cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7151
Views
2
Helpful
19
Replies

Cannot Upload files between Vlan +ASA Firewall

Manojy
Level 1
Level 1

Hello,

We have set up separate VLANs for phones and data, with the phone VLAN2 and Data on a native VLAN. I am able to access the phones and UCM IPPBX GUI from the native VLAN, which is on my 192.168.0.0 subnet, to the voice VLAN, which is on the 192.168.70.0 subnet.

Before separating the VLANs, I was able to upload firmware on our IP phones, but after isolating the voice VLAN, I am unable to do so. We have an ASA firewall with two interfaces, one on the 192.168.0.0 and the second one for voice on the 192.168.70.0 subnet. The security levels are the same, and I am able to ping and access the GUI of phones and IPPBX.

Are there any extra commands that I need to add to enable traffic from one subnet to another for uploading the firmware?

Snapshot of the Phone and uploading path attached.

Please assist and advise.

1 Accepted Solution

Accepted Solutions

Hello @Manojy 
I have since managed to check for you, it does indeed suggest local upgrade needs to be LAN specific  - please se below.. page 5 ( also a screen snippet attached)

https://www.grandstream.com/hubfs/Product_Documentation/Firmware_Upgrade_Guide.pdf


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

19 Replies 19

myabrownn876
Level 1
Level 1

To enable firmware uploads from your native VLAN to the voice VLAN, consider checking the ASA firewall rules. Ensure that traffic is allowed between the subnets 192.168.0.0 and 192.168.70.0 specifically for the port used during firmware uploads.

If the firewall settings are confirmed, you might also want to verify any network ACLs or VLAN access restrictions that could be affecting the firmware upload path.

Myaa

There are currently no restrictions set between the two subnets, but the only restriction is that NAT is not allowed for IP phones outside the network. The UCM uses port 8090, however, it is currently not possible to see the HTTP port for the Grandstream phones via web browser. The acl is also applied from any to any.I have reached out to the help desk team to inquire if there are any available ports. I am waiting for their response.

 

Hello
where is the source of the http connection originating from - internal or external

can you post the run cfg of the asa?
I assume this is the same topology from your last OP correct!


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

where is the source of the http connection originating from - Internal

can you post the run cfg of the asa? sure will do
I assume this is the same topology from your last OP correct! yes

i am trying to upgrade the firmware of the phones from my pc which is on 192.168.0.0 subnet.i am able to access the phones GUI from my pc and when i click upload the firmware located at my computer folder nothing happens..but before isolating the vlan for voice i was able to do that because vlan was not in the picture.

Native Vlan 192.168.0.0  Voice Vlan 192.168.70.0

Regards

Manoj

 

 

 

 

 

 

 

Pls find asa Config as you requested

you apply access list  (only allow ICMP) to direction IN to both Inside and IPPhone interface, 
this ACL will override same secuirty level permit intra/inter interface 
so you need to allow HTTP to make client can access server. 
or try permit ip any any first to check if ACL is source of issue 

MHM

Hi friend again 
so you have success ping but the HTTP is not allow ?
MHM

Yes i ahve success ping from ASA and ping from inside subnet to Voice Vlan

I enabled Http server but still same issue.

I have attached my asa config.pls find below.

 

ASA# packet-tracer input ipphone tcp <ip of ipphone host>1025 (ip of inside server) 443 detailed 

Share output of above 

MHM

Hello,

Please find attached the input from the packet tracer.

Regards

Manoj

Hello
TBH - I dont see anything that stands out on the ASA negating http access between vlans, can you run a PT and share the results please.

ASA

packet-tracer input inside tcp 192.168.0.x http 192.168.70.x http 

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

Please find attached the inputs from the packet tracer.

Regards

Manoj

 

ASA# capture capin interface inside match ip host <server IP>
Asa#show capture
Connect to server and wait then
Asa#no capture capin

 Share results here

MHM

Hello
I dont see anything from that PT negating access on the FW , The only thing I can think of is both local http server and client need to be in the same LAN ( a bespoke requirement for this type of process) hence why it worked before you created the additional LAN and relocated the phones.

I would suggest check the manufacturer guidelines for local firmware upgrades



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul