So I have a client who needs employees to be able to use some phones from home so that they can accept calls and transfer calls to and from a home phone. We asked them if they would like to use Cisco firewalls with a site-to-site VPN, but they did not want to. I wanted to ask, is there any other way we might be able to achieve this? At the central office they have a UCM 6116 and GXP2170s. I have no idea about any other ways I can achieve this, so I'd appreciate any help I could get.
Absolutely, it just takes some firewall forwards.
It’s even easier to lock down if they have static IPs at home.
Well, a VPN (not necessarily Cisco only) would have been nice, but I guess it boils down to expense and dynamic IPs. You might want to look at the following for some ideas:
They unfortunately do not have static IPs at home, and the only firewall is a Cisco at the central office location.
So would I need to set up DDNS at their homes then?
No, the issue is how much you want to open up to the rest of the world.
If you are already using SIP trunking, then you should already have this in place:

- Port forwards (with default settings on the UCM):
  - UDP 5060 to the UCM (can be locked down to just the SIP provider's IPs)
  - UDP 10000-20000 to the UCM (must be open to all)
- SIP ALG must be off

On the UCM:

- PBX-SIP-NAT External Host should have the static IP or dynamic DNS address in it (this tells the SIP provider what address to respond to).

This will also allow you to have remote phones connected, since they will register using the same public IP address as your SIP provider. If you don't have a static IP at the office, then you can use dynamic DNS instead.

At the homes, if they had static IPs, then you could isolate which addresses are allowed through the firewall. Since they are dynamic, you have to allow all IPs through, or at least narrow it down to just the IP ranges that the Internet provider could use.
I hope that makes sense.
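The rule set described in the post above (SIP on UDP 5060 restricted to the provider, and optionally to the home ISP's ranges, with the RTP range open to everyone) can be modelled and checked against sample packets before it is typed into the firewall. The following is an added example and is not code from the thread or from Grandstream; the provider network, home ISP network and packet sources are constructed documentation addresses, and the 500-port narrowing reflects the later suggestion in this thread to shrink the RTP forward.

```python
"""Added example: model the inbound forwards the post describes and check
sample packets against them. All addresses below are constructed (RFC 5737
documentation ranges), not real provider or customer networks."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed allowlists: the SIP trunk provider and the home users' ISP.
PROVIDER_NETS = [ip_network("203.0.113.0/24")]
HOME_ISP_NETS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen on the firewall's outside interface
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


@dataclass(frozen=True)
class ForwardPolicy:
    sip_port: int
    rtp_range: range          # ports forwarded for RTP, e.g. range(10000, 20001)
    sip_allowed: tuple        # networks allowed to reach sip_port; () means any
    sip_alg_disabled: bool    # SIP ALG must be off for the UCM's own NAT handling

    def allows(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (allowed, reason) for one inbound packet."""
        if pkt.proto != "udp":
            return False, "only UDP is forwarded to the UCM"
        if pkt.dport == self.sip_port:
            if not self.sip_allowed:
                return True, "SIP open to all sources (dynamic-IP remote phones)"
            src = ip_address(pkt.src)
            if any(src in net for net in self.sip_allowed):
                return True, "SIP from allowlisted network"
            return False, "SIP source not in allowlist"
        if pkt.dport in self.rtp_range:
            return True, "RTP range is open to all"
        return False, "port not forwarded"


def forwarded_port_count(policy: ForwardPolicy) -> int:
    """Size of the attack surface: number of UDP ports reachable from outside."""
    return 1 + len(policy.rtp_range)


def narrow_rtp(policy: ForwardPolicy, ports: int) -> ForwardPolicy:
    """Shrink the RTP forward to `ports` consecutive ports, keeping the base.
    The UCM's RTP port range must be changed to match or media will fail."""
    base = policy.rtp_range.start
    return replace(policy, rtp_range=range(base, base + ports))


# Default UCM settings: SIP on 5060, RTP 10000-20000, SIP limited to the
# provider plus the home ISP's published ranges, SIP ALG off on the firewall.
DEFAULT_POLICY = ForwardPolicy(
    sip_port=5060,
    rtp_range=range(10000, 20001),
    sip_allowed=tuple(PROVIDER_NETS + HOME_ISP_NETS),
    sip_alg_disabled=True,
)


def evaluate(policy: ForwardPolicy, packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    """Evaluate a batch of packets and return the verdict for each."""
    return [(p, *policy.allows(p)) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.10", "udp", 5060),   # SIP provider registering/inviting
        Packet("192.0.2.50", "udp", 5060),     # remote phone on the home ISP
        Packet("198.51.100.7", "udp", 5060),   # scanner from elsewhere
        Packet("198.51.100.7", "udp", 15000),  # RTP must stay open to all
        Packet("198.51.100.7", "tcp", 5060),   # TCP SIP is not forwarded
    ]
    for pkt, ok, why in evaluate(DEFAULT_POLICY, samples):
        print(f"{pkt.src:>14} {pkt.proto}/{pkt.dport:<5} {'ALLOW' if ok else 'DROP '} {why}")
    print("ports exposed:", forwarded_port_count(DEFAULT_POLICY),
          "-> after narrowing:", forwarded_port_count(narrow_rtp(DEFAULT_POLICY, 500)))
```

The RTP range stays open to any source because the far end of a call is whatever media relay the provider picks; the only real reduction available is the size of the range, which is why the later suggestion in this thread to cut it to a few hundred ports matters.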
Yes, I think I understand you. Thank you, sir. I am going to try it and will update on how it went.
Just limit the port range in the UCM; no one needs 10k ports. 500 is enough, and it makes the forward much smaller.
Ideally the endpoints at their homes would use OpenVPN into the office; however, so far this is very elusive, as I have tickets open with support to try and get this working, as there is a lot of packet routing that needs to happen (I have NO IDEA why an OpenVPN server was not built into the UCM, but there we have it).

Home firewall VPN to the office Cisco: the home phone has a LAN IP address, and the UCM IP address can be routed through the VPN tunnel from home. This means the home subnet and office subnets need to be different to work (and ideally every home subnet is different, otherwise IP clashes will happen inside the UCM). This can be messy to manage, though.

Office firewall set up so that SIP (5060 or a moved port range) and RTP (10000-20000) are port forwarded to the UCM, with NAT turned on for the extensions: not very secure, and fail2ban will be worked to the bone stopping people trying to hack the SIP ports inside the UCM.

Your best route would be OpenVPN; however, as mentioned above, I am working on getting this set up with an industry-standard firewall with Grandstream as I type.
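The last post points out that once SIP is forwarded to the world, fail2ban inside the UCM is what stands between the extensions and credential-guessing. The block below is an added example, not code from the thread or from Grandstream, of the sliding-window logic such a jail applies: count REGISTER failures per source within a find time, ban at a retry threshold, and never ban the SIP provider. The log format, timestamps, source addresses and usernames are all constructed for the example; a real UCM writes its own format and this parser would need to be adapted to it. It also shows the failure mode a practitioner should expect: a source that spaces its guesses wider than the window is never banned unless the window is widened.

```python
"""Added example: fail2ban-style detection of SIP REGISTER brute force over
constructed log lines. Log format, addresses and users are invented for the
example and are not the UCM's real log format."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Sequence

# Constructed line format: "<timestamp> SIP REGISTER failed from <ip> user=<ext> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SIP REGISTER failed from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)"
)

# Constructed sample log. 198.51.100.7 hammers six extensions in six seconds;
# 192.0.2.50 is a home user mistyping a password twice; 203.0.113.10 is the
# SIP provider (which can log failures during trunk re-registration and must
# not be banned); 198.51.100.9 guesses slowly, once every five minutes.
SAMPLE_LOG = """
2024-05-01 10:00:00 SIP REGISTER failed from 198.51.100.9 user=1000 reason=wrong-password
2024-05-01 10:00:01 SIP REGISTER failed from 198.51.100.7 user=1001 reason=wrong-password
2024-05-01 10:00:02 SIP REGISTER failed from 198.51.100.7 user=1002 reason=wrong-password
2024-05-01 10:00:03 SIP REGISTER failed from 198.51.100.7 user=1003 reason=wrong-password
2024-05-01 10:00:04 SIP REGISTER failed from 198.51.100.7 user=1004 reason=wrong-password
2024-05-01 10:00:05 SIP REGISTER failed from 198.51.100.7 user=1005 reason=wrong-password
2024-05-01 10:00:06 SIP REGISTER failed from 198.51.100.7 user=1006 reason=wrong-password
2024-05-01 10:01:00 SIP REGISTER failed from 192.0.2.50 user=1005 reason=wrong-password
2024-05-01 10:01:30 SIP REGISTER failed from 192.0.2.50 user=1005 reason=wrong-password
2024-05-01 10:02:00 SIP REGISTER ok from 192.0.2.50 user=1005
2024-05-01 10:03:00 SIP REGISTER failed from 203.0.113.10 user=trunk1 reason=nonce-expired
2024-05-01 10:03:01 SIP REGISTER failed from 203.0.113.10 user=trunk1 reason=nonce-expired
2024-05-01 10:03:02 SIP REGISTER failed from 203.0.113.10 user=trunk1 reason=nonce-expired
2024-05-01 10:03:03 SIP REGISTER failed from 203.0.113.10 user=trunk1 reason=nonce-expired
2024-05-01 10:03:04 SIP REGISTER failed from 203.0.113.10 user=trunk1 reason=nonce-expired
2024-05-01 10:05:00 SIP REGISTER failed from 198.51.100.9 user=1000 reason=wrong-password
2024-05-01 10:10:00 SIP REGISTER failed from 198.51.100.9 user=1000 reason=wrong-password
2024-05-01 10:15:00 SIP REGISTER failed from 198.51.100.9 user=1000 reason=wrong-password
2024-05-01 10:20:00 SIP REGISTER failed from 198.51.100.9 user=1000 reason=wrong-password
""".strip().splitlines()

# Constructed allowlist: the SIP trunk provider's network.
PROVIDER_ALLOWLIST = ["203.0.113.0/24"]


def detect_bans(lines: Iterable[str], maxretry: int = 5, findtime: int = 600,
                allow: Sequence[str] = ()) -> Dict[str, datetime]:
    """Return {source_ip: time_of_ban} for every source that logs `maxretry`
    or more REGISTER failures inside any `findtime`-second window.
    Sources inside an allowlisted network are never banned."""
    allow_nets = [ip_network(a) for a in allow]
    window = defaultdict(deque)   # per-source timestamps of recent failures
    bans: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                           # successes and other lines
        src = m["src"]
        if src in bans:
            continue                           # already banned, stop counting
        if any(ip_address(src) in net for net in allow_nets):
            continue                           # provider: never ban the trunk
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = window[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()                        # slide the window forward
        if len(q) >= maxretry:
            bans[src] = ts
    return bans


if __name__ == "__main__":
    for label, kwargs in [("default window", {}), ("wide window", {"findtime": 3600})]:
        bans = detect_bans(SAMPLE_LOG, allow=PROVIDER_ALLOWLIST, **kwargs)
        print(label, {ip: ts.strftime("%H:%M:%S") for ip, ts in bans.items()})
```

With the usual ten-minute window only the fast scanner is banned; the slow guesser at 198.51.100.9 never accumulates five hits inside 600 seconds and is caught only when the window is widened. That is the trade-off behind "fail2ban worked to the bone": the thresholds that stop noisy scanners do nothing against patient ones, and without the provider allowlist a trunk re-registration hiccup would have banned the carrier.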