Shoretel SIP Trunks failing to work after migrating internet/firewall

Hi

Need some guidance on this please.  Have a Small Business edition shoretel setup, running HQ, SG90, SG90BRI, E1k and an ingate siperator.

We've migrated the internet and replaced the firewall (cisco asa 5505) and rebuild the config so essentially the same apart from it has new external IP addresses.  However the SIP trunks failed to come online.  
It transpired that the old firewall had an additional wan IP address allocated to the firewall, and this IP was stored in the gamma portal.  So

We've tried using an additional IP address to the firewall and using the current WAN IP of the firewall to Gamma portal, but no joy.

The config on the ingate appears to be configured to point traffic direct to Gamma.  The old and new firewalls had/has an inbound NAT rule from WAN IP internal ingate e.g: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*

Ideas?
LVL 1
CHI-LTDAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
masnrockConnect With a Mentor Commented:
One of the biggest things is that you need the new WAN IP(s) to be in the Gamma portal. Some SIP trunk providers will validate based on an IP address. So if you're going to be using new WAN IPs, Gamma needs records reflecting those IPs.

TCP port 5060 is one of the ports that you'll need to open incoming traffic from Gamma for. There should also be a series of UDP ports that you need to open (I would check with Gamma to verify the specific range). From some online research, I've seen people say that Gamma recommends opening UDP ports 6000-40000, which seems to be an excessively large range.
0
 
Pete LongConnect With a Mentor Technical ConsultantCommented:
>>It transpired that the old firewall had an additional wan IP

SO plug that circuit into Ethernet0/3 - then configure VLAN3 with the same public IP the old one had. (you will need a security plus licence on the 5505)

Then statically nat 172.16.10.35 to that interface

YOU will need to crate an ACL to let the traffic in and out as well. Phones are not really my thing so I don't know the ports


Pete
0
 
CHI-LTDAuthor Commented:
Thats just it, we didnt have anything connected to fe0/3, just had an IP allocated somewhere for the voice to route..  We tried adding new spare IP to the firewall interface (not sure which one) and allowed inbound using: nat (inside,outside) source static a-172.16.10.35 a-*.*.*.*
Is this a valid command to NAT inbound traffic to the Ingate?
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
Pete LongConnect With a Mentor Technical ConsultantCommented:
SO you have replaced the 5505 with a 5505?

Do they both have the same license (show version)?

Was this public IP of the phones in the same range as your public IP?

>>Is this a valid command to NAT inbound traffic to the Ingate?

Heres how to setup a static NAT
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
0
 
CHI-LTDAuthor Commented:
correct.
not sure, think the version of the software is newer on the new fwall.
No, the new WAN IPs are completely different, as new ISP.

Thanks for links.
0
 
Pete LongConnect With a Mentor Technical ConsultantCommented:
>>not sure, think the version of the software is newer on the new fwall.

Check! - the new one should have a 'sec plus' licence or VLAN3 can only be accessed from the outside (which is not what you want!)

>>No, the new WAN IPs are completely different, as new ISP.

Then you need to get the OTHER END to accept traffic form your new public IP?

P
0
 
CHI-LTDAuthor Commented:
Yes thats one thing we changed.  It now looks like it might be port related.
0
 
masnrockCommented:
Have you made the changes on your firewall?
0
 
CHI-LTDAuthor Commented:
Tonight
0
All Courses

From novice to tech pro — start learning today.