03-01-2019 05:20 AM
Hi everyone,
I wonder if you can help me?
We have several users running the MiCollab Softphone software on their mobile devices and have recently amended our Wi-Fi configuration to include an isolated guest wireless network. This network has no access to internal IP addresses apart from UDP port 53 to our DC for DNS and TCP ports 443 and 3389 to our RDS broker. This is done using an IP Access Control List.
The Staff wireless network has access to all servers across the network.
The problem is that Softphone users on the Guest network cannot connect to the server. I have tried allowing all TCP and UDP traffic to both the internal and external IP of the Mitel server and the firewall on the Guest network, but it is not working.
I’m thinking that the traffic is going out to the external IP of our Mitel server, but is not coming back for some reason. Maybe because it resolves to an internal IP it does not have access to?
Just so you are aware, we are running our network on a Cisco 3560 switch stack and Cisco WAP121 wireless access points. There is no real config in the WAPs for the network as all routing is handled by the switches. Inter VLAN routing is enabled and working fine.
Our config is currently as follows for the relevant areas:
ip dhcp pool GuestWifi
network 192.168.70.0 255.255.255.0
default-router 192.168.70.254
dns-server 192.168.100.1
interface Vlan60
description Internal Wifi
ip address 192.168.60.254 255.255.255.0
ip helper-address 192.168.100.1
!
interface Vlan70
description Wireless Guest Network
ip address 192.168.70.254 255.255.255.0
ip access-group blockguest in
ip access-list extended blockguest
permit tcp any host 192.168.100.130 eq 3389 (RDS Broker)
permit tcp any host 192.168.100.130 eq 443 (RDS Broker)
permit udp any host 192.168.100.1 eq domain (DNS Server)
permit tcp any host 192.168.1.2 (Internal Mitel Server IP1)
permit tcp any host 192.168.1.13 (Internal Mitel Server IP2)
permit tcp any host 222.111.122.770 (External Mitel Server IP)
permit tcp any host 222.111.122.666 (External Firewall IP)
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
Any help you could give in guiding me in the right direction would be very gratefully appreciated!
Many thanks,
Steve
03-01-2019 06:37 AM - edited 03-01-2019 06:38 AM
Hello
A couple of ACE entries are not correct (in bold); I assume they are typos?
Try using an ACL that allows only TCP connections initiated from within the guest VLAN to return:
ip access-list extended blockguest
permit tcp host 192.168.100.130 any eq 3389 established
permit tcp host 192.168.100.130 any eq 443 established
permit tcp host 192.168.1.2 any established
permit tcp host 192.168.1.13 any established
permit tcp host 222.111.122.XXX any established
permit tcp host 222.111.122.XXX any established
permit udp host 192.168.100.1 any eq domain
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
interface Vlan70
description Wireless Guest Network
ip address 192.168.70.254 255.255.255.0
ip access-group blockguest OUT
03-05-2019 06:12 AM
Hi Paul,
Sorry about the delayed reply - for some reason I didn't get notified of your comment.
Anyway, yes, they are typos. I was posting in a hurry at work and just jammed some numbers in without thinking. Nice!
I'm going to add the OUT within the ACL as you mentioned and then try again with the end user when they are in this afternoon following lunch.
Cheers!
03-05-2019 07:22 AM
Hi Paul,
I amended the VLAN as you mentioned and the guest wi-fi lost internet connection. Plus he still could not connect to MiCollab from the softphone.
Thanks for that, but can you see why else it may be happening?
03-09-2019 08:32 AM
Hello
Sorry to hear that; maybe the ACL is missing something. Can you confirm that if you temporarily remove the ACL from VLAN 70 you obtain access from your softphones?
03-08-2019 08:51 AM
Hopefully I can bump this to see if anyone else has any ideas as we are still experiencing the issue and I can't see how to get around it.
Thanks everyone!
03-09-2019 03:53 AM - edited 03-09-2019 05:18 AM
Hi,
Make some changes as highlighted below:
interface Vlan70
description Wireless Guest Network
ip address 192.168.70.254 255.255.255.0
ip access-group blockguest in
ip access-list extended blockguest
permit tcp any host 192.168.100.130 eq 3389 (RDS Broker)
permit tcp any host 192.168.100.130 eq 443 (RDS Broker)
permit udp any host 192.168.100.1 eq domain (DNS Server)
permit udp host 192.168.100.1 eq domain any ! Allow Reverse DNS traffic.
permit tcp any host 192.168.1.2 (Internal Mitel Server IP1)
permit tcp any host 192.168.1.13 (Internal Mitel Server IP2)
permit tcp any host 222.111.122.770 (External Mitel Server IP)
permit tcp any host 222.111.122.666 (External Firewall IP)
deny ip any 192.168.0.0 0.0.255.255
Regards,
Deepak Kumar
03-11-2019 02:56 AM
Hi Deepak,
Thanks for that, but unfortunately it still does not work. The softphone is still stating that the MiCollab Client Service host is unreachable.
03-11-2019 03:09 AM
Hi,
Just do a test and remove the ACL from the interface. Are you able to get the softphone working? Is normal browsing working for you on this guest network?
What are the "MiCollab" IP address and port number used to communicate with the softphone? I think it is a better idea to capture the traffic on the client machine.
Regards,
Deepak Kumar
03-11-2019 05:24 AM
Hey everyone,
So, I figured this one out. I ran a packet trace and found that the ports the phone company gave me were incorrect. I only needed to allow ports 443 and 36008 over TCP to the Mitel server.
All sorted on both staff and guest networks now.
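As an added illustration of how the ACLs in this thread are evaluated (example code written for this page, not Cisco's software or any poster's configuration), the following Python models IOS first-match semantics for the subset of extended-ACL syntax used above: `any`/`host`/wildcard addresses, `eq` ports and the `established` keyword. It runs the guest-VLAN ACL in the form the thread ends up with (TCP 443 and 36008 to the MiCollab server, per the solution post) against constructed flows, and shows what Paul's `established` entry matches. The guest client address 192.168.70.23, the file-server address 192.168.100.50 and the internet address 198.51.100.7 are constructed; the thread's external Mitel address is itself a placeholder and is left out here.

```python
import ipaddress
from collections import namedtuple

# A packet as the ACL sees it; ack_or_rst is the TCP ACK/RST bit that 'established' tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))
# One access-control entry; proto "ip" matches every protocol, a None port means any port.
Ace = namedtuple("Ace", "action proto src sport dst dport established")
PORT_NAMES = {"domain": 53}   # the IOS service name used in the thread


def _parse_addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(toks[i + 1]))      # wildcard = inverted subnet mask
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2


def _parse_port(toks, i):
    """Parse an optional 'eq <port|name>'; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return int(PORT_NAMES.get(toks[i + 1], toks[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """permit|deny proto src [eq p] dst [eq p] [established]; a trailing '! remark' is ignored."""
    toks = line.split("!")[0].split()
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return Ace(toks[0], toks[1], src, sport, dst, dport, "established" in toks[i:])


def ace_matches(ace, pkt):
    return (
        ace.proto in ("ip", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ace.src
        and ipaddress.ip_address(pkt.dst) in ace.dst
        and (ace.sport is None or ace.sport == pkt.sport)
        and (ace.dport is None or ace.dport == pkt.dport)
        and (not ace.established or (pkt.proto == "tcp" and pkt.ack_or_rst))
    )


def evaluate(acl, pkt):
    """First matching ACE wins; running off the end is the implicit 'deny ip any any'."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None


# Inbound ACL on Vlan70 as it stands after the thread's resolution.
GUEST_IN = [parse_ace(l) for l in [
    "permit tcp any host 192.168.100.130 eq 3389",   # RDS broker
    "permit tcp any host 192.168.100.130 eq 443",    # RDS broker
    "permit udp any host 192.168.100.1 eq domain",   # DNS
    "permit tcp any host 192.168.1.2 eq 443",        # MiCollab, ports from the solution post
    "permit tcp any host 192.168.1.2 eq 36008",
    "deny ip any 192.168.0.0 0.0.255.255",           # everything else internal
    "permit ip any any",                             # internet access for guests
]]
# Paul's reverse-direction rule, which he applies OUT on the SVI.
ESTABLISHED_ACE = parse_ace("permit tcp host 192.168.1.2 any established")


def check_guest_flows():
    """Constructed flows from guest client 192.168.70.23; returns {name: (action, ACE number)}."""
    g = "192.168.70.23"
    flows = {
        "rdp to broker": Packet("tcp", g, "192.168.100.130", 51000, 3389),
        "micollab 36008": Packet("tcp", g, "192.168.1.2", 51001, 36008),
        "micollab other port": Packet("tcp", g, "192.168.1.2", 51002, 5060),
        "smb to file server": Packet("tcp", g, "192.168.100.50", 51003, 445),
        "dns": Packet("udp", g, "192.168.100.1", 51004, 53),
        "internet https": Packet("tcp", g, "198.51.100.7", 51005, 443),
    }
    return {name: evaluate(GUEST_IN, p) for name, p in flows.items()}


def check_established():
    """'established' matches the server's SYN-ACK reply but not a SYN the server originates."""
    reply = Packet("tcp", "192.168.1.2", "192.168.70.23", 36008, 51001, ack_or_rst=True)
    server_syn = Packet("tcp", "192.168.1.2", "192.168.70.23", 51006, 445)
    return ace_matches(ESTABLISHED_ACE, reply), ace_matches(ESTABLISHED_ACE, server_syn)


if __name__ == "__main__":
    for name, verdict in check_guest_flows().items():
        print(f"{name:22} -> {verdict}")
    print("established:", check_established())
```

An `in` ACL on an SVI is applied to packets arriving from the VLAN's hosts, so the evaluation above only sees the guest-to-server direction; the return half of each flow travels in the OUT direction that Paul's proposal filters, where `established` admits only TCP segments with ACK or RST set, which is why it matches the server's SYN-ACK but not a connection the server opens toward a guest. Running the file prints the verdict and the matching ACE number for each constructed flow.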