643 Views, 25 Helpful, 4 Replies

Adding a 2821 Voice/CM Router to network.

aveasystems
Level 1

Good Morning!

 

I am looking for a little guidance for how to integrate this piece of equipment into my network. I have a new 2821 router with Call Manager Express and a CCX 50 user bundle. I am new to the Cisco voice systems and am building a system to learn it with. So where would this router fit into my network map below? Does it need to be used as a router, or can it just serve its VOIP functions behind the ASA? I have searched the web and found way too many configurations that have just confused me even more. Since the 2821 has all the POE ports on the rear for the phones, I am assuming it should be on the local LAN behind the ASA? From the limited exposure that I've had with CM & CCX virtual machines running on the UCS servers, I've noted they are behind the firewalls. Any advice and guidance would be appreciated! Have a good day.

mynetworkdiagram.jpeg

4 Replies

Jonathan Schulenberg
Hall of Fame

Generally speaking, CME should be protected from the public internet by a firewall. Having said that, if you intend to use a SIP trunk across the internet for PSTN calling, you need to think through the implications. SIP/SDP embed IP and TCP/UDP port information in the layer seven payload. Even with static/identity NAT you still need to rewrite the IP address. A Cisco ASA can do this with protocol inspection, but only if the SIP trunk isn't using TLS encryption. Depending on that, you may be required to expose the CME directly to the public internet. If you do, ensure that you put an ACL on the outside-facing interface. IOS Zone-Based Firewall would be better if you have a security license.

https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-express/107626-cme-toll-fraud.html

https://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

 

At the end of the day, it’s a router. CME is just a process/feature running on it. As such, general route/switch design logic should prevail.

Jonathan,

 

Thanks for the reply!

 

I will be using SIP for PSTN calling. So perhaps I should put it on a DMZ port on the ASA as shown below? Then just create the necessary rules and open ports to allow SIP traffic in and out? That way it is isolated from the rest of the data network. In addition, I can enable the firewall on the router to give it some added protection and only allow necessary traffic through. Or am I totally doing this wrong? lol

 

Thanks again!

 

nates_network_current.jpeg

The diagram looks correct to me.

If you configure the ASA properly:

- static NAT only the ports of interest, i.e. SIP

- allow connections only from specific IPs (your ITSPs) to the globally NATed IP used for the SIP trunk

- restrict access from the rest of your internal network, if needed

 

I don't see any point in configuring ZBF on the 2821 itself.

Also, don't forget to turn on SIP inspection on the ASA for SIP trunking to work.

Georgios
Please rate if you find this helpful.

Putting the voice gateway in your DMZ is definitely best practice. You would only need to open up port 5060 to your DMZ, or 5061 if you use TLS. Now you have to remember that RTP will need to be allowed in both directions through the FW as well, so you might need to turn on SIP inspection to open the high ports dynamically.

 

good luck

Please remember to rate useful posts, by clicking on the stars below.
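As an added illustration, not configuration posted by either reply above and not taken from Cisco's documentation, here is how Georgios's four points and the last reply's port/RTP remarks map onto ASA 8.3+ CLI. The interface names inside, dmz and outside, the object names, and all addresses (taken from the RFC 5737 documentation ranges) are assumptions; substitute your own.

```cisco
! Assumed interfaces: inside (data LAN), dmz (2821/CME and its PoE phones), outside.
! All addresses below are placeholders from the RFC 5737 documentation ranges.
object network CME_DMZ
 host 192.0.2.10
object network ITSP_SIP
 host 203.0.113.10
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0

! 1. Static NAT for the port of interest only (UDP 5060; use 5061/TCP for TLS).
!    No other DMZ port becomes reachable from outside through this translation.
object network CME_DMZ
 nat (dmz,outside) static 198.51.100.5 service udp 5060 5060

! 2. Only the ITSP address(es) may reach the SIP port. On ASA 8.3+ the ACL
!    references the real (pre-NAT) address, i.e. the CME_DMZ object, not the
!    mapped 198.51.100.5. Everything else from outside is denied and logged.
access-list OUTSIDE_IN extended permit udp object ITSP_SIP object CME_DMZ eq 5060
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. Limit what the DMZ host may initiate toward the data LAN ("if needed").
!    This assumes the phones hang off the 2821's PoE ports, i.e. on the DMZ side;
!    if phones live on the inside LAN, add explicit permits for their signalling.
!    Flows started from inside toward the DMZ still work because return traffic
!    is matched by the stateful connection table, not by this ACL.
access-list DMZ_IN extended permit udp object CME_DMZ object ITSP_SIP eq 5060
access-list DMZ_IN extended deny ip object CME_DMZ object INSIDE_NET log
access-list DMZ_IN extended permit ip object CME_DMZ any
access-group DMZ_IN in interface dmz

! 4. SIP inspection rewrites the addresses/ports carried in the SIP/SDP payload
!    to the mapped address and opens the RTP pinholes negotiated in SDP on demand,
!    so no static block of high UDP ports has to be permitted in either direction.
!    As noted earlier in the thread, the ASA cannot inspect a TLS-encrypted trunk.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
```

After applying this, `show xlate` should list only the single 5060 translation for the CME host, and `show conn` during a call should show the dynamically opened RTP connections between the CME and the ITSP media addresses; if RTP is one-way, check that `inspect sip` is actually present under the class applied globally.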