Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Shoretel SIP Trunks failing to work after migrating internet/firewall

Posted on 2016-11-02
10
Medium Priority
?
121 Views
Last Modified: 2016-11-18
Hi

Need some guidance on this please.  Have a Small Business edition shoretel setup, running HQ, SG90, SG90BRI, E1k and an ingate siperator.

We've migrated the internet and replaced the firewall (cisco asa 5505) and rebuild the config so essentially the same apart from it has new external IP addresses.  However the SIP trunks failed to come online.  
It transpired that the old firewall had an additional wan IP address allocated to the firewall, and this IP was stored in the gamma portal.  So

We've tried using an additional IP address to the firewall and using the current WAN IP of the firewall to Gamma portal, but no joy.

The config on the ingate appears to be configured to point traffic direct to Gamma.  The old and new firewalls had/has an inbound NAT rule from WAN IP internal ingate e.g: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*

Ideas?
0
Comment
Question by:CHI-LTD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
10 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 41870042
>>It transpired that the old firewall had an additional wan IP

SO plug that circuit into Ethernet0/3 - then configure VLAN3 with the same public IP the old one had. (you will need a security plus licence on the 5505)

Then statically nat 172.16.10.35 to that interface

YOU will need to crate an ACL to let the traffic in and out as well. Phones are not really my thing so I don't know the ports


Pete
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41870067
Thats just it, we didnt have anything connected to fe0/3, just had an IP allocated somewhere for the voice to route..  We tried adding new spare IP to the firewall interface (not sure which one) and allowed inbound using: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*
Is this a valid command to NAT inbound traffic to the Ingate?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 41870306
SO you have replaced the 5505 with a 5505?

Do they both have the same license (show version)?

Was this public IP of the phones in the same range as your public IP?

>>Is this a valid command to NAT inbound traffic to the Ingate?

Heres how to setup a static NAT
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
0
[Video] Oticon Case Study

Open office environments can create the dynamics for innovation, but they also bring some challenges. With over 1,000 employees in an open office, Oticon needed a solution that would preserve the environment while mitigating disruptive background noises.

Watch how they did it.

 
LVL 1

Author Comment

by:CHI-LTD
ID: 41870388
correct.
not sure, think the version of the software is newer on the new fwall.
No, the new WAN IPs are completely different, as new ISP.

Thanks for links.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 41870415
>>not sure, think the version of the software is newer on the new fwall.

Check! - the new one should have a 'sec plus' licence or VLAN3 can only be accessed from the outside (which is not what you want!)

>>No, the new WAN IPs are completely different, as new ISP.

Then you need to get the OTHER END to accept traffic form your new public IP?

P
0
 
LVL 31

Accepted Solution

by:
masnrock earned 1000 total points
ID: 41871098
One of the biggest things is that you need the new WAN IP(s) to be in the Gamma portal. Some SIP trunk providers will validate based on an IP address. So if you're going to be using new WAN IPs, Gamma needs records reflecting those IPs.

TCP port 5060 is one of the ports that you'll need to open incoming traffic from Gamma for. There should also be a series of UDP ports that you need to open (I would check with Gamma to verify the specific range). From some online research, I've seen people say that Gamma recommends opening UDP ports 6000-40000, which seems to be an excessively large range.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41871847
Yes thats one thing we changed.  It now looks like it might be port related.
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41873235
Have you made the changes on your firewall?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41873687
Tonight
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question