How do I route a UC560 Wan port through a Cisco ASA perimeter firewall

We have been asked by a client to supply a UC560. They wish to place this in an existing infrastructure behind a Cisco ASA firewall. Obviously the WAN port of the UC needs to connect to the outside world for SIP trunking, and the client is unsure of how to configure the device. I would appreciate any assistance to allow us to build a solution and get the relevant expertise on site.
kwalker25 Asked:
MikeKane Commented:
Will the UCS560 have a single IP on the 'outside'?

I've set up dual firewalls before. I used this type of plan.

Public internet  ->  
outside IP & IP block assigned to  ASA ->
ASA uses a Static NAT for each IP to an internal IP in a non-routable zone (i.e. 172.16.x.x) ->
The UCS would be assigned one static for the outside IP and the rest become available for 1 to 1 NAT of internal hosts->
UCS uses the internal IP scheme to hit the other hosts on the inside.  


The ASA would need SIP inspection turned on to handle outbound SIP registration and calls.  


kwalker25 Author Commented:
Ok, just to be clear. The client would require (and actually probably has) a number of static public IP addresses. The WAN port of the UC is given a public IP. A route is created through the ASA to allow the WAN port of the UC to be visible to the outside world. The UC is given a fixed IP on the LAN side to communicate with the internal LAN.

Is this correct?
MikeKane Commented:
The WAN of the UC would have to be given a NAT'd address in a private range, since the ASA would be the perimeter.

The perimeter device would have the public IPs assigned to it. The perimeter would NAT each public IP to a similar IP in a private range. The UC would be given an IP in THAT private range. It's basically a dual NAT setup.

FYI, as another alternative, you could always set up the ASA in transparent mode just for the traffic inspection. That way the public IPs would go right into the UC. Not sure if that is doable in your setup, however.
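The transparent-mode alternative mentioned above, written out as an added ASA configuration example; this is not configuration from the original thread or from Cisco's UC560 documentation. It assumes ASA 8.4 or later (bridge-group syntax), documentation-range addresses (203.0.113.0/28 as the client's public block, 203.0.113.3 on the UC WAN port, 198.51.100.10 as the SIP provider's signaling host), and the hypothetical interface names shown. In this design the ASA is a layer-2 bump in the wire: no NAT, the UC keeps its public IP, and the ASA still filters and SIP-inspects the trunk traffic.

```cisco
! Added example: ASA in transparent (layer-2) mode in front of a UC560 WAN port.
! Addresses are RFC 5737 documentation ranges; interface names are assumptions.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! The BVI carries the ASA's own management address on the bridged public subnet.
! The UC560 WAN port sits on the inside segment with 203.0.113.3 configured directly.
interface BVI1
 ip address 203.0.113.2 255.255.255.240
!
! Only the provider's SIP signaling host may reach the UC's public address on 5060.
! With "inspect sip" enabled the ASA opens the RTP pinholes it learns from SDP,
! so the media ports do not need to be permitted statically.
access-list OUTSIDE_IN extended permit udp host 198.51.100.10 host 203.0.113.3 eq sip
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 host 203.0.113.3 eq sip
access-group OUTSIDE_IN in interface outside
!
! SIP inspection is part of the default inspection class; shown here explicitly.
policy-map global_policy
 class inspection_default
  inspect sip
```

In transparent mode the ASA neither rewrites addresses nor terminates routing, so the upstream router's default gateway for the UC is unchanged and the "fixed public IP on the WAN port" requirement is satisfied. The ASA still inspects only cleartext SIP; if the trunk is signaled over TLS the inspection engine cannot read the SDP and the RTP ranges would have to be permitted explicitly.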
kwalker25 Author Commented:
Ok,

I think I've done this before with a UC540W. Let's say for example the internal LAN behind the ASA was 10.0.0.x. We would simply connect the WAN port of the UC560 to a port on the ASA and assign it to, say, 192.168.x.x, with the ASA on that port acting as the gateway.

On another note, how easy is it to set up SIP in this scenario?
MikeKane Commented:
It would look like this:

Internet
|
ASA external IP
ASA
ASA internal IP 192.168.10.1
|
UC External IP 192.168.10.2
UC
UC Internal IP 10.0.0.1


The ASA would do a 1 to 1 NAT for any IP block you own. So you would have a static for <external IP #1> to 192.168.10.10, <external IP #2> to 192.168.10.11, and so on. The UC would take 192.168.10.10 and NAT it to 10.0.0.10. That gets the traffic from outside to inside.

SIP will be tricky. I'm not familiar with the UC device. The ASA has a SIP inspect process where it can rewrite the SIP packets to match the external IP of the ASA. This way, no STUN services are required. I don't know if the UC has this or not.
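The routed, dual-NAT layout from the diagram above, written out as an added ASA configuration example; it is not configuration from the original thread or from Cisco's product documentation. It assumes ASA 8.3 or later (object NAT, with access lists written against real/private addresses), documentation-range addresses (203.0.113.0/28 as the client's public block, 198.51.100.10 as the SIP provider's signaling host), the 192.168.10.0/24 and 10.0.0.0/24 ranges from the diagram, and the hypothetical interface and object names shown. Only the ASA side is shown; the UC's own LAN-side NAT from 192.168.10.10 to 10.0.0.10 is configured on the UC.

```cisco
! Added example: ASA routed mode, 1:1 static NAT onto the UC560 WAN segment.
! Addresses are RFC 5737 documentation ranges; interface/object names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
 no shutdown
!
! Segment facing the UC560 WAN port (UC external IP 192.168.10.2, ASA is its gateway).
interface GigabitEthernet0/1
 nameif ucwan
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Public IP #1 -> the UC WAN port itself (SIP trunk registration and calls).
object network UC_WAN
 host 192.168.10.2
 nat (ucwan,outside) static 203.0.113.3
!
! Public IP #2 -> 192.168.10.10, which the UC in turn maps to an inside host.
object network UC_FWD_10
 host 192.168.10.10
 nat (ucwan,outside) static 203.0.113.4
!
! Inbound policy: the provider's signaling host may reach the UC on SIP only.
! Post-8.3 the ACL references the real (private) address, not the NAT'd one.
! "inspect sip" opens the RTP pinholes learned from SDP, so media is not listed.
access-list OUTSIDE_IN extended permit udp host 198.51.100.10 object UC_WAN eq sip
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 object UC_WAN eq sip
access-group OUTSIDE_IN in interface outside
!
! SIP inspection rewrites the private 192.168.10.2 embedded in SIP headers and SDP
! to 203.0.113.3 on the way out, which is why no STUN is needed on the UC.
policy-map global_policy
 class inspection_default
  inspect sip
!
! Verification commands to run after applying the configuration:
! show nat detail                (confirm the static translations and hit counts)
! show conn protocol udp port 5060   (confirm the registration connection)
! show service-policy inspect sip    (confirm the inspection engine is active)
```

Two caveats for this design. First, the SIP fix-up only works on cleartext signaling; a TLS trunk would have to bypass inspection and the RTP port range would then need explicit permits. Second, exactly one device should perform the address rewrite: if the UC is also told it sits behind NAT (a STUN or "external address" setting), it will insert 203.0.113.3 itself and the ASA will then see a mismatch between the packet's source and the SDP, so leave that disabled on the UC when the ASA inspects SIP.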
kwalker25 Author Commented:
Just to follow this up.  The client wanted to use the multisite functions which requires a Cisco VPN tunnel.  Cisco were saying they would only provide support where the UC WAN port was external facing and had a fixed public IP address.

kwalker25 Author Commented:
We had to follow Cisco advice to ensure ongoing future support.