Member
Joined: May 2001
Posts: 506
I'd try eliminating everything at the other end too. Try connecting the phone directly to the internet (bypassing the router.)
Devin

Member
Joined: Jun 2007
Posts: 490
5566 TCP (ITP Call Control)
5567 UDP (ITP Call Control)
6004-6247 (RTP & RTCP)
Axxess/IPRCs of that era support near and far end NAT; if you are permitting those ports through you should be in good shape. Make sure that the device in the DB is configured to Auto or NAT. Also make sure that you have the public IP defined in the 8602 setup.

Member
Joined: Jul 2007
Posts: 11
I opened those ports and made sure to check the settings you suggested and everything is set up as you stated. Also, I am testing this from a laptop connected to Verizon's wireless network via a 1XRTT card so there is no router on the client side. I would think it might be Verizon blocking ports on their wireless network, but since it works through the VPN is that still a possibility?
Again, this works fine if I establish a VPN connection from the client first, but not if I just try to port-forward through the firewall. Any other ideas? I'm at a loss.
Thanks, Mike

Member
Joined: Jul 2007
Posts: 11
I've been told by our firewall vendor that it does not support SIP traffic, so it appears that is the problem.
Does anyone know of another device we could implement that would accept the SIP traffic and bypass the firewall? Would we just need a second firewall to do this?
Mike

Member
Joined: Jun 2007
Posts: 490
The 8602 does not use SIP; it uses ITP (InterTel Protocol) for VoIP, so that is not the cause of your issue. If you can connect through the VPN, that indicates that something in your NAT is not configured properly if you have the 8602 configured for both the native and NAT IP of the IPRC card that you are connecting to AND you have that endpoint flagged for AUTO or NAT in the Axxess DB (System/DevicesandFeatureCodes/Endpoints/[Ext]/IP Settings/NAT Address Type).
What kind of firewall do you have? You should be able to see your ACL matches to determine if your NAT and your ACLs are configured properly.

Member
Joined: Jul 2007
Posts: 11
We have a WatchGuard Firebox X700. I do have the NAT type configured properly in the Axxess DB (Auto). The 8602 has both IP addresses configured properly, as well. I am certain there is something misconfigured in the firewall, but since I've created a NAT policy specifically for the ports you defined I can't figure out what else to check. Here is my policy:
allow from any-external to (NAT IP)->(private IP) ports: 5566 TCP 5567 UDP 5004-5069 TCP 6004-6247 TCP, UDP
Am I missing something?
Mike

Member
Joined: Jun 2007
Posts: 490
Those are definitely the right ports. Have you tried to reboot the firewall since you made the change? Some firewalls need to have their Xlate tables reset.

Member
Joined: Sep 2005
Posts: 840
Ports 5004-5069 are UDP only. Ports 6004-6247 are not used on an Axxess.
Make sure your Watchguard is using the latest firmware as Watchguard has had issues in the past not supporting NAT per RFC specifications.
If the softphone works internally and works remotely via VPN, are you changing the IP address to test w/ NAT? Normally you wouldn't use an external IP address to connect via VPN.
Another thing you can do to test your NAT programming is telnet to the NAT'ed IPRC address on port 5566. If you immediately get a bunch of nonsense characters on the top of the telnet window, your NAT translation for that port is correct. Example in telnet window: "open 64.65.128.9 5566".
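
An added example (not written by any poster in this thread): a small Python check that compares the forwarding policy quoted earlier with the port and protocol list given in the replies, reporting what is required but not forwarded and what is forwarded but not required. The required list is taken from those replies; UDP for 6004-6247 is an assumption, since the thread gives no protocol for that range.

```python
import re

def parse_ports(text):
    """Parse 'PORT[-PORT] PROTO[, PROTO]' runs into a set of (low, high, proto)."""
    rules = set()
    for m in re.finditer(r"(\d+)(?:-(\d+))?((?:[\s,]+(?:tcp|udp)\b)+)", text, re.I):
        low = int(m.group(1))
        high = int(m.group(2) or low)
        for proto in re.findall(r"tcp|udp", m.group(3), re.I):
            rules.add((low, high, proto.lower()))
    return rules

def expand(rules):
    """Expand ranges into individual (port, proto) pairs so overlaps compare cleanly."""
    return {(p, proto) for low, high, proto in rules for p in range(low, high + 1)}

def collapse(pairs):
    """Turn (port, proto) pairs back into sorted 'low-high/proto' strings."""
    out = []
    for proto in sorted({pr for _, pr in pairs}):
        ports = sorted(p for p, pr in pairs if pr == proto)
        start = prev = ports[0]
        for p in ports[1:] + [None]:          # None flushes the last run
            if p is None or p != prev + 1:
                out.append(f"{start}/{proto}" if start == prev
                           else f"{start}-{prev}/{proto}")
                start = p
            prev = p
    return out

def audit(policy_text, required_text):
    """Return ports required but not forwarded, and forwarded but not required."""
    allowed = expand(parse_ports(policy_text))
    required = expand(parse_ports(required_text))
    return {"missing": collapse(required - allowed),
            "extra": collapse(allowed - required)}

# Port list from the firewall policy as posted in the thread.
POLICY = "5566 TCP 5567 UDP 5004-5069 TCP 6004-6247 TCP, UDP"
# Ports as stated in the replies; UDP for 6004-6247 is an assumption.
REQUIRED = "5566 TCP 5567 UDP 5004-5069 UDP 6004-6247 UDP"

if __name__ == "__main__":
    result = audit(POLICY, REQUIRED)
    print("required but not forwarded:", result["missing"])
    print("forwarded but not required:", result["extra"])
```

With these inputs the check reports 5004-5069/udp as not forwarded, and the TCP entries for 5004-5069 and 6004-6247 as forwarded without being in the stated list.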

Member
Joined: Jun 2007
Posts: 490
9.0 and higher firmware on Axxess uses that port range.

Member
Joined: Jul 2007
Posts: 11
I think I may have found the problem. While browsing through System Prog I found that the NAT IP Address assigned to the IPRC card is 255.255.255.255 - I assume I need to change this to our public IP address. Is that correct?