Add a second IP address to a Cisco 501C router

To try to explain:
The phone system is not using SIP; it is using a proprietary protocol.

We are a small company. We have a cable internet connection with a Cisco PIX (in our main facility) connected as our gateway. Currently we have one static IP address. That feeds our electronic switch. The servers are connected to the switch. Our new phone system also connects to the switch for backup and phone system management. There is only one (right now) VoIP phone, located 2000 miles away, that we would like to connect to the new phone system as though this VoIP phone were an extension on our local phone system. Technical support from the phone provider now indicates that if we have a 2nd static IP and can pass that IP through to the phone system (locally), that is all they need, and they guarantee that the VoIP phone will operate from any internet connection without a tunnel. I have procured a 2nd static IP address and I would now like to forward the 2nd static IP through to the phone system. Let me know if this sounds possible and what instructions I need to change on the Cisco router to accomplish that.

Thanks in advance.  
Asked by: mikeplastic
1 Solution
 
lrmoore commented:
Quite possible.
Start with the basics.
Create a static NAT to map the 2nd public IP to the voice server's private IP
                                    <public>        <private>
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255

Create an access-list allowing the proper ports to be used. Since we don't have that information, you can start with allowing "IP" but that will mean your phone server is wide open...
access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside

If you can get the correct port assignment, we can refine the access-list. Here are some examples:

access-list outside_access_in permit udp any host 12.34.56.7 eq 2000
access-list outside_access_in permit udp any host 12.34.56.7 range 2001-5200
access-list outside_access_in permit tcp any host 12.34.56.7 eq sip
 
mikeplastic (Author) commented:
lrmoore:

Thank you - I will test this solution out tomorrow AM and accept the solution if this works.
mikeplastic (Author) commented:
lrmoore:

I submitted to the config above "static (inside,outside) 12.34.56.7 10.0.0.68 netmask 255.255.255.0" (outside static here)

I received the message - "global address overlaps with mask"
Any ideas?
lrmoore commented:
Netmask must be 255.255.255.255 exactly as I demonstrated in my example above.
mikeplastic (Author) commented:
Thanks!  Will retry.
mikeplastic (Author) commented:
lrmoore:
This did the trick for the VoIP phone. However, I can no longer obtain remote access using the old static IP.
The following is the current config. nn.nnn.nnn.nn1 is the old static IP, to be used as before. The new static IP is represented by nn.nnn.nnn.nn2.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco-pix
domain-name abby.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.102 server1
name 10.0.0.103 serversql
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.13 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.11 10.0.50.0 255.255.255.0
access-list 101 permit ip host 10.0.0.115 10.0.50.0 255.255.255.0
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list outside_access_in permit ip any host nn.nnn.nn.nn2
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside 10.0.0.100
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside nn.nnn.nn.nn1 255.255.255.0
ip address inside 10.0.0.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.50.1-10.0.50.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 abbatrondc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) nn.nnn.nn.nn2 10.0.0.68 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.154.55.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 206.126.161.196 255.255.255.255 outside
ssh timeout 60
terminal width 80
cisco-pix(config)#

Can I get both working at the same time?
lrmoore commented:
That may be a question for your ISP.
They may not realize that you will be using both IPs with the same MAC address.

mikeplastic (Author) commented:
Thanks - I will check!!
mikeplastic (Author) commented:
lrmoore:
I did check with the service provider.  They indicated that it should be no problem.

I did a little more research:
When I add this line to the config
"access-group outside_access_in in interface outside" it seems to overwrite this line

"access-group acl-out in interface outside"

In order to get remote access from outside working, I removed the 3 lines you suggested (when I add the 3 lines I can use the VoIP but not the remote access), and then neither remote access nor VoIP worked. I then looked at the config and "access-group acl-out in interface outside" was missing, so to resolve this I added "access-group acl-out in interface outside" back in and remote access works OK.

Any ideas?


lrmoore commented:
OK, let's try this:

access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit ip any host nn.nnn.nn.nn2

access-group acl-out in interface outside


mikeplastic (Author) commented:
Insert these five instructions to replace the one "access-group outside_access_in in interface outside"?
lrmoore commented:
You already have the first 3, so just add the 4th line to the existing ACL and apply that ACL to the interface.

The only two lines you actually need to add are these:

access-list acl-out permit ip any host nn.nnn.nn.nn2
access-group acl-out in interface outside


mikeplastic (Author) commented:
Just to make sure I understand properly:  
Current status: I removed the 3 lines that you originally gave me -
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255
access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside

Now I will add:
static (inside,outside) 12.34.56.7 192.168.88.99 netmask 255.255.255.255
access-list outside_access_in permit ip any host 12.34.56.7
access-group outside_access_in in interface outside
access-list acl-out permit ip any host nn.nnn.nn.nn2
access-group acl-out in interface outside
Is this correct?


lrmoore commented:
Not quite.

Simply add the two lines in my previous post to what you already have.

It will end up looking like this:

static (inside,outside) nn.nnn.nn.nn2 192.168.88.99 netmask 255.255.255.255
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit udp any host nn.nnn.nn.nn1 eq 3389
access-list acl-out permit ip any host nn.nnn.nn.nn2

access-group acl-out in interface outside

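The three problems this thread runs into (a host static with the wrong netmask, a "permit ip any" entry that leaves the phone server wide open, and a second access-group line silently replacing the first on the outside interface, since PIX 6.x binds only one ACL per interface and direction) can all be caught before the config is pasted in. The following linter is an added example, not code from the thread or from Cisco; the sample config it checks is constructed, and `lint_pix` is a hypothetical helper.

```python
import re

# Constructed sample (not from the thread): the /24 host static that raised
# "global address overlaps with mask", a wide-open "permit ip" entry, and two
# access-group lines competing for the same interface.
SAMPLE_CONFIG = """
static (inside,outside) 12.34.56.7 10.0.0.68 netmask 255.255.255.0
access-list acl-out permit tcp any host 12.34.56.1 eq 3389
access-list outside_access_in permit ip any host 12.34.56.7
access-group acl-out in interface outside
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\S+\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def lint_pix(config):
    """Return a list of finding strings for a PIX 6.x config fragment."""
    findings = []
    bound = {}  # interface -> ACL currently applied; the last line wins
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            pub, priv, mask = m.groups()
            if mask != "255.255.255.255":
                findings.append(
                    f"static {pub}->{priv}: a one-to-one host static needs "
                    f"netmask 255.255.255.255, got {mask}")
            continue
        m = ACL_RE.match(line)
        if m:
            name, proto, src, dst = m.groups()
            if proto == "ip" and src == "any":
                findings.append(
                    f"acl {name}: 'permit ip any host {dst}' exposes every port; "
                    f"restrict it to the ports the phone system actually uses")
            continue
        m = GROUP_RE.match(line)
        if m:
            name, iface = m.groups()
            if iface in bound and bound[iface] != name:
                findings.append(
                    f"access-group {name} replaces {bound[iface]} on {iface}; "
                    f"merge both into one ACL and apply that one")
            bound[iface] = name
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` reports all three findings; the fix lrmoore lands on (one ACL, `acl-out`, holding every entry and a single `access-group acl-out in interface outside`) produces none.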
 
mikeplastic (Author) commented:
lrmoore

Thanks - I am restricted from the server right now - I will try it again tomorrow at 10 AM EDT.

Thanks
mikeplastic (Author) commented:
Thanks for your help!  It worked beautifully!