UC 540/560 for 9 sites with 1 or 2 spa525g2 each

hyronike1

Dear Cisco Gurus,

We are planning to buy a Cisco UC540 or 560 and some SPA525G2 phones to connect HQ to our 9 remote offices, with one or two SPA525G2 phones each.

I read that SPA525G2 phones have built-in SSL VPN.

My question is:

1. Can the SPA525G2 at the remote offices register itself (using SSL VPN) to the UC500 through/behind a firewall? I ask because I don't have access to the existing firewall to change the configuration.

2. Or should I install a Cisco 871 router and connect the 525G2 phones over its tunnel?

Any help is really appreciated. Thanks!

Regards,

Roni

hyronike1

Sorry, to make it clearer:

The UC500 will have a static public IP, not behind a firewall, but the SPA525G2 phones at the remote offices are sitting behind a firewall. Will the phones be able to register to the UC500?

I ask because previously, behind the firewall, I tried to connect an IPsec or PPTP VPN to a VPN router, but it was a no-go.

Hello Roni,

You should be able to use the SPA525G2 with its built-in SSL VPN client behind the firewall of the existing network, without the need to make another tunnel using a dedicated router - this setup is widely used. If you need more than 10 remote SPA525G2 phones, consider the UC560, because the UC540 can make up to 10 VPN connections.

HTH,

Alex

*Please rate helpful posts

Hello Alex,

Thank you very much for your answer.

I just want to be sure: do I need to open specific ports on the existing firewall (I cannot do this, no password) in order for the SPA525G2 phones to be able to operate without problems sitting behind a firewall?

I also read that with the UC560 we should use an ASA to terminate the VPN, instead of using the UC560, because of a bug. What ASA model would you recommend to handle 9 sites with around 30 SSL tunnels?

Thanks again.

Regards,

Roni

Hi Hyronike,

In our experience, if you use separate data traffic anyway, it's better to have a permanent VPN tunnel with an 871 router at the phone location and to connect the phones over this permanent tunnel, rather than using an extra VPN with the internal SSL VPN of the SPA525.

Ciao,

Christian

Dear Christian,

Thanks for sharing your valuable experience.

Best Regards,

Roni

Hello Roni,

You do not need to open anything on the side of the SPA525G to connect it using SSL VPN to the UC500. I cannot remember if the SPA525 SSL VPN is working correctly with the ASA (it should, but must be checked again). Usually you should not have any issues connecting the SPA525 to the UC560 (up to 20 SSL VPN connections). Sometimes, especially if you need DTLS SSL on the 560, you may encounter some issues, if this is what you mean.

The ASA 5505 is capable of 25 SSL connections and the 5510 can do up to 250. You can check this at the following link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

Best regards,

Alex

Dear Alex,

Thank you for your insight. It is mentioned here:

https://supportforums.cisco.com/docs/DOC-22991

not to enable DTLS and instead to use an ASA to terminate the VPN; there is currently a bug that prevents the phone from registering.

Best Regards,

Roni