
H323 Remote Phones and Firewalls


twitchy087

Vendor
Dec 20, 2011
144
US
Hey Guys,

I want to preface this by saying that I know H323 phones are a bad idea however we are in a place where we are a bit stuck right now. We are doing our best to completely lock down the IPO in every sense.

I am looking to add a firewall between an IPO and ISP for the phones to go through. Does anyone have any recommendations for a firewall that has been ideal for this purpose? Keep in mind that this will ONLY be used for these H323 phones and nothing else, so ideally we don't want to spend a ton of money.

Thanks
 
Most firewalls will work since it only needs to support port forwarding.

"Trying is the first step to failure..." - Homer
 
I would stay clear of high-end FW's such as SonicWall or Cisco unless you truly understand how to program port forwarding on those particular vendors.

APSS-SME
ACIS-SME
ACSS-SME
CTP+
 
telfire said:
I would stay clear of high-end FW's such as SonicWall or Cisco unless you truly understand how to program port forwarding on those particular vendors.

I would use Sonicwall or Cisco and set up those remote phones as VPN phones. No port forwarding necessary.
 
That would be ideal; however, at this point, that would be A LOT of work which we just can't swing for multiple reasons. I just know that these H323 phones have a history of being wacky with some routers and perfectly fine with others, which is why I was asking for recommendations in regards to specific routers. I know they are a BAD idea but again, we are a bit stuck.

Thanks all
 
That would be A LOT of work
I would say it is a one time work. Getting the right settings, let the phones get the settings from 46xxsettings.txt and enable VPN on the phone.

No open ports from public to inside network, less problems with ALGs in home office routers, no phone traffic directly through Internet, no home office providers who block voip traffic...
 
Well I'm also a Watchguard engineer, and they work fine on both h323 and VPN remote phones.



ACSS - SME
General Geek

 
We have Cisco firewalls and site-to-site VPNs between them. At the head end is an ASA5510 and all of the remotes are ASA5505 (the 5505 has PoE and the 5506 does not).
With them being site-to-site VPNs there is no port forwarding or anything. We programmed the DHCPd server on the ASA5505 to point to the IPO and TFTP server behind the ASA5510.

So we can Drop a Phone at a Remote location for $300 + cost of the Phone.

If all that the ASA would be used for is the Site to Site VPNs the setup is pretty simple. You could even use a 5505 at the head end. I could Provide a Sample Config if you needed. The Main site would need a Static Public IP.

You get the added benefit of allowing the end user access to the corp network (if you wanted) and they don't need a VPN client at home. If you wanted to prevent that, you could set up your access lists to only allow traffic to the IPO and TFTP server.


Scott<-
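
A check for the last post's suggestion of access lists that only allow traffic to the IPO and TFTP server, as an added example that is not part of the thread. It lints ASA-style `access-list ... extended` lines; the ACL name, subnets and host addresses are constructed, and only `any`, `host A` and `NET MASK` address forms (no source-port operators) are assumed.

```python
import ipaddress

# Constructed sample: remote phone LAN 192.168.50.0/24, IPO 10.0.0.10, TFTP 10.0.0.11
SAMPLE_ACL = """\
access-list PHONES extended permit ip 192.168.50.0 255.255.255.0 host 10.0.0.10
access-list PHONES extended permit udp 192.168.50.0 255.255.255.0 host 10.0.0.11 eq tftp
access-list PHONES extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PHONES extended permit ip any any
"""

def parse_addr(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def overbroad_permits(acl_text, phone_net, allowed_hosts):
    """Return permit lines that let phone_net reach anything beyond allowed_hosts.

    Conservative lint: each permit is judged on its own, so a permit that is
    shadowed by an earlier deny is still reported for review.
    """
    phones = ipaddress.ip_network(phone_net)
    allowed = [ipaddress.ip_network(h + "/32") for h in allowed_hosts]
    findings = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        if tokens[3] != "permit":
            continue
        src, rest = parse_addr(tokens[5:])   # tokens[4] is the protocol
        dst, _ = parse_addr(rest)            # trailing "eq <port>" is ignored
        if src.overlaps(phones) and not any(dst.subnet_of(a) for a in allowed):
            findings.append(line.strip())
    return findings

if __name__ == "__main__":
    for hit in overbroad_permits(SAMPLE_ACL, "192.168.50.0/24",
                                 ["10.0.0.10", "10.0.0.11"]):
        print("too broad:", hit)
```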
 