Mitel Forums - The Unofficial Source
Mitel Forums => MiVoice Office 250/Mitel 5000 => Topic started by: SteAnnesIT on January 10, 2014, 10:40:30 AM
-
I've tried and tried and I just can't seem to get Teleworker working. My provider 'provided' the ports to have open and that's as far as they would go to help me. I asked them to contact Mitel for assistance with giving me/us a 'basic default' ASA config that would work and I could go from there with configuring the Cisco ASA5505, but they returned to me saying Mitel has no experience with a Cisco ASA and Teleworker. I find this kind of hard to believe; they've never run across a Cisco ASA before.... Anywho.
I've gone as far as opening *ALL* ports to the PBX in the ASA. No firewall, just 1:1 NAT. The thing with the Cisco ASA stuff is you have to have your configuration specifically set for it to pass all data wanted. For instance, you can't even traceroute correctly out of the box; you have to fiddle with packet inspection etc. The very best I've been able to achieve is Teleworker connection to our PBX, and audio out from our PBX to the Teleworker, but *no* audio back in from the Teleworker to the PBX. Logically, it leads me to believe it is the Cisco ASA, but I just cannot get any further.
Any help would be greatly appreciated!
-
SteAnnesIT,
Sorry to be a pain here, but when you say Teleworker do you mean that you are using the Mitel Border Gateway (MBG) to allow for secure connections back to the 5000 or do you just have a person with a phone outside of your LAN trying to connect to the 5000 directly?
Thanks,
TE
-
I have a Mitel 5330 IP Handset configured to connect via Teleworker. Holding down the down arrow when the phone is booting... "Configure Teleworker": Yes... Enter the IP address (the public IP address in our public subnet that is 1:1 NATed to the private IP address of our Mitel 5000 "PBX A"). And then there is an extension configured specifically to allow NAT for that 5330, or something to that extent, which is assigned to that phone. Provider doesn't exactly explain it all clearly.
-
1:1 NAT is not required for the 5000.
Standard port forwarding will suffice. There are plenty of existing threads on here that specify what ports are needed.
Like
http://mitelforums.com/forum/index.php/topic,4031.msg17040.html#msg17040
-
SteAnnesIT,
Since you already have the 1:1 NAT set up in your ASA you can start with that, but I suggest locking it down to only use the ports needed for the phones to work. As for the 5000 programming that needs to be in place.
System > Devices and Feature Codes > IP Connection > {any PXXX connection that doesn't have a red X through it} > NAT IP Address [change this from 255.255.255.255 to your Public IP]
Note: Make sure that if you have more than one that you do both of them or it may only work intermittently. Also, depending on whether you are using Differentiated Services or IP Precedence, you may want to change the Audio RTP Type of Service and Data Type of Service. By default they are set for IP Precedence : 0, but if you are using Differentiated Services then you will want to set both to 184.
Now you will want to make sure the remote phone (teleworker) is set for NAT instead of Native. Go to System > Devices and Feature Codes > Phones > Ext {xxxx} > IP Settings and make sure the NAT Address Type is set to NAT; by default it is Native.
Once you get it working then lock down the ASA utilizing these ports which is also shown on the link that Sarond provided in his post.
UDP: 69, 20001, 6004-6261, 50098-50508
TCP: 3998-3999, 6800-6802
Oh, you may have noticed that I did not send you to System > IP Settings > System NAT IP Address to make the change there. This is for SIP Gateways and Trunks and is not needed for the 5330 to work, but it doesn't hurt to change it if you do or will have SIP devices out there at a future date, but you will then need to add Port 5060 to your ASA. If you are having trouble with your SIP Device staying connected then also setup Port 5061 as well.
Hope that helps,
TE
-
Okay I've looked through your instructions.
We have two PBXs, PBX A and PBX B. PBX A is where our IP sets connect as well as any Teleworker sets should connect. It has a dedicated public IP address 1:1 NATed to its internal IP address. While following your instructions:
System > Devices and Feature Codes > IP Connection > {any PXXX connection that doesn't have a red X through it} > NAT IP Address [change this from 255.255.255.255 to your Public IP]
It was indeed 255.255.255.255 and I changed it to the public IP address for which it has 1:1NAT.
I checked.
System > IP Settings > System NAT IP Address
And it seems our provider had already configured his to be the public IP address of our PBX A.
Question: If our Teleworker phones are configured to be connected to PBX A, do I need to alter these settings on PBX B as well? I am confused about where you say.
Note: Make sure that if you have more than one that you do both of them or it may only work intermittently.
Thank you.
-
SteAnnesIT,
PBX B will have to have its own Public IP address or use another set of ports, which would have to be programmed in both your ASA and the PBX B controller to work properly. So, in other words, no, you would not program the public IP address for PBX A into PBX B.
What I was referring to is that the controller can have multiple IP Connections as well as internal IP addresses based on whether or not the system has a PEC-1 or a PS-1 attached to it.
As for where your vendor put the Public IP Address it would not have worked for you regardless of how you set up the ASA since that location [System > IP Settings > NAT IP Address] is for SIP Gateways and Trunks and not IP Phones.
Hopefully that clears it up a little for you.
Thanks,
TE
-
Our PBXs use only 1 single network connection each, so I can disregard the "Note: Make sure that if you have more than one that you do both of them or it may only work intermittently." part then.
Thank you. Still working on it!
-
SteAnnesIT,
Here is a picture of what I am talking about so there is no more confusion here. There is only one connection on a Mitel 5000 if it is a base system or one with a PEC-1.
Base = 1 Connection and 1 IP Address
PEC-1 = 1 Connection and 2 IP Addresses
PS-1 = 2 Connections and 3 IP Addresses <- This is actually a separate server
So in this picture you will see P6000 and P6001. If yours has a second connection here and it does not have a RED X through it then it is in use and needs to have the Public IP Address setup on it.
Thanks,
TE
-
Right, mine look like that picture, other than the fact that there are two 5000s in our phone system, so I have to first select local device, then I see the P6001 and the P6101 below it with a big red X through it.
-
SteAnnesIT,
Then you are on the right track with the phone system programming. As far as the ASA goes, you may need to eliminate it from the equation to verify that the phone system programming is correct; then you know that the problem is in the ASA. Hopefully you have another Layer 3 device to do the routing.
Thanks,
TE
-
SteAnnesIT,
I know you said you set up a 1:1 NAT, but can you put up a copy of your Cisco ASA config so I can see if there is something wrong with it? That is if you don't have it working yet.
Thanks,
TE
-
IPs have been changed but here it is:
ASA Version 9.1(2)
!
hostname SteAnnesASA
domain-name steannes.local
enable password ************** encrypted
passwd ************* encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,15,35
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.18 255.255.255.240
!
interface Vlan15
nameif guestnet
security-level 50
ip address 192.168.15.1 255.255.255.0
!
interface Vlan35
nameif phonesys
security-level 100
ip address 192.168.35.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name steannes.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network guest_net
subnet 0.0.0.0 0.0.0.0
object network phone_sys
subnet 0.0.0.0 0.0.0.0
object network mailserver_in
host 192.168.37.14
object network webserv1_in
host 192.168.37.17
object network webserv2_in
host 192.168.37.24
object network telework_in
host 192.168.35.11
object network uca_in
host 192.168.35.13
object network mailserver_out
host 10.10.10.20
object network webserv1_out
host 10.10.10.21
object network webserv2_out
host 10.10.10.22
object network telework_out
host 10.10.10.23
object network uca_out
host 10.10.10.24
object network dns_primary
host 192.168.37.16
object network dns_secondary
host 192.168.37.11
access-list outside_in extended permit tcp any object mailserver_in eq smtp
access-list outside_in extended permit tcp any object mailserver_in eq 465
access-list outside_in extended permit tcp any object mailserver_in eq 993
access-list outside_in extended permit tcp any object webserv2_in eq www
access-list outside_in extended permit tcp any object webserv2_in eq https
access-list outside_in extended permit tcp any object webserv1_in eq www
access-list outside_in extended permit tcp any object webserv1_in eq https
access-list outside_in extended permit ip any object uca_in
access-list outside_in extended permit ip any object telework_in
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list guestnet_in extended permit udp 192.168.15.0 255.255.255.0 object dns_primary eq domain
access-list guestnet_in extended permit udp 192.168.15.0 255.255.255.0 object dns_secondary eq domain
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq smtp
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq 465
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object mailserver_in eq 993
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv2_in eq www
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv2_in eq https
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv1_in eq www
access-list guestnet_in extended permit tcp 192.168.15.0 255.255.255.0 object webserv1_in eq https
access-list guestnet_in extended deny ip any 192.168.36.0 255.255.252.0
access-list guestnet_in extended deny ip any 192.168.35.0 255.255.255.0
access-list guestnet_in extended permit ip 192.168.15.0 255.255.255.0 any
access-list phonesys_in extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu guestnet 1500
mtu phonesys 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network guest_net
nat (guestnet,outside) dynamic interface
object network phone_sys
nat (phonesys,outside) dynamic interface
object network mailserver_in
nat (inside,outside) static mailserver_out
object network webserv2_in
nat (inside,outside) static webserv2_out
object network webserv1_in
nat (inside,outside) static webserv1_out
object network telework_in
nat (phonesys,outside) static telework_out
object network uca_in
nat (phonesys,outside) static uca_out
access-group outside_in in interface outside
access-group guestnet_in in interface guestnet
access-group phonesys_in in interface phonesys
route outside 0.0.0.0 0.0.0.0 10.10.10.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.36.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.36.0 255.255.252.0 inside
telnet timeout 60
ssh 192.168.36.0 255.255.252.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 192.168.37.16 192.168.37.11
dhcpd lease 43200
dhcpd domain steannes.guest
!
dhcpd address 192.168.15.50-192.168.15.250 guestnet
dhcpd enable guestnet
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.37.16 source inside prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect mgcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d2f615b5981c3848ed429facf7e29405
: end
(Yes, we have Unlimited Hosts and Security+ Licenses for this ASA)
-
SteAnnesIT,
I am going to go out on a limb here and say that you used the GUI to program this so I am not sure how to explain what I would normally see, but here it goes.
First off I would make a static route between your Public IP Address and the Phone System. I see you have a Teleworker_In and Teleworker_Out, but I assume that is for actual workers and not the IP Endpoint.
The only NAT that I do see is this:
object network telework_in
nat (phonesys,outside) static telework_out
Now normally I only create an inside and an outside object, but it looks as though you wanted to segregate your network a little more than I normally do for mine, so take what I am showing you that works for me and find the path you need to take with your NAT setup.
Anyway this is how my static NAT would look.
static (inside,outside) {Public IP} {Phone System IP} netmask 255.255.255.255
Public IP: 97.90.122.70
Phone System IP: 192.168.101.1/24
This would be my actual static NAT.
static (inside,outside) 97.90.122.70 192.168.101.1 netmask 255.255.255.255
I am not sure how well you understand the different types of NAT in a Cisco ASA, but here is an address you can go to that should help you finish out your configuration.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
Thanks,
TE
-
No, I learned and created the config all in CLI, not the GUI interface.
You've linked to .../asa80/... which is a much older CLI version than we're using. After 8.3 there were a lot of syntax changes.
We're using ASA Version 9.1.2
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html#wp1106703
-
SteAnnesIT,
Sorry I haven't programmed one in a year or so now, but the Static NAT is the way to go and I believe from the little I read you are trying to use Dynamic NAT instead.
I don't see many differences here in the concepts between the two documents so the path I provided should still work, but the syntax may need to change a little. Did you try to set it up as a Static NAT to see if it would work?
Thanks,
Steven
-
This same syntax works for all of my dedicated servers, email, web, vpn.
Define the IP address of telework_in (the private IP address)
object network telework_in
host 192.168.35.11
Define the IP address of telework_out (the public IP address)
object network telework_out
host 10.10.10.23
Define a static 1:1 NAT for 192.168.35.11 <-> 10.10.10.23
object network telework_in
nat (phonesys,outside) static telework_out
ASA 8.4+ is very object-oriented. This is saying basically:
object network 192.168.35.11
nat (phonesys,outside) static 10.10.10.23
I'm pretty sure that a PAT statement would be something like:
object network 192.168.35.11
nat (phonesys,outside) dynamic 10.10.10.23
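A small audit script, added here as an example and not code from the thread, Mitel or Cisco, that ties together the object-NAT lines posted above and the port list TE gave earlier: it parses the posted `object network` / `nat` / `access-list` lines, confirms the teleworker host has a static 1:1 NAT, flags the `permit ip any` rule as wider than the Mitel 5000 port list, and emits the narrowed ACL lines for the lock-down step. The config excerpt is constructed from the lines in the thread; the object and ACL names are the ones used there.

```python
import re

# Mitel 5000 teleworker ports as listed in the thread: proto -> (lo, hi) ranges
MITEL_PORTS = {
    "udp": [(69, 69), (20001, 20001), (6004, 6261), (50098, 50508)],
    "tcp": [(3998, 3999), (6800, 6802)],
}

# Constructed excerpt of the ASA 9.1 object-NAT lines posted in the thread
CONFIG = """\
object network telework_in
 host 192.168.35.11
object network telework_out
 host 10.10.10.23
access-list outside_in extended permit ip any object telework_in
object network telework_in
 nat (phonesys,outside) static telework_out
"""

def parse(text):
    """Collect object hosts, per-object NAT statements and ACL entries."""
    hosts, nats, acl, cur = {}, {}, [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[:2] == ["object", "network"]:
            cur = f[2]                      # following indented lines belong to this object
        elif f[0] == "host" and cur:
            hosts[cur] = f[1]
        elif f[0] == "nat" and cur:
            m = re.match(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)", line.strip())
            nats[cur] = {"ifaces": (m[1], m[2]), "mode": m[3], "target": m[4]}
        elif f[0] == "access-list" and "object" in f:
            dst = f[f.index("object") + 1]
            port = f[f.index("eq") + 1] if "eq" in f else "any"
            acl.append({"name": f[1], "proto": f[4], "dst": dst, "port": port})
    return hosts, nats, acl

def audit(text, obj="telework_in"):
    """Findings: is the NAT static 1:1 (as the thread recommends), and is the ACL too wide?"""
    hosts, nats, acl = parse(text)
    findings, nat = [], nats.get(obj)
    if nat is None or nat["mode"] != "static":
        findings.append(f"{obj}: no static 1:1 NAT found")
    else:
        findings.append(f"{obj}: static NAT {hosts[obj]} <-> {hosts[nat['target']]}")
    for e in acl:
        if e["dst"] == obj and e["proto"] == "ip":
            findings.append(f"{e['name']}: 'permit ip any' to {obj} is wider than the Mitel port list")
    return findings

def narrowed_acl(obj="telework_in", name="outside_in"):
    """ACL lines permitting only the ports the 5000 teleworker needs (ASA 'eq'/'range' operators)."""
    lines = []
    for proto, ranges in MITEL_PORTS.items():
        for lo, hi in ranges:
            op = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {name} extended permit {proto} any object {obj} {op}")
    return lines
```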
-
SteAnnesIT,
Hmm, well it could be an inspection condition that is causing the issue. I am going to look at your original problem though.
Is the phone connecting up to the system? Yes
Audio both way? No
Audio from System to Endpoint? Yes
Audio from Endpoint to System? No
Is Peer Audio turned on for that phones network group?
System > Devices and Feature Codes > Phones > Ext XXXX > Network Group P?XX
If Peer to Peer Audio is on then you will not get 2-way audio, but I don't see where we asked that question before. I was under the mindset lately that the phone was connecting at all to the system; sorry.
Thanks,
TE
-
Okay for me it goes...
System > Devices and Feature Codes > Phones > Local (PBX A) > {Teleworker Extension} > IP Settings > Network Group: PP029
So then I go to:
System > Devices and Feature Codes > Network Groups: PP029 | Default Network GRP | EXT PP029 | No (Use Peer-To-Peer Audio).
So I'm assuming, No, Peer-To-Peer Audio isn't on.
-
SteAnnesIT,
Well at this point I would be breaking out Wireshark and getting captures of the whole process up to and including the fail point.
What you would be looking for is the breakdown in the communication path from the Endpoint to the System, since the audio is lost going in that direction. This means you need to set up on the Endpoint side and do the capture there to see where the packets are going to. If you see them going to the correct location, then the problem is in the ASA dropping the packets, most likely through its inspection state.
After you find that you will probably need to contact Cisco to find out how to set up your ASA to allow for the Endpoint to communicate properly.
Thanks,
TE
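The capture comparison TE describes, written up as an added example (not from the thread): given a capture-summary from the endpoint side and one from the system side, it counts RTP in each direction on the 5000's UDP audio ranges, checks whether the phone is even sending audio to the public address (a private destination points back at the NAT IP Address programming discussed earlier), and otherwise localizes the one-way audio to the path between the two capture points. The flow lines, the phone address 203.0.113.5 and the port numbers are constructed; the public/private PBX addresses are the ones in the posted config.

```python
# Mitel 5000 UDP audio port ranges from the thread
RTP_RANGES = [(6004, 6261), (50098, 50508)]

def is_rtp_port(port):
    return any(lo <= port <= hi for lo, hi in RTP_RANGES)

def parse_flows(text):
    """Parse constructed capture summary lines of the form 'src:sport -> dst:dport'."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst = [p.strip() for p in line.split("->")]
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((sip, int(sport), dip, int(dport)))
    return flows

def audio_directions(flows, phone_ip, system_ips):
    """Count RTP packets phone->system and system->phone at one capture point."""
    to_sys = sum(1 for s, sp, d, dp in flows if s == phone_ip and d in system_ips and is_rtp_port(dp))
    from_sys = sum(1 for s, sp, d, dp in flows if d == phone_ip and s in system_ips and is_rtp_port(sp))
    return {"to_system": to_sys, "from_system": from_sys}

def diagnose(endpoint_cap, system_cap, phone_ip, public_ip, private_ip):
    """Compare endpoint-side and system-side captures to localize one-way audio."""
    ep = parse_flows(endpoint_cap)
    # Audio sent to a private address means the 5000 advertised its LAN address,
    # i.e. the NAT IP Address on the IP Connection is still 255.255.255.255.
    wrong = {d for s, _, d, dp in ep if s == phone_ip and is_rtp_port(dp) and d != public_ip}
    if wrong:
        return f"phone sends RTP to {sorted(wrong)}: check the 5000 NAT IP Address programming"
    ep_dirs = audio_directions(ep, phone_ip, {public_ip})
    sys_dirs = audio_directions(parse_flows(system_cap), phone_ip, {private_ip})
    if ep_dirs["to_system"] == 0:
        return "phone never sends RTP: check the extension's NAT Address Type and network group"
    if sys_dirs["to_system"] == 0:
        return "phone RTP leaves toward the public IP but never reaches the 5000: dropped in the path (ASA)"
    if sys_dirs["from_system"] and ep_dirs["from_system"] == 0:
        return "5000 sends RTP but the phone never receives it: dropped on the way out"
    return "two-way RTP seen at both capture points"

# Constructed captures reproducing the thread's symptom: audio system->phone only
ENDPOINT_CAP = """
203.0.113.5:50100 -> 10.10.10.23:6010
203.0.113.5:50100 -> 10.10.10.23:6010
10.10.10.23:6010 -> 203.0.113.5:50100
"""
SYSTEM_CAP = """
192.168.35.11:6010 -> 203.0.113.5:50100
192.168.35.11:6010 -> 203.0.113.5:50100
"""
```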