Ping Unreachable to the WAN port of UC520


We have recently upgraded our UC520, resetting it to the default settings, to the latest version UC520-8-0. Everything went very well and the configuration was successful except for three things:

1- The redial button is not active on some phones, especially the 7940, 7941, and 7942.

2- We have configured a static IP address from the ISP on the WAN port. The strange thing is that access through the Easy_VPN passes through, and even the internet for the local users is working fine, but whenever I need to telnet to the UC520 or ping that real IP address, I get destination net unreachable.

3- When accessing the CUE website, it doesn't connect to the CME and always refuses the configuring of username and password.

Can anybody help me know what the solution for this issue is?

aaronc123 Mon, 04/26/2010 - 06:07

This is intentional. There is a set of ACLs applied to the WAN interface. It allows some traffic in, but not others. Pings are being discarded to mask the device. Bad guys won't be able to find it as easily ...

aaronc123 Tue, 04/27/2010 - 09:20

The best thing is to connect via VPN, then connect to the system. This would keep everything protected.

Also, don't use telnet ... use SSH

That said ... if you really want to start poking holes in the firewall you can. My demo unit is going out today, so I can't look at the exact config, but you'll need to find the ACL associated with the WAN port. Then update it to permit the traffic that you need. If you are going to do this, please try to be as specific as possible, don't let anyone SSH to the box from anywhere, limit it as much as possible.

The static NAT mapping can be done via CCA very easily. Take a look at it. It should be easy. Of course, be careful, I've not had to change the security part of the UC500 too much, but with the SR520 router, CCA likes to overwrite your manual ACL changes ...

Hello again,

I have tried the static NAT via the CCA but it wasn't successful for me.

I have configured a static NAT for remote desktop to a server on port 3389 and it didn't work.

Note: just for a test I also configured static NAT for telnet on port 23 to the same local IP of the UC and it works successfully, but any other static NAT to the internal servers like SMTP, Remote Desktop, Web server didn't work, and I can ping all the servers from the UC.

Any ideas?

Hello again,

I'm using CCA 2.2 (2), and by the way I have resolved the ping issue after investigating the issue.

The issue was that the FastEthernet interface has a command to use ip access-group 104 in. I searched for this access-group and I couldn't find it, and I found 107. Once I changed it to use access-group 107 in, everything worked fine.

I don't know if this was the solution, but it works fine.

Now we still have the problem connecting the CUE to the CME: when I access the CUE web and check the history report, it says it cannot connect to the Call Manager Express.

Thanks again

Marcos Hernandez Wed, 05/05/2010 - 08:11

If you have a WAN port with no ACL you are exposing your site. This is a serious security flaw. You should edit the ACL to allow the traffic you want, not delete it completely. We can help you with the ACL configuration.
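
An added example, not part of any post above and not Cisco's or the posters' code: a small Python audit that reads an IOS-style configuration and reports interfaces whose inbound `ip access-group` names an ACL that is not defined (the 104 case described in the thread) and interfaces that have no inbound ACL at all. The sample configuration, interface names, addresses and ACL entries are constructed for illustration.

```python
import re

# Constructed sample, not the thread's real device config. ACL numbers 104/107
# echo the thread; interface names, addresses and ACL entries are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description WAN
 ip address 192.0.2.10 255.255.255.0
 ip access-group 104 in
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip access-group LAN-IN in
!
access-list 107 permit icmp any any echo-reply
access-list 107 deny ip any any
ip access-list extended LAN-IN
 permit ip any any
"""

def audit_acl_bindings(config):
    """Return (dangling, unfiltered): {interface: undefined ACL}, [interfaces with no inbound ACL]."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    bindings, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:                                   # start of an interface stanza
            current = m.group(1)
            bindings[current] = None
        elif line and not line.startswith(" "):
            current = None                      # any other top-level line ends the stanza
        elif current:
            m = re.match(r"\s+ip access-group (\S+) in\b", line)
            if m:
                bindings[current] = m.group(1)
    dangling = {i: a for i, a in bindings.items() if a and a not in defined}
    unfiltered = [i for i, a in bindings.items() if a is None]
    return dangling, unfiltered

if __name__ == "__main__":
    dangling, unfiltered = audit_acl_bindings(SAMPLE_CONFIG)
    print("inbound ACL referenced but not defined:", dangling)
    print("no inbound ACL applied:", unfiltered)
```

Run it against a saved copy of the running configuration after any CCA change, since the thread notes that CCA can overwrite manual ACL edits.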