kwalker25 (United Kingdom) asked:
How do I route a UC560 Wan port through a Cisco ASA perimeter firewall

We have been asked by a client to supply a UC560. They wish to place this in an existing infrastructure behind a Cisco ASA firewall. Obviously the WAN port of the UC needs to connect to the outside world for SIP trunking, and the client is unsure of how to configure the device. I would appreciate any assistance to allow us to build a solution and get the relevant expertise on site.
MikeKane (United States):

Will the UC560 have a single IP on the 'outside'?

I've set up dual firewalls before. I used this type of plan.

Public internet ->
outside IP & IP block assigned to ASA ->
ASA uses a static NAT for each IP to an internal IP in a non-routable zone (i.e. 172.16.x.x) ->
The UC would be assigned one static for the outside IP and the rest become available for 1-to-1 NAT of internal hosts ->
UC uses the internal IP scheme to hit the other hosts on the inside.


The ASA would need SIP inspection turned on to handle outbound SIP registration and calls.  


kwalker25 (asker):

Ok, just to be clear. The client would require (and actually probably has) a number of static public IP addresses. The WAN port of the UC is given a public IP. A route is created through the ASA to allow the WAN port of the UC to be visible to the outside world. The UC is given a fixed IP on the LAN side to communicate with the internal LAN.

Is this correct?
The WAN of the UC would have to be given a NAT'd address in a private range, since the ASA would be the perimeter.

The perimeter device would have the public IPs assigned to it. The perimeter would NAT each public IP to a similar IP in a private range. The UC would be given an IP in THAT private range. It's basically a dual NAT setup.

FYI, as another alternative, you could always set up the ASA in transparent mode just for the traffic inspection. That way the public IPs would go right into the UC.... Not sure if that is doable in your setup, however.
Ok,

I think I've done this before with a UC540W. Let's say for example the internal LAN behind the ASA was 10.0.0.x. We would simply connect the WAN port of the UC560 to a port on the ASA and assign it to, say, 192.168.x.x, with the ASA on that port acting as the gateway.

On another note, how easy is it to set up SIP in this scenario?
It would look like this:

Internet
|
ASA external IP
ASA
ASA internal IP 192.168.10.1
|
UC External IP 192.168.10.2
UC
UC Internal IP 10.0.0.1


The ASA would do a 1-to-1 NAT for any IP block you own. So you would have a static for <external IP #1> to 192.168.10.10, <external IP #2> to 192.168.10.11, and so on. The UC would take 192.168.10.10 and NAT it to 10.0.0.10. That gets the traffic from outside to inside.

SIP will be tricky. I'm not familiar with the UC device. The ASA has a SIP inspect process where it can rewrite the SIP packets to match the external IP of the ASA. This way, no STUN services are required. I don't know if the UC has this or not.
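As an added example (not from the thread or from Cisco), here is the ASA side of the design MikeKane sketches, in ASA 8.3+ syntax: a dedicated interface facing the UC's WAN port, a 1-to-1 static NAT of one public address to the UC WAN address 192.168.10.10 used in the answer above, an inbound rule that admits SIP and RTP only from the SIP trunk provider rather than from anywhere, and SIP inspection in the global policy. The public address 203.0.113.10, the provider address 198.51.100.5, the interface name uc-dmz and the RTP port range are placeholders to be replaced with the client's real values.

```text
! Interface toward the UC560 WAN port; the ASA is the UC's gateway (192.168.10.1)
interface GigabitEthernet0/1
 nameif uc-dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! UC WAN address (real) mapped 1-to-1 to one public address (placeholder)
object network UC-WAN
 host 192.168.10.10
 nat (uc-dmz,outside) static 203.0.113.10
!
! SIP trunk provider (placeholder address)
object network SIP-PROVIDER
 host 198.51.100.5
!
! Signalling and media the provider is allowed to send to the UC.
! The RTP range is a placeholder; use the range the UC and provider actually negotiate.
object-group service SIP-TRUNK
 service-object udp destination eq sip
 service-object udp destination range 16384 32767
!
! Only the provider may reach the UC from outside; the ASA denies everything else inbound.
! Destination is the real (pre-NAT) object, as ASA 8.3+ ACLs use real addresses.
access-list OUTSIDE_IN extended permit object-group SIP-TRUNK object SIP-PROVIDER object UC-WAN
access-group OUTSIDE_IN in interface outside
!
! SIP inspection rewrites the addresses embedded in SIP/SDP to the mapped
! public address and opens the negotiated RTP pinholes for each call.
policy-map global_policy
 class inspection_default
  inspect sip
```

Because the SIP trunk terminates on the UC's WAN address, only the ASA's NAT hop sits in the SIP signalling path; the UC's own NAT toward 10.0.0.x does not affect the trunk. If the provider uses a different port or sends from several addresses, the SIP-PROVIDER and SIP-TRUNK objects are the only lines that need to change.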
ASKER CERTIFIED SOLUTION
kwalker25 (United Kingdom):

We had to follow Cisco advice to ensure ongoing future support.