Solved: Re: Cannot Upload files between Vlan +ASA Firewall

Manojy · ‎12-20-2023

Hello,

We have set up separate VLANs for phones and data, with the phone VLAN2 and Data on a native VLAN. I am able to access the phones and UCM IPPBX GUI from the native VLAN, which is on my 192.168.0.0 subnet, to the voice VLAN, which is on the 192.168.70.0 subnet.

Before separating the VLANs, I was able to upload firmware on our IP phones, but after isolating the voice VLAN, I am unable to do so. We have an ASA firewall with two interfaces, one on the 192.168.0.0 and the second one for voice on the 192.168.70.0 subnet. The security levels are the same, and I am able to ping and access the GUI of phones and IPPBX.

Are there any extra commands that I need to add to enable traffic from one subnet to another for uploading the firmware?

Snapshot of the Phone and uploading path attached.

Please assist and advise.

paul driver · ‎12-21-2023

Hello @Manojy
I have since managed to check for you, it does indeed suggest local upgrade needs to be LAN specific - please se below.. page 5 ( also a screen snippet attached)

https://www.grandstream.com/hubfs/Product_Documentation/Firmware_Upgrade_Guide.pdf

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

myabrownn876 · ‎12-20-2023

To enable firmware uploads from your native VLAN to the voice VLAN, consider checking the ASA firewall rules. Ensure that traffic is allowed between the subnets 192.168.0.0 and 192.168.70.0 specifically for the port used during firmware uploads.

If the firewall settings are confirmed, you might also want to verify any network ACLs or VLAN access restrictions that could be affecting the firmware upload path.

Myaa

Manojy · ‎12-20-2023

There are currently no restrictions set between the two subnets, but the only restriction is that NAT is not allowed for IP phones outside the network. The UCM uses port 8090, however, it is currently not possible to see the HTTP port for the Grandstream phones via web browser. The acl is also applied from any to any.I have reached out to the help desk team to inquire if there are any available ports. I am waiting for their response.

paul driver · ‎12-20-2023

Hello
where is the source of the http connection originating from - internal or external

can you post the run cfg of the asa?
I assume this is the same topology from your last OP correct!

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Manojy · ‎12-20-2023

where is the source of the http connection originating from - Internal

can you post the run cfg of the asa? sure will do
I assume this is the same topology from your last OP correct! yes

i am trying to upgrade the firmware of the phones from my pc which is on 192.168.0.0 subnet.i am able to access the phones GUI from my pc and when i click upload the firmware located at my computer folder nothing happens..but before isolating the vlan for voice i was able to do that because vlan was not in the picture.

Native Vlan 192.168.0.0  Voice Vlan 192.168.70.0

Regards

Manoj

Manojy · ‎12-20-2023

Pls find asa Config as you requested

MHM Cisco World · ‎12-20-2023

you apply access list (only allow ICMP) to direction IN to both Inside and IPPhone interface,
this ACL will override same secuirty level permit intra/inter interface
so you need to allow HTTP to make client can access server.
or try permit ip any any first to check if ACL is source of issue

MHM

MHM Cisco World · ‎12-20-2023

Hi friend again
so you have success ping but the HTTP is not allow ?
MHM

Manojy · ‎12-20-2023

Yes i ahve success ping from ASA and ping from inside subnet to Voice Vlan

I enabled Http server but still same issue.

I have attached my asa config.pls find below.

MHM Cisco World · ‎12-20-2023

ASA# packet-tracer input ipphone tcp <ip of ipphone host>1025 (ip of inside server) 443 detailed

Share output of above

MHM

Manojy · ‎12-20-2023

Hello,

Please find attached the input from the packet tracer.

Regards

Manoj

paul driver · ‎12-20-2023

Hello
TBH - I dont see anything that stands out on the ASA negating http access between vlans, can you run a PT and share the results please.

ASA

packet-tracer input inside tcp 192.168.0.x http 192.168.70.x http

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Manojy · ‎12-20-2023

Hi,

Please find attached the inputs from the packet tracer.

Regards

Manoj

MHM Cisco World · ‎12-21-2023

ASA# capture capin interface inside match ip host <server IP>
Asa#show capture 
Connect to server and wait then
Asa#no capture capin

Share results here

MHM

paul driver · ‎12-21-2023

Hello
I dont see anything from that PT negating access on the FW , The only thing I can think of is both local http server and client need to be in the same LAN ( a bespoke requirement for this type of process) hence why it worked before you created the additional LAN and relocated the phones.

I would suggest check the manufacturer guidelines for local firmware upgrades

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul