11-29-2010 02:22 PM - edited 03-21-2019 03:19 AM
First Let me show you the physical setup of my network.
UC520 ------ ASA5505 ------ INTERNET -------- RVS4000 -------- SPA504 IP phones
Is there a way to get the two SPA504 IP phones from inside the RVS4000 remote office to tie into the UC520 through a VPN tunnel? So that they would appear as two other extensions on the phones. Or must I have two public IP's and make the UC520 a firewall as well with a Public IP, and connect the remote spa504g phone over the internet?
What is the best solution for this kind of setup?
thanks
jesse
Solved! Go to Solution.
12-01-2010 08:05 PM
ok thanks cool. Do you know if there is a guide on connecting an spa504g phone over a vpn and into the uc520? Or if the uc520 is on the edge of the network, can you just connect to its external public IP from the spa504g and have it push the tftp config over the Internet?
12-01-2010 08:13 PM
Sure. Smart Designs: http://www.cisco.com/web/partners/sell/smb/tools_and_resources/smart_business_comm_system.html
Partner Login required.
Look near the bottom (Application note on remote teleworker).
But we don't support RVS (like I mentioned), and that phone needs to be behind an approved teleworker router.
Have a look.
The SPA504 doesn't connect like the SPA525G does. It needs a router as described in there.
I am east coast so see you tomorrow.
12-01-2010 08:36 PM
I know it's not technically supported, but using an IPSEC VPN between the two sites I would think that traffic would be allowed and the spa504g phone can point to the IP of the UC520.
12-02-2010 04:40 AM
You are correct Jesse. The phones would get a local IP address, and the TFTP option would point to the Voice VLAN IP for the UC520. I would also recommend allowing 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware.
As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?
Adam Compton
12-02-2010 08:26 AM
Here is the plan based on everyone's help. Thank you all.
5 workstations and 5 spa504g phones -------- switch ------- (10.0.0.1) UC520 (vpn to rvs) ------ INTERNET ------ (vpn to uc520) asa5505 (192.168.50.1) dhcp tftp option set to 10.0.0.1 ------ switch ------ 1 spa504g phone
"I would also recommend allowing 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware."
Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the uc520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way and it would be nice to keep all the IP settings the same with the uc520.
As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?
I only need one VPN to the rvs4000, which I will now replace with the asa5505. This is for a small doctor who only has one remote office that needs to connect through the VPN. Yeah, moving that asa5505 is a good idea and I will incorporate this instead.
I will be testing all of this first in my lab. Do you think I can plug a crossover between the wan links on the asa 5505 and the uc520 with a /30 subnet and then set up a vpn between the two for testing? Would this work?
Everyone's help is appreciated.
12-02-2010 12:49 PM
Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the uc520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way and it would be nice to keep all the IP settings the same with the uc520.
Changing the CUE IP address is not recommended, because it messes up a lot of things with CCA and voicemail. If you must change it, do so at your own risk.
I will be testing all of this first in my lab. Do you think I can plug a crossover between the wan links on the asa 5505 and the uc520 with a /30 subnet and then set up a vpn between the two for testing? Would this work?
That should work just fine for testing.
Adam (Straight out the Trailer) Compton
12-02-2010 01:03 PM
CooooowwwwwwBoooooy.
:-)
East coast hood
Steve
12-02-2010 05:27 PM
The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware.
So I would need to add an ACL allowing this traffic on the wan side of my asa 5505 as interesting traffic? Where would I make sure this is allowed for things to work?
12-02-2010 11:00 PM
Here is the next requirement which I need the uc520 to perform besides the site to site vpn. If you have advice on whether the uc520 can do this, please advise. Thank you Nathan and Steve for your continued guidance. My uc520 is using the lan subnet of 10.0.0.0/24.
Company B has completed creating the VPN tunnel on our side. Please provide the VPN parameters below to your IT Professional so that the tunnel may be created. Please have your IT Professional ping the IP addresses below that pertain to your purchase to test a successful connection to company B:
Please update your ticket once complete so that we may contact you to schedule Surescripts software installation and training. I look forward to hearing from you.
Please note that this is a Host to Host configuration and not a Gateway to Gateway.
----------------------------------------------------
Our endpoint is: 66.x.x.x
Our network is: 192.168.50.0 (255.255.255.0)
The clinic will need to make an ACL from 172.28.175.5 to host 192.168.50.83 and 192.168.50.86, and 192.168.50.50 if the portal is used.
The clinic will need to NAT interesting traffic to 172.28.175.0 255.255.255.0.
Phase 1
Authentication: Pre-Shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400 sec
Pre-shared Key: *
Phase2
ESP encryption 3DES
ESP authentication SHA1
Lifetime 28800
12-03-2010 05:28 AM
When you setup the VPN, you have to define which traffic goes over the VPN in an ACL. So you will have an ACL on each device permitting "this" source subnet to "that" destination subnet. Just include the 10.1.10.0/30 in your ACL statements.
As far as the information you've listed about an application, I'm not really sure what your question is. Are they going to create a VPN between one host on your network and another host on the internet? If that is the case, then you would just need to ensure that the traffic between the 2 devices is allowed. If the VPN is going to terminate on the UC520, you would have to create another VPN tunnel for that purpose.
Adam Compton
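The two points Adam makes in this thread, that the crypto ACL on each side must include the CUE loopback 10.1.10.0/30 and be the exact mirror of the peer's, and that the host-to-host tunnel to company B must be defined on the NATed addresses, are easy to get wrong and easy to check before touching the routers. The script below is an added example, not code from the thread or from Cisco; it models the crypto ACL match with the standard library only. It takes its addresses from the posts above (10.0.0.0/24 and 10.0.0.1 on the UC520, 10.1.10.2 as the TFTP source, 192.168.50.0/24 at the remote office, 172.28.175.5 and company B's hosts). The remote phone address 192.168.50.20, the clinic PC 10.0.0.25 and its static NAT mapping to 172.28.175.5 are assumptions for the illustration. The model matches source and destination networks only (no ports), and treats a crypto ACL the way IOS does: it describes outbound flows, with the peer's mirror covering the reverse direction. The host-to-host check applies the inside-to-outside order IOS uses, NAT first and crypto map second, which is why an ACL written against the pre-NAT host never matches.

```python
"""Added example, not from the thread: sanity-check the IPsec 'interesting
traffic' ACLs discussed above using only the standard library.

Check 1: the UC520 crypto ACL must include the CUE loopback 10.1.10.0/30 and
the ASA's ACL must be its exact mirror.
Check 2: for the host-to-host tunnel to company B, inside-to-outside traffic
on IOS is NATed before the crypto map is consulted, so that ACL must name the
translated source 172.28.175.5. Ports are ignored; only networks are matched."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP) as seen on the inside


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of a crypto ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ipaddress.ip_network(src, strict=False),
               ipaddress.ip_network(dst, strict=False))


def permits(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in a.src and d in a.dst for a in acl)


def mirror(acl: List[Ace]) -> List[Ace]:
    """The ACL the peer must carry: each entry with src and dst swapped."""
    return [Ace(a.dst, a.src) for a in acl]


def mirror_mismatch(local: List[Ace], remote: List[Ace]) -> Set[Ace]:
    """Entries with no mirror on the other side; proxy-ID negotiation fails
    for exactly these, so the result should be empty."""
    return set(mirror(local)) ^ set(remote)


def uncovered(acl: List[Ace], flows: List[Flow]) -> List[Flow]:
    """Outbound flows the crypto map would not send into the tunnel."""
    return [f for f in flows if not permits(acl, *f)]


# Site-to-site, addresses from the thread: UC520 LAN 10.0.0.0/24 with the
# voice VLAN IP 10.0.0.1 handed out as the DHCP TFTP option, CUE loopback
# 10.1.10.0/30 (TFTP source 10.1.10.2), remote office LAN 192.168.50.0/24.
HQ_LAN, CUE_LOOPBACK, REMOTE_LAN = "10.0.0.0/24", "10.1.10.0/30", "192.168.50.0/24"
REMOTE_PHONE = "192.168.50.20"  # assumed phone address, not from the thread

# Traffic the UC520 sends toward a remote phone: call control from 10.0.0.1,
# TFTP config/firmware and voicemail sourced from the loopback 10.1.10.2.
HQ_TO_PHONE: List[Flow] = [("10.0.0.1", REMOTE_PHONE), ("10.1.10.2", REMOTE_PHONE)]
PHONE_TO_HQ: List[Flow] = [(d, s) for s, d in HQ_TO_PHONE]

UC520_ACL_NAIVE = [ace(HQ_LAN, REMOTE_LAN)]                          # LAN-to-LAN only
UC520_ACL_FIXED = UC520_ACL_NAIVE + [ace(CUE_LOOPBACK, REMOTE_LAN)]  # plus the /30


def phone_flows_missing(acl: List[Ace]) -> List[Flow]:
    return uncovered(acl, HQ_TO_PHONE)


def asa_side_ok(uc520_acl: List[Ace], asa_acl: List[Ace]) -> bool:
    """ASA ACL must mirror the UC520's and cover the phone's own requests."""
    return not mirror_mismatch(uc520_acl, asa_acl) and not uncovered(asa_acl, PHONE_TO_HQ)


# Host-to-host tunnel to company B, from their parameters: translate clinic
# traffic into 172.28.175.0/24 and permit 172.28.175.5 to their hosts.
COMPANY_B_HOSTS = ["192.168.50.83", "192.168.50.86", "192.168.50.50"]
CLINIC_PC = "10.0.0.25"  # assumed inside host, not from the thread
STATIC_NAT: Dict[str, str] = {CLINIC_PC: "172.28.175.5"}  # assumed 1:1 mapping

ACL_POST_NAT = [ace("172.28.175.5/32", h + "/32") for h in COMPANY_B_HOSTS]
ACL_PRE_NAT = [ace(CLINIC_PC + "/32", h + "/32") for h in COMPANY_B_HOSTS]  # wrong


def will_encrypt(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """IOS inside->outside order: NAT first, then the crypto map lookup."""
    return permits(acl, STATIC_NAT.get(src_ip, src_ip), dst_ip)


if __name__ == "__main__":
    print("naive UC520 ACL leaves unencrypted:", phone_flows_missing(UC520_ACL_NAIVE))
    print("fixed UC520 ACL leaves unencrypted:", phone_flows_missing(UC520_ACL_FIXED))
    print("ASA carrying only the LAN-to-LAN mirror is acceptable:",
          asa_side_ok(UC520_ACL_FIXED, mirror(UC520_ACL_NAIVE)))
    print("company B ACL written pre-NAT encrypts:",
          will_encrypt(ACL_PRE_NAT, CLINIC_PC, "192.168.50.83"))
    print("company B ACL written post-NAT encrypts:",
          will_encrypt(ACL_POST_NAT, CLINIC_PC, "192.168.50.83"))
```

Running it shows the naive ACL dropping exactly the 10.1.10.2 flow (the symptom Adam describes: phones that register but never load config or firmware), and shows that an ASA carrying only the LAN-to-LAN mirror fails the mirror check even though the UC520 side was fixed. The model says nothing about the IKE proposal itself (3DES, SHA1 and DH group 1 as company B lists them are weak by current standards, but they are dictated by the peer) and does not model the ASA's NAT exemption for tunnel traffic, which also has to be in place. One thing the addresses in this thread make worth verifying before both tunnels exist: the remote-office plan puts the ASA at 192.168.50.1, and company B's network is also 192.168.50.0/24, so on the UC520 the LAN-to-LAN entry and the company B entries would both match a destination of 192.168.50.83.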
01-05-2011 06:32 PM
Thanks for this comment Steven,
Where is the document that tells me what supported remote routers I can use? I had been searching all through the smart designs and never specifically saw anything until your comment that stated that you could have 10 remote site routers connected.
I have a similar situation but no phones are needed just data.
Thanks,
Johnny
01-05-2011 06:47 PM
Well, if you just need VPN support then any router that does IPSEC will work.
01-06-2011 07:03 AM
01-06-2011 07:25 AM
Steven,
Thanks for the information and the response. I had already gone over those documents but they only refer to the SR520W-FE, SR520-T1, or a UC500 for remote work.
Perhaps a better way would be to find out what Cisco classic routers are supported by CCA for teleworkers. How do I find this out?
I don't want to use an SR520 or SA500. I think there were some 800 series that were part of the solution in the past; have they been dropped?
Thanks,
Johnny
01-06-2011 07:51 AM
The SA500 series and the SR520 T1 are the only routers that will be supported in CCA. I've never seen any other router besides these supported in CCA, so I am not sure if the 800 series was ever supported, but I know they are not currently supported within CCA. Only Small Business Pro routers are able to be managed through CCA. Hope this helps.
Brian