3815 Views, 0 Helpful, 31 Replies

UC520 Behind ASA 5505 w/VPN to RVS4000

Jesse Shumaker
Level 1

First, let me show you the physical setup of my network.

UC520 ------ ASA5505 ------ INTERNET --------  RVS4000 -------- SPA504 IP phones

Is there a way to get the two SPA504 IP phones from inside the RVS4000 remote office to tie into the UC520 through a VPN tunnel, so that they would appear as two other extensions on the phones? Or must I have two public IPs and make the UC520 a firewall as well with a public IP, and connect the remote SPA504G phone over the internet?

What is the best solution for this kind of setup?

Thanks,

Jesse

3 Accepted Solutions

You're fine. You have just one teleworker.

You can have the max SKU-supported host users; that doesn't eat into the WAN interconnect budget for VPN.

The UC500 doesn't need a firewall in front of it since it has its own.


You are correct, Jesse. The phones would get a local IP address, and the TFTP option would point to the voice VLAN IP for the UC520. I would also recommend allowing the 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the loopback interface, 10.1.10.2, as the TFTP source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware.

As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on.  The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well.  Have you thought about moving the ASA to the remote site instead of the RVS4000?

Adam Compton


Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the UC520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way and it would be nice to keep all the IP settings the same with the UC520.

Changing the CUE IP address is not recommended, because it messes up a lot of things with CCA and voicemail. If you must change it, do so at your own risk.

I will be testing all of this first in my lab. Do you think I can plug a crossover between the WAN links on the ASA 5505 and the UC520 with a /30 subnet and then set up a VPN between the two for testing? Would this work?

That should work just fine for testing.

Adam (Straight out the Trailer) Compton


31 Replies

Nathan Compton
Level 4

You can set up an IPsec VPN between the ASA and RVS4000. Make sure that your voice VLAN (by default 10.1.1.0/24) is set as traffic that will go over the VPN. Then you can set the TFTP address on the 504G phone to be the CME IP address (normally 10.1.1.1).

Adam Compton

So will I just use one of the Ethernet jacks on the UC520 and give it a local internal IP that matches my LAN? Currently we are on 10.0.0.0/24.

Nathan Compton
Level 4

Use the 520 as the "core" of the network. Plug the WAN interface of the UC520 into the "inside" interface on the ASA. The link between the UC520 and the ASA will have its own subnet, something like 172.16.1.0/30 or whatever you choose. Turn off the firewall and NAT in the UC520. The ASA will have all NAT settings. When you set up your VPN between two sites, you have to specify ACLs for what traffic will traverse the VPN, so make sure that traffic between the phone VLAN subnet and the remote subnet will traverse the VPN. If you can ping your phone VLAN default gateway from the remote subnet, you should have connectivity.

Adam Compton

I also have phones on the ASA 5505 LAN side that need to connect into the UC520 and be set up. What kind of IP settings should these grab? Is this diagram how it should look? When you say the UC520 should be the core, do you mean that it should be the default gateway for all of its LAN IPs and hand out DHCP to the phones and workstations?

SPA504G PHONES and Workstations ------ SWITCH ----- 10.0.0.1/24 UC520 172.16.1.1/30 ------ 172.16.1.2/30 ASA5505 98.x.x.x/28 ---------- INTERNET ---------- RVS4000 --------- SWITCH --------- REMOTE SPA504G PHONE

Thanks for your help.

This looks correct on the diagram. Have all of the workstations and phones get DHCP from the UC520 and let the UC520 be the default gateway. With this setup, you can segment your network into VLANs without affecting the 5505. The 5505 will perform firewalling for the internet and terminate the VPN connections. All internal routing will be performed by the UC520.

Adam Compton
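As an added worked example (not from the original thread or from any of the posters), here is the ASA 5505 side of the design Adam describes above: the inside interface on the 172.16.1.0/30 link to the UC520, static routes for the subnets that live behind the UC520, NAT exemption for tunnel traffic, and a site-to-site IPsec tunnel whose interesting-traffic ACL includes the voice VLAN (10.1.1.0/24) and the CUE loopback subnet (10.1.10.0/30), so that TFTP sourced from 10.1.10.2 reaches the remote phones. Addresses taken from the thread: data LAN 10.0.0.0/24, voice VLAN 10.1.1.0/24, CUE 10.1.10.0/30, UC520 172.16.1.1, ASA 172.16.1.2. Assumptions not stated in the thread: ASA software 8.2 (pre-8.3 NAT syntax), the remote RVS4000 LAN is 192.168.1.0/24, the RVS4000 public address is 203.0.113.10, and the ACL, transform-set and crypto-map names are arbitrary.

```cisco
! Added example for the ASA 5505 (assumed 8.2 software, pre-8.3 NAT syntax).
! Assumed values: remote LAN 192.168.1.0/24, remote peer 203.0.113.10, placeholder PSK.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.252
interface Vlan2
 nameif outside
 security-level 0
 ip address <public-address-from-the-98.x.x.x/28-block> 255.255.255.240
!
! Nothing behind the UC520 is directly connected to the ASA; route it all to 172.16.1.1.
route inside 10.0.0.0 255.255.255.0 172.16.1.1
route inside 10.1.1.0 255.255.255.0 172.16.1.1
route inside 10.1.10.0 255.255.255.252 172.16.1.1
!
! Interesting traffic for the tunnel. The 10.1.10.0/30 line is the one that is
! usually forgotten: the UC520 sources TFTP from 10.1.10.2, so without it remote
! phones never download their config or firmware.
access-list VPN-RVS4000 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-RVS4000 extended permit ip 10.1.10.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list VPN-RVS4000 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Exempt the same traffic from NAT. If it gets PAT'ed to the outside address it
! no longer matches the crypto ACL and goes out in the clear instead.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! IKEv1 phase 1 and phase 2. Pick the strongest proposal the RVS4000 also offers;
! AES/SHA rather than DES/MD5, and the same values on both ends.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-RVS4000
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <long-random-pre-shared-key>
```

The RVS4000 side has to mirror this: local group 192.168.1.0/24, remote group(s) covering the same three UC520 subnets, and the same IKE/IPsec proposal and pre-shared key; a subnet or proposal mismatch is the usual reason phase 2 never comes up. If the RVS4000 only accepts one remote subnet per tunnel, one option is to summarize the three UC520 subnets as 10.0.0.0/15 on both ends, keeping the crypto ACLs identical on both sides. On the UC520, with its own NAT and firewall turned off as Adam says, a default route to 172.16.1.2 is all that is needed. To check the tunnel, ping 10.1.1.1 (CME) and 10.1.10.2 (CUE) from the remote LAN; `show crypto ipsec sa` on the ASA should then show encaps and decaps counters climbing for both the 10.1.1.0/24 and the 10.1.10.0/30 proxy identities, not just the first one.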

On second thought, why don't I just take out the ASA 5505 and have the UC520 do everything? What issues would you see with this? Are there user licensing concerns or a maximum number of IP sessions it allows?

From a support standpoint, the RVS isn't a qualified remote teleworker router in the SBCS product suite.

If you want to take advantage of a great deal (big discount), buy SPA525s and use them with the built-in SSL client capability to connect from anywhere directly to the UC500. Ask your SBAM about the program I believe we may be running. This is supported and you don't need the ASA in front of the UC.

Unless you have requirements that we don't know about? The UC500 has the traditional IOS Firewall and NAT, which is very seaworthy. It is also the SSL server in this case for the SPA525.

If you want to depreciate the assets you currently have, then purchase an SBCS-grade teleworker router, namely the SR 520.

Steve DiStefano

Technical Solutions Architect - Partner Sales

Yeah, we have already bought the equipment. Nice sales pitch (kidding ;)). And the RVS4000 can make an IPsec VPN, which is all we need. This remote site has around 5 users and one remote SPA504G phone.

I just wanted to verify that the UC520 can do the entire job without the help of an ASA 5505.

Is there a limitation on the number of connections out of a UC520, or any type of traffic limitation I should be concerned about?

Yep, 10 total teleworkers (routers or clients).

So a total of 10 IP-enabled devices can be used, either a workstation or a phone?

It can be 10 teleworker router connections with IPsec (EACH WITH UP TO 5 PHONES), 10 individual EZVPN PCs with CIPC connecting to the UC500, 10 SSL VPN SPA525 SSL client connections, OR ANY MIX OF THE ABOVE not to exceed 10.

The UC560 will do 20.

Ask about Cisco’s 0% financing offer for UC540 and UC560

I will have 5 employees who run Windows XP, and each one will have an SPA504G phone. I will also have a remote SPA504G phone from another office that will connect into the UC520. Will I be over the limit?

Is it the preferred way to use another firewall like an ASA 5505 in front of a UC500 device for internet access?
