
SPA525G & SSL VPN

pro4ianyc
Level 1

Is there an updated guide for the SPA525G that can explain how to use the new features such as the SSL VPN?

For example, what is the correct format for entering the "VPN Server"? Is it just an IP address? https://? What are the requirements? Is a certificate a requirement?

19 Replies

Why not use the VPN setup Wizard included in CCA 2.2?


Marcos

Does the wizard also step you through on how to connect a SPA525G to the system?

Yes, it configures everything on the SPA525G phone.

Marcos, Thanks for the info.  I will try the wizard.

I am working on setting this up in our office to take the 525G to a site for a demo.  The phone will get plugged into their network and come up as an extension on our system.  That is the way it is intended to work.  The problem is we have a 3rd party firewall in the mix.  The WAN port of the UC500 has an IP on the LAN side (10.10.2.20) of the 3rd party firewall.  There is a public IP mapped to the UC500 WAN private IP through the firewall.  I am guessing when the 525G gets plugged in remotely,  it will try to connect to the 10.10.2.20 instead of the mapped public IP.  Can I change the phone to point to the other address?

Is it possible to use the SPA525G's internal VPN capabilities when the UC520's external/WAN IP address is not static?  My WAN IP is obtained from our ISP via DHCP, and I in turn use DDNS to ensure that the DNS name is current.

Tried using CCA 2.2(2) with UC SW Pack 8.0(2) Phone VPN Wizard, and it didn't like the DHCP WAN.  Is there some CLI workaround to configure SSLVPN using a hostname (DDNS) to define the UC520 head-end?  Don't see why it wouldn't be possible to then configure the SPA525G with a hostname instead of static WAN IP to allow itself to call home and setup the voice connection.

Thanks, Kirk

Has anyone successfully authenticated a SPA525G's SSL VPN to any other devices besides the UC500?

For example, in my setup, I have a Cisco ASA 5505 as our firewall/gateway.  I can't seem to get the phone to establish VPN connectivity on the ASA 5505.

This phone has only been tested against UC500 inside Cisco, using SSL VPN Server with a static IP.


Thanks,


Marcos

I'm currently having the same issue; I can't get my SPA525G IP Phone to connect with my Cisco ASA 5510 with an AIP-SSM10 module externally using the SSL VPN.  Has anyone been able to successfully connect a SPA525G IP phone using the SSL VPN to a Cisco ASA firewall?

In a recent ASA lab I brought the SPA525G and successfully connected the SSL tunnel to an ASA 5505.

As I do not have access to the ASA anymore I can't give you the details, but it worked.

I was able to get the SPA525G phone to connect remotely to our network using SSL VPN. The primary document I used to get it to work was found at https://supportforums.cisco.com/docs/DOC-9124.  Because networks are not all created out of the same mold, there were some modifications I had to make to get the solution to work in my network.  The primary item I was missing was creating a dedicated Tunnel Group on the ASA which tunnels all traffic (no split-tunneling). Also, on the SPA525G I had to input the fully qualified name of the VPN server, including the tunnel group name (i.e.  https://mytest.test.com/PhoneTunnel instead of just the URL of the outside interface of the ASA).  In my case I also had to manually set up the SPA525G phone to use SCCP rather than the default SIP.  I disregarded this SCCP setting at first because I had the setting enabled which auto detects SCCP, but I may have understood that out of context.  I'm not an expert by any means on the SPA525G IP Phone; my successes have come from trial and error and a strong understanding of the ASA firewall.

Hey Corey,

Thanks for your info.  I read over the documents and it mentions that "AnyConnect for Cisco VPN Phone"  license must be enabled on the ASA.  I'm running 8.2(1) and I do not see that licensing option when I run a show ver.  Do you have that option?

Got it working.  Had to create a new VPN tunnel-group dedicated for this purpose w/o any split tunneling, added a URL and it worked great. Thanks.
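A config check for the fix described in the two posts above, as an added example that is not part of the thread: it takes the URL entered as the phone's VPN server, finds the ASA tunnel group whose `group-url` matches it, and confirms that group's policy tunnels all traffic. The config excerpt is constructed; `PhonePolicy`, `Staff` and `StaffPolicy` are hypothetical names.

```python
import re

# Constructed ASA running-config excerpt (not from the thread). PhoneTunnel and its
# URL are the thread's example; PhonePolicy, Staff and StaffPolicy are hypothetical.
SAMPLE_CONFIG = """\
group-policy PhonePolicy attributes
 split-tunnel-policy tunnelall
group-policy StaffPolicy attributes
 split-tunnel-policy tunnelspecified
tunnel-group PhoneTunnel general-attributes
 default-group-policy PhonePolicy
tunnel-group PhoneTunnel webvpn-attributes
 group-url https://mytest.test.com/PhoneTunnel enable
tunnel-group Staff general-attributes
 default-group-policy StaffPolicy
tunnel-group Staff webvpn-attributes
 group-url https://mytest.test.com/Staff enable
"""

def parse_sections(config):
    """Map each top-level config line to the indented sub-commands under it."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def sub_value(sections, header, keyword):
    """Argument of the first `keyword` sub-command under `header`, or None."""
    return next((l.split(None, 1)[1] for l in sections.get(header, [])
                 if l.startswith(keyword + " ")), None)

def audit_phone_url(config, vpn_server_url):
    """Return (tunnel_group, findings) for the URL entered as the phone's VPN server."""
    sections = parse_sections(config)
    group = None
    for header, lines in sections.items():
        m = re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", header)
        if m and ["group-url", vpn_server_url, "enable"] in [l.split() for l in lines]:
            group = m.group(1)
    if group is None:
        return None, ["no enabled group-url matches the phone's VPN server URL"]
    policy = sub_value(sections, f"tunnel-group {group} general-attributes", "default-group-policy")
    split = sub_value(sections, f"group-policy {policy} attributes", "split-tunnel-policy")
    if split == "tunnelall":
        return group, []
    return group, [f"group policy {policy}: split-tunnel-policy is {split or 'inherited'}, expected tunnelall"]
```

A `None` group for the bare outside-interface URL shows why the phone needs the full URL including the tunnel group name: without a matching `group-url` it is not placed in the dedicated group.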

Marcos,

I know it has only been tested with a static, but some ISPs here use DHCP reservation for giving out "Statics". Is there a way around this, as a customer of ours uses this ISP and they have several 525s they want to use for Teleworkers?

Thanks in advance,

Bob James
