msidnam asked:

NEC VoIP Firewall ports....what are they?

We just recently implemented VoIP into our NEC phone system. Internally the VoIP phone connects to the system perfectly. I am having an issue getting it to work from the outside. NEC says that they really only support VoIP using VPN and not NAT; however, I can't have my users running around with a VPN router wherever they go along with an IP set. The tech who set everything up for us gave me port numbers to pass through the firewall but I can't seem to get it working. I have a WatchGuard firewall on which I have created services to allow ports to go through to an internal IP address using NAT. On the IP set I have it connecting to the public IP address that goes through our firewall, gets NATed and passed to the internal IP of the card.

If anyone has done this before or is familiar with NEC and what ports they use, let me know. The ports below are what the tech gave me:

60000 UDP
50000-56500 UDP
10000 TCP

grblades

Do you know if the NEC uses its own proprietary protocol or if it uses a standard one such as H323 or SIP?
msidnam (ASKER)

Standard.
Which one?
dpk_wal

If you have multiple IP addresses, then the best option would be to configure 1-1 NAT for the VoIP phones and then configure services to open specific ports for the phones.

If you have just one IP address, you can try opening the ports and check if that works; I have not seen the pre-configured H323 service on WG working without 1-1 NAT.

Thank you.
msidnam (ASKER)

I have a 1-1 NAT setup and I've opened the ports that the tech gave me but it doesn't connect. Well, actually I think it connects to a certain point then disconnects. In my WG I could see where it was denying the IP phone from connecting. So I added ports 3400-3500 in my policy. I no longer get the deny in but the phone goes into a loop where it reboots itself. I asked the tech and he said that may be because of the TCP connection. So far this is what I've opened:

6000 UDP
50000-56500 UDP
3400-3500 UDP/TCP
10000-20000 TCP
5000 UDP/TCP
msidnam (ASKER)

The tech told me it's based on H323.
H323 uses TCP port 1720 to set up the calls, so you definitely need to permit that.
There are some other ports H323 uses listed at http://www.ncih.net/h323/gl8.html

I suspect the UDP range 50000-56500 the engineer told you is the port range used for RTP.
msidnam (ASKER)

Yes it is. The tech sent me more docs and I've opened what it asks for. So I'm wondering if it's something with the firewall not sending something back.
It could be because you are using NAT. H323 sends IP addresses within the packets, so you can end up with the PBX sending data back to the IP address instructed in the packet, which of course never gets there.
The Cisco PIX firewall, for example, has a 'fixup h323' command to inspect the contents of the packets and correct them in a similar way to what most firewalls do to FTP traffic.
If you are getting incoming traffic for the IP phone from one single public host/subnet, then just for testing purposes we can open the ANY service on the firewall, to see which ports are actually needed for communication, and then configure a specific service to allow communication.

Although ANY service is not recommended, I think just for testing it can be fine.

The WG H323 proxy service works, but not always; as your IP phones are rebooting, and as per the tech they are because some ports are still blocked, I think testing with the ANY service would be one way to proceed.

Please advise what you think.
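
Added example, not part of the thread: one way to carry out the test suggested above (temporarily allowing the ANY service from a single host, then tightening) is to record which destination ports the phone actually used and compare them with the rules already opened. The flow lines, the source address and the line layout are constructed for illustration; the opened ranges are the ones msidnam listed, and TCP 1720 is the H323 call-setup port mentioned earlier.

```python
from collections import defaultdict

# Constructed flows from one test phone during the temporary allow-all test.
# "<src> <proto> <dst_port>" is an assumed layout, not WatchGuard's log format.
OBSERVED = """\
203.0.113.25 tcp 1720
203.0.113.25 tcp 10000
203.0.113.25 udp 3456
203.0.113.25 udp 50010
203.0.113.25 udp 50011
203.0.113.25 udp 50012
"""

OPENED = {  # ports opened so far, from the second list in the thread
    "udp": [(6000, 6000), (50000, 56500), (3400, 3500), (5000, 5000)],
    "tcp": [(3400, 3500), (10000, 20000), (5000, 5000)],
}

def parse_flows(text):
    """Return {proto: sorted distinct destination ports}; skip bad lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2].isdigit() and 0 < int(fields[2]) <= 65535:
            ports[fields[1].lower()].add(int(fields[2]))
    return {proto: sorted(seen) for proto, seen in ports.items()}

def collapse(ports):
    """Merge a sorted port list into (start, end) ranges."""
    ranges = []
    for port in ports:
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges

def audit(observed, opened):
    """Per protocol: ranges needed, needed but not opened, opened but unused."""
    report = {}
    for proto in sorted(set(observed) | set(opened)):
        seen, rules = observed.get(proto, []), opened.get(proto, [])
        missing = [p for p in seen if not any(lo <= p <= hi for lo, hi in rules)]
        unused = [(lo, hi) for lo, hi in rules if not any(lo <= p <= hi for p in seen)]
        report[proto] = {"needed": collapse(seen), "missing": collapse(missing), "unused": unused}
    return report

if __name__ == "__main__":
    print(audit(parse_flows(OBSERVED), OPENED))
```

The media ports seen in a short test are only a sample of a dynamically assigned range, so the RTP rule is sized from the PBX configuration, while ranges reported as unused are candidates for removal once the temporary ANY rule is taken out.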
msidnam (ASKER)

I will try the ANY service. I won't be able to test until Monday. I will report back with results.
msidnam (ASKER)

I gave the CPU and IPLA card static public IPs and it still doesn't work. Our vendor is going to get a hold of the NEC techs to see what's up.

Thanks everyone for trying.
msidnam (ASKER)

I got this resolved. The way I had to do it was by using my Bellsouth DSL line with my static IPs exposed to the internet. On the IP Phone side NEC finally was able to tell me the ports to pass through to the IP Phone. So the bad part is that whoever gets an IP Phone (let's say at their house) will need to go into the router and pass those ports through.

What a mission. Inter-Tel was easier.
Good to know that the problem is resolved! :)
msidnam (ASKER)

I stumbled across this site: http://home.grandecom.net/~patandsusan/NEAX2000_NAT.pdf

and it pretty much said that the only way to get it to work is by assigning the PBX and the IPLA card static IPs, exposed to the internet. The phone can be behind the firewall using NAT but the PBX shouldn't be. Also, with my WatchGuard firewall it would never connect even by exposing the IP.
msidnam (ASKER)

I was able to get it resolved using a different method than what was suggested.
If you advise on what that method was, please, I can recommend your points be refunded to you.

Thanks
keith
msidnam (ASKER)

I stumbled across this site: http://home.grandecom.net/~patandsusan/NEAX2000_NAT.pdf

and it pretty much said that the only way to get it to work is by assigning the PBX and the IPLA card static IPs, exposed to the internet. The phone can be behind the firewall using NAT but the PBX shouldn't be. Also, with my WatchGuard firewall it would never connect even by exposing the IP. I had to use my Bellsouth DSL line with static IPs.
Thank you very much for the update - I will make the recommendation for PAQ (add the question to the database) and a points refund over the next few days.

Regards

keith