New implementation questions

Unanswered Question
Nov 10th, 2009

Starting a new UC520 multi-site implementation and have a few questions with regard to what is and what is not supported now in CCA. We have done most of this before without using CCA but would prefer to use CCA if possible.

2 Sites

Site 1 - 48 user with PRI and 100 DIDs and 2 POTs for failover

Site 2 - 24 user with SIP Trunk and 25 DIDs and 2 POTs for failover

Not using the integrated firewalls at either location. Using an existing firewall solution at both sites. Need to configure site-to-site extension dialing.

Of the above items, can I do all of this now with CCA? It sounds like I can, but it also appears that the multi-site function in CCA is only available if I am using the integrated firewall.

Thanks...

Steven Smith Tue, 11/10/2009 - 11:47

If the existing firewalls were SR520s, this would work. Other than that, I believe you are correct. You would need the UC to have its existing firewall.

stephen.hand Tue, 11/10/2009 - 11:54

So can you point me to a configuration example for configuring multi-site without the integrated or SR520 firewall?

Steven Smith Tue, 11/10/2009 - 11:59

https://supportforums.cisco.com/docs/DOC-9488

Ignore the IPSEC portions.  You can also change the dial-peers and translation patterns to be more to your liking if you so choose.

When you ignore the IPSEC portions, it would be good for you to have IPSEC between your firewalls so that the devices can communicate.

John Platts Tue, 11/10/2009 - 12:13

The multisite manager in CCA 2.1 will work only if:

  • You have a UC520 at all of the sites that need to be managed by the multisite manager
  • The UC520 is either directly connected to the Internet or placed behind a SR520-T1

Future versions of the multisite manager will support UC520 units placed behind a SR520-ADSL, SR520-FE, or SA500.

If you cannot use the multisite manager, but all of your sites have IOS-based VPN routers, you can set up VPNs using tunnel interfaces. Tunnel interfaces are the easiest way to do VPNs when you cannot use the CCA multisite manager.

Advantages of tunnel interfaces:

  • No need for a crypto map on your WAN interface
  • Multicast traffic can be sent through tunnel interfaces, if you are using PIM-capable routers
  • Traffic sent through tunnel interfaces is not blocked by WAN interface firewall rules
  • Easiest method to configure VPNs between IOS-based endpoints (such as the UC520, UC540, SR520, and ISRs)
  • Traffic to be sent through tunnel interfaces is specified through ip route commands
  • WAN interface only needs ACL entries to allow IPsec traffic
  • Can avoid modifying NAT entries as long as the following are true:
    • IP subnets to be connected by the tunnel interfaces are unique
    • The correct entries are added to the routing tables at each of the sites

Disadvantages of tunnel interfaces:

  • IPsec static tunnel interfaces will not work for VPN endpoints that are not running IOS (such as the ASA 5500 series or SA500 series)
  • Requires that each site has a static IP address or DDNS is used, except for DMVPN spokes

Here is how to set up an IPsec static tunnel interface:

  1. Configure a crypto keyring for each site with the correct pre-shared key.
  2. Configure one or more crypto ISAKMP policies. The recommended policy, supported on all of the routers with tunnel interface support, is 3DES encryption, group 2, and pre-shared key.
  3. Configure an ISAKMP profile for each tunnel. If dynamic DNS is used, you need to use the self-identity fqdn command on the router that has DDNS configured, and match identity on the other router. You must have both a match identity statement and a keyring configured in the ISAKMP profile.
  4. Configure one or more IPsec transforms for each tunnel. You must use IPsec tunnel mode for these transforms. You must not use IPsec transport mode for these transforms. The transform normally used is ESP with 3DES and SHA-HMAC in IPsec tunnel mode.
  5. Configure an IPsec profile for each tunnel. You must specify one or more transforms that use ESP and IPsec tunnel mode and the ISAKMP profile used in the IPsec profile.
  6. Configure a tunnel interface. The tunnel interface must:
    • have an ip unnumbered statement. This specifies the IP address that will be used for the tunnel interface. The interface whose IP address will be used for the tunnel interface is specified in the ip unnumbered statement. ip unnumbered BVI1 or ip unnumbered Vlan1 should normally be used here.
    • have a tunnel source statement. The tunnel source must be set to your WAN interface.
    • have a tunnel destination statement. The tunnel destination must be set to the IP address or DDNS hostname of the other endpoint.
    • have tunnel mode ipsec ipv4 set. This is very important as this sets up an IPsec over IPv4 tunnel.
    • tunnel protection ipsec profile must be set to the correct IPsec profile. This specifies the ISAKMP and IPsec settings that will be used by this tunnel interface.
  7. Add routes to the subnets that need to be accessed using the ip route command.

IPsec static tunnel interfaces are the easiest to set up. I have also tested the configuration at many of our customer sites, and I know that this configuration behaves correctly. All of the software releases on UC500 units support this feature, and as far as I know, the IPsec tunnel interface behaves correctly on all of the IOS versions supported on the UC500 platform.

CCA does not currently support tunnel interfaces for site-to-site VPNs. However, CCA 1.9 and later will support dynamic tunnel interfaces for Easy VPN.

Steven DiStefano Fri, 04/16/2010 - 05:24

No, we can't. Not today. Requires a CCA platform enhancement in Multisite Manager.

Steven DiStefano Fri, 04/16/2010 - 06:00

That's the way I get remote teleworkers to connect to the UC500 direct (passthru the SA500), but I never tried it on multisite since the MSM doesn't recognize the SA500.