This topic describes NAT and security issues.
- In single-site deployments, Cisco Unified Communications Manager and IP phones do not require access to public IP networks:
  - NAT is not required.
  - Servers and IP phones are not reachable from the outside.
  - Attacks from outside are not possible.
- In multisite deployments, private links or VPN tunnels can be used:
  - Requires gateway configuration at each site
  - Allows only intersite communication
  - Blocks access to and from outside (unless traffic is tunneled)
- Access to public IP networks is required in some situations:
  - Connections to ITSPs or destinations on the Internet
  - NAT required; Cisco Unified Communications Manager and IP phones exposed to the outside
  - Cisco Unified Communications Manager and IP phones are subject to attacks.
In single-site deployments, Cisco Unified Communications Manager servers and IP phones usually use private IP addresses, because there is no need to communicate with the outside IP world. NAT is not configured, so the servers and phones are not reachable from outside, and attacks from the outside are not possible at all.
In multisite deployments, IPsec VPN tunnels can be used between sites. The VPN tunnels allow only intersite communication; access to the protected internal networks is not possible from the outside, but only from the other site (through the tunnel). Therefore, attacks from the outside are blocked at the gateway. To configure IPsec VPNs, you must configure gateways at each site. Sometimes this configuration is not possible, such as when the two sites are under separate administration, and security policies do not allow the configuration of IPsec VPNs.
In these cases, or when connecting to a public service such as an ITSP, you must configure NAT for Cisco Unified Communications Manager servers and IP phones. When Cisco Unified Communications Manager servers and IP phones are reachable with public IP addresses, they will be subject to attacks from the outside world, which introduces potential security issues.
Example: NAT Security Issues
The figure illustrates the private IP addresses of the Cisco Unified Communications Manager server and the IP phone, which are translated to public IP addresses.
Cisco Unified Communications Manager and IP phones are made accessible from the Internet by NAT.
| Company A Private IP | Company A Public IP | Company B Public IP | Company B Private IP |
|---|---|---|---|
| 10.0.0.0/8 | Public IP A | Public IP B | 10.0.0.0/8 |
In the example, both Company A and Company B use IP network 10.0.0.0/8 internally. For the companies to communicate over the Internet, the private addresses are translated to public IP addresses. Company A uses public IP network A, and Company B uses public IP network B. All Cisco Unified Communications Manager servers and IP phones are reachable from the Internet and communicate with each other.
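The following Python model is an added illustration of the figure and of the NAT discussion above; it is not part of the original course material and is not Cisco code. It uses constructed addresses: both companies keep 10.0.0.0/8 inside, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public IP A and public IP B, with 192.0.2.50 as an arbitrary Internet host. It shows why the overlapping private space forces NAT, how a packet from an IP phone at Company A reaches the Cisco Unified Communications Manager at Company B, and that the same static mapping makes that server reachable from any Internet source, which is the exposure the text warns about.

```python
"""Model of the NAT example: two companies that both use 10.0.0.0/8
internally and reach each other over the Internet through static NAT.
All addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass, replace

# Both companies use the same private network internally (see the figure).
PRIVATE_SPACE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNat:
    """One company's border router doing one-to-one (static) NAT."""

    def __init__(self, name, mappings):
        self.name = name
        self.in_to_out = {}   # private address -> public address
        self.out_to_in = {}   # public address  -> private address
        for inside, outside in mappings.items():
            if ipaddress.ip_address(inside) not in PRIVATE_SPACE:
                raise ValueError(f"{inside} is not in the private space")
            if ipaddress.ip_address(outside) in PRIVATE_SPACE:
                raise ValueError(f"{outside} must not overlap the private space")
            self.in_to_out[inside] = outside
            self.out_to_in[outside] = inside

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the private source to its public address."""
        if pkt.src not in self.in_to_out:
            raise LookupError(f"{self.name}: no static mapping for {pkt.src}")
        return replace(pkt, src=self.in_to_out[pkt.src])

    def inbound(self, pkt):
        """Internet -> inside: any sender that hits a mapped public address is
        forwarded to the private host behind it; the NAT itself does not check
        who sent the packet. Unmapped destinations are dropped (None)."""
        if pkt.dst not in self.out_to_in:
            return None
        return replace(pkt, dst=self.out_to_in[pkt.dst])

    def exposed_hosts(self):
        """Private hosts that the mappings make reachable from the whole Internet."""
        return sorted(self.out_to_in.values())


def without_nat(company_space, pkt):
    """With both companies using 10.0.0.0/8 and no NAT, a destination inside
    10.0.0.0/8 is delivered locally; the other company's host cannot be addressed."""
    return "local" if ipaddress.ip_address(pkt.dst) in company_space else "internet"


def trace(pkt, sender_nat, receiver_nat):
    """Follow one packet from a private host at one company to a private host
    at the other, returning the packet as seen at each hop."""
    on_internet = sender_nat.outbound(pkt)
    delivered = receiver_nat.inbound(on_internet)
    return {"inside_sender": pkt, "internet": on_internet, "inside_receiver": delivered}


# Constructed topology from the figure. Note that CUCM A and CUCM B share the
# same private address 10.1.1.10, which is exactly why NAT is needed.
COMPANY_A = StaticNat("Company A", {
    "10.1.1.10": "203.0.113.10",   # Cisco Unified Communications Manager A
    "10.2.2.20": "203.0.113.20",   # IP phone A
})
COMPANY_B = StaticNat("Company B", {
    "10.1.1.10": "198.51.100.10",  # Cisco Unified Communications Manager B
    "10.2.2.20": "198.51.100.20",  # IP phone B
})

if __name__ == "__main__":
    # Phone A cannot address CUCM B as 10.1.1.10: that would stay inside Company A.
    print(without_nat(PRIVATE_SPACE, Packet("10.2.2.20", "10.1.1.10")))   # local
    # It has to use CUCM B's public address; NAT rewrites both ends along the way.
    for hop, p in trace(Packet("10.2.2.20", "198.51.100.10"), COMPANY_A, COMPANY_B).items():
        print(f"{hop:16} {p.src} -> {p.dst}")
    # The same mapping delivers packets from any Internet host to CUCM B.
    print(COMPANY_B.inbound(Packet("192.0.2.50", "198.51.100.10")))
    print("exposed at Company B:", COMPANY_B.exposed_hosts())
```

The `exposed_hosts` list is the practical takeaway: every static mapping is a host that an Internet-facing access list or firewall must now protect, because the translation alone admits any source.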