Re: How to allow all in and out traffic for one internal address

  • From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
  • To: "ISALists" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Feb 2004 14:06:54 -0600

The phone system (PBX) is 3Com NBX.
This system operates out of the box as an Ethernet only system.
The phones and PBX communicate at the layer 2 level.
These phones only connect via Ethernet, and will not work unless they
can see the main PBX box.
NO IP involved.

What I am trying to get done is put one of these phones at home on my
DSL connection, and use it to communicate with the internal PBX.
For this to work, the phone at home is assigned an IP address, and tries
to communicate to the main PBX over IP.
The main PBX is behind ISA, so a server publishing thing would have to
be done with the correct protocols and ports.
Once it reaches the PBX, the PBX will decide what other device the home
phone is trying to call, and then assign that target phone an IP
address, so that it can communicate over the internet.

Now that a second internal IP is involved, a second one to one
translation would have to be done, so another server publish rule?
Once the hand off of the conversation takes place, the PBX could die,
and the conversation would still work, because there is no more
communication with the PBX, it is straight phone to phone over the
network.

They sold us an upgrade that made talking to a phone behind a home
router possible, but it turns out the main PBX can't be behind a firewall
per se.
I am told by the reseller that the possible fix to make the system work
better would be a software upgrade that would make the calls use the
main PBX as a proxy for the communication between two phones, but that
is yet to be seen.

People that are doing it successfully have their phone system behind a
hardware VPN, and another hardware VPN at the user's home, then it will
work.
That won't work with ISA, because the hardware VPN they suggest will not
complete a tunnel with ISA. They want certificates and such that ISA2000
doesn't do.

IF RRAS will provide some one to one translation "around" ISA, maybe
that will work.
I just don't know if it is possible.

Thanks for any help in advance.

Jeff Sloan 
Network Administrator 
Cross Oil Refining & Marketing, Inc. 
484 E. 6th St. 
Smackover, AR 71762 

Phone 870-864-8688
Fax     870-864-8689 
Cell     870-866-9941 



-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] 
Sent: Thursday, February 19, 2004 11:18 AM
To: ISALists
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


http://www.ISAserver.org

Can you give an example of what the connection topography is?  Is this
phone connecting to an internet provider like vonage or something?  Or
is the phone trying to talk back to a central PBX in another office?
Are you trying to use a PBX based VOIP phone from the office at home
(cisco, avaya, or inter-tel, etc.)?

----- Original Message ----- 
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, February 19, 2004 8:55 AM
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address



Is there a way I can use RRAS on the ISA server to get what I need?

I am told by the phone system vendor that SIP is not used in this
system. He also told me of someone who configured his PIX to work by
mapping several internal IPs to external IPs, then configuring the
ports for those IPs only.

Here is how the system works.

When a call comes in from an outside IP phone, it communicates with the
call processor, which would be mapped from the public address to the
private. The processor determines which internal phone the call is for,
which at this point has no IP address, (it's MAC based), and then assigns
the internal phone an IP for this call, and says, "phone one, meet phone
two, you two talk, I'm outta here."

So I would need to set up mapping for any internal IPs I would assign
to external IP's we have available.

I can't put the phone system outside the firewall, because we use one
wire to connect the phone to the network, then connect the desktop to
the phone. The gateways would have to be different.

I need to be able to define my own server publishing protocols, which
does not seem to be possible.

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762

Phone 870-864-8688
Fax     870-864-8689
Cell     870-866-9941



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 18, 2004 7:01 PM
To: ISALists
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address


Hi Ray,

Bad news for ya. Still no SIP support for ISA 2004 :(

The first third party to create a SIP gateway for ISA 2004 will do very
well for themselves.

HTH,
Tom

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 18, 2004 5:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How to allow all in and out traffic for one
internal address

It won't work.  ISA, like most firewalls, does not play nice with the
SIP protocol.  This may have changed in ISA 2004, but you would have to
ask others on the list that have been using 2004 to see if there is any
additional support for SIP yet.  Your best bet is to simply hang a NAT
box in front of the ISA box if you only have one IP, or just hang it out
on the internet if you have to.

----- Original Message -----
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 18, 2004 2:31 PM
Subject: [isalist] How to allow all in and out traffic for one internal
address

Time to get my phone system working for VOIP across ISA.
It really needs to be like a published server, but I can't get the
protocols ironed out. I can't get an answer on which directions the
protocols/ports need to be configured, send, send/receive, receive/send,
etc. So I thought there would be a way to allow everything going and
coming from the external address to the system itself.

Will it work?
I don't have a DMZ or tri-homed ISA Box.

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762

Phone 870-864-8688
Fax     870-864-8689
Cell     870-866-9941


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
rdzek@xxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')





