01-30-2012 03:23 AM
I have a customer who is trying to set up VOIP for their homeworkers.
This is the current setup:
I have policies in place permitting the traffic from the DMZ-zone to the VOIP provider and vice versa, so the call setup is sent through the box, through the SSG, and is hitting the VOIP provider OK.
The problem is that the VOIP provider access is controlled with a list of MAC addresses (as the homeworkers' IPs are assigned by the SA and so change each time). This works fine for the office users who connect from the office LAN via the SSG, but the source MAC of the homeworkers' IP is always the MAC of the SA and not the actual home users' laptops, so the call setup request is dropped.
Any idea how I can get this working? (Enabling the MAC of the SA on the VOIP server is not an option.)
Would it be possible to get around this by configuring a static ARP for the MAC of the home users' laptops on the SSG?
01-31-2012 08:30 AM
02-01-2012 02:37 AM
Thanks for the reply.
It is a 2500. Unfortunately I cannot provide the config for it (the support setup is a little convoluted): we support the SSG but not the SA, and my customer will not give me the SA config...
I know it is difficult to offer a solution without full access to the setup, but do you think - based on the limited info available - the solution I am thinking of would work?
03-20-2012 01:06 PM
I can't see how using static ARP on the SSG would help here.
Really, the VoIP provider should use a better method than the source MAC address for differentiating handsets/users. I'm not a VoIP expert so I can't make a suggestion here, unfortunately.
Failing this, another option may be to reconfigure the SA to assign specific IP addresses to specific users, rather than assigning a random free IP from a pool (which I'm assuming is what happens now). Then the VoIP provider might be able to use the source IP address instead of the MAC address to determine handset users.