Using remote extensions outside the firewall

We are deploying an Asterisk server at our company and I want us to be able to give remote workers (who work at home around the world) a physical VOIP extension to make their work environment more efficient and effective. We’re using Cisco phones - maybe the 7960 or something close to that, I’m not certain.

I’m being told by our technical folks that we can’t deploy remote Cisco phones (i.e. phones outside the firewall) without also deploying a hardware-based VPN in each remote location, unless we want to open up lots of ports on our main router (which is also a pretty good Cisco router - I don’t know the model number). That doesn’t make sense to me - why would Cisco design a system which didn’t allow VOIP phones to connect securely, particularly their own phones?

We do have a VPN (Cisco AnyConnect) and I assume we could get around the problems above by having people use softphones on their PCs, connecting securely using the VPN. But we really want to have physical phones in each remote location.

We don’t have a huge number of remote locations - perhaps 50 in total - and they change very infrequently. Wouldn’t it be possible to program the router to accept connections only from 50 specific MAC addresses? Or is there some other way to connect these remote extensions that does not require us to open lots of ports on the router? I’m willing to have us install some additional software or hardware on the central network, but I don’t want to have to install 50 hardware VPN boxes, at a huge cost and effort, when I suspect it is not necessary.

Thanks in advance for any help you can provide. Regards.

Cisco’s market is large organisations who would naturally use VPNs for satellites. Also Cisco’s phones are intended to be used with a Cisco Call Manager. Incidentally, I believe that Cisco phones, in SIP mode, don’t work properly when crossing a network address translation boundary.

Note that Asterisk does not support speech path encryption, yet, so high security use of Asterisk currently requires a VPN.

What David55 said is true. Also, your phone will need to contact your company’s DHCP server to get a local IP address and find out where to pull its configuration and firmware from. This is located on a TFTP server that you do NOT want to leave open to the Internet. A VPN will let the phone act like it is physically plugged into your company’s local network and handle all of this. The techs are correct that you will need some type of VPN hardware to establish a connection for the phone to flow through.

OK, thanks. It’s not the answer I wanted to hear, but the fact that everyone is in agreement is comforting…

Jwshome,

I set up a Cisco 7941 phone on Asterisk and it’s not friendly for people new to this. My advice is to stay well clear. You need to get your hands on and reload a SIP firmware version, program it using XML scripting etc. Having said that, once set up they are extremely good and reliable.

You can, contrary to silverglade50, set Cisco phones with a static IP, and they don’t need to connect to a TFTP server each time the phone starts. You can do this once in the office to provision the phone, before assigning it to your remote workers. But supporting this would be a disaster. Furthermore, I would not be too worried about sending voice unencrypted over the internet. It’s still far more difficult to listen to a VoIP conversation compared to tapping into a PSTN line.

I know Cisco phones look the business and are the height of cool from some very good product placement, but can I suggest a completely different and far more sensible approach?

Go with a better equipped, better value, more user/support friendly Linksys phone, they are owned by Cisco. With the immense amounts of cash you will save, buy IPSEC VPN enabled routers for your office workers. They will have to get a router anyways, so I’m sure this will work out more cost effective. It will give you a secure environment with more flexibility to run other network applications/file sharing etc.

I recommend and I have Linksys SPA942 for the standard worker and they work a total treat. (Don’t make a mistake for going for SPA941, they are about $15 cheaper and look the same, but have no POE, no second net port, no backlight, can’t reprogram line keys for BLF etc.)

Excellent, thanks for the advice. I can see us going in that direction, and I agree the cost would not be onerous.

Our IT Director has since come up with another solution - setting up a separate server, with all relevant ports open, to handle just the remote phones and pass on the calls to the Asterisk server. This apparently keeps our Asterisk server secure, and also reduces the functionality of the remote phones slightly - we lose some sort of Directory information - but otherwise provides us with reasonable security other than encryption (which I am not concerned about).

Any reaction to this solution? It made a lot of sense to me.

No, don’t bother. Sounds like double trouble… I don’t see what that would achieve; you still have the same issue if someone hacked a user’s password and made calls through this server. Risks are the same.

There is nothing wrong with having an Asterisk box accessible for outgoing calls from the internet once it’s set up securely.

See this article blogs.digium.com/2009/03/28/sip-security/ for some tips.
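As an added illustration of what “set up securely” means for a chan_sip extension that registers from the Internet (example config written for this thread, not taken from the Digium article or from any poster), here is a weak peer definition beside a hardened one. The extension number, secret and the worker’s home address are placeholders; Asterisk option names are the real chan_sip ones of that era.

```ini
; Added example, not from the thread: weak vs. hardened chan_sip settings.
; Extension number, secret and addresses are placeholders.

[general]
; Weak (shown commented out): anonymous calls accepted, and a failed
; login reveals whether the username exists.
;allowguest=yes
;alwaysauthreject=no

; Hardened: no unauthenticated calls; identical rejection for bad user
; and bad password, so usernames cannot be enumerated.
allowguest=no
alwaysauthreject=yes

; --- Weak remote extension: guessable secret, reachable from anywhere ---
[1001-weak]
type=friend
secret=1001
host=dynamic
context=from-internal

; --- Hardened remote extension ---
[1001]
type=friend
secret=PLACEHOLDER-long-random-secret       ; not derived from the extension number
host=dynamic
nat=yes                                     ; phone sits behind the worker's home NAT
qualify=yes                                 ; keeps the NAT mapping alive and shows reachability
context=remote-workers                      ; dialplan context without unrestricted trunk access
call-limit=2                                ; caps concurrent calls if the secret ever leaks
deny=0.0.0.0/0.0.0.0                        ; refuse registration from all addresses ...
permit=203.0.113.10/255.255.255.255         ; ... except the worker's known IP (placeholder, TEST-NET-3)
```

The deny/permit pair only works where a home connection has a fixed address; for dynamic home IPs, drop those two lines and rely on the strong secret, the restricted context and the call limit.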