Reader Rex Rittmann shared his success story that involved setting up both IPsec access for multiple computers and an IP phone.  He used the SMC Barricade, but the techniques should be able to be used with the Asante FriendlyNet or any router that supports triggered port mapping.


Requirements:

1) Support Nortel i2004 IP Phone inside home LAN (firewall), behind a NAT

2) Support connectivity for secure client for media (voice, video and data communications)

3) Support fixed IP on a broadband connection with Computer Name authentication

4) Share broadband connection single IP between min. of 4 devices using both fixed IP and DHCP clients simultaneously

5) Provide an always on connection (on a 7X24 basis) for all clients

6) Configure network with NO changes to IBM Portable W98SE (wife does not want ANY changes to her computer)

Network Configuration

AT&T @Home Broadband Cable

|

Motorola Cybersurfer Cable Modem

|

SMC Barricade 7004BR

|

____________________________|____________________________

||||

Nortel i2004 IP phone

Pentium 533 W98SE

Dell Portable W98SE

IBM Portable W98SE

Fixed IP

DHCP

DHCP

DHCP

So, this was a bit of a tall order, as although most broadband routers on your site do a good job for “Pull” applications such as Browsers (Internet Explorer, Netscape), Telnet, FTP etc., “Push” applications are much more difficult, particularly behind a router employing Network Address Translation (NAT) and Virtual Private Networking (VPN) capability. Triggered NAT capability is key for these applications.

Media based applications such as telephony typically signal on one port while the media comes on a range of different ports. Most of the products cannot accomplish this without putting the “Push” applications into the DMZ. DMZ, although effective for “Push”, defeats the purpose of the Firewall!

Here are the network setup details:

  • Fixed IP to AT&T @Home (y.y.y.y)
    Important because the IP Phones Call Server are simpler with Fixed IP addresses.

  • Nortel i2004 IP Telephone
    Hosted by University of Texas at Austin. Needs fixed LAN IP to be able to receive calls at any time. Set fixed LAN IP outside (just below) the Barricade’s DHCP server range (x.x.x.99). IP Telephone Gateway address set to Barracade’s LAN side address.

  • IBM Portable W98SE:
    Configuration setup for wife’s office LAN and NO changes allowed! Set Barricade’s LAN side address subnet identical to IBM portable NIC Gateway address. Set Barricade’s Subnet Mask identical to IBM portable NIC Subnet Mask. Set Barricade’s DHCP range to include IBM portable NIC address (x.x.x.100-110)

  • Pentium 533:
    Configured NIC for DHCP.

  • Dell Portable:
    Configured NIC for DHCP and included both @home and Nortel domain suffix in DNS.

  • SMC Barricade: 
    – Upgraded to R1.89e firmware (IPSEC improvements necessary for VPN).
    – Virtual Server set service port 5000 to x.x.x.99 (IP Telephone signalling & heartbeat)
    – Special Applications set Trigger port 5000 & open Incoming Ports 6000-6066 (IP Telephone registers using port 5000 and will use media 6000-6066)
    – Special Applications Trigger port 500 & open Incoming Ports 500, 1723 (VPN signalling and authentication to network to Nortel servers, email FTP servers and Nortel IP Telephone Call Servers using Contivity extranet).

  • “Pull Applications”:
    No special configuration required
  • “Push Applications”:
    – Nortel i2004 is always online to University of Texas MSL-100 (campus switch).
    – Nortel extranet client (EAC) can run on P533 or Dell portable to make all Nortel resources available in my home (logically connected inside Nortel LAN).
    –  Nortel i2050 softclient (Software IP Phone) can run on Dell portable with EAC, logically on Nortel Network and Nortel campus MSL-100, tunnelling through Firewall with encryption of both media (voice) and signalling stream.

SMC has done an excellent job on the Barricade as all of these applications can run simultaneously on multiple computers!