3COM NBX 3000, Pix 506e, remote phone without using VPN

Posted on 2006-04-14
Last Modified: 2007-12-19
I need the ability to connect remote phones to my NBX 3000 that resides within my LAN (LAN1) behind a PIX 506e.

Steps that have been taken:

NBX configured with external IP address

PIX configured for...

port 2093-2096 UDP
port 1040-1044 TCP
Fixup protocol h323 h225 1720

I have plugged in the phone within LAN1 and let the Auto discovery do its thing. Meaning it is in the NBX database and has been assigned an extension.  The phone was then taken to the offsite location (LAN2) and the LUI (local user interface) was used to assign the IP, subnet, and gateway for LAN1.

I plugged in the phone within LAN2, and the display shows "Connect to Phone Port".


LAN2 is a home address using a cable modem and a linksys WRT54G router.  I assume I have to set the router to port forward 2093-2096 - correct?  If this hasn't been done though, is that why the phone doesn't detect a phone port?

Question by:top_rung
    LVL 2

    Expert Comment

    Port forwarding would not cause that error "Connect to Phone Port".
    I'm assuming that in LAN 2 you do not have a PoE switch. You should first check that you do have a good connection between the phone and the home router. Check the cable and the port of the switch.
    I would suggest plugging a PC on the other port of the phone to see if it can get connectivity to the router (if it at least gets a dhcp leased IP address, it should be ok).

    LVL 2

    Expert Comment

    Are you going to assign a valid external IP address to the phone placed externally?
    I haven't tested using phones with port forwarding. We usually set them up with a vpn router. That way, the only port you have to care about is the IPSec at the central office.
    If you are using it for a home installation, a VPN router won't take too much space, and you can find some that are quite affordable.
    LVL 14

    Author Comment

    Thanks for the reply,

    The port/line is working, and has been tested. However, you make a good point to test the passthrough on the phone. Slipped my mind.

    The setup instructions for this phone system say that the phone must be discovered within the NBX's LAN and given a valid IP (which was done), and then taken to the remote location.  From there, it just says to configure the remote router to accept and pass the traffic (I assume that is the port forwarding).  I assumed the phone should get an IP for the remote LAN - through DHCP.  But apparently, it is not seeing the router at all and thus not getting an assignment.

    So I did give the phone an internal address in LAN1, as well as set the gateway, subnet, and External NBX address for LAN1.   It appears that the phone reserves that information in memory, and for lack of a better term, has another "memory location" for the LAN2 configuration. Is that correct?

    The router in LAN2 is a consumer grade Linksys WRT54G and does connect to LAN1 using VPN using Microsoft client on the PC.  Sorry for my ignorance on the subject, but what else  needs to be configured for the client's router to  do this?  Is the Linksys WRT54G capable of handling this, or is it a specialized router that is needed?
    LVL 2

    Accepted Solution

    Discovering the phone is a good first step, but I don't think it is absolutely necessary. Giving it a valid IP on LAN1 though, is not a needed step, because you will end up changing that address later on. The phones can get an IP address from a dhcp server, but they require some special parameters set up. Those options to my knowledge, are not present on the regular dhcp servers within small routers. So giving the phone a valid IP for LAN2 manually is almost surely required. The phone does store its IP in memory, so you can configure it in the office and have the user take it preconfigured.
    The phone has a configured IP and the IP it is using at the moment. That would be what you referred to as "another memory location". I wouldn't worry too much about that, because when they don't find a compatible dhcp, they take the configured address.

    The wrt54g won't make the vpn tunnel. That's why you use the microsoft client on the PC. To have a VPN tunnel that links two networks you need something like:
    3CR860-95        OfficeConnect Secure Router      (supports 2 tunnels)            
    3CR870-95        OfficeConnect VPN Firewall      (supports 50 tunnels)
    A VPN router I usually use for its ease is the Sg-300 made by Cyberguard (now Secure-Computing), but they OEM to many others, so you can find them in many brands and colors.

    In your central office you should have a router accepting incoming vpn connections. All three described above do that. Your PIX should too, but I'm not familiar with it or its interface. In the Cisco page you can find:
    "The Cisco PIX 506E Security Appliance provides... and remote access VPN..."

    Having the VPN router is the easiest way in my opinion to get NBX phones to work.

    Do you plan to have this configuration for only one user? or are many other users going to follow with this setup?
    LVL 14

    Author Comment

    Thanks for the info.  What you say makes complete sense.

    Initially, the setup will call for 5 remote users.  However, this is expected to grow in the near future.  We have satellite offices that have just opened in other countries.  The thought was (per sales rep and brochure) that the phones would work anywhere there is an internet connection and proper setup.

    What confuses me about the entire setup is that the instructions imply that you must first setup the phone in LAN1 so that it will properly communicate inside the network once the connection is made. Hence have an IP in LAN1.  Second, it must be configured inside the remote location LAN2 so that it can work within it and be able to communicate out to the NBX.

    Are there any step-by-step guides that show how to properly configure a VPN router for such an implementation?  Do you configure it to match the LAN1's network scheme?  ??



    LVL 2

    Expert Comment

    When you say "instructions" do you refer to the administrators guide?

    The steps I think you refer to, are the ones for installing a telephone inside a company's network, but in different sites, joined by routers. That also applies to VPNs, but not to internet, because of the way the nbx and phones communicate. They both need to know the address of each other and their gateways need to know the route to get there. When NAT is involved, port forwarding alone won't work.

    To set up the VPNs, you should have an IP addressing plan.
    For example having the central office have
    Each remote office having one like,,
    In each remote office have a vpn router establishing a vpn to the central office, where you would need a vpn router that can support the number of tunnels you will have.
    If the device you use as the default gateway in your central office is the same as your vpn router, then it will know where to find all the other networks.
    If you decide to have a separate vpn router, just be sure to setup static routes in your default gateway.

    You won't need to setup port forwarding from the internet to your nbx (in fact it is recommended that you don't). The nbx will know to find IP phones through its default gateway, which will find them through the VPNs.
    In the remote offices, the phones should have an IP address corresponding to that VPN (ie. if it is located in vpn, and its default gateway should be its VPN router. Set the NBX (NCP) IP to the IP address of your central office NBX

    That should be all you have to do, but just to be sure, check under "system configuration / system wide"  in your NBX that the network protocol is set as IP on the fly, and that in "system configuration / IP addresses" you have an IP address range that is free for your central office phones to use when they need to communicate with the outside phones. (this is a pool of addresses assigned temporarily to devices that need them for an IP call; most calls inside your office happen through layer 2 MAC address and don't need IP)

    A little warning: conferencing doesn't always work through these setups because conferencing in nbx requires multicast. To get it to work you would need to have multicast through the VPN... we have found it to be too much trouble to implement, but you might find someone around here to make it easier. If you really need conferencing, we usually recommend an external conferencing server. One compatible with NBX is Sonexis (it can communicate with NBX over the network so you don't have to mess around with T1 connections and cost).
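
    The addressing checks described in the comment above, as an added example that is not part of the original thread: it verifies that site subnets do not overlap, that each phone's IP and gateway sit in its own site's subnet, that the phone's NCP address is the central NBX, and lists the static routes a central default gateway needs when the VPN router is a separate device. All addresses, site names and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample plan: every address below is an assumption, none is from the thread.
CENTRAL = ipaddress.ip_network("192.168.1.0/24")
NBX_IP = ipaddress.ip_address("192.168.1.10")
VPN_ROUTER = ipaddress.ip_address("192.168.1.254")  # separate VPN router on the central LAN
SITES = {
    "home-a": ipaddress.ip_network("192.168.11.0/24"),
    "home-b": ipaddress.ip_network("192.168.12.0/24"),
}
PHONES = [  # (site, phone IP, default gateway, NCP IP set on the phone)
    ("home-a", "192.168.11.20", "192.168.11.1", "192.168.1.10"),
    ("home-b", "192.168.1.21", "192.168.12.1", "192.168.1.10"),  # still has a central-office address
]

def check_plan(central, nbx_ip, sites, phones):
    """Return a list of problems with the addressing plan (empty list = consistent)."""
    problems = []
    nets = [("central", central)] + sorted(sites.items())
    # Site subnets must not overlap, or the gateways cannot route between them.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    if nbx_ip not in central:
        problems.append(f"NBX {nbx_ip} is outside the central subnet {central}")
    for site, ip, gw, ncp in phones:
        net = sites[site]
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"phone {ip} is not in {site} subnet {net}")
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"gateway {gw} of phone {ip} is not in {site} subnet {net}")
        if ipaddress.ip_address(ncp) != nbx_ip:
            problems.append(f"phone {ip} points at NCP {ncp}, expected {nbx_ip}")
    return problems

def static_routes(sites, vpn_router):
    """Routes the central default gateway needs when the VPN router is a separate box."""
    return [(str(net), str(vpn_router)) for _, net in sorted(sites.items())]

if __name__ == "__main__":
    for problem in check_plan(CENTRAL, NBX_IP, SITES, PHONES):
        print("PROBLEM:", problem)
    for net, hop in static_routes(SITES, VPN_ROUTER):
        print(f"route {net} via {hop}")
```
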
    LVL 14

    Author Comment

    Thank you amaderog.

    The instructions are from the section titled "Adding a Remote Phone" in the Administrators guide. It is very clear that the steps I am taking are all that is needed.  It starts with this...

    "NBX system software (release R4.2 and higher) supports Network Address
    Port Translation (NAPT, also called NAT overloading). NAPT allows you to
    put an NBX Telephone behind a device that applies network address
    translation at a remote location, such as a home office, and connect to
    the NBX call processor through an Internet connection. One typical
    configuration is to connect a cable/DSL modem to a small office/home
    office router that includes a firewall and Ethernet ports. You connect the
    NBX Telephone directly to one of the Ethernet ports. Another option is
    use the pcXset soft telephone application instead of an NBX Telephone."

    Anyway, it doesn't work as simply as they claim.  At least not this far.

    I appreciate your detailed advice.   Have you seen this before?

    At $70, it seems like a solution that can't be beat...

    LVL 14

    Author Comment

    Okay, for the record, I have to apologize to 3COM (to some degree)

    I made a mistake on the instructions....

    The phone "works" remotely now with their simple instructions.

    All I had to do was let the NBX system auto-detect the phones and that was it on LAN1.
    Then I took the phone to the remote site and set its IP to match the LAN2 scheme and opened port 2093-2096 (port forwarding) on the router.
    The phone downloaded the info and I could see everything on the display, I could dial extensions and receive calls from LAN1.

    HOWEVER, no one I called EXCEPT FOR ANOTHER REMOTE PHONE can hear me.  I can hear them just fine, I see their extension, etc, but they can't hear me.  The strange thing is that if I call another phone that was setup remotely, we can communicate just fine.

    Any ideas ?
