3COM NBX 3000, Pix 506e, remote phone without using VPN

I need the ability to connect remote phones to my NBX 3000 that resides withing my LAN (LAN1)  behind a PIX 506e.

Steps that have been taken:

NBX configured with external IP address

PIX configured for...

port 2093-2096 UDP
port 1040-1044 TCP
Fixup protocol h323 h225 1720

I have plugged in the phone within LAN1 and let the Auto discovery do its thing. Meaning it is in the NBX database and has been assigned an extension.  The phone was then taken to the offsite location (LAN2) and the LUI (local user interface) was used to assign the IP, subnet, and gateway for LAN1.

I plugged in the phone within LAN2, and the display shows "Connect to Phone Port".


LAN2 is a home address using a cable modem and a linksys WRT54G router.  I assume I have to set the router to port foward 2093-2096 - correct?  If this hasn't been done though, is that why the phone doesn't detect a phone port?

LVL 14
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Port forwarding would not cause that error "Connect to Phone Port".
I´m assuming that in LAN 2 you do not have a PoE switch. You should first check that you do have a good conection between the phone and the home router. Check the cable and the port of the switch.
I would sugest plugging a PC on the other port of the phone to se if it can get connectivity to the router (if it at least gets a dhcp leased IP adress, it should be ok).

Are you going to assign a valid external IP address to the phone placed externally?
I haven't tested using phones with port forwarding. We usually set them up with a vpn router. That way, the only port you have to care about is the IPSec at the central office.
If you are using it for a home instalation, a VPN router won't take too much space, and you can find some that are quite affordable.
top_rungAuthor Commented:
Thanks for the reply,

The port/line is working, and has been tested. However, you make a good point to test the passthrough on the phone. Slipped my mind.

The setup instructions for this phone system say that the phone must be discovered within the NBX's LAN and given a valid IP (which was done), and then taken to the remote location.  From there, it just says to configure the remote router to accept and pass the traffic (I assume that is the port forwarding).  I assumed the phone should get an IP for the remote LAN - through DHCP.  But apparantly, it is not seeing the router at all and thus not getting an assignment.

So I did give the phone an internal address in LAN1, as well as set the gateway, subnet, and External NBX address for LAN1.   It appears that the phone reserves that information in memory, and for lack of a better term, has another "memory location" for the LAN2 configuration. Is that correct?

The router in LAN2 is a consumer grade Linksys WRT54G and does connect to LAN1 using VPN using Microsoft client on the PC.  Sorry for my ignorance on the subject, but what else  needs to be configured for the client's router to  do this?  Is the Linksys WRT54G capable of handling this, or is it a specialized router that is needed?
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

Discovering the phone is a good first step, but I don't think it is absolutelly necesary. Giving it a valid IP on LAN1 though, is not a needed step, because you will end up changing that address later on. The phones can get an IP address from a dhcp server, but they require some special parameters set up. Those options to my knowledge, are not present on the regular dhcp servers within small routers. So giving the phone a valid IP for LAN2 manually is almost surely required. The phone does store its IP in memory, so you can configure it in the office and have the user take it preconfigured.
The phone has a configured IP and the IP it is using at the moment. That would be what you reffered to as "another memory location". I wouldn´t worry too much about that, because when they don't find a compatible dhcp, they take the configured address.

The wrt54g won't make the vpn tunnel. That's why you use the microsoft client on the PC. To have a VPN tunnel that links two networks you need something like:
3CR860-95        OfficeConnect Secure Router      (supports 2 tunnels)            
3CR870-95        OfficeConnect VPN Firewall      (supports 50 tunnels)
A VPN router I usually use for it's ease is the Sg-300 made by Cyberguard (now Secure-Computing), but they OEM to many others, so you can find them in many brands and colors.

In your central office you should have a router accepting incoming vpn connections. All three described above do that. Your PIX should too, but I'm not familiar with it or it's interface. In the Cisco page you can find:
"The Cisco PIX 506E Security Appliance provides...   ..site-to-site and remote access VPN..."

Having the VPN router is the easiest way in my opinion to get NBX phones to work.

Do you plan to have this configuration for only one user? or are many other users going to follow with this setup?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
top_rungAuthor Commented:
Thanks for the info.  What you say makes complete sense.

Initially, the setup will call for 5 remote users.  However, this is expected to grow in the near future.  We have satellite offices that have just opened in other countries.  The thought was (per sales rep and brochure) that the phones would work anywhere there is an internet connection and proper setup.

What confuses me about the entire setup is that the instructions imply that you must first setup the phone in LAN1 so that it will properly communicate inside the network once the connection is made. Hence have and IP in LAN1.  Second, it must be configured inside the remote location LAN2 so that it can work within it and be able to communicate out to the NBX.

Are there any step-by-step guides that show how to properly configure a VPN router for such an implementation?  Do you configure it to match the LAN1's network scheme?  ??



When you say "instructions" do you refer to the administrators guide?

The steps I think you refer to, are the ones for installing a telephone inside a companys network, but in different sites, joined by routers. That also applies to VPNs, but not to internet, because of the way the nbx and phones communicate. They both need to know the address of each other and their gateways need to know the route to get there. When NAT is involved, port forwarding alone won't work.

To set up the VPNs, you should have an IP addressing plan.
For example having the central office have 192.168.1.xxx
Each remote office having one like 192.168.2.xxx, 192.168.3.xxx, 192.168.4.xxx
In each remote office have a vpn router establishing a vpn to the central office, where you would need a vpn router that can support the number of tunnels you will have.
If the device you use as the default gateway in your central office is the same as your vpn router, then it will know where to find all the other networks.
If you decide to have a separate vpn router, just be sure to setup static routes in your default gateway.

You won't need to setup port forwarding from the internet to your nbx (in fact it is recomended that you don't). The nbx will know to find IP phones through its default gateway, which will find them through the VPNs.
In the remote offices, the phones should have an IP address corresponding to that VPN (ie. if it is located in vpn 192.168.2.xxx), and its default gateway should be its VPN router. Set the NBX (NCP) IP to the IP address of your central office NBX

That should be all you have to do, but just to be sure, check under "system configuration / system wide"  in your NBX that the network protocol is set as IP on the fly, and that in "system configuration / IP addresses" you have an IP address range that is free for your central office phones to use when they need to communicate with the outside phones. (this is a pool of addresses assigned temporarilly to devices that need them for an IP call; most calls inside your office happen through layer 2 MAC address and don't need IP)

A little warning: conferencing doesn't always work through this setups pecause conferencing in nbx requires multicast. To get it to work you would need to have multicast through the VPN... we have found it to be too much trouble to implement, but you might find someone around here to make it easier. If you really need conferencing, we usually recomend an external conferencing server. One compatible with NBX is Sonexis (it can comunicate with NBX over the network so you don't have to mess around with T1 connections and cost).
top_rungAuthor Commented:
Thank you amaderog.

The instructions are from the section titled "Adding a Remote Phone" in the Administrators guide. It is very clear that the steps I am taking are all that is needed.  It starts with this...

"NBX system software (release R4.2 and higher) supports Network Address
Port Translation (NAPT, also called NAT overloading). NAPT allows you to
put an NBX Telephone behind a device that applies network address
translation at a remote location, such as a home office, and connect to
the NBX call processor through an Internet connection. One typical
configuration is to connect a cable/DSL modem to a small office/home
office router that includes a firewall and Ethernet ports. You connect the
NBX Telephone directly to one of the Ethernet ports. Another option is
use the pcXset soft telephone application instead of an NBX Telephone."

Anyway, It doesn't work as simply as they claim.  At least not this far.

I appreciate your detailed advice.   Have you seen this before?


At $70, it seems like a solution that can't be beat...

top_rungAuthor Commented:
Okay, for the record, I have to apologize to 3COM (to some degree)

I made a mistake on the instructions....

The phone "works" remotely now with their simple instructions.

All I had to do was let the NBX system auto-detect the phones and that was it on LAN1.
Then I took the phone to the remote sight and set its IP to match the LAN2 scheme and opened port 2093-2096 (port forwarding) on the router.
The phone downloaded the info and I could see everthing on the display, I could dial extensions and recieve calls from LAN1.

HOWEVER, no one I called EXCEPT FOR ANOTHER REMOTE PHONE can hear me.  I can hear them just fine, i see their extenision, etc, but they can't hear me.  The strange thing is that if i call another phone that was setup remotely, we can communicate just fine.  

Any ideas ?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Voice Over IP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.