cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
656
Views
0
Helpful
3
Replies

Routing issue with ASA and UC540 phone system - at ASA???

Nathan Farrar
Level 1
Level 1

network.png

Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has it's own WAN connection as does the ASA.

Here are some facts:

1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )

2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )

3. The ASA is the default gateway for the PC.

4. I have a route inserted at the asa that is:

               route 10.1.10.1 255.255.255.0 10.19.250.254 1

5. I have a nat statement that prevents NAT from occuring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the      ASA.

6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address

7. I CAN pull up a web page on the PC when I create a static route on the PC iteslf :

               route add 10.1.10.1 mask 255.255.255.0 10.19.250.254

     Is is only with this route that I am able to get to the web GUI on the phone system.

8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server, the internal CUE server is at      10.1.10.1

9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24, no issues with this vlan and phones      are connecting to the system fine.

Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with it's internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is setup correctly..... TCP traffic doesn't seem to get to/from the CUE server.

Here are the routing tables:

ASA:

Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0

C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside

S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside

S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside

C    10.19.250.0 255.255.254.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside

The UC540 phone system's router side:

Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx

      10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks

C        10.1.1.0/24 is directly connected, BVI100

L        10.1.1.1/32 is directly connected, BVI100

C        10.1.10.0/30 is directly connected, Loopback0

S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0

L        10.1.10.2/32 is directly connected, Loopback0

C        10.19.250.0/23 is directly connected, BVI1

L        10.19.250.254/32 is directly connected, BVI1

      XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0

L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0

      172.16.0.0/24 is subnetted, 1 subnets

S        172.16.100.0 [1/0] via 10.19.250.1

The UC540's internal CUE server:

Main Routing Table:

           DEST            GATE            MASK                     IFACE

      10.1.10.0            0.0.0.0           255.255.255.252       eth0

        0.0.0.0             10.1.10.2         0.0.0.0                    eth0

Any help appreciated!!!

Thanks!

3 Replies 3

Hello, Nathan.

ASA is not usual router - it's a security device.

You might have missed following command to enable intra-interface communication:

same-security-traffic permit intra-interface

In this instance the ASA is providing the routing for the network. It is a relatively small network. I don't think the intra interface and will help here as the ASA does not have any VLANs configured on it so there is no transfer between security levels, but I'll check tonight. I may be understanding the command incorrectly. The ASA should just be forwarding the traffic to the device at .254. Maybe it is the return traffic that is being blocked? I'll have to run some packet captures when I have the opportunity.

Hello,

Where you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The Firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.

I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.

Here is a info page on the TCP State Bypass:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Please let me know how it works out.

Review Cisco Networking for a $25 gift card