Assign public IP to internal server through ASA5510

petercrowe
Level 1

I have a client who has recently opened a branch office. He wants the VOIP phones in that office to use the central Toshiba phone server at the HQ.

The Toshiba guys say that a MIPU card on the internal HQ network needs to be assigned a Public IP address.

This being a VOIP issue, how do I allow the traffic to pass directly through the firewall and into that phone server card without any NAT'ing and still not have any data transmission hiccups?

NAT-T?

ASA5510, Ver. 8.2(5)

Thanks all.

5 Replies

cadet alain
VIP Alumni

Hi,

Communication from VoIP phones with the server should be using TCP; only communication from phone to phone uses UDP, so the communication hiccups will not take effect here, as this is only the control plane traffic that will pass from phone to server. If this doesn't work you won't be able to place calls, so don't be worried about their quality.

Now, is the server on a higher security level interface than the phone, or is it the reverse?

Regards

Alain

Don't forget to rate helpful posts.

Alain,

The phone engineer has stated that both ends of these connections must have public IPs attached to the actual cards. They have advised my client to not include the firewall in the chain, and instead to break out the connection from the ISP using a switch which then directly feeds the phone server card.

An awful suggestion, opening up a huge security point of ingress into their network. Yet they have taken the suggestion and are implementing it.

Short of getting a VPN up and running, is there any other way to securely pass traffic straight through the firewall without compromising the config of the ASA5510 (running in routed mode)? I can post the config if necessary.

In terms of the security level, I can set it to whatever level is recommended. There is no DMZ in their current setup (despite my recommendations), so it would be traversing into a higher level.

Thanks Alain.

Peter

"They have advised my client to not include the firewall in the chain"

It's always the way, isn't it?

So do the phones need a VPN, or is that how you see securing the connection? Can the phones actually run a VPN?

Do you know the IP range of the phones in the branch office?

You can assign a public IP to the internal server and then just tell the ASA not to NAT it, but obviously that public IP needs to be routed internally. You can then add lines to your ACL applied on the outside interface of the ASA that allow the phone range through to the internal server. I'm not sure whether you know all this and are looking for a different solution or not?

Please clarify.

Jon
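
Added example, not part of the original reply: one way the approach described above (public IP on the internal device, no NAT, outside ACL limited to the branch) could look in ASA 8.2 pre-8.3 syntax. Every address, the interface names and the ACL name are assumptions made for illustration.

```text
! Added example for ASA 8.2 (pre-8.3 NAT syntax). All addresses are constructed
! documentation values (RFC 5737), not taken from the thread:
!   203.0.113.10  = public IP assigned to the HQ phone card
!   198.51.100.20 = public IP of the branch office phone card
!   192.168.1.254 = assumed internal L3 device that can reach the phone card
! Interface names "inside"/"outside" and the ACL name are also assumptions.

! 1. Identity static: the card's address is "translated" to itself, so no NAT
!    or PAT rule rewrites it in either direction.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255

! 2. Route the public host address towards the inside network.
route inside 203.0.113.10 255.255.255.255 192.168.1.254

! 3. Permit only the branch card to reach the HQ card. Everything else from
!    outside still hits the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit ip host 198.51.100.20 host 203.0.113.10

! 4. Bind the ACL inbound on the outside interface. Only one ACL can be bound
!    per interface and direction; if one is already applied, add the permit
!    line to that ACL instead of binding a new one.
access-group OUTSIDE_IN in interface outside
```

Once the phone vendor documents the protocols and ports the cards use, the `permit ip` line can be narrowed to those; `show access-list OUTSIDE_IN` shows hit counts to confirm the rule is matching.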

Jon,

I'm not an experienced Cisco person...but am slowly working my way towards that eventual goal (CCNP with security emphasis). I'm more a Microsoft LAN guy right now.

The branch office has a single phone card (that supplies all the phones at that location) with one Public IP, and that is supposed to end up terminating in the phone server (via another phone card) which is supposed to have another Public IP.

Yes, the VPN would allow them to establish a secure connection into their network, which would then route to that card. A CCIE friend of mine has weighed in that THAT would be the way to do it. My inexperience doesn't allow me to know either way.

Using your method, would I then use one of the 5510 ports to route it directly to the phone card? They have 2 ports free.

Your help is most appreciated.

There are a number of issues here -

1) Routing. You cannot just assign a public IP to a device within an internal network and hope to be able to route to it. At the very least you would need to use 2 public IPs, one for the device and one for a router/L3 switch etc. So what is the IP address of the phone server in the main office?

Perhaps I am not understanding the phone setup, as I am not a voice person. Does the phone card exist independently of the server, i.e. is it a standalone device or is it physically connected to the server?

If you could clarify, that would help.

2) A VPN could be used. Do you know if the cards (or the server, if the card is accessed via the server) support VPNs? If not, a site-to-site VPN could be set up between the firewall in the main site (ASA 5510) and the remote site.

What device is at the remote site?

3) How does this site communicate back to HQ anyway? Do you not have a dedicated WAN connection, or do they use the internet and VPNs to connect back? If the communication is between a branch and HQ, why do you need public IPs?

Sorry to just be asking questions (and there may be a few more), but I'm trying to understand the complete setup.

Jon