cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2008
Views
0
Helpful
7
Replies

UC320W WAN Greyfield with ASA 5505

BellAdmin
Level 1
Level 1

I am having trouble with WAN port connectivity. I am using the Greyfield Scenario (UC320W Routes voice only). My preference would be to simply use the DATA LAN (VLAN1) to give the UC320W WAN an IP address, or statically assign one in the LAN network, but I haven’t been successful at that either. This seems overly complicated, but maybe I am just making it that way.

Here is the equipment I am using:

UC320W firmware v 2.3.2 (or 2.2.2)

SF300-24p firmware v 1.2.776

ASA5505 firmware v 8.4(4)1

Connections:

UC320W LAN (VLAN1) 10.0.0.0/24 ---> connected to SF300 g/1

UC320W WAN 172.16.1.0/24 ---> connected to ASA5505 e/5

UC320W Voice_VLAN (VLAN 100) default 10.1.1.0

SF300 Auto Voice VLAN 100

ASA5505 e/1 connected to SF300 g/2 (ASA e/0 to ISP, ASA e/5 to UC320 WAN)

We only have 1 usable IP address, so the WAN and VPN and Internet share the same Outside IP address.

ASA Configuration:

interface Ethernet0/5

switchport access vlan 4

interface Vlan4

no forward interface Vlan1

nameif UC320-WAN

security-level 50

ip address 172.16.1.1 255.255.255.0

object network obj_UC320-WAN

subnet 172.16.1.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1

network-object object obj_UC320-WAN

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

object network obj_UC320-WAN

nat (UC320-WAN,outside) static obj_UC320-WAN

IP phones correctly get DHCP from UC320W. PCs connected to IP phone switch port correctly get DHCP from ASA. VPN routes correctly. Internet traffic to PCs works correctly. UC320W and IP phones work perfectly – no echo.

The only problem is the WAN port and getting NTP and connectivity to the Cloud. I have tried connecting the WAN to the SF300 and setting it to DHCP. It does connect to the clout and NTP, but after a short while the whole network becomes unavailable and to fix I have to reboot the UC320, so I am sure there is a loop.

If possible I would sure like to use the UC320 WAN as a DHCP address on the LAN. I have > than 30 of these configurations about to be deployed. Easier is ALWAYS better.

Any help please.

7 Replies 7

Hi,

Before I start a full disclaimer:  I'm not an ASA expert and only know enough to be dangerous.   Only a partial config was provided.  I suspect the NAT need some additional work in your config.   It also isn't clear if you are using FXO rof SIP trunks in your configs, so there are some additional lines if you are using SIP trunks below. Here is a framework that should help point you in the right direction:

Make sure you either have a DHCP pool for 172.16.1.0/24 network or you staticly assign an IP to the UC320W WAN (preferred).

interface Vlan1

description Outside

nameif Outside

security-level 0

ip address dhcp setroute

interface Vlan2

description Inside

nameif Inside

security-level 100

ip address 10.0.0.1 255.255.255.0

interface Vlan 4

no forward interface VLAN1

nameif VOIP

security-level 50

ip address 172.16.1.1 255.255.255.0

object service SO-SIP-TCP-5060-5080

service tcp source range sip 5080 destination range sip 5080

object service SO-SIP-UDP-5060-5080

service udp source range sip 5080 destination range sip 5080

object network NAT-UC320

host 172.32.254.254

object network NAT-VLAN100-Data

subnet 10.0.0.0 255.255.255.0

!  These two NAT statements are for OUtbound-->In Static Mapping for inbound Sip.  Control Access by ACL.

nat (Outside,VOIP) source static any any destination static interface NAT-UC320 service SO-SIP-UDP-5060-5080 SO-SIP-UDP-5060-5080

nat (Outside,VOIP) source static any any destination static interface NAT-UC320 service SO-SIP-TCP-5060-5080 SO-SIP-TCP-5060-5080

!  These two NAT statements are allowing the UC320 & Data VLAN Internet Access

object network UC320-NAT

nat (VOIP,Outside) dynamic interface

object network NAT-VLAN100-Data

nat (Inside,Outside) dynamic interface dns

!Also make sure that SIP is being inspected for RTP Media connections.   It's ok to have other stuff in here too!

policy-map global_policy

class inspection_default

  inspect sip 

Hope this helps.

Chris

Thanks for the help.  I am certainly not an ASA guy either. This is my first time to work with the UC320W.

I should have mentioned that only FXO was used, no SIP.  The UC320 WAN has a static IP 172.16.1.2.  The NAT was there

Your configuration:

object network UC320-NAT

  nat (VOIP,Outside) dynamic interface

Mine:

object network obj_UC320-WAN

  nat (UC320-WAN,outside) static obj_UC320-WAN

I gave changing the static obj_UC320-WAN to dynamic interface, but that didn't work.  It used to be easier, but the new syntax for ASA 8.2 and above changed the way routing, ACL and NAT are written.  I still must be missing somethiing. Using Packet tracer in ASDM, it shows 172.16.1.2 successfully routing to 8.8.8.8.

In the release notes for the UC320W Firmware 2.3.2, it noted that you can use DHCP on the DATA_VLAN if there was a bandwidth issue. If I could do that, I could get rid of all the ASA configuration for the extra VLAN (172.16.1.0) and not worry about it. Unfortunately I haven't made that work.  Has anyone you know of? If so, what's the trick?

Just confirming, you have two NAT lines one for the PC subnet (10.0.0.x) and one for UC320 172.16.1.x?

How are you trying to verify the WAN connectivity on the UC320W?  Are you logging into the UC320W Configuration Utility and using the Ping utility under Status -> Support Tools and trying to hit an IP address on the public internet?

Do you have other ACLs that might be blocking the traffic?

The ASA isn't part of the Cisco Small Business product portfolio.  In the portfolio we would suggest the Security Appliance 500 series (SA 500).  You might put a call into Cisco TAC for support on the ASA configuration.

Chris

Chris, thank you again for your help. I think you're right about calling TAC. I really wanted to figure this out, and your on the right track, I am sure. 

I do have both network objects NATed, and I don't see any ACL that would block the traffic. But then since the syntax change, I am a little lost - okay, more than a little.

I was testing the ASA using ADSM and the packet tracer. It shows the packet passes, but from the UC230, I can not ping out to 4.2.2.3 for example. The clock is not correct and I can not connect to the cloud. I do show packets in and out on the UC320 WAN status pages.

Location-Name-ASA # sho run object

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network VPN_NETWK

subnet 10.1.0.0 255.255.0.0

object network obj_Location-Name

subnet 10.0.0.0 255.255.255.0

object network obj_UC320-WAN

subnet 172.16.1.0 255.255.255.0

Location-Name-ASA# sho run nat

nat (inside,outside) source static obj_Location-Name obj_Location-Name destination static VPN_NETWK VPN_NETWK route-lookup

nat (inside,outside) source dynamic obj_Location-Name interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj_Location-Name

nat (inside,outside) dynamic interface

object network obj_UC320-WAN

nat (UC320-WAN,outside) static obj_UC320-WAN

Location-Name-ASA# sho run access-list

access-list netflow-export extended permit ip any any

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 object VPN_NETWK

access-list UC320-WAN_access_in extended permit ip any 12.x.x.x 255.255.255.248

I am still unclear why the WAN port on the UC230 is required to have it's own network/subnet. Do you have any insight on why it is that way?

I have just taken over this "project" and the ASAs are already purchased and in place with the VPN's connected. Tunnels are up.

Much appreciation.

HI,

The UC320W is built as a small simple all in one router/AP/PBX/switch.  As such the WAN interface is the device's default gateway for all traffic originating on the device (ping, NTP, SIP, etc).  The WAN and LAN are different routed interfaces and hence must be on different subnets.  To help keep costs down and the device simple to configure, there is no CLI interface to configure the routing.

Chris

BrownKA
Level 1
Level 1

So I have a similar configuration although I have multiple external IP's.  The way I got this to work is by doing it this way:

On the ASA5505, you essentially have 3 vlan's (unless you have the top level license for it) those vlan's are external, internal, and DMZ.  The DMZ can either talk to the internal network or external network, but not both on the basic license.  So I have my netwok configured this way:

ASA 5505 port 0 to cable modem and is on external vlan

ASA 5505 port 1 is on DMZ vlan and plugged into WAN port on UC320W

ASA 5505 port 2 is plugged into port 26 on SG200-26P switch and is on Internal vlan

DMZ vlan is configured to talk only to External

UC320W switch port 1 is connected to SG200-26P port 25

Phones connect to POE port on switch and auto register on VLAN 100.  Switch recognizes UC-320W on both Vlan1 and Vlan100.  Phones are automatically sent to vlan 100 and gain IP address from UC320W.  PC's connected to the phones register on Vlan 1 and get IP address from ASA.

Static IP set on UC320W wan port and is the IP range set for the DMZ vlan.  We are using a SIP trunk and have a complete IP NAT'd to the UC320W wan interface, but that I belive could be just a PAT and only use port 5060.  This probably won't be your situation since you aren't using SIP.

Kevin, Yes, that configuration is the Greyfield configuration. Perfect example. Other than the port numbers on the ASA and you have SIP, I have FXO, there isn't any difference in our setups.  My problem is, I am now understanding, is the configuration of the ASA5505 with v8.4.4 syntax.  I have not been able to successfully make the "DMZ vlan is configured to talk only to External".

Perhaps this is now a discussion that should be continued on another forum (for ASA5500's).  Chris's answer, that it's pretty much impossible to have the UC230 WAN port on the same network as the DATA LAN.

So i'ts time to concentrate on the ASA config.   Ugh.

Thanks to all - It's a learning curve.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: