Jesse Shumaker

UC520 Behind ASA 5505 w/VPN to RVS4000

First let me show you the physical setup of my network.

UC520 ------ ASA5505 ------ INTERNET --------  RVS4000 -------- SPA504 IP phones

Is there a way to get the two SPA504 IP phones from inside the RVS4000 remote office to tie into the UC520 through a VPN tunnel, so that they would appear as two other extensions on the phones? Or must I have two public IPs and make the UC520 a firewall as well with a public IP, and connect the remote SPA504G phone over the Internet?

What is the best solution for this kind of setup?

thanks

jesse


OK, thanks, cool. Do you know if there is a guide on connecting an SPA504G phone over a VPN and into the UC520? Or if the UC520 is on the edge of the network, can you just connect to its external public IP from the SPA504G and have it push the TFTP config over the Internet?

Sure. Smart Designs: http://www.cisco.com/web/partners/sell/smb/tools_and_resources/smart_business_comm_system.html

Partner Login required.

Look near the bottom (Application note on remote teleworker).

But we don't support RVS (like I mentioned), and that phone needs to be behind an approved teleworker router.

Have a look.

The SPA504 doesn't connect like the SPA525G does. It needs a router as described in there.

I am east coast so see you tomorrow.

I know it's not technically supported, but using an IPsec VPN between the two sites I would think that traffic would be allowed and the SPA504G phone can point to the IP of the UC520.

You are correct, Jesse. The phones would get a local IP address, and the TFTP option would point to the Voice VLAN IP for the UC520. I would also recommend allowing the 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the Loopback interface, 10.1.10.2, as the TFTP source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware.

As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?

Adam Compton


Here will be the plan based off everyone's help. Thank you all.

5 workstations and 5 spa504g phones -------- switch ------- (10.0.0.1) UC520 (vpn to rvs) ------ INTERNET ------ (vpn to uc520) asa5505 (192.168.50.1) dhcp tftp option set to 10.0.0.1 ------ switch ------ 1 spa504g phone

"I would also recommend allowing 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware."

Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the UC520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way and it would be nice to keep all the IP settings the same with the UC520.

"As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?"

I only need one VPN to the RVS4000, which I will now replace with the ASA5505. This is for a small doctor who only has one remote office that needs to connect through the VPN. Yah, moving that ASA5505 is a good idea and I will incorporate this instead.

I will be testing all of this first in my lab. Do you think I can plug a crossover between the WAN links on the ASA 5505 and the UC520 with a /30 subnet and then set up a VPN between the two for testing? Would this work?

Everyone's help is appreciated.

"Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the UC520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way and it would be nice to keep all the IP settings the same with the UC520."

Changing the CUE IP address is not recommended, because it messes up a lot of things with CCA and voicemail. If you must change it, do so at your own risk.

"I will be testing all of this first in my lab. Do you think I can plug a crossover between the WAN links on the ASA 5505 and the UC520 with a /30 subnet and then set up a VPN between the two for testing? Would this work?"

That should work just fine for testing.

Adam (Straight out the Trailer) Compton


CooooowwwwwwBoooooy.

:-)

East coast hood

Steve

"The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware."

So I would need to add an ACL allowing this traffic on the WAN side of my ASA 5505 as interesting traffic? Where would I make sure this is allowed for things to work?

Here is the next requirement which I need the UC520 to perform besides the site-to-site VPN. If you have advice on whether the UC520 can do this, please advise. Thank you Nathan and Steve for your continued guidance. My UC520 is using the LAN subnet of 10.0.0.0/24.

Company B has completed creating the VPN tunnel on our side. Please provide the VPN parameters below to your IT professional so that the tunnel may be created. Please have your IT professional ping the IP addresses below that pertain to your purchase to test a successful connection to Company B:

  • Surescripts Host Servers: 192.168.50.83 and 192.168.50.86
  • RxHub Host Server: 192.168.50.85
  • Patient Portal Host Server: 192.168.50.50.

Please update your ticket once complete so that we may contact you to schedule Surescripts software installation and training. I look forward to hearing from you.

Please note that this is a Host to Host configuration and not a Gateway to Gateway.

----------------------------------------------------

Our endpoint is: 66.x.x.x

Our network is: 192.168.50.0 (255.255.255.0)

Clinic will need to make an ACL from 172.28.175.5 to host 192.168.50.83 and 192.168.50.86, and, if the portal is used, 192.168.50.50.

Clinic will need to NAT interesting traffic to 172.28.175.0 255.255.255.0.

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: *

Phase 2

ESP encryption 3DES

ESP authentication SHA1

Lifetime 28800

When you set up the VPN, you have to define which traffic goes over the VPN in an ACL. So you will have an ACL on each device permitting "this" source subnet to "that" destination subnet. Just include the 10.1.10.0/30 in your ACL statements.

As far as the information you've listed about an application, I'm not really sure what your question is. Are they going to create a VPN between one host on your network to another host on the Internet? If that is the case, then you would just need to ensure that the traffic between the two devices is allowed. If the VPN is going to terminate on the UC520, you would have to create another VPN tunnel for that purpose.

Adam Compton
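The two points Adam makes above (the crypto ACLs on each end must be mirror images of each other, and the 10.1.10.0/30 loopback subnet the UC520 sources TFTP from must be in them) lend themselves to a quick offline check. The script below is an added example, not from this thread or from Cisco; it parses IOS-style (wildcard mask) and ASA-style (subnet mask) `permit ip` lines and reports the gaps. The sample ACL lines, the ACL names and the remote phone address 192.168.50.20 are constructed for illustration.

```python
"""Audit a UC520 (IOS) and ASA crypto ACL pair for the two failure modes
discussed in the thread: non-mirrored proxy IDs and a missing 10.1.10.0/30."""
import ipaddress
import re

# The UC520 uses Loopback 10.1.10.2 (inside 10.1.10.0/30) as its TFTP source.
UC520_TFTP_SOURCE = "10.1.10.2"


def _net(addr, mask, wildcard):
    """Build an IPv4Network from an address plus IOS wildcard or ASA netmask."""
    if wildcard:  # IOS wildcard: invert to obtain the conventional netmask
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(lines, wildcard):
    """Return the set of (src, dst) network pairs from 'permit ip ...' lines.
    Handles 'host X' (/32) and 'any' (0.0.0.0/0); other entries are skipped."""
    pairs = set()
    for line in lines:
        m = re.search(r"permit ip (.+)$", line.strip())
        if not m:
            continue
        toks, nets = m.group(1).split(), []
        while toks and len(nets) < 2:
            t = toks.pop(0)
            if t == "host":
                nets.append(ipaddress.IPv4Network(toks.pop(0) + "/32"))
            elif t == "any":
                nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            else:
                nets.append(_net(t, toks.pop(0), wildcard))
        if len(nets) == 2:
            pairs.add((nets[0], nets[1]))
    return pairs


def covers(pairs, src, dst):
    """True if some ACL entry matches the src -> dst host pair."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in pairs)


def audit(uc520_acl, asa_acl, remote_phone="192.168.50.20"):
    """Return a list of findings; an empty list means the pair looks right."""
    uc, asa = parse_crypto_acl(uc520_acl, True), parse_crypto_acl(asa_acl, False)
    findings = []
    if uc != {(d, s) for s, d in asa}:
        findings.append("ACLs are not mirror images; Phase 2 proxy IDs will not match")
    if not covers(uc, UC520_TFTP_SOURCE, remote_phone):
        findings.append("UC520 ACL does not include the 10.1.10.0/30 loopback subnet")
    if not covers(asa, remote_phone, UC520_TFTP_SOURCE):
        findings.append("ASA ACL does not allow the remote phone to reach 10.1.10.2")
    return findings


# Constructed samples: BEFORE reproduces the "phones can't download config"
# symptom; AFTER adds the loopback /30 on both ends.
UC520_BEFORE = ["access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255"]
ASA_BEFORE = ["access-list VPN extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0"]
UC520_AFTER = UC520_BEFORE + ["access-list 100 permit ip 10.1.10.0 0.0.0.3 192.168.50.0 0.0.0.255"]
ASA_AFTER = ASA_BEFORE + ["access-list VPN extended permit ip 192.168.50.0 255.255.255.0 10.1.10.0 255.255.255.252"]

if __name__ == "__main__":
    print("before:", audit(UC520_BEFORE, ASA_BEFORE))
    print("after: ", audit(UC520_AFTER, ASA_AFTER))
```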

Thanks for this comment, Steven.

Where is the document that tells me what supported remote routers I can use? I had been searching all through the Smart Designs and never specifically saw anything until your comment that stated that you could have 10 remote site routers connected.

I have a similar situation but no phones are needed just data.

Thanks,

Johnny

Well, if you just need VPN support, then any router that does IPsec will work.

Steven,

Thanks for the information and the response. I had already gone over those documents but they only refer to the SR520W-FE, SR520-T1, or a UC500 for remote work.

Perhaps a better way would be to find out what Cisco classic routers are supported by CCA for teleworkers. How do I find this out?

I don't want to use an SR520 or SA500. I think there were some 800 series that were part of the solution in the past; have they been dropped?

Thanks,

Johnny

The SA500 series and the SR520-T1 are the only routers that will be supported in CCA. I've never seen any other router besides these supported in CCA, so I am not sure if the 800 series was ever supported, but I know they are not currently supported within CCA. Only Small Business Pro routers are able to be managed through CCA. Hope this helps.

Brian
