SCCP over WAN?

OK, I’m thinking that this should be possible but for the life of me I can’t get it working. I had planned on allowing SCCP over WAN through my ASA5505, reasoning that it really wouldn’t be a huge security issue since the MAC would have to match to register. There’s also TFTP… so maybe it’s a bad idea. In testing I have stopped inspecting skinny and tftp, and simply allowed all access to the host in the firewall rule. Everything else is solid, SIP works fine registering and communicating with clients coming in from the outside, so that rules a lot of the normal NAT type of stuff out. I ran a wireshark and can see some TCP retransmissions from the outside IP to the inside IP of the PBX on port 2000, but no successful registration. Obviously the phone was tested inside to ensure it did work that way.

Chan SCCP B is being used.

Am I just being an idiot? I am guessing I should just flash it with SIP and tell the end user just to use manual feature codes, but they are all used to the buttons that the sccp-b image offers.

I know it’s a shot in the dark, but figured I would ask.

The problem that we discussed when this first came up is that the MAC address (as in the ARP level traffic) doesn’t translate well, so it was kind of a long shot. The TFTP stuff should work, assuming your TFTP server has a routable address.

Having said that, though, nearly all of the traffic is coming through the UDP 2000 port, so if it fails, it has to be something more local.

Check to see if your ARP table has the right addresses in it. This might end up being a case where a VPN would be a good idea.

One other place to check is the allowed and denied addresses. If there is NAT involved anywhere in here, it’s going to be a tough slog.

Right on Dave. I will look at the ARP tables, currently the router IS the ASA, only because it has to be. Current config with hub and spoke topology and my spokes being users with cable modems on DHCP, I have to use EZVPN on both my headend and the stubs. The only thing I couldn’t test was putting the phone directly connected to a modem, for whatever reason the phone only pulls an IP when I’ve got it connected to a router with DHCP. No matter what, it seems like the phone wouldn’t pull the outside WAN IP of the modem, like a laptop would connected the same way. I don’t know what is up with that. TFTP is on the FreePBX itself, so same IP.

Your last sentence, are you talking about allowed and denied addresses on the ASA? I have a static NAT configured for the PBX, and everything else is translating. I dunno, maybe it’s simply not worth it. I’ll poke around a bit more, I was justifying it by thinking I would have something to contribute to the wiki if I got it working. I wasn’t aware there would be translation issues.

There may not be any translation problem, but the list of allowed and denied addresses for SCCP is maintained in the SCCP configuration (to allow for stuff like this), so you may need to make the remote addresses (if they are actually remote) accessible in the configuration.

Are we talking about IP ranges in sccp.conf? I have the externip configured to the static outside address assigned to the PBX, and my deny/permit is
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0
the NAT is static translation from the inside to outside.

OK - your deny and permit look reasonable - that’s not the issue then.
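To make the deny/permit check above concrete, here is a small evaluator for sccp.conf-style access lists. This is an added example, not code from the thread or from the chan-sccp project; it assumes chan-sccp applies its deny/permit lines with the same ordered, last-matching-rule-wins semantics as Asterisk’s own ACLs (an address matching no rule is allowed). The config snippets below are constructed: the first is the deny-all/permit-all pair from the post, the second is a tightened list that admits only the LAN and one remote range (203.0.113.0/24 is a documentation prefix standing in for a real remote site).

```python
import ipaddress

# Constructed sample: the pair quoted in the thread, which ends up permitting everyone.
ACL_FROM_THREAD = """
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0
"""

# Constructed sample: deny everything, then permit only the LAN and one known remote range.
ACL_TIGHTENED = """
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
permit=203.0.113.0/24          ; placeholder for the remote site's public range
"""


def parse_acl(text):
    """Turn deny=/permit= lines into an ordered list of (action, network).

    Masks may be dotted-quad (0.0.0.0/0.0.0.0) or prefix length (10.0.0.0/8);
    a bare address is treated as a single host.  Other keys are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.strip().partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
        rules.append((key, net))
    return rules


def acl_allows(rules, peer_ip):
    """Ordered evaluation: every rule is checked and the LAST match decides.

    Assumption: same behaviour as Asterisk's ast_apply_ha, whose default
    verdict when nothing matches is ALLOW.
    """
    ip = ipaddress.ip_address(peer_ip)
    verdict = "permit"
    for action, net in rules:
        if ip in net:
            verdict = action
    return verdict == "permit"


def check(acl_text, peer_ip):
    """Convenience wrapper: parse the list and evaluate one registering address."""
    return acl_allows(parse_acl(acl_text), peer_ip)


if __name__ == "__main__":
    for label, acl in (("thread", ACL_FROM_THREAD), ("tightened", ACL_TIGHTENED)):
        for peer in ("192.168.1.20", "203.0.113.5", "198.51.100.7"):
            print(f"{label:9s} {peer:15s} -> {'permit' if check(acl, peer) else 'deny'}")
```

Because the last matching line wins, the deny-all followed by permit-all from the post is simply “allow every address”, which is why Dave says it cannot be what blocks the remote phone. Swapping the two lines would instead deny everything, so order is the first thing to check when a restrictive list is introduced.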

Sounds like it’s time to wireshark the crap out of this thing. I’m gonna guess we end up with a NAT address in a routable packet somewhere causing the entire thing to implode.