Solved

Shoretel SIP Trunks failing to work after migrating internet/firewall

Posted on 2016-11-02
10
85 Views
Last Modified: 2016-11-18
Hi

Need some guidance on this please.  Have a Small Business edition shoretel setup, running HQ, SG90, SG90BRI, E1k and an ingate siperator.

We've migrated the internet and replaced the firewall (cisco asa 5505) and rebuild the config so essentially the same apart from it has new external IP addresses.  However the SIP trunks failed to come online.  
It transpired that the old firewall had an additional wan IP address allocated to the firewall, and this IP was stored in the gamma portal.  So

We've tried using an additional IP address to the firewall and using the current WAN IP of the firewall to Gamma portal, but no joy.

The config on the ingate appears to be configured to point traffic direct to Gamma.  The old and new firewalls had/has an inbound NAT rule from WAN IP internal ingate e.g: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*

Ideas?
0
Comment
Question by:CHI-LTD
  • 4
  • 3
  • 2
10 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41870042
>>It transpired that the old firewall had an additional wan IP

SO plug that circuit into Ethernet0/3 - then configure VLAN3 with the same public IP the old one had. (you will need a security plus licence on the 5505)

Then statically nat 172.16.10.35 to that interface

YOU will need to crate an ACL to let the traffic in and out as well. Phones are not really my thing so I don't know the ports


Pete
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41870067
Thats just it, we didnt have anything connected to fe0/3, just had an IP allocated somewhere for the voice to route..  We tried adding new spare IP to the firewall interface (not sure which one) and allowed inbound using: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*
Is this a valid command to NAT inbound traffic to the Ingate?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41870306
SO you have replaced the 5505 with a 5505?

Do they both have the same license (show version)?

Was this public IP of the phones in the same range as your public IP?

>>Is this a valid command to NAT inbound traffic to the Ingate?

Heres how to setup a static NAT
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:CHI-LTD
ID: 41870388
correct.
not sure, think the version of the software is newer on the new fwall.
No, the new WAN IPs are completely different, as new ISP.

Thanks for links.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41870415
>>not sure, think the version of the software is newer on the new fwall.

Check! - the new one should have a 'sec plus' licence or VLAN3 can only be accessed from the outside (which is not what you want!)

>>No, the new WAN IPs are completely different, as new ISP.

Then you need to get the OTHER END to accept traffic form your new public IP?

P
0
 
LVL 24

Accepted Solution

by:
masnrock earned 250 total points
ID: 41871098
One of the biggest things is that you need the new WAN IP(s) to be in the Gamma portal. Some SIP trunk providers will validate based on an IP address. So if you're going to be using new WAN IPs, Gamma needs records reflecting those IPs.

TCP port 5060 is one of the ports that you'll need to open incoming traffic from Gamma for. There should also be a series of UDP ports that you need to open (I would check with Gamma to verify the specific range). From some online research, I've seen people say that Gamma recommends opening UDP ports 6000-40000, which seems to be an excessively large range.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41871847
Yes thats one thing we changed.  It now looks like it might be port related.
0
 
LVL 24

Expert Comment

by:masnrock
ID: 41873235
Have you made the changes on your firewall?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 41873687
Tonight
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question