UC520 Behind ASA 5505 w/VPN to RVS4000

First, let me show you the physical setup of my network.

UC520 ------ ASA5505 ------ INTERNET --------  RVS4000 -------- SPA504 IP phones

Is there a way to get the two SPA504 IP phones inside the RVS4000 remote office to tie into the UC520 through a VPN tunnel, so that they would appear as two other extensions on the phones? Or must I have two public IPs and make the UC520 a firewall as well with a public IP, and connect the remote SPA504G phone over the internet?

What is the best solution for this kind of setup?

Thanks,

Jesse


31 REPLIES

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

You can set up an IPsec VPN between the ASA and the RVS4000. Make sure that your voice VLAN (by default 10.1.1.0/24) is set as traffic that will go over the VPN. Then you can set the TFTP address on the 504G phone to be the CME IP address (normally 10.1.1.1).

Adam Compton


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

So will I just use one of the Ethernet jacks on the UC520 and give it a local internal IP that matches my LAN? Currently we are on 10.0.0.0/24.

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Use the 520 as the "core" of the network. Plug the WAN interface of the UC520 into the "inside" interface on the ASA. The link between the UC520 and the ASA will have its own subnet, something like 172.16.1.0/30 or whatever you choose. Turn off the firewall and NAT in the UC520; the ASA will have all NAT settings. When you set up your VPN between two sites, you have to specify ACLs for what traffic will traverse the VPN, so make sure that traffic between the phone VLAN subnet and the remote subnet will traverse the VPN. If you can ping your phone VLAN default gateway from the remote subnet, you should have connectivity.

Adam Compton


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

I also have phones on the ASA 5505 LAN side that need to connect into the UC520 and be set up. What kind of IP settings should these grab? Is this diagram how it should look? When you say the UC520 should be the core, do you mean that it should be the default gateway for all of its LAN IPs and hand out DHCP to the phones and workstations?

SPA504G PHONES and Workstations ------ SWITCH ----- 10.0.0.1/24 UC520 172.16.1.1/30 ------ 172.16.1.2/30 ASA5505 98.x.x.x/28 ---------- INTERNET ---------- RVS4000 --------- SWITCH --------- REMOTE SPA504G PHONE

Thanks for your help.

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

This looks correct on the diagram. Have all of the workstations and phones get DHCP from the UC520 and let the UC520 be the default gateway. With this setup, you can segment your network into VLANs without affecting the 5505. The 5505 will perform firewalling for the internet and terminate VPN connections. All internal routing will be performed by the UC520.

Adam Compton


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

On second thought, why don't I just take out the ASA 5505 and have the UC520 do everything? What issues would you see with this? Are there user licensing concerns or a maximum number of IP sessions it allows?

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

From a support standpoint, the RVS isn't a qualified remote teleworker router in the SBCS product suite.

If you want to take advantage of a great deal (big discount), buy SPA525s and use their built-in SSL client capability to connect from anywhere directly to the UC500. Ask your SBAM about the program I believe we may be running. This is supported, and you don't need the ASA in front of the UC.

Unless you have requirements that we don't know about? The UC500 has the traditional IOS Firewall and NAT, which is very seaworthy. It is also the SSL server in this case for the SPA525.

If you want to depreciate the assets you currently have, then purchase an SBCS-grade teleworker router, namely the SR 520.

Steve DiStefano

Technical Solutions Architect - Partner Sales


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Yeah, we have already bought the equipment. Nice sales pitch (kidding ;)). And the RVS4000 can make an IPsec VPN, which is all we need. This remote site has around 5 users and one remote SPA504G phone.

I just wanted to verify that the UC520 can do the entire job without the help of an ASA 5505.


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Is there a limitation on the number of connections out of a UC520, or any type of traffic limitation I should be concerned about?

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Yep, 10 total teleworkers (routers or clients).


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

So a total of 10 IP-enabled devices can be used, either a workstation or a phone?

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

It can be 10 teleworker router connections with IPsec (EACH WITH UP TO 5 PHONES), 10 individual EZVPN PCs with CIPC connecting to the UC500, 10 SSL VPN SPA525 SSL client connections, OR ANY MIX OF THE ABOVE, not to exceed 10.

The UC560 will do 20.

Ask about Cisco’s 0% financing offer for the UC540 and UC560.


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

I will have 5 employees who run Windows XP, and each one will have an SPA504G phone. I will also have a remote SPA504G phone from another office that will connect into the UC520. Will I be over the limit?

Is it the preferred way to use another firewall like an ASA 5505 behind a UC500 device for internet access?

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

You're fine. You have just one teleworker.

You can have the max SKU-supported host users; that doesn't eat into the WAN interconnect budget for VPN.

The UC500 doesn't need a firewall in front of it since it has its own.


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

OK, thanks, cool. Do you know if there is a guide on connecting an SPA504G phone over a VPN and into the UC520? Or if the UC520 is on the edge of the network, can you just connect to its external public IP from the SPA504G and have it push the TFTP config over the Internet?

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Sure. Smart Designs: http://www.cisco.com/web/partners/sell/smb/tools_and_resources/smart_business_comm_system.html

Partner Login required.

Look near the bottom (application note on remote teleworker).

But we don't support the RVS (as I mentioned), and that phone needs to be behind an approved teleworker router.

Have a look.

The SPA504 doesn't connect like the SPA525G does. It needs a router as described in there.

I am East Coast, so see you tomorrow.


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

I know it's not technically supported, but using an IPsec VPN between the two sites, I would think that traffic would be allowed and the SPA504G phone can point to the IP of the UC520.

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

You are correct, Jesse. The phones would get a local IP address, and the TFTP option would point to the voice VLAN IP of the UC520. I would also recommend allowing the 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the loopback interface, 10.1.10.2, as the TFTP source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware.

As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?

Adam Compton


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Here is the plan based off everyone's help. Thank you all.

5 workstations and 5 SPA504G phones -------- switch ------- (10.0.0.1) UC520 (VPN to RVS) ------ INTERNET ------ (VPN to UC520) ASA5505 (192.168.50.1) DHCP TFTP option set to 10.0.0.1 ------ switch ------ 1 SPA504G phone

"I would also recommend allowing 10.1.10.0/30 subnet for voicemail. The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware."

Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the UC520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way, and it would be nice to keep all the IP settings the same with the UC520.

"As far as the ASA vs. UC520 firewall goes, if all you are wanting to do is terminate VPNs, Steve is spot on. The ASA can support more VPN connections if you pay for the licensing, but the UC520 would handle this scenario well. Have you thought about moving the ASA to the remote site instead of the RVS4000?"

I only need one VPN to the RVS4000, which I will now replace with the ASA 5505. This is for a small doctor who only has one remote office that needs to connect through the VPN. Yeah, moving that ASA 5505 is a good idea, and I will incorporate this instead.

I will be testing all of this first in my lab. Do you think I can plug a crossover between the WAN links on the ASA 5505 and the UC520 with a /30 subnet and then set up a VPN between the two for testing? Would this work?

Everyone's help is appreciated.

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Nathan (Straight out of) Compton, can I change these 10.1.10.2 voicemail settings on the UC520 so everything is 10.0.0.1, or is this hardcoded? Currently the network is set up that way, and it would be nice to keep all the IP settings the same with the UC520.

Changing the CUE IP address is not recommended, because it messes up a lot of things with CCA and voicemail. If you must change it, do so at your own risk.

I will be testing all of this first in my lab. Do you think I can plug a crossover between the WAN links on the ASA 5505 and the UC520 with a /30 subnet and then set up a VPN between the two for testing? Would this work?

That should work just fine for testing.

Adam (Straight out the Trailer) Compton

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

CooooowwwwwwBoooooy.

:-)

East coast hood

Steve


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

"The UC520 typically uses the Loopback interface, 10.1.10.2, as the tftp source IP address. It's a common problem that this traffic is not allowed over the VPN, and phones can't download config files and firmware."

So I would need to add an ACL allowing this traffic on the WAN side of my ASA 5505 as interesting traffic? Where would I make sure this is allowed for things to work?


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Here is the next requirement which I need the UC520 to perform besides the site-to-site VPN. If you have advice on whether the UC520 can do this, please advise. Thank you, Nathan and Steve, for your continued guidance. My UC520 is using the LAN subnet 10.0.0.0/24.

Company B has completed creating the VPN tunnel on our side. Please provide the VPN parameters below to your IT professional so that the tunnel may be created. Please have your IT professional ping the IP addresses below that pertain to your purchase to test a successful connection to company B:

  • Surescripts Host Servers: 192.168.50.83 and 192.168.50.86
  • RxHub Host Server: 192.168.50.85
  • Patient Portal Host Server: 192.168.50.50

Please update your ticket once complete so that we may contact you to schedule Surescripts software installation and training. I look forward to hearing from you.

Please note that this is a Host to Host configuration and not a Gateway to Gateway.

----------------------------------------------------

Our endpoint is: 66.x.x.x

Our network is: 192.168.50.0 (255.255.255.0)

The clinic will need to make an ACL from 172.28.175.5 to hosts 192.168.50.83 and 192.168.50.86, and, if the portal is used, 192.168.50.50.

The clinic will need to NAT interesting traffic to 172.28.175.0 255.255.255.0.

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: *

Phase 2

ESP encryption 3DES

ESP authentication SHA1

Lifetime 28800
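
Before building a tunnel to a partner's parameters, a reviewer checks the proposal itself. The following is an added example, not part of the thread and not a Cisco tool: it parses a Phase 1 / Phase 2 block in the layout posted above (the copy embedded below is constructed from that post) and flags what falls below a reviewer's minimums: 768-bit DH group 1 and 1024-bit group 2, the 64-bit-block 3DES cipher, SHA-1/MD5 integrity, and pre-shared-key authentication with no IKE mode stated. The thresholds and the counter-proposal text are the reviewer's assumptions, not anything the partner or Cisco specified.

```python
"""Review a partner's IKEv1/IPsec proposal before you build the tunnel.

Added example, not part of the thread or of any Cisco tool. Thresholds
(MODP >= 2048 bits, no 64-bit block ciphers, SHA-2 integrity, main mode
with PSK) are the reviewer's assumptions.
"""

# IKE MODP group -> modulus size in bits (RFC 2409 groups 1, 2, 5; RFC 3526 groups 14-16)
MODP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048, "15": 3072, "16": 4096}
MIN_MODP_BITS = 2048

# Constructed copy of the parameter block posted above.
POSTED_PARAMETERS = """\
Phase 1
Authentication: Pre-Shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400 sec
Pre-shared Key: *
Phase2
ESP encryption 3DES
ESP authentication SHA1
Lifetime 28800
"""

# What the reviewer would counter-propose (assumed, not from the thread).
SUGGESTED_PARAMETERS = """\
Phase 1
Authentication: Pre-Shared
Mode: Main
Encryption: AES-256
Hash: SHA256
DH: 14
Lifetime: 86400 sec
Phase 2
ESP encryption AES-256
ESP authentication SHA256
Lifetime 28800
"""


def parse_parameters(text):
    """Split the block into {'phase1': {...}, 'phase2': {...}} with lower-case keys.

    Phase 1 lines use 'Key: value'; the Phase 2 lines in the post have no
    colon ('ESP encryption 3DES'), so the last token is taken as the value.
    """
    phases = {"phase1": {}, "phase2": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.lower().replace(" ", "")
        if tag in ("phase1", "phase2"):
            current = tag
            continue
        if current is None:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
        else:
            key, value = line.rsplit(" ", 1)
        phases[current][key.strip().lower()] = value.strip()
    return phases


def assess(phases):
    """Return (code, message) findings; an empty list means the proposal passes."""
    p1, p2 = phases["phase1"], phases["phase2"]
    findings = []

    # 3DES has a 64-bit block: birthday-bound (Sweet32-style) attacks become
    # practical on long-lived, busy SAs, and NIST has deprecated it.
    for where, alg in (("Phase 1", p1.get("encryption", "")),
                       ("Phase 2", p2.get("esp encryption", ""))):
        if alg.upper() in ("DES", "3DES", "3DES-CBC"):
            findings.append(("3des", f"{where}: {alg} is a 64-bit block cipher; use AES-128 or stronger"))

    # DH group 1 is 768-bit MODP, far under the 2048-bit floor; group 2 (1024) also fails.
    group = p1.get("dh", "")
    bits = MODP_BITS.get(group)
    if bits is None:
        findings.append(("dh-unknown", f"Phase 1: DH group {group!r} not in the MODP table; verify manually"))
    elif bits < MIN_MODP_BITS:
        findings.append((f"dh-group-{group}", f"Phase 1: DH group {group} is {bits}-bit MODP; use group 14 (2048-bit) or higher"))

    # 'SHA' in a Cisco proposal means SHA-1; HMAC-SHA1 is not broken by the
    # collision attacks but is deprecated for new deployments. MD5 likewise.
    for where, alg in (("Phase 1", p1.get("hash", "")),
                       ("Phase 2", p2.get("esp authentication", ""))):
        name = alg.upper().replace("-", "")
        if name in ("SHA", "SHA1", "MD5"):
            findings.append(("md5" if name == "MD5" else "sha1", f"{where}: {alg} integrity; prefer SHA-256"))

    # With a pre-shared key, IKEv1 aggressive mode exposes a hash of the PSK
    # that can be cracked offline; insist that main mode be stated.
    if p1.get("authentication", "").lower().startswith("pre-shared") and p1.get("mode", "").lower() != "main":
        findings.append(("psk-mode-unspecified", "Phase 1: PSK authentication with no IKE mode stated; require main mode"))

    return findings


def review(text):
    """Parse and assess in one call."""
    return assess(parse_parameters(text))


if __name__ == "__main__":
    for code, message in review(POSTED_PARAMETERS):
        print(f"[{code}] {message}")
```

Run stand-alone it prints one line per finding for the posted block; `review(SUGGESTED_PARAMETERS)` returns an empty list, which is the bar to hold the partner to before exchanging the pre-shared key.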

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

When you set up the VPN, you have to define which traffic goes over the VPN in an ACL. So you will have an ACL on each device permitting "this" source subnet to "that" destination subnet. Just include 10.1.10.0/30 in your ACL statements.

As far as the information you've listed about an application, I'm not really sure what your question is. Are they going to create a VPN between one host on your network and another host on the internet? If that is the case, then you would just need to ensure that the traffic between the two devices is allowed. If the VPN is going to terminate on the UC520, you would have to create another VPN tunnel for that purpose.

Adam Compton
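
The crypto-ACL check Adam describes, as an added example that is not part of the thread and is not Cisco configuration: the "interesting traffic" ACL is modelled as `permit ip <src> <dst>` entries in CIDR notation (standing in for IOS wildcard masks), and two things are verified that the thread says go wrong in practice: that the UC520-side ACL carries the return flows from both CME (10.1.1.1 on the voice VLAN) and the TFTP/CUE loopback 10.1.10.2, and that the remote router's ACL is the exact mirror, since mismatched proxy identities are a classic cause of Phase 2 failures. The remote LAN 192.168.50.0/24 and the phone address 192.168.50.20 are assumed.

```python
"""Check that a site-to-site crypto ACL carries every flow a remote SPA504G needs.

Added example, not from the thread. Subnets named in the thread: UC520 voice
VLAN 10.1.1.0/24 (CME at 10.1.1.1) and the CUE/TFTP loopback 10.1.10.0/30
(10.1.10.2). The remote LAN 192.168.50.0/24 and phone 192.168.50.20 are assumed.
"""
from ipaddress import ip_address, ip_network


def parse_acl(entries):
    """Turn 'permit ip SRC DST' strings into (src_network, dst_network) pairs."""
    acl = []
    for entry in entries:
        tokens = entry.split()
        if len(tokens) != 4 or tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {entry!r}")
        acl.append((ip_network(tokens[2]), ip_network(tokens[3])))
    return acl


def covers(acl, src, dst):
    """True if some entry permits the host flow src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def missing_flows(acl, flows):
    """Return the (src, dst) host flows the ACL would send outside the tunnel."""
    return [(s, d) for s, d in flows if not covers(acl, s, d)]


def mirrors(local_acl, peer_acl):
    """IPsec proxy IDs must match: the peer's ACL is ours with src/dst swapped.

    A superset on one side is not good enough for IOS crypto maps; mismatched
    proxy identities are a classic cause of Phase 2 (quick mode) failures.
    """
    return set(local_acl) == {(dst, src) for src, dst in peer_acl}


# Flows the remote phone needs, seen from the UC520 side. The return
# direction is the one that gets missed: TFTP replies leave from 10.1.10.2.
PHONE = "192.168.50.20"
UC520_FLOWS = [
    ("10.1.1.1", PHONE),   # call signalling and media from CME on the voice VLAN
    ("10.1.10.2", PHONE),  # config/firmware download from the TFTP source, voicemail
]

# The ACL as first proposed (voice VLAN only) and with the loopback added.
UC520_ACL_VOICE_ONLY = parse_acl([
    "permit ip 10.1.1.0/24 192.168.50.0/24",
])
UC520_ACL_COMPLETE = parse_acl([
    "permit ip 10.1.1.0/24 192.168.50.0/24",
    "permit ip 10.1.10.0/30 192.168.50.0/24",
])
# Mirror image configured on the remote router.
REMOTE_ACL = parse_acl([
    "permit ip 192.168.50.0/24 10.1.1.0/24",
    "permit ip 192.168.50.0/24 10.1.10.0/30",
])

if __name__ == "__main__":
    print("voice-only ACL misses:", missing_flows(UC520_ACL_VOICE_ONLY, UC520_FLOWS))
    print("complete ACL misses:", missing_flows(UC520_ACL_COMPLETE, UC520_FLOWS))
    print("peer ACL mirrors complete ACL:", mirrors(UC520_ACL_COMPLETE, REMOTE_ACL))
```

The voice-only ACL reports the 10.1.10.2 flow as missing, which is exactly the symptom in the thread: phones register but never pull their config or firmware. On the real devices the same check is `show crypto ipsec sa` and confirming that TFTP from 10.1.10.2 counts as encapsulated packets rather than leaving in the clear.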


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Thanks for this comment, Steven.

Where is the document that tells me what supported remote routers I can use? I had been searching all through the Smart Designs and never specifically saw anything until your comment that stated that you could have 10 remote site routers connected.

I have a similar situation, but no phones are needed, just data.

Thanks,

Johnny


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Well, if you just need VPN support, then any router that does IPsec will work.

Re: UC520 Behind ASA 5505 w/VPN to RVS4000

Steven,

Thanks for the information and the response. I had already gone over those documents, but they only refer to the SR520W-FE, SR520-T1, or a UC500 for remote work.

Perhaps a better way would be to find out what Cisco classic routers are supported by CCA for teleworkers. How do I find this out?

I don't want to use an SR520 or SA500. I think there were some 800 series that were part of the solution in the past; have they been dropped?

Thanks,

Johnny


Re: UC520 Behind ASA 5505 w/VPN to RVS4000

The SA500 series and the SR520-T1 are the only routers that will be supported in CCA. I've never seen any other router besides these supported in CCA, so I am not sure if the 800 series was ever supported, but I know they are not currently supported within CCA. Only Small Business Pro routers are able to be managed through CCA. Hope this helps.

Brian
