UC520 configured behind ASA will not allow access to its subnets

Unanswered Question
Oct 27th, 2009

I went over every document and walk-through I could find (very few for some reason) and I didn't find an answer to this question.


I used CCA and deleted the firewall and Nat from the UC520.

I assigned 192.168.50.3 to the wan interface of the UC520.

I added a static route in the ASA 5505 pointing SIP traffic, 10.1.1.0, and 10.1.10.0 to 192.168.50.3

When I try to telnet or ping to any address behind the UC520 I get a failure.


I am able to connect to 192.168.50.3 through telnet, ssh, or CCA.


What are the manual settings needed to make this work?


Is there anyway one of the Cisco guys can create a good walk-through for the ASA to UC5XX?


Thanks

Steven Smith Tue, 10/27/2009 - 16:25

Deleting NAT and the FW should do it.  What is the default route in on the UC500?  You will also probably need a route to the data VLAN on the UC500, but that shouldn't cause a problem with the voice and cue vlans.


Also, you might want to do a debug ccsip message to see if any of the traffic is actually hitting the UC500.

eoncablewire Tue, 10/27/2009 - 16:29

default route is 0.0.0.0 0.0.0.0 192.168.50.1 (which is the address of the asa)


I didn't make a route to the data VLAN as there are no devices on it. I can add it and try to telnet to 192.168.10.1


What routes should the UC520 have when it's set up behind an ASA? Just the default?


SIP traffic is working fine (except VM from SIP calls). I know traffic is getting in but it's terminating on the 192.168.50.3 address, not on 10.1.1.1 or 10.1.10.2 or 10.1.10.1. I am fairly certain the traffic is reaching it but I will check.


Any other suggestions?

Steven Smith Tue, 10/27/2009 - 16:32

It should also have a route to the CUE module, but that should be there by default.

ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0


You could post your configs if it is still not working. 

eoncablewire Tue, 10/27/2009 - 17:15

The route for Cue is correct.


I will try to get the config ready to send out soon. Thanks

eoncablewire Tue, 10/27/2009 - 18:50

Do I need to add a route in the UC520 to direct the traffic from the WAN interface to CME or CUE?

Steven Smith Wed, 10/28/2009 - 07:53

No, you don't need to do that.  All connected interfaces are automatically in the routing table.

eoncablewire Mon, 11/09/2009 - 10:04

Well, it doesn't work. Is there a document that spells out exactly what must be done to get this to work properly?

eoncablewire Mon, 11/09/2009 - 10:32

Thanks for the response. I have followed this document and it doesn't work.


I am going to try using CCA 2.1 to default the UC520 and then try it with the ASA 5505 to see if it will work.


Currently the UC520 is unable to provide internet to any PC on the UC520 LAN subnet. No PC connected between the ASA and the UC520 has access to ANY subnet behind the UC520 WAN interface (192.168.10.0, 10.1.1.0, 10.1.10.0), although I am able to access it by the address given to it on the ASA's LAN subnet of 192.168.50.3 (the WAN address of the UC520).


So just for fun I put an SR520 in front of it and one thing changed. I was able to access the subnets behind the UC520's WAN interface (192.168.10.0, 10.1.1.0, 10.1.10.0) but still no internet for the 192.169.10.0 users.


On the ASA it keeps denying traffic in the access-list even though the rule says to allow it. It just ignores the allow and denies it. This must be why it works for the SR520 and not the ASA. So what exactly do I enter for the access rules in the ASA 5505 to allow access to the UC520's local LAN subnets?


The other problem is why can't I get internet from behind the UC520? What could possibly be blocking it? With the firewall and NAT disabled I think it is bypassing all access-lists.


I am out of ideas.


Please see what you can do to clarify this.


Thanks

Steven Smith Mon, 11/09/2009 - 11:02

The steps are simple, but implementations will differ depending on the boxes that are used.


Turn off NAT on the UC500.

Turn off the FW on the UC500.

Add default route to the FW in front of it.


On the firewall...

Add routes to the networks behind the UC500.

Enable the firewall to NAT IP addresses that are behind the UC500.


The problem is the configs that exist on the firewall.  If you are already blocking IP ranges, you could have problems.  That is why it is hard to say what the exact steps are because everyone's config will be different.

eoncablewire Mon, 11/09/2009 - 11:22

I have followed all of these steps to the best of my knowledge and it doesn't work. IT MUST WORK!!!


I have already called TAC about this and the UC520 team told me the problem is the firewall, the firewall team tells me the problem is the UC520.


How can this be resolved? Whom do I talk to to make this work?



I am desperate to have this working.


I will give one example of how to make it work. There was a document that explained how to make SSL work on the ASA. It was long and super complicated but it went step by step and in the end SSL worked. I couldn't believe it.


I also need to allow ports to pass through the ASA for a game. It turned out that unlike most other routers the port mapping was a 2-step process. I had to create a static NAT entry AND an access entry. I had searched the internet for months looking for a document that spelled out the steps, to no avail. What I did find told me to 'enable the port to pass', which of course I was unable to translate into CLI or GUI entries.




Looking below, you said to 'enable the firewall to NAT IP addresses that are behind the UC500'. I am not sure what that means. How would I check and/or add this to the ASA? An access entry, static NAT, dynamic NAT? I have no idea how to implement that.


Thanks for your help so far,


Johnny

BABUL MUKHERJEE Mon, 11/09/2009 - 13:59

I had the same issue with the UC520 behind an ASA.  Here is how I've done it on the ASA:


nat (inside) 2 10.1.10.0 255.255.255.0
static (inside,inside) 10.1.10.1 10.1.10.1 netmask 255.255.255.255 norandomseq nailed
route inside 10.1.10.0 255.255.255.0 [UC520 IP on inside interface] 1


FYI the "nailed" functionality on the static is deprecated.  I haven't had any time to work on the new syntax, but this works!

Albert Wilhelm Tue, 11/10/2009 - 13:57

Hello Johnny,


Here is what I did to have the ASA access to the UC520. This allowed remote users to run the IP Communicator and register with the UC520 as well as the ability to remote manage using SSH or CCA. From your threads, it sounds like you have already configured the UC520 without firewall and NAT.


My ASA IP address is 192.168.75.1 (vlan1) and the UC520 WAN IP address is 192.168.75.2


In the ASA, I configured the following:

nat (inside) 0 access-list nonat (the name of your access-list for inside traffic)
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,inside) 192.168.75.0 192.168.75.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 norandomseq nailed


route inside 10.1.1.0 255.255.255.0 192.168.75.2 1
route inside 10.1.10.0 255.255.255.0 192.168.75.2 1


For the remote users:
access-list vpn extended permit ip 10.1.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list vpn extended permit ip 10.1.10.0 255.255.255.0 192.168.11.0 255.255.255.0


If the above does not work, you may want to try the same-security-traffic command. I needed to use this because we have a couple of remote offices that have IP phones and register with the UC520. Not sure you need this though, depending on your topology.


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


To make sure you can ping, you can also add the following:

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside


For port forwarding, you are correct. You need an access-list and static entries. Here is an example:

access-list outside_access_in remark Port forwarding IMAPS and SMTPS to LINUX server
access-list outside_access_in extended permit tcp any interface outside eq 465 (substitute your gaming port number)
access-list outside_access_in extended permit tcp any interface outside eq 993

static (inside,outside) tcp interface 465 192.168.10.xx 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 192.168.10.xx 993 netmask 255.255.255.255

access-group outside_access_in in interface outside


Hope this helps. If not, can you post your config for the ASA?


Bert Wilhelm

APW Solutions, Austin TX

Bert


Any chance of getting a topology drawing of your networks. Just a general layout showing where the phones, workstations, servers, etc connect relative to the UC and the ASA.


I tried where the ASA was the public/private interface with the UC WAN on the ASA LAN 192.168.16.0/24.

Servers were connected to the 16.0 subnet due to a remote worker via VPN needing access to them.

In-house workstations and phones were 'behind' the UC, which provided the default LANs (192.168.10.0/24 & 10.1.1.0/24).

UC had NAT and FW completely removed.


Server access by the in-house workstations was erratic.

Workstation access from the 16.0 subnet was zero.


So I'm trying to understand how these setups are configured.

Albert Wilhelm Wed, 11/11/2009 - 09:38

Hello all,


I have attached the topology showing the ASA in front of the UC520 as well as a remote office using an ASA. The ASA in the Main Office is the hub for the outside internet access as well as terminating remote VPN users and S2S remote offices. For now, all servers and workstations are located behind the UC520 on ESW switches. We may eventually move the email server to the ASA on a DMZ interface, but for now, we set up a port forward ACL/Static entry.


All internal  and remote users are able to access internal resources as well as the servers in remote offices.


Not sure how you have your ASA set up, but make sure there are routes to the UC520, NAT is configured on the ASA and STATIC entries for each of the subnets. Can you post your ASA config?


Hope this helps.

Bert Wilhelm

APW Solutions
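Putting the thread's advice together for the original poster's addressing (ASA inside 192.168.50.1, UC520 WAN 192.168.50.3, UC520 subnets 192.168.10.0/24, 10.1.1.0/24 and 10.1.10.0/24), here is an added example of the ASA side in the pre-8.3 nat/global/static syntax used above. It is not from any of the posters; it assumes the ASA interfaces are named "inside" and "outside", that the UC520 already has NAT and firewall removed with a default route to 192.168.50.1, and it drops the deprecated "nailed" keyword. The packet-tracer checks at the end are the way to confirm each hop on the box itself.

```cisco
! Added example, not the thread's own config. Assumed names: interfaces "inside"/"outside".
! Topology from the thread: ASA inside 192.168.50.1, UC520 WAN 192.168.50.3,
! UC520 subnets 192.168.10.0/24 (data), 10.1.1.0/24 (voice), 10.1.10.0/24 (CUE).

! 1. Tell the ASA that the UC520 subnets sit behind 192.168.50.3.
route inside 192.168.10.0 255.255.255.0 192.168.50.3 1
route inside 10.1.1.0 255.255.255.0 192.168.50.3 1
route inside 10.1.10.0 255.255.255.0 192.168.50.3 1

! 2. A PC on 192.168.50.0/24 reaching 192.168.10.0/24 sends to the ASA, which must
!    send the packet back out the same interface. Without this the ASA drops it.
same-security-traffic permit intra-interface

! 3. Identity (inside,inside) statics so nat-control does not drop the hairpinned
!    traffic between the ASA LAN and the UC520 subnets.
static (inside,inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,inside) 10.1.10.0 10.1.10.0 netmask 255.255.255.0

! 4. PAT for Internet access. The 0.0.0.0 0.0.0.0 source matches any inside host,
!    including 192.168.10.0/24 behind the UC520, which is why the UC520 itself no
!    longer needs NAT. A "global" for pool id 1 is required for the nat line to work.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 5. Checks, run from enable mode. Constructed sample hosts: 192.168.50.20 on the
!    ASA LAN, 192.168.10.50 behind the UC520. Each trace should end in "ALLOW" and
!    name the phase (route, NAT, ACL) where a packet would otherwise be dropped.
show route
packet-tracer input inside icmp 192.168.50.20 8 0 192.168.10.1
packet-tracer input inside tcp 192.168.10.50 1025 198.51.100.10 80
show xlate
```

If the trace stops at an ACCESS-LIST phase, the access-group applied to the inside interface is the rule to inspect, which matches the "denied even though the rule allows it" symptom reported earlier in the thread.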
