

3COM NBX 3000, Pix 506e, remote phone without using VPN

Posted on 2006-04-14
Medium Priority
Last Modified: 2007-12-19
I need the ability to connect remote phones to my NBX 3000 that resides within my LAN (LAN1) behind a PIX 506e.

Steps that have been taken:

NBX configured with external IP address

PIX configured for...

port 2093-2096 UDP
port 1040-1044 TCP
Fixup protocol h323 h225 1720

I have plugged in the phone within LAN1 and let the Auto discovery do its thing. Meaning it is in the NBX database and has been assigned an extension.  The phone was then taken to the offsite location (LAN2) and the LUI (local user interface) was used to assign the IP, subnet, and gateway for LAN1.

I plugged in the phone within LAN2, and the display shows "Connect to Phone Port".


LAN2 is a home address using a cable modem and a linksys WRT54G router. I assume I have to set the router to port forward 2093-2096 - correct? If this hasn't been done though, is that why the phone doesn't detect a phone port?

Question by:top_rung

Expert Comment

ID: 16471315
Port forwarding would not cause that error "Connect to Phone Port".
I'm assuming that in LAN 2 you do not have a PoE switch. You should first check that you do have a good connection between the phone and the home router. Check the cable and the port of the switch.
I would suggest plugging a PC on the other port of the phone to see if it can get connectivity to the router (if it at least gets a dhcp leased IP address, it should be ok).


Expert Comment

ID: 16472443
Are you going to assign a valid external IP address to the phone placed externally?
I haven't tested using phones with port forwarding. We usually set them up with a vpn router. That way, the only port you have to care about is the IPSec at the central office.
If you are using it for a home installation, a VPN router won't take too much space, and you can find some that are quite affordable.

Author Comment

ID: 16472727
Thanks for the reply,

The port/line is working, and has been tested. However, you make a good point to test the passthrough on the phone. Slipped my mind.

The setup instructions for this phone system say that the phone must be discovered within the NBX's LAN and given a valid IP (which was done), and then taken to the remote location. From there, it just says to configure the remote router to accept and pass the traffic (I assume that is the port forwarding). I assumed the phone should get an IP for the remote LAN - through DHCP. But apparently, it is not seeing the router at all and thus not getting an assignment.

So I did give the phone an internal address in LAN1, as well as set the gateway, subnet, and External NBX address for LAN1.   It appears that the phone reserves that information in memory, and for lack of a better term, has another "memory location" for the LAN2 configuration. Is that correct?

The router in LAN2 is a consumer grade Linksys WRT54G and does connect to LAN1 using VPN using Microsoft client on the PC.  Sorry for my ignorance on the subject, but what else  needs to be configured for the client's router to  do this?  Is the Linksys WRT54G capable of handling this, or is it a specialized router that is needed?


Accepted Solution

amaderog earned 2000 total points
ID: 16473542
Discovering the phone is a good first step, but I don't think it is absolutely necessary. Giving it a valid IP on LAN1 though, is not a needed step, because you will end up changing that address later on. The phones can get an IP address from a dhcp server, but they require some special parameters set up. Those options to my knowledge, are not present on the regular dhcp servers within small routers. So giving the phone a valid IP for LAN2 manually is almost surely required. The phone does store its IP in memory, so you can configure it in the office and have the user take it preconfigured.
The phone has a configured IP and the IP it is using at the moment. That would be what you referred to as "another memory location". I wouldn't worry too much about that, because when they don't find a compatible dhcp, they take the configured address.

The wrt54g won't make the vpn tunnel. That's why you use the microsoft client on the PC. To have a VPN tunnel that links two networks you need something like:
3CR860-95 OfficeConnect Secure Router (supports 2 tunnels)
3CR870-95 OfficeConnect VPN Firewall (supports 50 tunnels)
A VPN router I usually use for its ease is the Sg-300 made by Cyberguard (now Secure-Computing), but they OEM to many others, so you can find them in many brands and colors.

In your central office you should have a router accepting incoming vpn connections. All three described above do that. Your PIX should too, but I'm not familiar with it or its interface. In the Cisco page you can find:
"The Cisco PIX 506E Security Appliance provides...   ..site-to-site and remote access VPN..."

Having the VPN router is the easiest way in my opinion to get NBX phones to work.

Do you plan to have this configuration for only one user? or are many other users going to follow with this setup?

Author Comment

ID: 16478465
Thanks for the info.  What you say makes complete sense.

Initially, the setup will call for 5 remote users.  However, this is expected to grow in the near future.  We have satellite offices that have just opened in other countries.  The thought was (per sales rep and brochure) that the phones would work anywhere there is an internet connection and proper setup.

What confuses me about the entire setup is that the instructions imply that you must first setup the phone in LAN1 so that it will properly communicate inside the network once the connection is made. Hence have an IP in LAN1. Second, it must be configured inside the remote location LAN2 so that it can work within it and be able to communicate out to the NBX.

Are there any step-by-step guides that show how to properly configure a VPN router for such an implementation?  Do you configure it to match the LAN1's network scheme?  ??




Expert Comment

ID: 16479541
When you say "instructions" do you refer to the administrators guide?

The steps I think you refer to, are the ones for installing a telephone inside a company's network, but in different sites, joined by routers. That also applies to VPNs, but not to internet, because of the way the nbx and phones communicate. They both need to know the address of each other and their gateways need to know the route to get there. When NAT is involved, port forwarding alone won't work.

To set up the VPNs, you should have an IP addressing plan.
For example having the central office have 192.168.1.xxx
Each remote office having one like 192.168.2.xxx, 192.168.3.xxx, 192.168.4.xxx
In each remote office have a vpn router establishing a vpn to the central office, where you would need a vpn router that can support the number of tunnels you will have.
If the device you use as the default gateway in your central office is the same as your vpn router, then it will know where to find all the other networks.
If you decide to have a separate vpn router, just be sure to setup static routes in your default gateway.

You won't need to setup port forwarding from the internet to your nbx (in fact it is recommended that you don't). The nbx will know to find IP phones through its default gateway, which will find them through the VPNs.
In the remote offices, the phones should have an IP address corresponding to that VPN (ie. if it is located in vpn 192.168.2.xxx), and its default gateway should be its VPN router. Set the NBX (NCP) IP to the IP address of your central office NBX.

That should be all you have to do, but just to be sure, check under "system configuration / system wide" in your NBX that the network protocol is set as IP on the fly, and that in "system configuration / IP addresses" you have an IP address range that is free for your central office phones to use when they need to communicate with the outside phones. (this is a pool of addresses assigned temporarily to devices that need them for an IP call; most calls inside your office happen through layer 2 MAC address and don't need IP)

A little warning: conferencing doesn't always work through these setups because conferencing in nbx requires multicast. To get it to work you would need to have multicast through the VPN... we have found it to be too much trouble to implement, but you might find someone around here to make it easier. If you really need conferencing, we usually recommend an external conferencing server. One compatible with NBX is Sonexis (it can communicate with NBX over the network so you don't have to mess around with T1 connections and cost).
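
An added example (not part of the original thread and not 3Com or Cisco tooling): a Python check of the site-to-site addressing plan described in the comment above. It flags remote subnets that overlap the central office or each other, phones or gateways outside their site's subnet, and lists the static routes the central default gateway needs when the VPN router is a separate device. All site names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed plan following the 192.168.N.xxx scheme from the comment above.
# Site names and host addresses are hypothetical.
CENTRAL = "192.168.1.0/24"
VPN_ROUTER_IP = "192.168.1.2"   # separate VPN router inside the central LAN
REMOTE_SITES = {
    "home-1": {"subnet": "192.168.2.0/24", "gateway": "192.168.2.1", "phone": "192.168.2.50"},
    "home-2": {"subnet": "192.168.3.0/24", "gateway": "192.168.3.1", "phone": "192.168.3.50"},
    # A home router left on the same range as the central office cannot be routed.
    "home-3": {"subnet": "192.168.1.0/24", "gateway": "192.168.1.1", "phone": "192.168.1.60"},
}

def check_plan(central, sites):
    """Return a list of problems that would break routing over the tunnels."""
    problems = []
    seen = {"central": ipaddress.ip_network(central)}
    for name, site in sites.items():
        net = ipaddress.ip_network(site["subnet"])
        # Every site needs its own range, or neither end knows where to send traffic.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        # The phone's manual IP and its default gateway must sit in the site subnet.
        for role in ("gateway", "phone"):
            if ipaddress.ip_address(site[role]) not in net:
                problems.append(f"{name}: {role} {site[role]} is outside {net}")
        seen[name] = net
    return problems

def static_routes(sites, next_hop, skip=()):
    """Routes for the central default gateway when the VPN router is a separate box."""
    return [(str(ipaddress.ip_network(s["subnet"])), next_hop)
            for name, s in sites.items() if name not in skip]

if __name__ == "__main__":
    for problem in check_plan(CENTRAL, REMOTE_SITES):
        print("PROBLEM:", problem)
    for dest, hop in static_routes(REMOTE_SITES, VPN_ROUTER_IP, skip={"home-3"}):
        print(f"route {dest} via {hop}")
```
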

Author Comment

ID: 16488893
Thank you amaderog.

The instructions are from the section titled "Adding a Remote Phone" in the Administrators guide. It is very clear that the steps I am taking are all that is needed.  It starts with this...

"NBX system software (release R4.2 and higher) supports Network Address
Port Translation (NAPT, also called NAT overloading). NAPT allows you to
put an NBX Telephone behind a device that applies network address
translation at a remote location, such as a home office, and connect to
the NBX call processor through an Internet connection. One typical
configuration is to connect a cable/DSL modem to a small office/home
office router that includes a firewall and Ethernet ports. You connect the
NBX Telephone directly to one of the Ethernet ports. Another option is
use the pcXset soft telephone application instead of an NBX Telephone."

Anyway, It doesn't work as simply as they claim.  At least not this far.

I appreciate your detailed advice.   Have you seen this before?


At $70, it seems like a solution that can't be beat...


Author Comment

ID: 16545580
Okay, for the record, I have to apologize to 3COM (to some degree)

I made a mistake on the instructions....

The phone "works" remotely now with their simple instructions.

All I had to do was let the NBX system auto-detect the phones and that was it on LAN1.
Then I took the phone to the remote site and set its IP to match the LAN2 scheme and opened port 2093-2096 (port forwarding) on the router.
The phone downloaded the info and I could see everything on the display, I could dial extensions and receive calls from LAN1.

HOWEVER, no one I called EXCEPT FOR ANOTHER REMOTE PHONE can hear me. I can hear them just fine, I see their extension, etc, but they can't hear me. The strange thing is that if I call another phone that was setup remotely, we can communicate just fine.

Any ideas ?
