This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

One last problem: connecting from the VPN to our internal VOIP server

Here's our setup:

Internal Network INTERNALNET 10.2.2.X
L2TP Network setup via the VPN setup FAQ for VPNNET 10.242.3.X
External IP address INETADDY

voip PHONEADDY server on the internal network 10.2.2.25

Packet Filter rule allowing any SIP -> PHONEADDY
Packet Filter rule allowing any RTP -> PHONEADDY

DNAT forwarding INETADDY SIP -> PHONEADDY
DNAT forwarding INETADDY RTP -> PHONEADDY

I can connect just fine from the internal network to PHONEADDY, and I can connect just fine from anywhere on the internet to INETADDY.

When I am connected to the VPN I can force connections to PHONEADDY and it works fine but I want the VPN folks to be able to keep their soft phone connections the same for when they are not connected and when they are connected using voip.our.domain.com. Is this a viable thing to do?

I had a similar problem with trying to get folks on INTERNALNET to get standard http/ftp requests to resolve correctly when they are trying to view the corporate website via http://INETADDY and setup FNAT's from INTERNALNET to INETADDY.

I tried this same thing with the phone:

VPNNET for the SIP service -> INETADDY Destination PHONEADDY source INETADDY
VPNNET for the RTP service -> INETADDY Destination PHONEADDY source INETADDY

but I still can't get the mobile users to be able to connect to our phone via voip.our.domain.com when VPN'ed into our network.

Uhm, is that crystal clear? Am I doing this wrong? Thanks!

predator

This thread was automatically locked due to age.

Parents

0 predatorsw over 16 years ago

I may try to simply get voip.our.domain.com to resolve differently when running through our own DNS. This way externally it will resolve to INETADDY but internally it will resolve to PHONEADDY.

?????
Cancel
Vote Up 0 Vote Down

Cancel
0 predatorsw over 16 years ago in reply to predatorsw

I can't seem to do the same thing with HTTP from the vpn pool that I could do with INTERNALNET -> http://our.domain.com via FNAT either. Is there something strange about the VPN pool that doesn't allow these FNAT translation?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 predatorsw over 16 years ago in reply to predatorsw

I can't seem to do the same thing with HTTP from the vpn pool that I could do with INTERNALNET -> http://our.domain.com via FNAT either. Is there something strange about the VPN pool that doesn't allow these FNAT translation?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 predatorsw over 16 years ago in reply to predatorsw

I do have a VPNNET -> INTERNETADDY Masq on.
Cancel
Vote Up 0 Vote Down

Cancel
0 predatorsw over 16 years ago in reply to predatorsw

Opened a ticket on this and got a response super fast, and it works! The real problem? DNS!

What is occurring here is an issue with running the IPSec client (L2TP) to the
ASG.  When IPSec is connected it only allows traffic between the client IP
address and the ASG IP Address if it is occurring over IPSec.  All other
connetions such as HTTP between the two IPs are disregarded as a potential
security breach.

In order to connect to these DNS names when connecting over a VPN tunnel a DNS
redirect needs to occur.  In the ASG this is done by the network>>DNS>>Static
Entries.

Here you can add a definition for voip.our.domain.com to point to the private
IP address.

Then in order to allow the L2TP clients to use the ASG to perform this DNS
lookup goto network>>DNS and add the L2TP network to allowed networks.

Under remote access>>Advanced set the DNS server to the ASG internal IP
addresss

Clients should now be able to connect to the ASG over L2TP and when using
their softphones the DNS redirect tells the remote client to connect to the
softphone server with the private IP address, thus routing over the VPN.

So both of the cross-net problems I can be fixed by faking out DNS.
Cancel
Vote Up 0 Vote Down

Cancel