Connect two Cisco UC520 in same site

Answered Question

Hi,

We have two companies in the office, each owning a UC520. Since we are sharing the same Internet access and have a limited number of IPs, I was wondering if I could set up the UCs with one behind the other one (see attached file, option B). The computers are behind one of the UCs; the other one only has the second company's phones connected to it.


What's the optimal setup for this? Should I use two public IPs and make a tunnel between them (option A), or can I make them communicate with each other with one behind the other one?


I want to transfer calls from one UC to the other one...


Thanks!

(If I wasn't clear enough, feel free to ask me more questions. Oh and sorry about my English :)



Mathieu


Overall Rating: 5 (3 ratings)
Correct Answer
Steven Smith Mon, 08/10/2009 - 12:54

Are you using SIP trunks?  If so, I would only do option A.  If not, option B is possible, but there might be problems with firewalls and data security.


Option A is the better option.

I am using analog lines for each UC (one has 3 lines, the other one has 4).

As for data, I am not too nervous about it. Both companies (owned by my boss and his wife) are using the same servers and data. It was more of knowing if and how option was possible to do...


But as you are recommending option A anyway, I'll do that.


Also, since we are using 2 public IPs, I'll need to configure NAT. Is it possible to forward port 80 to a server, port 3389 (RDP) to another server and SMTP to another one using the same public IP? What would be the ip nat command for this?


Thanks!

Correct Answer
Steven Smith Mon, 08/10/2009 - 13:29

ip nat inside source static tcp 192.168.10.5 80 interface FastEthernet0/0 80

ip nat inside source static tcp 192.168.10.6 3389 interface FastEthernet0/0 3389


I would use CCA to do this.  It does all of the NAT translations for you and opens up the ACLs as well.  Under Configure -> Security -> NAT

Hello Steven,


Any reasons why this doesn't work?


I've attached the current config file so you can check out what I am doing wrong...

As for doing this in the CCA, I already have a few custom lines in the access-list that I do not want to be deleted, so that's why I'm doing this directly in the CLI.


Thanks! :)

Correct Answer
Steven Smith Tue, 08/11/2009 - 08:16

Actually, this is why I mentioned you might want to do it in CCA, because you forgot to add the entries into the ACLs for the ports you want to open.


Something like...


access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_15##
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 deny   ip 192.168.15.0 0.0.0.255 any
access-list 104 permit esp any any
access-list 104 permit gre any any

access-list 104 permit tcp any any eq 80

access-list 104 permit tcp any any eq 3389
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp host *REMOVED* eq domain any
access-list 104 permit udp host *REMOVED* eq domain any
access-list 104 permit icmp any host *REMOVED* echo-reply
access-list 104 permit icmp any host *REMOVED* time-exceeded
access-list 104 permit icmp any host *REMOVED* unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
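
The failure discussed in this thread, a static NAT forward whose port is never permitted by the inbound ACL, can be checked mechanically. The following Python check is an added example, not part of the original thread or of any Cisco tool. It assumes ACL 104 is the list applied inbound on the outside interface; the SMTP forward to 192.168.10.7 and the function names are constructed for illustration. It recognises only `eq PORT` entries and does not evaluate entry order.

```python
import re

# Constructed sample: the first two NAT lines and ACL number 104 follow the
# thread; the SMTP forward to 192.168.10.7 is an assumed third server.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.10.5 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.10.6 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.10.7 25 interface FastEthernet0/0 25
access-list 104 permit esp any any
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq 3389
access-list 104 deny   ip any any log
"""

# Keywords IOS shows in place of some well-known port numbers.
PORT_NAMES = {"www": "80", "smtp": "25", "domain": "53", "telnet": "23"}
NAT_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) \d+ interface \S+ (\d+)$")

def skip_addr(tok):
    """Drop one address spec from a token list: 'any', 'host A' or 'A wildcard'."""
    return tok[1:] if tok[:1] == ["any"] else tok[2:]

def permitted_port(line, acl="104"):
    """Return (proto, dst_port) for 'permit tcp|udp SRC DST eq PORT', else None."""
    tok = line.split()
    if tok[:3] != ["access-list", acl, "permit"] or tok[3:4] not in (["tcp"], ["udp"]):
        return None
    rest = skip_addr(tok[4:])
    if rest[:1] == ["eq"]:        # optional source-port match comes before DST
        rest = rest[2:]
    rest = skip_addr(rest)        # DST; leaves [] when the entry has none
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1], rest[1])
        if port.isdigit():
            return tok[3], int(port)
    return None

def unopened_forwards(config, acl="104"):
    """List (proto, inside_host, public_port) forwards the ACL never permits."""
    lines = [ln.strip() for ln in config.splitlines()]
    opened = {p for p in (permitted_port(ln, acl) for ln in lines) if p}
    found = [NAT_RE.match(ln) for ln in lines]
    return [(m[1], m[2], int(m[3])) for m in found
            if m and (m[1], int(m[3])) not in opened]

if __name__ == "__main__":
    for proto, host, port in unopened_forwards(SAMPLE_CONFIG):
        print(f"{proto}/{port} -> {host}: forwarded by NAT, no permit in ACL 104")
```

Run against a saved running-config, each reported forward is a port that NAT would translate but the firewall ACL would still drop.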