Connecting UC500 and SR520

Mar 3rd, 2009

Hi there,

I have a SR520 connected to the ADSL line, with a UC500 behind it.


UC500: and

I have created a static route on the SR520 so that all traffic for 192.168.10.x gets forwarded to This works great from the SR520, see the following:

SR520#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, Vlan75

S [1/0] via is subnetted, 1 subnets

C is directly connected, Dialer0 is subnetted, 1 subnets

S [1/0] via is subnetted, 1 subnets

C is directly connected, Dialer0

S* is directly connected, Dialer0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
But from the other PCs on the same network I cannot reach the UC500. What am I doing wrong here? Am I firewalling the traffic somehow?
I am attaching the full config file for the router (minus all passwords)
Marcos Hernandez Tue, 03/03/2009 - 04:48

Typically, the UC500 has an ACL applied to its WAN interface that blocks RFC 1918 private IPs. When used in combination with the SR520, you need to disable the UC500's firewall.

Refer to the following document:

Let me know if this helps,

Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

eljakimit Tue, 03/03/2009 - 05:18

Hi Marcos,

the firewall on the UC500 had already been disabled.

I can reach from the SR520 without any problems:

SR520#telnet 80

Trying, 80 ... Open


WWW-Authenticate: Basic realm="level_15 or view_access"

401 Unauthorized

[Connection to closed by foreign host]

but I cannot reach it from the rest of the network.

Message was edited by: eljakimit to personalize the 'hi'-line

eljakimit Tue, 03/03/2009 - 05:23

Oh, maybe to clarify:

SR520 connected to outside world

UC500 [WAN] connected to SR520

other pc's connected to SR520

Marcos Hernandez Mon, 03/09/2009 - 08:47


As indicated in our private conversation, the way to proceed here is to open a case with our TAC. This will help us in tracking the issue formally.

Thanks for understanding,


eljakimit Sun, 05/10/2009 - 23:59

Just to close this thread, I finally received some answers from the TAC people. Their opinion is as follows:

1. The firewall on the SR520 can only be turned on or off on ALL connections. It's impossible to only have the firewall check traffic on specific interfaces.

2. With the firewall turned OFF the connection can be made.

3. With the firewall turned ON a problem occurs: the pc sends packets to the SR520 (default route) which forwards them to the UC500. The UC500 forwards them to the virtual interface. The return packets, however, come through the UC500 and then go straight back to the pc because they're on the same subnet. This causes the SR520 to get confused and start blocking further traffic.

The suggested solution was to change the routing on ALL the PCs to add a static route sending some traffic to the UC500. This is obviously not feasible with the number of laptops and PCs walking in and out of the office.

So two solutions remain:

1) turn OFF the firewall completely. But this means that all connections to the internet are also no longer protected. So not really an option.

2) put the UC500 on a different VLAN, so return packets can't be sent directly to the pc.

We'll go for option 2.

And hopefully one day the feature set of the SR520 will be expanded to make it possible to turn off the firewall completely for traffic between the two in-zones.

John Platts Mon, 05/11/2009 - 08:44

It is possible to make adjustments to the SR520 firewall using the command-line interface.

Information about Zone-Based Policy Firewalls can be found at the following URL:

Sample SR520 firewall configuration:

class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all dhcp_out_self
 match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
 match access-group name dhcp-req-permit
policy-map type inspect sdm-permit-icmpreply
 class type inspect dhcp_self_out
 class type inspect sdm-cls-icmp-access
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
 class type inspect sdm-protocol-http
 class type inspect SDM-Voice-permit
 class class-default
policy-map type inspect sdm-permit
 class type inspect dhcp_out_self
 class class-default
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
!
interface FastEthernet4
 ip nat outside
 zone-member security out-zone
!
interface Vlan75
 ip nat inside
 zone-member security in-zone
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any


The above firewall settings can be adjusted by modifying or creating class maps and policy maps.
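As an added example (not posted in the thread and not Cisco's documentation), here is how option 2 from eljakimit's closing post could be expressed with the zone-based firewall CLI described above: the UC500's WAN port moves to its own VLAN and zone, so the reply packets have to transit the SR520 and the inspection session sees both directions. Interface Vlan76, zone uc-zone, the 192.168.76.0/24 addressing, the UC500 WAN address 192.168.76.2 and the class/policy names are assumptions; the SDM-Voice-permit class is reused from the sample config above.

```cisco
! Added example, not part of the thread. Assumed values: Vlan76 carries the
! UC500 WAN port, 192.168.76.2 is the UC500 WAN address, PCs stay on Vlan75.
! The in-zone/out-zone configuration from the sample above is left in place.
zone security uc-zone
!
interface Vlan76
 description UC500 WAN port on its own VLAN (option 2 of the thread)
 ip address 192.168.76.1 255.255.255.0
 ip nat inside
 zone-member security uc-zone
!
! The switch port facing the UC500 must also be moved with
! "switchport access vlan 76"; NAT ACL/pool changes are not shown.
!
! UC500 LAN sits behind its WAN address, as in the original static route.
ip route 192.168.10.0 255.255.255.0 192.168.76.2
!
! Stateful inspection for PC <-> UC500 traffic: voice signalling is matched
! first so the h323/sip/skinny inspectors handle it, everything else falls
! through to the generic tcp/udp/icmp class; unmatched traffic is logged
! and dropped.
class-map type inspect match-any lan-uc-generic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect lan-uc-inspect
 class type inspect SDM-Voice-permit
  inspect
 class type inspect lan-uc-generic
  inspect
 class class-default
  drop log
!
! One zone-pair per direction. Both paths now cross the SR520, so the
! session created by the PC's first packet matches the UC500's reply
! instead of the reply bypassing the router on the shared VLAN.
zone-pair security zp-in-uc source in-zone destination uc-zone
 service-policy type inspect lan-uc-inspect
zone-pair security zp-uc-in source uc-zone destination in-zone
 service-policy type inspect lan-uc-inspect
!
! Alternative: "zone-member security in-zone" on Vlan76 instead of uc-zone
! passes PC <-> UC500 traffic uninspected (traffic between interfaces in
! the same zone is permitted by default) while the in-zone/out-zone
! Internet policy stays in force.
```

Verify with show policy-map type inspect zone-pair sessions on the SR520 that a PC-to-UC500 connection appears as a single established session rather than as dropped out-of-state packets.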

