Solved

Add a second IP address to a Cisco 501C router

Posted on 2008-10-15
Last Modified: 2010-04-21
To try to explain:
The phone system is not using SIP; it is using a proprietary protocol.

We are a small company. We have a cable internet connection with a Cisco PIX (in our main facility) connected as our gateway.  Currently we have one Static IP address.  Then that feeds our electronic switch. The servers are connected to the switch.  Our new phone system also connects to the switch for backup and phone system management.  There is only one (right now) VoIP phone, located 2000 miles away, that we would like to connect to the new phone system as though this VoIP phone were an extension on our local phone system.  Technical support from the phone provider now indicates that if we have a 2nd Static IP and can pass that IP through to the phone system (locally), that is all they need, and they guarantee that the VoIP phone will operate from any internet connection without a tunnel.  I have procured a 2nd Static IP address and I would now like to forward the 2nd Static IP through to the Phone System.  Let me know if this sounds possible and what instructions I need to change on the Cisco Router to accomplish that.

Thanks in advance.  
Question by:mikeplastic

LVL 79

Expert Comment

by:lrmoore
ID: 22723149
Quite possible.
Start with the basics.
Create a static NAT to map the 2nd public IP to the voice server's private IP:
                                    <public>        <private>
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255

Create an access-list allowing the proper ports to be used. Since we don't have that information, you can start with allowing "IP" but that will mean your phone server is wide open...
 access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside

If you can get the correct port assignment, we can refine the access-list. Here are some examples:

 access-list outside_access_in permit udp any host 12.34.56.7 eq 2000
 access-list outside_access_in permit udp any host 12.34.56.7 range 2001-5200
 access-list outside_access_in permit tcp any host 12.34.56.7 eq sip
 
Author Comment

by:mikeplastic
ID: 22724256
lrmoore:

Thank you - I will test this solution out tomorrow AM and accept the solution if this works.
Author Comment

by:mikeplastic
ID: 22727607
lrmoore:
                                                                                 (outside static here)
I submitted to the config above "static (inside,outside) 12.34.56.7 10.0.0.68 netmast 255.255.255.0"

I received the message - "global address overlaps with mask"
any ideas?
LVL 79

Expert Comment

by:lrmoore
ID: 22727627
Netmask must be 255.255.255.255 exactly as I demonstrated in my example above.
Author Comment

by:mikeplastic
ID: 22730148
Thanks!  Will retry.
Author Comment

by:mikeplastic
ID: 22733099
lrmoore:
This did the trick for the VoIP phone.  However, I can no longer obtain remote access using the old Static IP.
The following is the current config; nn.nnn.nn.nn1 is the old Static IP, to be used as before. The new Static IP is represented by nn.nnn.nn.nn2.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco-pix
domain-name abby.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.102 server1
name 10.0.0.103 serversql
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.13 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.11 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.115 10.0.50.0 255.255.255.0
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list outside_access_in permit ip any host nn.nnn.nn.nn2
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside 10.0.0.100
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside nn.nnn.nn.nn1 255.255.255.0
ip address inside 10.0.0.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.50.1-10.0.50.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) nn.nnn.nn.nn2 10.0.0.68 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.154.55.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 206.126.161.196 255.255.255.255 outside
ssh timeout 60
terminal width 80
cisco-pix(config)#

Can I get both working at the same time?
LVL 79

Expert Comment

by:lrmoore
ID: 22733668
That may be a question for your ISP.
They may not realize that you will be using both IPs with the same MAC address.

Author Comment

by:mikeplastic
ID: 22733787
Thanks - I will check!!
Author Comment

by:mikeplastic
ID: 22734522
lrmoore:
I did check with the service provider.  They indicated that it should be no problem.

I did a little more research:
When I add this line to the config,
"access-group outside_access_in in interface outside", it seems to overwrite this line:

"access-group acl-out in interface outside"

In order to get remote access from outside working I removed the 3 lines you suggested (when I add the 3 lines I can use the VoIP but not the remote access), and then neither remote access nor VoIP worked.  I then looked at the config and "access-group acl-out in interface outside" was missing, so in order to resolve this I added "access-group acl-out in interface outside" back in and remote access works OK.

Any ideas?


LVL 79

Expert Comment

by:lrmoore
ID: 22734683
OK, let's try this:

access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit ip any host nn.nnn.nn.nn2

access-group acl-out in interface outside


Author Comment

by:mikeplastic
ID: 22734764
Insert these five instructions to replace the one "access-group outside_access_in in interface outside"?
LVL 79

Expert Comment

by:lrmoore
ID: 22734832
You already have the first 3, so just add the 4th line to the existing ACL and apply that ACL to the interface.

The only two lines you actually need to add are these:

access-list acl-out permit ip any host nn.nnn.nn.nn2
access-group acl-out in interface outside


Author Comment

by:mikeplastic
ID: 22734988
Just to make sure I understand properly:  
Current status: I removed the 3 lines that you originally gave me -
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255
access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside

Now I will add:
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255
access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside
access-list acl-out permit ip any host nn.nnn.nn.nn2
access-group acl-out in interface outside
Is this correct?


LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 22736015
Not quite.

Simply add the two lines in my previous post to what you already have.

It will end up looking like this:

static (inside,outside) nn.nnn.nn.nn2 192.168.88.99 netmask 255.255.255.255
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit ip any host nn.nnn.nn.nn2

access-group acl-out in interface outside

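The two PIX behaviours this thread turns on, a static that needs a host mask or the box reports "global address overlaps with mask", and an access-group that silently replaces whatever ACL was already bound to that interface and direction, can be modelled in a few lines so the final config can be checked against sample traffic before touching the firewall. The Python below is an added example, not code from the thread or from Cisco. It is a toy model of the PIX 6.x rules as described in the posts above, with constructed documentation-range addresses (203.0.113.1/2) standing in for the redacted nn.nnn.nn.nn1/nn2, and it also tries the port-specific lines lrmoore offered in place of the wide-open "permit ip".

```python
"""Toy model of PIX 6.x static/access-list/access-group semantics (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholders for the thread's redacted public addresses.
OLD_PUBLIC = "203.0.113.1"   # original static, used for RDP (tcp/udp 3389)
NEW_PUBLIC = "203.0.113.2"   # second static, forwarded to the phone system
PHONE_SERVER = "10.0.0.68"
OUTSIDE_NET = ipaddress.IPv4Network("203.0.113.0/24")
NAMED_PORTS = {"sip": 5060, "skinny": 2000}   # PIX keywords used in the thread


@dataclass
class Pix:
    outside_net: ipaddress.IPv4Network
    statics: dict = field(default_factory=dict)    # public ip -> private ip
    acls: dict = field(default_factory=dict)       # acl name -> [(proto, dst, lo, hi)]
    bindings: dict = field(default_factory=dict)   # (interface, direction) -> acl name

    def apply(self, line):
        tok = line.split()
        if tok[0] == "static":
            # static (inside,outside) <public> <private> netmask <mask>
            public, private, mask = tok[2], tok[3], tok[5]
            # A non-host mask claims a whole block of public addresses; when that block
            # overlaps the outside interface's subnet the PIX rejects the command.
            block = ipaddress.IPv4Network(f"{public}/{mask}", strict=False)
            if mask != "255.255.255.255" and block.overlaps(self.outside_net):
                raise ValueError("global address overlaps with mask")
            self.statics[public] = private
        elif tok[0] == "access-list":
            # access-list <name> permit <proto> any {any | host <ip>} [eq <p> | range <lo>-<hi>]
            name, proto = tok[1], tok[3]
            dst = tok[6] if tok[5] == "host" else None
            rest = tok[7:] if dst else tok[6:]
            lo = hi = None
            if rest and rest[0] == "eq":
                lo = hi = NAMED_PORTS.get(rest[1]) or int(rest[1])
            elif rest and rest[0] == "range":
                lo, hi = (int(p) for p in rest[1].split("-"))
            self.acls.setdefault(name, []).append((proto, dst, lo, hi))
        elif tok[0] == "access-group":
            # One ACL per interface and direction: a later access-group replaces the earlier one.
            self.bindings[(tok[4], tok[2])] = tok[1]

    def permits(self, interface, proto, dst, port=None):
        """First-match evaluation of the ACL bound inbound on `interface`; implicit deny."""
        name = self.bindings.get((interface, "in"))
        if name is None:
            return False   # nothing bound on the outside interface: inbound is denied
        for r_proto, r_dst, lo, hi in self.acls.get(name, []):
            if r_proto not in ("ip", proto):
                continue
            if r_dst is not None and r_dst != dst:
                continue
            if lo is not None and (port is None or not lo <= port <= hi):
                continue
            return True
        return False


def _load(lines):
    pix = Pix(OUTSIDE_NET)
    for line in lines:
        pix.apply(line)
    return pix


def build_accepted_solution():
    """The config from the accepted answer, placeholders substituted."""
    return _load([
        f"static (inside,outside) {NEW_PUBLIC} {PHONE_SERVER} netmask 255.255.255.255",
        "access-list acl-out permit icmp any any",
        f"access-list acl-out permit tcp any host {OLD_PUBLIC} eq 3389",
        f"access-list acl-out permit udp any host {OLD_PUBLIC} eq 3389",
        f"access-list acl-out permit ip any host {NEW_PUBLIC}",
        "access-group acl-out in interface outside",
    ])


def first_attempt():
    """What broke remote access: a second ACL bound to outside replaces acl-out."""
    pix = build_accepted_solution()
    pix.apply(f"access-list outside_access_in permit ip any host {NEW_PUBLIC}")
    pix.apply("access-group outside_access_in in interface outside")
    return pix


def tightened_phone_acl():
    """Replace the wide-open 'permit ip' with lrmoore's port-specific example lines."""
    return _load([
        f"static (inside,outside) {NEW_PUBLIC} {PHONE_SERVER} netmask 255.255.255.255",
        f"access-list acl-out permit tcp any host {OLD_PUBLIC} eq 3389",
        f"access-list acl-out permit udp any host {NEW_PUBLIC} eq 2000",
        f"access-list acl-out permit udp any host {NEW_PUBLIC} range 2001-5200",
        f"access-list acl-out permit tcp any host {NEW_PUBLIC} eq sip",
        "access-group acl-out in interface outside",
    ])


def static_with_wrong_mask():
    """Reproduce the error the asker hit with netmask 255.255.255.0."""
    try:
        _load([f"static (inside,outside) {NEW_PUBLIC} {PHONE_SERVER} netmask 255.255.255.0"])
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    fw = build_accepted_solution()
    print("bound inbound on outside:", fw.bindings[("outside", "in")])
    print("RDP to old IP:", fw.permits("outside", "tcp", OLD_PUBLIC, 3389))
    print("SSH to old IP:", fw.permits("outside", "tcp", OLD_PUBLIC, 22))
    print("after first attempt, RDP to old IP:", first_attempt().permits("outside", "tcp", OLD_PUBLIC, 3389))
    print("tightened, SSH to phone IP:", tightened_phone_acl().permits("outside", "tcp", NEW_PUBLIC, 22))
    print("wrong mask:", static_with_wrong_mask())
```

The point of the tightened variant is visible in the last checks: with "permit ip any host nn2" every port on the phone server is reachable from the internet, whereas the port-specific lines leave anything outside the phone system's own ports at the implicit deny. The model only covers the command shapes that appear in this thread.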

Author Comment

by:mikeplastic
ID: 22736292
lrmoore

Thanks - I am restricted from the server right now. I will try it again tomorrow at 10AM EDT.

Thanks
Author Closing Comment

by:mikeplastic
ID: 31506355
Thanks for your help!  It worked beautifully!