Patton 4554 in a DMZ - Again

Discussion in '3CX Phone System - General' started by ascentor, Oct 23, 2008.

Thread Status:
Not open for further replies.
  1. ascentor

    Joined:
    Sep 17, 2008
    Messages:
    10
    Likes Received:
    0
    Hi All,

    I had a previous topic about this but only one response (thanks Kris). I have now got to the stage where I have 3cx and the 4554 on the same LAN and all working fine. I can make and receive call via the 2 ISDN lines connected to the Patton. Now I have a firm baseline to fall back to I tried putting the patton in a DMZ (I am using a Cisco ASA 5500 series firewall). After configuring the ASA to allow any ip traffic from a particular DMZ ip address to the ip address of the 3cx server (known as static address translation) I could make outgoing calls but not incoming calls. So 3cx could get to the patton and initiate an isdn call and i could speak to and hear the distant end but the patton can not initiate a connection to 3cx.

    I put this down to the patton configuration. As part of the config of the Patton 3cx generated a config file that includes the ip address of the 3cx server. That ip address is the inside LAN ip address that is no longer accessible from the DMZ. So it looked like all i needed to do was modify that config file and change the 3cx ip address to the presentation ip address of the static between the dmz and 3cx. Tried that and could not make any outgoing or incoming calls so either my theory is wrong or I made a mistake when changing the config or something else.

    Does anyone have a set up like this or can anyone confirm my theory is correct and all I need to do is change Patton config.

    I have spoken to ZEN Software (UK 3cx reseller) and they are unaware of any of their clients with a voip gateway (of any type) in a dmz, surely I cant be the only one with this set up, can I?

    I intend to ask for support from Patton as well and I will post all response here for future reference.

    DaveJ
     
  2. mickp

    Joined:
    Jun 9, 2008
    Messages:
    72
    Likes Received:
    0
    Hey there,

    I've not tried putting a gateway onto the dmz (not sure why I would want to) but have been considering putting gateways onto remote sites and configuring them to pass their calls to the 3cx box via the internet. I had thought that you should be able to configure the gateway as either a sip trunk or separate sip providers. Perhaps this would stop 3cx from being confused about the interface to use.

    Mick.
     
  3. worksighted

    worksighted New Member

    Joined:
    Aug 19, 2008
    Messages:
    204
    Likes Received:
    0
    Are you actually performing a NAT between the internal and the DMZ?

    I noticed you said the internal LAN address of the 3CX is not reachable from the DMZ. This may be the issue thats creating your complexity.

    In a PIX or an ASA you always have to have a Static NAT translation static to publish addresses from the Private LAN to the DMZ. But, you can craft the statement to indicate that the address should remain unchanged. In other words, the actual address and the natted address are the same.

    Is this making any sense or am I about as clear as mud? I can post the statement if needed.

    Best,

    Mike
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,913
    Likes Received:
    219
    The gateway has to be on the same subnet as 3Cx. Putting it on the DMZ is not a supported configuration.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. ascentor

    Joined:
    Sep 17, 2008
    Messages:
    10
    Likes Received:
    0
    Hi guys,

    Thanks for the feedback. Especially Nick for preventing me wasting more of my time trying to get 3cx to do something it cant. I have also discovered that the ip phones need to be part of the same subnet as 3cx (when on different subnets (VLANS) calls could be initiated but there was no audio).

    Unfortunately my company will not be able to use 3CX unless it can support ip phones on different subnets and gateways in the DMZ. So the question for Nick is "do you have a plan to enable 3Cx to support this network config?"

    Regards

    DaveJ
     
Thread Status:
Not open for further replies.