Solved

Shoretel SIP Trunks failing to work after migrating internet/firewall

Posted on 2016-11-02
10
35 Views
Last Modified: 2016-11-18
Hi

Need some guidance on this please.  Have a Small Business edition shoretel setup, running HQ, SG90, SG90BRI, E1k and an ingate siperator.

We've migrated the internet and replaced the firewall (cisco asa 5505) and rebuild the config so essentially the same apart from it has new external IP addresses.  However the SIP trunks failed to come online.  
It transpired that the old firewall had an additional wan IP address allocated to the firewall, and this IP was stored in the gamma portal.  So

We've tried using an additional IP address to the firewall and using the current WAN IP of the firewall to Gamma portal, but no joy.

The config on the ingate appears to be configured to point traffic direct to Gamma.  The old and new firewalls had/has an inbound NAT rule from WAN IP internal ingate e.g: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*

Ideas?
0
Comment
Question by:CHI-LTD
  • 4
  • 3
  • 2
10 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
Comment Utility
>>It transpired that the old firewall had an additional wan IP

SO plug that circuit into Ethernet0/3 - then configure VLAN3 with the same public IP the old one had. (you will need a security plus licence on the 5505)

Then statically nat 172.16.10.35 to that interface

YOU will need to crate an ACL to let the traffic in and out as well. Phones are not really my thing so I don't know the ports


Pete
0
 
LVL 1

Author Comment

by:CHI-LTD
Comment Utility
Thats just it, we didnt have anything connected to fe0/3, just had an IP allocated somewhere for the voice to route..  We tried adding new spare IP to the firewall interface (not sure which one) and allowed inbound using: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*
Is this a valid command to NAT inbound traffic to the Ingate?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
Comment Utility
SO you have replaced the 5505 with a 5505?

Do they both have the same license (show version)?

Was this public IP of the phones in the same range as your public IP?

>>Is this a valid command to NAT inbound traffic to the Ingate?

Heres how to setup a static NAT
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
0
 
LVL 1

Author Comment

by:CHI-LTD
Comment Utility
correct.
not sure, think the version of the software is newer on the new fwall.
No, the new WAN IPs are completely different, as new ISP.

Thanks for links.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
Comment Utility
>>not sure, think the version of the software is newer on the new fwall.

Check! - the new one should have a 'sec plus' licence or VLAN3 can only be accessed from the outside (which is not what you want!)

>>No, the new WAN IPs are completely different, as new ISP.

Then you need to get the OTHER END to accept traffic form your new public IP?

P
0
 
LVL 20

Accepted Solution

by:
masnrock earned 250 total points
Comment Utility
One of the biggest things is that you need the new WAN IP(s) to be in the Gamma portal. Some SIP trunk providers will validate based on an IP address. So if you're going to be using new WAN IPs, Gamma needs records reflecting those IPs.

TCP port 5060 is one of the ports that you'll need to open incoming traffic from Gamma for. There should also be a series of UDP ports that you need to open (I would check with Gamma to verify the specific range). From some online research, I've seen people say that Gamma recommends opening UDP ports 6000-40000, which seems to be an excessively large range.
0
 
LVL 1

Author Comment

by:CHI-LTD
Comment Utility
Yes thats one thing we changed.  It now looks like it might be port related.
0
 
LVL 20

Expert Comment

by:masnrock
Comment Utility
Have you made the changes on your firewall?
0
 
LVL 1

Author Comment

by:CHI-LTD
Comment Utility
Tonight
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Let’s list some of the technologies that enable smooth teleworking. 
Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now