cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Get the latest Cisco news in this February issue of the Cisco Small Business Monthly Newsletter

1093
Views
0
Helpful
0
Replies
Beginner

UC500 Teleworker Via SRP and SA500

I have managed to configure a remote site connection to a UC500 via a Cisco SRP and a SA500.

I the process of setting it all up I did search arround for any documents but they all had the remote end point using a Cisco SR (800).

So as this might help other people I will post what I have done.

*This is probally not the best way, or the most secure way. But this is the best way I have discovered with the restrictions that I had inplace.

So first off you will start with the basic UC500 local deployment, for the data VLAN I am using "10.0.0.0/24" and for voice I am using "10.1.1.0/24"

Rather then having the UC500 as the router/firewall our customer already had a Cisco SA500 and wanted to continue using that device as the main router for VPN and NAT etc... so this is plugged into the an ESW on the Data VLAN.

UC560 DATA - 10.0.0.253 /24

UC560 VOICE - 10.1.1.1 /24

SA500 - 10.0.0.254 /24

SRP DATA - 192.168.15.1 /24

SRP VOICE - 192.168.100.1 /24

So now we create a route on the Cisco SA to the voice network via the UC560

    10.1.1.0 255.255.255.0 10.0.0.253 (LAN Interface)

Check connectivity by pinging the UC Voice interface (10.1.1.1) via the SA's web interface

You can now create a IKE Policy between the Cisco SA and a remote SRP

Create an IPSec Policy to encapsulate the Data VLAN on the UC to the Data VLAN on the SRP

Create a 2nd IPSec Policy to encapsulate the Voice VLAN on the UC to the Voice VLAN on the SRP

Create the VPN and IPSec Policys on the remote SRP and check the VPN is connected.

You should have something that looks like this...

VPN-Data - 10.0.0.0 / 255.255.255.0  192.168.15.0 / 255.255.255.0 SHA-1 AES-128

VPN-Voice - 10.1.1.0 / 255.255.255.0 192.168.100.0 / 255.255.255.0 SHA-1 AES-128

These two IPSec Policys should be attached to the same IKE policy for the Remote site

You will now need to create a route on the UC for the VPN network

     Router(config)# ip route 192.168.15.0 255.255.255.0 10.0.0.254

     Router(config)# ip route 192.168.100.0 255.255.255.0 10.0.0.254

From the Cisco UC you should be able to ping the SRP over the VPN

Now when you plug in a IP Phone is should stuck in the "Downloading Config.xml.cnf" screen while it attempts to connect to the UC and download the its config file. First off all you will need to edit the DHCP scope on the SRP for the Voice VLan and add the IP address for the UC Voice Vlan to the TFTP options. Now the Phone can connect to the UC560 over the VPN to TFTP the config file and firmware, but for some reason the TFTP retuning traffice gets lost as the UC sees it comming in on VLAN100 so you need to add a TFTP Soruce-Interface comand.

           Router(config)#ip tftp source-interface vlan100

I have tested this on the local site and it doesn’t seem to effect the local phones on VLAN100

The Phone should now register and you should be able to make calls.

If I had made any mistakes or have left something completly open, please let me know.

Currently this solution is not in production

--Tularis

Everyone's tags (6)