About six months ago we upgraded all of our global Cisco 3000-series VPN Concentrators to Cisco ASAs. A very smooth and nice upgrade for us that has provided a nice boost of per-user VPN performance (my download speeds from home via Cisco IPSec client on my laptop jumped from 2 Mbps to 8-9 Mbps).
As part of the purchase, our Cisco partner enticed us with some Cisco ASA IP Phone Proxy licenses. We've had it up and running for a couple months now and, after a recent ASA code upgrade, the IP Phone at my house has become my new best-friend-forever (BFF).

The ASA IP Phone Proxy works by tunneling IP Phone traffic via SSL to the ASA. The Cisco IP Phone runs TLS (SSL) itself and connects to the ASA at the office. There is no Cisco home router or SOHO router at my house, just a Cisco 7970 IP Phone manually configured with the ASA public IP as its TFTP server. The phone is connected to my home Linksys router; it gets its address via DHCP like any other device on my home network.

Once it reaches my corporate office, the ASA delivers the TFTP, signaling, and voice payload into the internal network (just like any other traffic). The IP Phone registers with the call manager and I have my office number at the house.

Now when someone calls my office number, it rings at the house. I can work from home without any difference from work and I don't have to mess with buggy softphones. I added a wireless headset to the phone and it's awesome. Outbound calls go via the ASA Proxy to our internal PSTN gateways so my home phone isn't tied up (my wife loves that). I also have my shortcuts for dialing internally.
Overall, this is a simple, kick-butt solution for mobile workers, executives, and contractors. It takes four things:
Hook it up and go!!
I am looking forward to rolling this out for our users.
Michael Morris is a communications engineering manager at a $3-billion high-tech company. His background is in enterprise WANs working with telcos and developing large-scale routing designs. He has worked on networks at government and corporate organizations, including networks at two Fortune 10 companies. In his current role, he leads a team of 10 engineers responsible for large-scale IT networking projects and architectural standards for data networks, storage area networks, IP telephony, contact centers, and security. Michael is CCIE #11733 and recently became one of the first three Cisco Certified Design Experts (CCDE) ever (#20080002). He has 11 years of experience in networking and communications, including four years as a paratrooper in the U.S. Army. He has a bachelor's degree in MIS from the University at Buffalo and is working on his MBA from NC State University. In 2008, he was awarded the Network Professional Association (NPA) Professional Excellence and Innovation Award for his work on network architecture, templates and enterprise MPLS design.
computer behind the phone
Will the phone tunnel data traffic to the corporate internal network if a computer is connected to the phone's switch port?
Re: Computer behind the phone
No, today, the computer gets a normal IP on the home network. You'll need to load your VPN client on the laptop to access the corporate network.
We're getting ready to roll this out for ~250 phones on our ASAs. The important thing to note is that if you use redundant UCM servers, you burn a phone proxy phone license for each connection to UCM. For example, if your device pool has a CMG with 2 different UCM servers defined, 1 phone will burn 2 PhoneProxy Licenses.
Another gotcha: right now, the PhoneProxy licenses can't be shared between an ASA failover pair. Cisco is also working on this.
How's the quality? If you're downloading bit-torrent for example can you hold a phone call?
That's a big "it depends." If you didn't implement any QoS and you're rolling 8mbps of torrent traffic through your Linksys... Well, you can probably guess the end result. However, even the basic QoS options in the WRT54GS will give you what you need to prioritize the traffic.
/using a Cisco 7921 wireless IP phone
Isn't QoS uni-directional going over the public internet? If so, wouldn't this mean you could only apply outbound QoS on your WRT54? Given this information, would QoS still have a significant benefit in the situation?
QoS
On a home router, QoS settings would only affect local queuing: most ISPs re-mark ingress traffic and no inbound prioritisation would occur without some sort of traffic management agreement with the ISP.
In short, if you're working from home and you run an IP phone, perhaps it's a good idea to throttle or pause the torrents during business hours.
Torrents were just an example; you could be uploading/downloading information to HQ, but thanks.
I ordered a Cisco ASA with that license
I wish to share my own experience soon.
What do you need to do in the ASA to get that voice traffic in the voice network?
how to authenticate
I am only concerned about the authentication process of the phone to the ASA. Since the ASA public IP is acting like the TFTP server IP of the UC server, I guess without authentication any other traffic can also reach the server. Are you using any sort of authentication for this?