Configuring a no NAT, no firewall UC540W

Unanswered Question
Jun 17th, 2010

Hey guys,

I have a quick configuration question for you.  I have a customer in the government arena with very tight network policies in place where NAT is not allowed.  We are installing a Cisco UC540W along with associated handsets and network switches to provide connectivity to the client's network and to employ SIP trunking for voice.  This is a typical installation for us, except for the no NAT, no firewall requirement, and as I have sat down to engineer the project, I am running into a few questions. We will be replicating this design several times, so I want to be sure that I have it correct.

I have been issued a list of static IPs for the UC540, the switches, and computers and printers that will be connecting to the government network.  For example, 155.6.1.0 for one installation subnet.  I am currently wondering if it is better to do one of the following:

Example 1

UC540W WAN interface = 155.6.1.1/24

UC540 LAN interface = 155.6.1.2/24 w/ default gateway of 155.6.1.1

LAN computers/printers = 155.6.1.10-100/24 w/ default gateway of 155.6.1.1

Telephony = 10.1.1.0 and 10.1.10.0. 

Note: While all data is not NATed, all voice will still be NATed.  I will need to check with the client to make sure that this is not a violation of their network policies.  In the event that this is okay, will I need to program static routes in the WAN port of the UC540W to point all traffic from 10.1.1.1 and 10.1.10.1 from the WAN to the LAN?

Example 2

UC540W WAN interface = no configuration

UC540 LAN interface = 155.6.1.1/24

LAN computers/printers = 155.6.1.10-100/24 w/ default gateway of 155.6.1.1

Telephony = 10.1.1.0 and 10.1.10.0. 

Note:In this case, we would just connect the LAN side of the UC540 to the client network and not worry about passing info through the WAN port at all.  The same question about NATing the voice exists.  Is this a better way of configuring the topology?

If you need any further info, please let me know.

Thanks,

Seth

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
djh278778 Thu, 06/17/2010 - 16:28

The problem with example 1 is that the same subnet (155.6.1.0/24) is on both LAN and WAN interfaces. The router will not let you do this. I am not clear on the voice nat question. Are the SIP Trunks going over the internet or over a private connection? If it is internet then nat should be done on the device that terminates the internet connection and if this device is not the UC, then that device should have your route back to the UC for the voice subnets. If the internet will terminate on the UC, then you should only need your default routes along with nat on the UC and no other voice subnet routes (nat takes care of that when its local). If the SIP trunks are on private connections (VPN's, T1 P2P's, MPLS, etc),  you probably dont need nat at all (depending).

If internet is not terminating on the WAN interface of the UC then go with example 2 but in this case you shouldnt do nat, unless your customer can not route and do nat for your voice subnets and if that is the case and you have to nat on the UC, it could pose a problem with your SIP protocol (double natting) because eventually your customer has to nat out again for their network.

I may be more helpfull if I had more details.

sethschmautz Thu, 07/01/2010 - 09:40

Thanks for the reply.  I'm getting a little closer and understanding the network topology, but am still unsure of exactly how the network will need to be configured.

The client does not allow NAT of the data VLAN on their network, and we are essentially using a leased line to connect these guys from their remote locations to their corporate network.  The SIP trunk provider is also the provider of the leased line, so the voice should land on the ITSP's network prior to travelling over the backhaul back to the corporate network.  I'm going to give examples of the IP addresses so I can hopefully understand how all of this is going to work:

ITSP modem IP: x.y.2.254

UC540W LAN IP: x.y.2.200

Subnet: 255.255.255.0

Default Gateway: x.y..2.254 (ITSP modem IP)

DNS 1: a.b.231.150 (probably corporate DNS server)

DNS 2: c.d.222.62 (probably ITSP DNS servers)

DHCP Server: UC540

My current thought is to connect the UC540 LAN port to the ITSP modem, but I have the following problems/questions:

When a request is made from the a LAN device, it appears as though the request will be made to the ITSP modem and the modem will forward all traffic to the appropriate location without needing to route through the UC540, does that look right to you? 

Here are my existing questions at this time:

1. When I make a phone call using the SIP trunk, will the UC540 know to send the voice traffic out a LAN port rather than a WAN port?

2. When incoming calls come from the SIP trunk (which is effectively on the LAN of the UC540), will the UC540 handle them properly?

If anything in the network above does not make sense, let me know.  I'm going to set this up in my lab to check this out very shortly, but can use all of the help that I can get at this time. 

Thanks in advance,

Seth

djh278778 Thu, 07/01/2010 - 15:56

To quickly answer your questions below for your proposed setup:

On Sip calls your dialpeer will point to a session target (ip address) and as long as you have a route for that remote network pointing to the x.y.2.254 (ITSP modem), and the ITSP has the proper routes as well, then you shouldnt have any problems. In other words there is a look up on the routing table in the UC and as long as the next hop (in this case x.y.2.254) is available, it doesnt matter which interface its on. This kind of depends on a fiew things though:

When you say LAN, are you talking about changing the voice VLAN from a private to a public subnet? is x.y.2.254 a public address?

Is the SIP trunk a seperate ISP offering than the leased line you mentioned, or are you doing your own SIP trunk over the leased line?

sethschmautz Thu, 07/01/2010 - 16:22

Gotcha.

So I would need to build a static route on the UC540 to point traffic to a specific IP (SIP trunk) toward the ITSP modem IP, correct?  I believe that's what you are saying.

When I said "LAN", I was meaning the LAN side of the UC540, i.e. not connected to the WAN port, but to one of the PoE LAN ports on the front of the UC540.

The idea of putting the phones on the public IP subnet (yes, those addresses are public) had occurred to me, but I hadn't really fleshed out that idea yet.  I suppose if I went that route I would need to readdress CME and CUE on the UC540 to this same subnet and change DHCP for VLAN 100, or remove it entirely, correct?

Thanks for your help.

Seth

djh278778 Thu, 07/01/2010 - 16:39

Yes, that is what I am saying but it depends on your SIP impimentation as well. another possibility is to make the ITSP modem the default gateway in the phone (if they will be public like the ITSP modem) since it will be on the same broadcast domain as the phones.

The success of the outgoing and incoming calls also depend on the ougoing and incoming dialpeers as well (sorry to point out the obvious).

sethschmautz Fri, 07/02/2010 - 11:10

Thanks again for your thoughts on this matter.  Most of the time, our configurations are pretty straight forward.  This is the first time that we've used the UC540 in this manner where we are likely going to forwarding the traffic through a LAN port rather than a WAN Port and will not be using the WAN port at all.  That said, I spoke with the ITSP today and I'm going to set up a test on my network to try to mimic this as much as possible with a couple of different scenarios (as follows) while they get the SIP trunk provisioned. 

another possibility is to make the ITSP modem the default gateway in the phone (if they will be public like the ITSP modem) since it will be on the same broadcast domain as the phones.

In the above italicized scenario, would you set only the default gateway in the public IP range or would you also set the IP of the phone statically?  This reveals a bit of a my lack of understanding of exactly how the calls are connected through the UC540 to the appropriate phones. 

I really want to continue to use CUE and CME for this configuration to the use of voicemail, extension dialing, and other features of CME.  To make use of this, I assume that the UC540 has to assign this information What information would be helpful to know to work on configuring the dial peers properly?

Thanks again for your help.

Seth

sethschmautz Fri, 07/02/2010 - 13:55

Hey guys,

Just wanted to let you know that we were able to get things up and running without a hitch.  It is a test, and not on the ITSP's network, but I think that I was able to recreate the network close enough to feel good about things.

I did have to set up a static route to push all data 0.0.0.0 subnet 0.0.0.0 toward the ITSP modem (static IP), but as soon as I did that, everything seemed to fall into place.  Thanks again for your help.

Seth

Actions

This Discussion