Hello, we have been testing a deployment as follows:
1. We have IPsec VPNs with third-party equipment.
2. We put the UC5XX in the central site, and physical phones or softphones work well.
3. We tested a ping from remote site 1 to the central site and could reach the management IP address of the UC5XX (in our case 192.168.10.1).
4. But we can't ping the voice VLAN interface on the UC, and the softphones or physical phones can't register to the UC5XX.
5. We have been trying with DHCP from the remote site and with static addressing, but the result is the same: softphones or physical phones that were registered in the central site can't register to the UC5XX remotely.
The questions, please:
1. Does the UC5XX need only SSL VPNs to work as we need, or must IPsec VPNs also work?
2. If the answer is SSL VPNs, can we use the third-party equipment?
3. If the answer is only a Cisco router at the remote site, which model could you recommend for only 5 phones at the remote site? We know about the SR-520-T1 but it's EOL; what is another option (the simplest and cheapest)?
In the CCA, go to VPN Server. Allow split tunneling, add the networks you need to reach. I always add 10.1.1.0/24, 10.1.10.1/24 and 192.168.10.0/24.
Then your computer must have the Cisco VPN Client installed.
Connect with the VPN Client and make sure your IP Communicator is configured to use 10.1.1.1 as its TFTP server.
I think the maximum number of IPsec VPN sessions allowed is 10, but I could be wrong about that.
To use the SPA525G2 remotely, you will need to configure the SSL VPN Server. You can have both working. Configure the secondary IP address on the Gig 0/0 interface. You will need to do this in CLI. You need to do this especially if you have port 443 forwarded to the inside network. The SPA phones will use port 443 on the secondary IP address.
It looks like you are doing the VPN between the 3Com devices. What networks are defined as 'interesting traffic' for the VPN? It sounds like from 192.168.70.0 to 192.168.10.0 is working. Do you have IPSec SAs for 192.168.70.0 to 10.1.1.0 (Voice) and 10.1.10.0 (CUE) networks? If so, are the IPSec SAs up and passing traffic?
As long as you have setup the VPN to allow traffic from 192.168.70.0 network to 192.168.10.0, 10.1.1.0 and 10.1.10.0 networks, then you would just need the following routes on these devices:
192.168.70.0 pointing to 192.168.10.3 (sounds like this is there as this traffic is working)
3Com X5 router:
192.168.70.0 pointing to its gateway (sounds like this is there as this traffic is working)
10.1.1.0 pointing to 192.168.10.1
10.1.10.0 pointing to 192.168.10.1
192.168.10.0 pointing to its gateway (sounds like this is there as this traffic is working)
10.1.1.0 pointing to its gateway
10.1.10.0 pointing to its gateway
Also, according to your diagram, the phones are not acquiring TFTP server. Make sure that whatever is providing DHCP for the remote office has option 150 configured to provide 10.1.1.1 for the TFTP server for the phones.
Option 150 is not configured on the UC540 DHCP server. Could you send us some tips to achieve this configuration on the UC540?
On the question about having IPSec SAs:
We have only one IPSec SA tunnel association, between the subnet 192.168.70.0 and 192.168.10.0 on the X5 router, as you can see in the next screen capture:
Maybe you are suggesting I must create another IPSec SA tunnel association on the X5 router, between subnet 10.1.1.0 and subnet 192.168.70.0, with its corresponding configuration on the OfficeConnect router at the remote site?
I cannot create another IPSec association using the subnet 192.168.70.0 because it causes a conflict with the other tunnel already created.
What is the DHCP Server at the remote office? That is the device that needs to provide Option 150 for the phones at the remote office.
I'm not familiar with the 3Com X5, but looking at your screenshot, it looks like there is an option for an IP Address Group for Local Networks. Does the remote site's 3Com device have this option? If so, it looks like you may be able to create an IP Address Group with the 192.168.10.0, 10.1.1.0 and 10.1.10.0 networks. You would use that as the Local Networks on the X5 (closest to the UC540) and create one for the Remote Networks on the remote site's 3Com device.
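The selector gap discussed in the replies above, as an added example that is not part of the original thread: it checks which central-site networks a remote phone needs are actually covered by the tunnel's "interesting traffic" definition, first with the single association the poster reports and then with the grouped networks suggested above. The /24 masks, the short network labels and the function names are assumptions made for this illustration.

```python
from ipaddress import ip_network

# Constructed from the thread. /24 masks are assumed where the posts give
# only a network address.
REMOTE_LAN = "192.168.70.0/24"
REQUIRED_LOCAL_NETS = {
    "data": "192.168.10.0/24",   # UC5XX management, already reachable
    "voice": "10.1.1.0/24",      # phones register and fetch TFTP here
    "cue": "10.1.10.0/24",       # CUE network
}
# (local network, remote network) pairs negotiated as IPsec selectors.
CURRENT_SELECTORS = [("192.168.10.0/24", REMOTE_LAN)]
GROUPED_SELECTORS = [(net, REMOTE_LAN) for net in REQUIRED_LOCAL_NETS.values()]


def covered(local, remote, selectors):
    """True if one selector pair contains both ends of the flow."""
    loc, rem = ip_network(local), ip_network(remote)
    return any(
        loc.subnet_of(ip_network(sel_local)) and rem.subnet_of(ip_network(sel_remote))
        for sel_local, sel_remote in selectors
    )


def uncovered_flows(required, remote, selectors):
    """Names of required central-site networks that no selector carries."""
    return sorted(
        name for name, net in required.items()
        if not covered(net, remote, selectors)
    )


if __name__ == "__main__":
    for label, selectors in (("current", CURRENT_SELECTORS),
                             ("grouped", GROUPED_SELECTORS)):
        missing = uncovered_flows(REQUIRED_LOCAL_NETS, REMOTE_LAN, selectors)
        print(f"{label}: not carried by the tunnel -> {missing or 'none'}")
```

Packets whose source and destination match no selector pair are not placed in the tunnel, which is consistent with the management address answering pings while the voice VLAN does not.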
You suggest that we create an IP Address Group with the networks 192.168.10.0, 10.1.1.0 and 10.1.10.0; that is, should we create these Local Network options both on the X5 router (central site) and on the OfficeConnect router at the remote site? Must we set up the IP Address Group functionality on both devices, the central site router as well as the remote site router?
I am not sure that the remote router (OfficeConnect) has this feature for creating IP Address Groups, or even that it is possible to implement option 150 on it. If I wished to achieve a connection between the UC540 at the central site and a Cisco router at the remote site, which Cisco router model could you recommend for only 5 phones at the remote site? Taking into account that the SR-520-T1 is EOL, what would be another option (the simplest and cheapest)?
We appreciate your comments about this case, thanks.