Installing an SR-520W (Fast Ethernet) in front of a UC520 with a Cbeyond SIP Trunk

Unanswered Question
Oct 1st, 2009
User Badges:

I recently installed a UC520 with a SIP Trunk from Cbeyond Communications at a customer of mine.  I had also purchased an SR-520W for this customer for SSL-VPN and wireless networking, as well as additional security.  I have NOT yet installed the SR-520W because I wanted to get things up and running with the UC520 first.  My preference is to do everything in CCA and to avoid CLI whenever possible.  I have a few questions that I've had trouble getting answers to through the normal channels, so I wanted to see if someone could help me out here.

1. Apparently, when you install an SR-520 in front of a UC520, you have to disable the firewall on the UC520 since the SR-520 will be handling NAT, etc.  I've spoken with Cbeyond and they're pretty sure the SR-520 will work fine with their SIP trunk, but they're not 100% sure.  They are recommending that I back up the UC520 configuration first so if necessary I can just put things back the way they were (since everything is working fine through the UC520).  So, my first question here is what's the best way to backup the UC520 so that it can be restored (through CCA, through TFTP with CLI)?  What needs to be backed up and how do you restore everything.

2. My next question would be, is it advisable to put an SR-520 or SR-520W in front of a UC520?  What protection does the SR-520 provide that the UC520 doesn't?  Essentially, I'd like to know why the customer should spend an additional $500.00 for the SR-520.  The people I've spoken to at Cisco have suggested, "you could put an SR-520 in front of a UC520", but no one has really told me why I should do it or why I shouldn't do it.  Are there additional security benefits to having the SR-520W in a UC520 solution (beyond the ability to do wireless and SSL-VPN)?  Traditionally, I would have a firewall (such as a Cisco Pix or ASA, or  SonicWALL) protecting my data network.  What's the best way to protect the voice and data network when everything is behind the UC520, or is it better to separate out the data network?

3. Is it possible to utilize the SSL-VPN and wireless features of the SR-520W without putting it in front of the UC520, i.e. by plugging it into the LAN?

4. Are there any known issues with having the UC520 behind the SR-520W, especially as it relates to voice, with a SIP trunk?

5. I've attached two PDF documents that I obtained from Cisco.  The "UC500SR500" document was provided to me by PDI when I asked them about installing the SR-520W in front of the UC520.  The document was written for CCA 1.9, but I was told I could use this as a reference.  The second document I obtained from Cbeyond, but apparently it was created mostly by Cisco.  This document was also written for CCA 1.9, and it only discusses installing the UC520 with Cbeyond's SIP product.  It specifically says any other components are outside the scope of the document.  These seem to be the latest documents available, and I'm wondering if Cisco has any plans to release updated documents written for CCA 2.1.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Tomoo Esaka Fri, 10/02/2009 - 19:57
User Badges:
  • Cisco Employee,

Hi Adam,

Pls see below for my response:

1. You can use CCA Maintenance > Configuration Archive > Backup to backup UC500 config. Same tool can be used for restore

As a fallback, you can also collect troubleshooting log which will include the config of UC500

Help > Support Information > Troubleshooting Log

2. SR520 supports Intrusion Prevention (IPS) and URL filtering in addition to firewall and SSL-VPN capabilities.


3. In theory, yes, but SR500 was designed as a WAN termination/Security router. If you just want LAN-side AP or SSL-VPN server, UC540W can do the trick as well.

4. SR520 will simply forward incoming SIP traffic to UC500, so as long as your routing and FW settings are correct, should be OK

5. The docs should still be applicable for CCA 2.1. Some of the menu placement and help text may have changed, but the SIP trunk configs for Cbeyond should be the same.


This Discussion