Configure Cisco 2801 behind firewall

2cooltek1
Level 1

A customer of mine recently purchased a Cisco 2801 phone system from a vendor. They have three locations and a 2801 at each, all tied together with a VPN between them in order to transfer calls from one location to another.

The vendor set up the devices in each location with the 2801 as the direct connection to the internet on 0/1 and the internal IP address on 0/0.

While this works fine for what they were trying to accomplish, it would be ideal to put the systems behind a firewall so that they can use things such as NAT for remoting into a server from one of their other public static IP addresses through a firewall.

Question is... first, is this possible and/or supported, and two, would the current external-facing port 0/1 use an internal IP address to face the firewall, and if so, the same range as the internal IPs?

I can post a config if someone wishes to view and advise.

Thank you.

16 Replies

Hello,

Internet- router-firewall-voice

A firewall can be placed behind the router. In this way, the firewall is connected to the internal interface of the router with a private IP address. Most firewalls can also be configured in transparent mode, so there is no need to change the network topology.

**************

internet-firewall-router-voice

If the firewall is placed in front of the router (facing the internet), some firewall features may not work properly since the traffic is encrypted. It depends on which firewall features you need to implement; however, it works fine if you only need to enable NAT and port ACLs.

****************

Another way is terminating the VPN on the firewall, if the firewall supports that.

internet-firewall-voice

Hope it helps,

Masoud

Post the 2801 configuration. How many public IP addresses do you have at each site? This really determines what you can do.

Richard, 

Thank you for your reply. 

One location has 5 public/static IPs, the others each have one, but I am authorized by the customer to add more to the two locations that only have 1 each if necessary.

This is the config output of one of the locations. If the second and third location configs are needed, I can provide them.

I believe I have nulled out the appropriate username/passwords and IP addresses. Please yell if I missed something that should have been x'd out. 

The third location is what started this question... It has a CenturyLink DSL connection with PPPoE, which the vendor does not seem to know how to deal with. I've also tried researching different articles on how to do so, tried some of them, and was never able to get PPPoE to work with the 2801 (with the modem in passthrough/bridge mode), so I started down the path of putting at least that one behind a firewall so that the PPPoE connection could be authenticated before it hit the Cisco 2801. Again, this raises the other poster's point: what features of the phone system might not be passed through correctly, VPN issues, etc.

Thank you,

Tim

-------------------

Location 2 config

-------------------------------------------------

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DA-PBX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 15
clock timezone CST -6 0
clock summer-time DST recurring
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.30.1 192.168.30.20
!
ip dhcp pool voip_dhcp
   network 192.168.30.0 255.255.255.0
   dns-server 75.75.75.75 75.75.76.76
   option 150 ip 192.168.30.1
   default-router 192.168.30.1
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
trunk group main
!
!
trunk group ld
!
!
voice service voip
 ip address trusted list
  ipv4 172.16.0.1
  ipv4 192.168.20.1
 allow-connections h323 to h323
 allow-connections sip to sip
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn xxxxxxxxxxxxxxxx
username  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source 7x.xx.xx.xx (PUBLIC IP ADDRESS)
 tunnel destination 1xx.xxx.xxx.xxx   (Second location IP ADDRESS)
!
interface FastEthernet0/0
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 7x.xx.xx.xx (PUBLIC IP ADDRESS) 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 7x.xx.xx.xx  (WAN GATEWAY)
ip route 192.168.20.0 255.255.255.0 172.16.0.1
!
logging esm config
access-list 1 permit 192.168.30.0 0.0.0.255
!
!
tftp-server flash:Desktops/320x212x12/List.xml.

(List of ringtones, etc removed to make config shorter)

tftp-server flash:Analog2.raw
!
control-plane
!
!
voice-port 0/0/0
 trunk-group main
 timeouts call-disconnect 2
 timeouts ringing infinity
 timeouts wait-release 5
 connection plar 2051
 description PSTN 555-555-1212  (Main Phone line)
 caller-id enable
!
voice-port 0/0/1
 trunk-group main
 timeouts call-disconnect 2
 timeouts ringing infinity
 timeouts wait-release 5
 connection plar 2052
 description PSTN 555-555-1213  (second incoming line)
 caller-id enable
!
voice-port 0/0/2
 shutdown
!
voice-port 0/0/3
 shutdown
!
!
!
dial-peer voice 11 pots
 trunkgroup main
 destination-pattern [2-9]......
 no digit-strip
!
dial-peer voice 200 voip
 destination-pattern 2[012]00
 b2bua
 session protocol sipv2
 session target ipv4:192.168.20.5
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
!
dial-peer voice 20 pots
 trunkgroup main
 destination-pattern 1..........
 no digit-strip
!
dial-peer voice 30 pots
 trunkgroup main
 destination-pattern [2-9]11
 no digit-strip
!
dial-peer voice 100 voip
 destination-pattern 10[05][0-9]
 b2bua
 session protocol sipv2
 session target ipv4:192.168.20.1
 dtmf-relay sip-notify
 codec g711ulaw
!
!
sip-ua
 mwi-server ipv4:192.168.30.5 expires 3600 port 5060 transport udp
!
!
gatekeeper
 shutdown
!
!
telephony-service
 max-ephones 30
 max-dn 32
 ip source-address 192.168.30.1 port 2000
 calling-number initiator
 system message Generic company office 2
 cnf-file location flash:
 load 7914 S00105000400
 load 7916-24 B016-1-0-4
 load 7960-7940 P00308010200
 load 7941 SCCP41.9-1-1SR1S
 load 7961 SCCP41.9-1-1SR1S
 load 7971 SCCP70.8-3-3S.loads
 load 7975 SCCP75.8-3-3S
 time-zone 8
 voicemail 2000
 mwi relay
 max-conferences 8 gain -6
 call-forward pattern .T
 moh music-on-hold.au
 multicast moh 239.2.2.2 port 2000
 web admin system name SOMEUSER password SOMEPASSWORD
 dn-webedit
 time-webedit
 transfer-system full-consult
 transfer-pattern .T
 create cnf-files version-stamp 7960 Oct 14 2015 15:14:45
!
!
ephone-dn  1  dual-line
 number 2001
 label JANE
 name JANE
 call-forward busy 2000
 call-forward noan 2000 timeout 10
 mwi sip
!
!
ephone-dn  2  dual-line
 number 2002
 label JOHN
 name JOHN
 call-forward busy 2000
 call-forward noan 2000 timeout 12
 mwi sip
!
!
ephone-dn  3  dual-line
 number 2003
 label PETE
 name PETE
 call-forward busy 2000
 call-forward noan 2000 timeout 12
 mwi sip
!
!
ephone-dn  4  dual-line
 number 2004
 label Conf. Room
 name  Conf. Room
 call-forward busy 2000
 call-forward noan 2000 timeout 12
 mwi sip
!
!
ephone-dn  25
 number 2051
 label 555-555-1212
 name 555-555-1212
 call-forward noan 2100 timeout 16
 mwi sip
!
!
ephone-dn  26
 number 2052
 label 555-555-1212
 name 555-555-1212
 call-forward noan 2100 timeout 16
!
!
ephone-dn  30
 number 6000
 label Paging
 description Paging
 name Paging
 paging ip 239.1.1.10 port 2000
!
!
ephone-dn  31
 number 8000....
 mwi on
!
!
ephone-dn  32
 number 8001....
 mwi off
!
!
ephone  1
 device-security-mode none
 mac-address 2893.FEA3.9243
 paging-dn 30
 type 7960
 button  1:1 3:25 4:26
!
!
!
ephone  2
 device-security-mode none
 mac-address 0012.0154.5D1B
 paging-dn 30
 type 7960
 button  1:2 3:25 4:26
!
!
!
ephone  3
 device-security-mode none
 mac-address A8B1.D4FA.EF75
 paging-dn 30
 type 7960
 button  1:3 3:25 4:26
!
!
!
ephone  4
 device-security-mode none
 mac-address 0015.2BF9.1AE4
 paging-dn 30
 type 7940
 button  1:4 3:25 4:26
!
!
!
ephone  5
 device-security-mode none
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp peer 192.168.30.1
ntp server 216.xxx.xxx.xx
end

Seeing Masoud's reply below:

If you have the firewall on the inside, it will make it easier to control the traffic, so it would be Inside-Firewall-Router-Internet. As you have more than one public address, NAT your traffic to a different address than the router's own. This will help to control traffic to the router itself.

Thank you both for your answers.

That does sound like a better solution than my initial idea and having to worry about the features all working on the phone system.

Would you be able to give an example of how to pass one of the external IP addresses via NAT to a firewall on the inside of the 2801, based on the config above? Does it get passed to a certain port on the 2801 for the firewall to connect to?

NAT is done by your router, so you can leave it that way. I suppose your VoIP server IP is in the 192.168.30.x range, and I know it is sometimes difficult to change it since it is controlled by a third party, so connect your server to the firewall with no change and change the IP of the router instead.

Firewall inside address 192.168.30.1 255.255.255.0 (connects to your VoIP server)

Firewall outside address 192.168.29.2 255.255.255.0 (connects to your router; 29 is just an example)

Router f0/0  192.168.29.1

access-list 1 permit 192.168.29.0 0.0.0.255 (changing the NAT access-list)

And the routes on the router will stay the same since you are changing server addresses.

In this configuration the firewall does not need to do NAT.

The configuration below is only for firewall management by public IP from the internet; your firewall will be accessible by public IP. Otherwise, it is not necessary.

ip nat inside source static 192.168.29.2 7.X.X.X

Just one line of configuration on the router.

Masoud

Thank you Masoud, I will give that a try once the outside vendor finishes the final tweaking of the phone system.

Got any pointers on PPPoE for the one location, or is that difficult with the VPN part of it?  I've tried following this person's post:

http://www.dslreports.com/faq/8199

but the command

router(config-vpdn)#protocol pppoe

appears to be invalid.

VPDN is not necessary for the configuration of PPPoE. VPDN is configured on the server. I am not sure what that person is trying to do. Skip the first part.

Masoud

Ok, thank you.

Thank you both for taking the time to help with this!

I will see how it goes!

Glad it helped.

Masoud

Masoud,

I have been experimenting with this some and have it close to working... I think.

I added the PPPoE config as shown below.

I get link up and am able to ping outside (google.com, 8.8.8.8, etc.); however, I cannot access the outside from the internal network devices.

I feel that I am doing something wrong with the inside-to-outside access list, but I seem to be at a dead end trying to figure it out.

If you would be so kind as to look over the following and advise.

Thank you,

Tim

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-03_PBX
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 15
clock timezone CST -6 0
clock summer-time DST recurring
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.40.1 192.168.40.20
!
ip dhcp pool voip_dhcp
   network 192.168.40.0 255.255.255.0
   dns-server 75.75.75.75 75.75.76.76
   option 150 ip 192.168.40.1
   default-router 192.168.40.1
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group main
!
!
trunk group ld
!
!
!
voice service voip
 ip address trusted list
  ipv4 192.168.20.1
  ipv4 172.16.1.1
  ipv4 192.168.30.1
  ipv4 172.16.2.1
 allow-connections h323 to h323
 allow-connections sip to sip
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn XXXXXXXXX
!
redundancy
!
!!
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source <MYPUBLICSTATIC IP>
 tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
 ip address 172.16.2.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source <MY PUBLIC STATIC IP>
 tunnel destination <SECONDARY SITE IP#2>
!
interface FastEthernet0/0
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly in
 speed 100
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address <STATIC PUBLIC IP> 255.255.255.0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1450
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin optional
 ppp chap hostname <inforemoved>@qwest.net
 ppp chap password 0 <removed>
 ppp pap sent-username <REMOVED>@qwest.net password 0 <REMOVED>
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.20.0 255.255.255.0 172.16.1.1
ip route 192.168.30.0 255.255.255.0 172.16.2.1
!
logging esm config
access-list 1 permit 192.168.40.0 0.0.0.255
!

Hello,

Change "interface FastEthernet0/1 overload" to "interface Dialer1 overload".

Hello Masoud,

That appears to have solved the internal network computers getting out to the external network.

I tried using a phone to make a site-to-site call, but those did not work.

Could this be the tunnel that is not configured properly?

This was the setting above, where the tunnel source was my static IP address:

-------------------------------

interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source <MYPUBLICSTATIC IP>
 tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
 ip address 172.16.2.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source <MY PUBLIC STATIC IP>
 tunnel destination <SECONDARY SITE IP#2>
!

------------------------------------------------------------

I then tried this with Dialer1 instead of the hard-coded IP, but still no luck:

----------------------------------------

interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
 ip address 172.16.2.2 255.255.255.0
 ip mtu 1500
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination <SECONDARY SITE IP#2>
!

----------------------------------------------------------

Tim

Hello,

Change the IP MTU to 1472. It may not work depending on how you have configured your routing, because the IP addresses used on the tunnels are not in the same range, so if you have used the tunnel IP address for the next hop, it is not going to work.

Change the IP addresses of the tunnel interfaces and try to ping the other end to make sure the tunnel works.

Use 172.16.1.2 255.255.255.0 on one side and 172.16.1.1 255.255.255.0 on the other side and try to ping. If the ping works, then pay attention to the routing.

Masoud
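A small config checker for the three fixes Masoud gives in this thread (NAT overload bound to Dialer1, tunnel IP MTU below the PPPoE link MTU, and the NAT access-list still matching the inside subnet after renumbering f0/0), written here as an added example and not code posted by anyone in the thread. It runs over a constructed, trimmed copy of the SITE-03 config above; parse_interfaces and lint are hypothetical helper names, and the numbers are those posted, not IOS defaults.

```python
import ipaddress
import re
# Constructed excerpt of the SITE-03 PPPoE config posted above, trimmed to the
# lines the checks need; it is the thread's "before" state, not a fixed one.
SITE03_CONFIG = """\
interface Tunnel0
 ip mtu 1500
 tunnel source Dialer1
interface FastEthernet0/0
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip mtu 1492
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 1 permit 192.168.40.0 0.0.0.255
"""

def parse_interfaces(cfg):
    ifaces, cur = {}, None  # map 'interface X' -> {first two words: rest}
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {})
        elif line.startswith(" ") and cur is not None:
            words = line.split()
            cur[" ".join(words[:2])] = " ".join(words[2:])
        else:
            cur = None  # any top-level command ends the stanza
    return ifaces

def lint(cfg):
    """Return one message per mistake found; an empty list means all three checks pass."""
    out, ifaces = [], parse_interfaces(cfg)
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M)
    route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    # 1. Overload NAT bound to the physical port while the default route exits Dialer1.
    if nat and route and not route.group(1)[0].isdigit() and nat.group(2) != route.group(1):
        out.append(f"NAT overload uses {nat.group(2)} but the default route exits {route.group(1)}")
    for name, d in ifaces.items():
        # 2. A tunnel MTU at or above its source interface's MTU leaves no room for the GRE header.
        mtu, src_mtu = d.get("ip mtu"), ifaces.get(d.get("tunnel source"), {}).get("ip mtu")
        if name.startswith("Tunnel") and mtu and src_mtu and int(mtu) >= int(src_mtu):
            out.append(f"{name} ip mtu {mtu} leaves no GRE headroom on {d['tunnel source']} (ip mtu {src_mtu})")
        # 3. The NAT access-list must still cover the inside subnet after renumbering f0/0.
        if nat and d.get("ip nat") == "inside" and "ip address" in d:
            acl = re.findall(rf"^access-list {nat.group(1)} permit (\S+) (\S+)", cfg, re.M)
            inside = ipaddress.ip_interface(d["ip address"].replace(" ", "/")).network
            if not any(inside.subnet_of(ipaddress.ip_network(f"{a}/{w}")) for a, w in acl):
                out.append(f"{name} subnet {inside} is not permitted by access-list {nat.group(1)}")
    return out
```

Running lint on the posted state reports the overload and MTU problems; applying Masoud's two changes clears both, and renumbering f0/0 to 192.168.29.1 without touching access-list 1 triggers the third check.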