, I see "invalid ip address" on debug ccsip, and it reflects the internet IP of the client trying to register.
My client login is the extension for both the username and password, and I have the MAC as 0000.0000.0000 in the voice register pool. I use the outside internet IP of the network for the host. I map through 5060 over both tcp/udp to the inside phone system and forward 10,000-20,000 over both tcp/udp as well. I've tried a source-address on CME for the voice register global of the internet, the local loopback, the outside of the phone system and the voice vlan side of the phone system.
I'm stumped! If anyone has gotten this to work successfully, can you post a config? Is it an issue of the firewall? Perhaps it requires all ports open on the internet IP to the inside phone system with a 1 to 1 NAT translation?
Thanks in advance for any input.
Jeff
-----
Config:
voice service voip
 callmonitor
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 h323
 sip
  registrar server expires max 3600 min 120
  no call service stop
!
!
voice register global
 mode cme
 source-address 192.168.72.1 port 5060
 max-dn 5
 max-pool 5
 hold-alert
 mwi reg-e164
 voicemail 500
 tftp-path flash:
 create profile sync 0003025739805842
!
voice register dn 1
 number 200
 allow watch
 name Jeff
 no-reg
 label Jeff
!
voice register pool 1
 id mac 0000.0000.0000
 number 1 dn 1
 dtmf-relay sip-notify
 username 200 password 200
 codec g711ulaw
12-21-2011 07:24 AM
Dear Jeff;
When you say over the internet, do you have a VPN link between the sites?
Regards
Alberto
12-21-2011 03:06 PM
If I use a VPN into the network where the 540 and/or 560 exists, I can connect up no problem with a soft SIP client. I can even connect up Polycom phones. If I'm outside the network, on my PDA or laptop on the road without a VPN client, I get the error above. If I run a Switchvox phone system, I don't need a VPN client, I connect right in with a soft SIP client or Polycom phone. It doesn't sound like CME/UC series supports SIP connectivity from outside the network without a VPN client. It would be great for customers who might not be able to support a VPN client into whichever vendor firewall on their PDA. I wish Cisco would adapt this functionality.
Another great reason
Instead I implemented a Switchvox that allowed me to connect my PDA's SIP softphone effortlessly through the internet without maintaining a VPN, and took calls that way while on vacation. No toll charges and forwarded all calls to the magicJack back home to my PDA acting as an in-house extension on the Switchvox.
Sorry, long answer. But I've been battling with this on CME for over a year. I believe it's the last hurdle CME needs to overcome regardless of it being on a 2900, 2800, 3500 etc. or a UC540/560 platform. Be nice if you could tie in PDAs as "soft" extensions for salesmen, remote users, owners, service techs who are anywhere in the world. As long as there's wireless internet, they're on the PBX.
ps- I've setup iphones that will register the vpn automatically and constantly based on being outside the network with certificates for authentication - pita in my mind
12-22-2011 01:53 AM
Hi Jeff;
I see your point. UC500 is not only a PBX but a UC solution, so VPN secure access for users is a pre-requisite for remote users on UC products.
Regards
Alberto
12-22-2011 08:06 AM
Your solution is to use SSLVPN along with Anyconnect VPN client with CIPC softphone.
CIPC:
http://www.cisco.com/cisco/software/release.html?mdfid=278468661&catid=278875240&softwareid=282074237&release=8.6(1)&rellifecycle=&relind=AVAILABLE&reltype=latest
http://www.cisco.com/cisco/software/cart.html?mdfid=&treeMdfId=278875240&flowid=null&addoption=DN&imageGuId=7F9109F576648CCF303D190CA17DE211544D7B20&isLatestRel=Y
Anyconnect (download the one named anyconnect-win-2.5.3055-k9.pkg)
In CCA, go to Configure -> Security -> SSL VPN
Under the Basic tab, add users accordingly.
Under the Advanced tab, leave "Thin Client" unchecked.
Check "Full Tunnel mode" and enter an IP range, for example Start: 172.16.1.1, End: 172.16.1.10
Under SSL VPN Client, click Install and choose the Anyconnect file you downloaded earlier.
I would also check "Keep SSL VPN Client Software installed on the client PC."
I believe that's all on the UC end. This is how we have our SSL VPN setup and it works fine.
Install the CIPC softphone on your client computer. Navigate to the UC's WAN IP address using HTTPS. Log in with the credentials you've created and it will download the AnyConnect client and connect you. You're now on an SSL VPN with your UC and you can open the CIPC softphone. It should register after you've connected, otherwise I'd check the TFTP server setting for the softphone. The default I believe is 10.1.1.1.
-Renato
12-22-2011 09:00 PM
Hi Jeff,
I know what you are trying to do and was able to do it successfully with a 2810 ISR, but with those systems you can hack away at the CLI with no problems at all... Your biggest drawback is, in order to get it to work you have to punch some pretty damn big holes in your firewall (ACLs) and here is where the problem lies: the minute we did that we had all sorts of whack jobs trying to connect to the 2800 using randomized passwords, and the only way to overcome it was to lock it down to only allow connections from a single IP address.
As you can imagine this was no good because we couldn't then use NetSIP on our mobiles to connect over 3G because the IP address constantly changes.
I would recommend using the VPN client on either the iPhone or the Android to connect via IPSEC and then tunnel in that way with a SIP phone, it is the only safe way to do it without opening your system up to some major kick A** toll fraud.
Cheers,
David.
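The single-address lockdown David describes, written out as an added example that is not from the original thread: a constructed IOS extended ACL on the WAN interface that admits SIP signalling and the RTP range only from one trusted remote peer and logs every other registration attempt. The interface name and the 203.0.113.25 peer address are assumptions; the 5060 and 10000-20000 ports come from Jeff's port forwards.

```cisco
! Constructed example (not from the thread): inbound WAN policy that exposes
! SIP/RTP to one trusted peer only. 203.0.113.25 and FastEthernet0/0 are
! assumptions; 5060 and 10000-20000 are the forwards Jeff describes.
! Inbound ACLs on the outside interface are evaluated before NAT for
! outside-to-inside traffic, so the destination is the WAN address ("any").
ip access-list extended WAN-IN
 remark --- SIP signalling only from the trusted remote client ---
 permit udp host 203.0.113.25 any eq 5060
 permit tcp host 203.0.113.25 any eq 5060
 remark --- RTP media range from the same peer ---
 permit udp host 203.0.113.25 any range 10000 20000
 remark --- log and drop all other SIP registration attempts ---
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark --- merge the existing inbound policy (return traffic, VPN,
 remark --- management) above the final deny ---
 permit tcp any any established
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN (assumed interface name)
 ip access-group WAN-IN in
!
! Check hits from unexpected sources after applying the policy:
! show access-lists WAN-IN
! show logging | include WAN-IN
```

The `log` keyword on the deny lines is what surfaces the randomized-password registration attempts David mentions; as he also notes, pinning to one source address rules out mobile clients whose address changes, which is why the VPN approach in the other replies is the usual answer.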