Configure Cisco 2801 behind firewall
01-14-2016 07:18 AM - edited 03-05-2019 03:07 AM
A customer of mine recently purchased a Cisco 2801 phone system from a vendor. They have three locations and a 2801 at each, all tied together with a VPN between them in order to transfer calls from one location to another.
The vendor set up the devices in each location with the 2801 as the direct connection to the internet on 0/1 and the internal IP address on 0/0.
While this works fine for what they were trying to accomplish, it would be ideal to put the systems behind a firewall so that they can use things such as NAT for remoting into a server from one of their other public static IP addresses through a firewall.
Question is... first, is this possible and/or supported, and two, would the current external-facing port 0/1 use an internal IP address to face the firewall, and if so, the same range as the internal IPs?
I can post a config if someone wishes to view and advise.
Thank you.

01-17-2016 09:03 PM
Hello,
Internet-router-firewall-voice
The firewall can be placed behind the router. In this way, the firewall can be connected to the internal interface of the router with a private IP address. Most firewalls can also be configured as transparent, so there is no need to change the network topology.
**************
internet-firewall-router-voice
If the firewall is placed in front of the router (facing the internet), some firewall features may not work properly since the traffic is encrypted. It depends on which firewall features you need to implement; however, it works fine if you only need to enable NAT and port ACLs.
****************
Another way is terminating VPN on the firewall if firewall supports that.
internet-firewall-voice
Hope it helps,
Masoud

01-17-2016 09:06 PM
Post the 2801 configuration. How many public IP addresses do you have at each site? This really determines what you can do.
01-17-2016 09:57 PM
Richard,
Thank you for your reply.
One location has 5 public/static IPs, the others each have one, but I am authorized by the customer to add more to the two locations that only have 1 each if necessary.
This is one of the locations' config output. If the second and third location config is needed, I can provide.
I believe I have nulled out the appropriate username/passwords and IP addresses. Please yell if I missed something that should have been x'd out.
The third location is what started this question... It has a CenturyLink DSL connection with PPPoE, which the vendor does not seem to know how to deal with. I've also tried researching different articles on how to do so, tried some of them, and was never able to get PPPoE to work with the 2801 (with the modem in passthrough/bridge mode), thus I started down the path of putting at least that one behind a firewall so that the PPPoE connection could be authenticated before it hit the Cisco 2801. Again, this raises the other poster's response: what features of the phone system might not be passed through correctly, VPN issues, etc.
Thank you,
Tim
-------------------
Location 2 config
-------------------------------------------------
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DA-PBX
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
memory-size iomem 15
clock timezone CST -6 0
clock summer-time DST recurring
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.30.1 192.168.30.20
!
ip dhcp pool voip_dhcp
network 192.168.30.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
option 150 ip 192.168.30.1
default-router 192.168.30.1
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
trunk group main
!
!
trunk group ld
!
!
voice service voip
ip address trusted list
ipv4 172.16.0.1
ipv4 192.168.20.1
allow-connections h323 to h323
allow-connections sip to sip
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn xxxxxxxxxxxxxxxx
username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source 7x.xx.xx.xx (PUBLIC IP ADDRESS)
tunnel destination 1xx.xxx.xxx.xxx (Second location IP ADDRESS)
!
interface FastEthernet0/0
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 7x.xx.xx.xx (PUBLIC IP ADDRESS) 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 7x.xx.xx.xx (WAN GATEWAY)
ip route 192.168.20.0 255.255.255.0 172.16.0.1
!
logging esm config
access-list 1 permit 192.168.30.0 0.0.0.255
!
!
tftp-server flash:Desktops/320x212x12/List.xml.
(List of ringtones, etc removed to make config shorter)
tftp-server flash:Analog2.raw
!
control-plane
!
!
voice-port 0/0/0
trunk-group main
timeouts call-disconnect 2
timeouts ringing infinity
timeouts wait-release 5
connection plar 2051
description PSTN 555-555-1212 (Main Phone line)
caller-id enable
!
voice-port 0/0/1
trunk-group main
timeouts call-disconnect 2
timeouts ringing infinity
timeouts wait-release 5
connection plar 2052
description PSTN 555-555-1213 (second incoming line)
caller-id enable
!
voice-port 0/0/2
shutdown
!
voice-port 0/0/3
shutdown
!
!
!
dial-peer voice 11 pots
trunkgroup main
destination-pattern [2-9]......
no digit-strip
!
dial-peer voice 200 voip
destination-pattern 2[012]00
b2bua
session protocol sipv2
session target ipv4:192.168.20.5
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 20 pots
trunkgroup main
destination-pattern 1..........
no digit-strip
!
dial-peer voice 30 pots
trunkgroup main
destination-pattern [2-9]11
no digit-strip
!
dial-peer voice 100 voip
destination-pattern 10[05][0-9]
b2bua
session protocol sipv2
session target ipv4:192.168.20.1
dtmf-relay sip-notify
codec g711ulaw
!
!
sip-ua
mwi-server ipv4:192.168.30.5 expires 3600 port 5060 transport udp
!
!
gatekeeper
shutdown
!
!
telephony-service
max-ephones 30
max-dn 32
ip source-address 192.168.30.1 port 2000
calling-number initiator
system message Generic company office 2
cnf-file location flash:
load 7914 S00105000400
load 7916-24 B016-1-0-4
load 7960-7940 P00308010200
load 7941 SCCP41.9-1-1SR1S
load 7961 SCCP41.9-1-1SR1S
load 7971 SCCP70.8-3-3S.loads
load 7975 SCCP75.8-3-3S
time-zone 8
voicemail 2000
mwi relay
max-conferences 8 gain -6
call-forward pattern .T
moh music-on-hold.au
multicast moh 239.2.2.2 port 2000
web admin system name SOMEUSER password SOMEPASSWORD
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern .T
create cnf-files version-stamp 7960 Oct 14 2015 15:14:45
!
!
ephone-dn 1 dual-line
number 2001
label JANE
name JANE
call-forward busy 2000
call-forward noan 2000 timeout 10
mwi sip
!
!
ephone-dn 2 dual-line
number 2002
label JOHN
name JOHN
call-forward busy 2000
call-forward noan 2000 timeout 12
mwi sip
!
!
ephone-dn 3 dual-line
number 2003
label PETE
name PETE
call-forward busy 2000
call-forward noan 2000 timeout 12
mwi sip
!
!
ephone-dn 4 dual-line
number 2004
label Conf. Room
name Conf. Room
call-forward busy 2000
call-forward noan 2000 timeout 12
mwi sip
!
!
ephone-dn 25
number 2051
label 555-555-1212
name 555-555-1212
call-forward noan 2100 timeout 16
mwi sip
!
!
ephone-dn 26
number 2052
label 555-555-1212
name 555-555-1212
call-forward noan 2100 timeout 16
!
!
ephone-dn 30
number 6000
label Paging
description Paging
name Paging
paging ip 239.1.1.10 port 2000
!
!
ephone-dn 31
number 8000....
mwi on
!
!
ephone-dn 32
number 8001....
mwi off
!
!
ephone 1
device-security-mode none
mac-address 2893.FEA3.9243
paging-dn 30
type 7960
button 1:1 3:25 4:26
!
!
!
ephone 2
device-security-mode none
mac-address 0012.0154.5D1B
paging-dn 30
type 7960
button 1:2 3:25 4:26
!
!
!
ephone 3
device-security-mode none
mac-address A8B1.D4FA.EF75
paging-dn 30
type 7960
button 1:3 3:25 4:26
!
!
!
ephone 4
device-security-mode none
mac-address 0015.2BF9.1AE4
paging-dn 30
type 7940
button 1:4 3:25 4:26
!
!
!
ephone 5
device-security-mode none
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
ntp peer 192.168.30.1
ntp server 216.xxx.xxx.xx
end
01-17-2016 10:54 PM
Seeing Masoud's reply below:
If you have the firewall on the inside it will make it easier to control the traffic, so it would be Inside-Firewall-Router-Internet. As you have more than one public address, NAT your traffic to a different address from the router's. This will help to control traffic to the router itself.
01-18-2016 06:45 AM
Thank you both for your answers.
That does sound like a better solution than my initial idea and having to worry about the features all working on the phone system.
Would you be able to give an example of how to pass one of the external IP addresses via NAT to a firewall on the inside of the 2801 based on the config above? Does it get passed to a certain port on the 2801 for the firewall to connect to?

01-18-2016 07:27 AM
NAT is done by your router, so you can leave it that way. I suppose your VoIP server IP is in the range of 192.168.30.1, and I know it is sometimes difficult to change it since it is controlled by a 3rd party, so connect your server with no change to the firewall and change the IP of the router instead.
Firewall inside address 192.168.30.1 255.255.255.0 (connects to your VoIP server)
Firewall outside address 192.168.29.2 255.255.255.0 (connects to your router; 29 is just an example)
Router f0/0 192.168.29.1
access-list 1 permit 192.168.29.0 0.0.0.255 ( changing NAT access-list)
And routes on the router will stay the same since you are changing server addresses.
In this configuration firewall does not need to do NAT.
The below configuration is only for firewall management by Public IP from internet. Your firewall will be accessible by public IP. Otherwise, it is not necessary.
ip nat inside source static 192.168.29.2 7.X.X.X
Just one line of configuration on router.
Masoud
01-18-2016 07:45 AM
Thank you Masoud, I will give that a try once the outside vendor finishes the final tweaking of the phone system.
Got any pointers on PPPoE for the one location, or is that difficult with the VPN part of it? I've tried following this person's post:
http://www.dslreports.com/faq/8199
but at the command
router(config-vpdn)#protocol pppoe
appears to be an invalid command

01-18-2016 07:56 AM
VPDN is not necessary for the configuration of PPPoE. VPDN is configured on the server. I am not sure what that person is trying to do. Skip the first part.
Masoud
01-18-2016 08:58 AM
Ok, thank you.
Thank you both for taking the time to help with this!
I will see how it goes!

01-18-2016 09:00 AM
Glad it helped.
Masoud
01-24-2016 10:46 PM
Masoud,
I have been experimenting with this some and have it close to working... I think.
I added the PPPoE config as shown below.
I get link up and am able to ping outside (google.com, 8.8.8.8, etc.); however, I cannot access the outside from the internal network devices connected.
I feel that I am doing something wrong with the inside access to outside access list, but seem to be at a dead end trying to figure it out.
If you would be so kind as to look over the following and advise.
Thank you,
Tim
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-03_PBX
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 15
clock timezone CST -6 0
clock summer-time DST recurring
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.40.1 192.168.40.20
!
ip dhcp pool voip_dhcp
network 192.168.40.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
option 150 ip 192.168.40.1
default-router 192.168.40.1
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group main
!
!
trunk group ld
!
!
!
voice service voip
ip address trusted list
ipv4 192.168.20.1
ipv4 172.16.1.1
ipv4 192.168.30.1
ipv4 172.16.2.1
allow-connections h323 to h323
allow-connections sip to sip
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn XXXXXXXXX
!
redundancy
!
!!
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source <MYPUBLICSTATIC IP>
tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
ip address 172.16.2.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source <MY PUBLIC STATIC IP>
tunnel destination <SECONDARY SITE IP#2>
!
interface FastEthernet0/0
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat outside
ip virtual-reassembly in
speed 100
half-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address <STATIC PUBLIC IP> 255.255.255.0
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer-group 1
ppp authentication pap chap callin optional
ppp chap hostname <inforemoved>@qwest.net
ppp chap password 0 <removed>
ppp pap sent-username <REMOVED>@qwest.net password 0 <REMOVED>
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.20.0 255.255.255.0 172.16.1.1
ip route 192.168.30.0 255.255.255.0 172.16.2.1
!
logging esm config
access-list 1 permit 192.168.40.0 0.0.0.255
!

01-25-2016 05:17 AM
Hello,
Change "interface FastEthernet overload" to "interface Dialer1 overload".
01-26-2016 07:16 AM
Hello Masoud,
That appears to have solved the internal network computers getting out to the external.
I tried using a phone to make a site-to-site call, but those did not work.
Could this be the tunnel that is not configured properly?
This was the setting above, where the tunnel source was my static IP address:
-------------------------------
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source <MYPUBLICSTATIC IP>
tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
ip address 172.16.2.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source <MY PUBLIC STATIC IP>
tunnel destination <SECONDARY SITE IP#2>
!
------------------------------------------------------------
I then tried this with Dialer1 instead of the hard-coded IP, but still no luck.
----------------------------------------
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel destination <SECONDARY SITE IP#1>
!
interface Tunnel1
ip address 172.16.2.2 255.255.255.0
ip mtu 1500
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel destination <SECONDARY SITE IP#2>
!
----------------------------------------------------------
Tim

01-26-2016 09:51 AM
Hello,
Change the IP MTU to 1472. It may not work depending on how you have configured your routing, because the IP addresses used on the tunnels are not in the same range, so if you have used the tunnel IP address as the next hop, it is not going to work.
Change the IP addresses of the tunnel interfaces and try to ping the other tunnel end to make sure the tunnel works.
Use 172.16.1.2 255.255.255.0 for one side and 172.16.1.1 255.255.255.0 for the other side and try to ping. If ping works, then pay attention to the routing.
Masoud
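As an added example (not from this thread or from Cisco), a small Python linter that applies the three checks raised in the thread to an IOS running-config: a static route's next hop must be an interface or lie on a connected subnet (Masoud's point about tunnel addresses in different ranges), the NAT overload must be bound to the interface the default route actually exits (the FastEthernet0/1 to Dialer1 fix), and the NAT access-list must cover the "ip nat inside" subnet (the access-list change when the router's inside address moves to 192.168.29.0/24). The sample config is constructed from the site-3 lines above, and 203.0.113.10 is a placeholder for the redacted public address.

```python
import ipaddress
import re
# Constructed sample: the routing and NAT lines of the site-3 config posted in this
# thread, before Masoud's fix. 203.0.113.10 stands in for the redacted public address.
SITE3_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
interface FastEthernet0/0
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address 203.0.113.10 255.255.255.0
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.20.0 255.255.255.0 172.16.1.1
access-list 1 permit 192.168.40.0 0.0.0.255
"""

def parse_interfaces(cfg):  # name -> {'net': IPv4Interface|None, 'nat': 'inside'|'outside'|None}
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        if m := re.match(r"interface (\S+)$", raw):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif not raw.startswith(" "):  # an unindented line ends the interface block
            cur = None
        elif cur and (m := re.match(r"\s+ip address (\S+) (\S+)$", raw)):
            cur["net"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")  # dotted-mask form is accepted
        elif cur and (m := re.match(r"\s+ip nat (inside|outside)$", raw)):
            cur["nat"] = m[1]
    return ifaces

def egress_for(ifaces, hop):
    """Interface a next hop leaves through: the named interface, or the one whose subnet holds the IP."""
    if hop[0].isalpha():  # an interface name rather than an address
        return hop if hop in ifaces else None
    ip = ipaddress.IPv4Address(hop)
    return next((n for n, i in ifaces.items() if i["net"] and ip in i["net"].network), None)

def lint(cfg):  # findings for the three misconfigurations discussed in the thread
    ifaces, out = parse_interfaces(cfg), []
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M)
    for dst, mask, hop in routes:  # a next hop must be an interface or lie on a connected subnet
        if egress_for(ifaces, hop) is None:
            out.append(f"route: next hop {hop} for {dst} {mask} is on no connected subnet")
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M)
    egress = next((egress_for(ifaces, hop) for dst, _, hop in routes if dst == "0.0.0.0"), None)
    if nat and egress and egress != nat[2]:  # overload must be bound to the real egress interface
        out.append(f"nat-overload: bound to {nat[2]} but the default route exits via {egress}")
    acl = nat and re.search(rf"^access-list {nat[1]} permit (\S+) (\S+)$", cfg, re.M)
    permitted = acl and ipaddress.IPv4Network(f"{acl[1]}/{acl[2]}")  # wildcard-mask form
    for name, i in ifaces.items():  # the NAT ACL must cover every 'ip nat inside' subnet
        if permitted and i["nat"] == "inside" and i["net"] and not i["net"].network.subnet_of(permitted):
            out.append(f"nat-acl: list {nat[1]} permits {permitted} but {name} is {i['net'].network}")
    return out
```

Running lint(SITE3_CONFIG) reports only the overload binding; swapping FastEthernet0/1 for Dialer1 in the overload line clears it, and readdressing FastEthernet0/0 to 192.168.29.1 without touching access-list 1 raises the nat-acl finding.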
