Member
Joined: Jun 2005
Posts: 2,722 Likes: 7 |
Cool, I'll be looking forward to your update.
Member
Joined: Jan 2009
Posts: 62 |
Here's the latest on this:
Basic networking tells us that in order to get two "separate" networks to talk to each other, you need a router.
In order to get vlan1 where my vpn tunnel resides, to talk to vlan10, where my phones and mipu cards reside, I'll need to route between them.
My theory is that if I configure a router to route between the vlans and then configure a separate vpn tunnel that goes only to the vlan10 subnet, I can take my pix firewall at the remote end, access said tunnel, connect the phone to it with a static ip address from vlan10, and it should be able to find the MIPU and connect.
I may be moving in the wrong direction, but I know that the inter-vlan routing has to happen before I can even think about having a vpn tunnel to the vlan10 subnet.
Any thoughts are welcome!
Member
Joined: Jun 2005
Posts: 2,722 Likes: 7 |
I'm not the best at Vlans. We have a few in our office. Yes, you will need some way to route between vlans, as they will be on different networks. Each network also needs a gateway. In most cases Vlan10 in building A cannot have the same network address as vlan10 in building B, unless the router can act like a bridge in some way.
I am not 100% sure how the vlans are connected at our office, but I think I will ask tomorrow now that I am thinking about it.
I have worked with the vlans at my office, but my personal opinion is that for small offices vlans cause more headaches than they cure. But I know a lot of IT guys swear by them. We have used them in several VoIP installs.
Member
Joined: Jun 2005
Posts: 2,722 Likes: 7 |
I did find out that our one router is the gateway to the internet, and the gateway between vlans to connect all the vlans together.
Member
Joined: Jan 2009
Posts: 62 |
Interesting. I actually got my inter-vlan routing working, or "router on a stick" yesterday.
Although it's not completely working if you add a static route on a computer that's on vlan1 and try to ping say like the MIPU's or something. It will ping all of the phone system's processors but no MIPU's, and no phones.
When I log into the router and ping the MIPU's I get responses every time. I can ping the whole range (whatever hosts are on) of vlan10 from there.
I'm thinking it may have to do with the switch config, but I've found nothing that convinces me of that yet.
In any case I'm pretty sure I'm still a long way from getting a remote phone to work. As I see it, I would need to be able to ping an MIPU over the VPN from like say my home computer before I could even think about it. And I'm not near that point yet sadly.
Today I'm going to spend some time investigating the vlan routing issue.
Member
Joined: Jan 2009
Posts: 62 |
Just another update here.
Today it hit me why my inter vlan routing wasn't working, although I'm still trying to find solutions to get it working.
Basically, when the Adtran switches were configured they were set up with a default gateway of 192.168.4.10, which resides on vlan1. However, the router I used for the inter vlan routing is also a gateway since it's a router, but not the default gateway the Adtrans are on obviously, which is why I can talk to virtually nothing on vlan10 and the other way around through the router. Duh... I should have known that one.
So, I'm guessing some static routes will be needed somewhere, the question is just how to do it.
The Adtran managed switches I have (NetVanta 1224 series) don't seem to support static routing!! Awesome!
So here I am stuck again at this point. I'll add more later. The saga continues....
Member
Joined: Jan 2009
Posts: 62 |
Yet more info here!
Sorry to keep posting but I want to keep some documentation up here for those following this issue.
I realized the default gateway on the switches more than likely has nothing to do with why I can't reach the IPU's over my inter vlan router connection.
I believe the problem is the default gateway that is being dished out by DHCP on vlan 10 by the Adtran Netvanta switches. That default gateway is: 192.168.14.10. Strangely enough, that is the Stratagy voicemail system, not a router at all, and certainly not the gateway it would need to be if I was wanting to communicate to a device on vlan 10 over the Cisco 1710 inter vlan router from vlan 1.
I briefly gave my own phone a static IP so that I could change the "Default Router Address" to the sub interface of my inter vlan router that corresponds to vlan 10, which is 192.168.14.5.
The phone restarted and came back up, and I then did an IP scan (with Angry IP scanner) from my PC which has a route to vlan 10, but mainly resides on vlan 1. This time, my phone's IP came up as being alive, meaning that the route I have on my PC that looks like the following...
destination- 192.168.14.0 mask- 255.255.255.0 gateway 192.168.4.25
...was working properly now that the host on the other side actually had a way to return the pings BACK through the router! Whew!
So now I'm thinking I can probably re-configure the switches to give DHCP to vlan 10 that features a default gateway of 192.168.14.5 instead of 192.168.14.10.
The only thing I'm wondering is, do the IPU's receive a default gateway from DHCP? Looking in my eManager at their config, I notice they have no default gateway defined.
I'm not sure what changing the default gateways on these would really do.
Member
Joined: Jun 2005
Posts: 2,722 Likes: 7 |
The IPU gets nothing from DHCP. Everything must be set with a static IP and gateway. For a local connection on the same LAN you would not need a gateway, but going through the router, it is a must for it to work.
When you add the gateway the IPU card will briefly reset, so make sure no one is using IP phones at the time. The local connection should come right back up.
Member
Joined: Jan 2009
Posts: 62 |
Awesome, thanks for that info. Well, I think I've got this whole thing possibly figured out then!
I'll post details later, but here's what I'm planning on using to make remote IP phones possible:
On the LAN side I'm going to use a Cisco 1711 router. This router has the capability to do the VPN and the inter vlan routing. Best of all, since the inter vlan routing is there and the VPN is too, I can make a tunnel right to vlan 10 where the phones are.
On the remote user side I'll probably be using a PIX 501 firewall, I can get those cheap off ebay, and if not those eventually an ASA5505.
Well, all I have to do is start configuring...
Got a bit of work ahead of me.
Thanks for everyone's help and advice thus far!
Of course I'll be back with more info about this like I said!
Member
Joined: Jan 2009
Posts: 62 |
Well here we are, the finish line!
I got a remote phone working and I'll explain how it was done.
First there are three phone systems. A CIX 670, and two CIX 40's. They are VoIP systems.
First, to allow inter vlan routing.
I used an existing Cisco 1710 security access router that we already had and put together a configuration that would allow vpn connections to both vlan 1 and 10.
I did this by assigning the outside interface to the internet like normal, but instead of doing just one inside fast Ethernet interface, I split it into two interfaces like this:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.248
 ip access-group 110 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 half-duplex
 crypto map cm_Chi
!
interface FastEthernet0
 no ip address
 ip nat inside
 ip policy route-map nonat
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.14.4 255.255.255.0
 ip nat inside
 ip policy route-map nonat
Next I configured my access lists to allow traffic to both vlans from the other side. This allows for the remote user to have access to data and voice.
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.14.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 106 permit ip 192.168.14.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 106 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
Access list 106 is associated with a cryptomap just for reference.
When I was through configuring the 1710, I then set up my PIX 501 firewall on the remote side.
I set up a cryptomap for connectivity with the remote 1710, and then basically set up my access list on the PIX as follows:
names
name 192.168.4.0 DATA
name 192.168.14.0 VoIP
access-list inside_nat0_outbound permit ip 192.168.6.0 255.255.255.0 DATA 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.6.0 255.255.255.0 VoIP 255.255.255.0
access-list access_out permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list outside_cryptomap_20 permit ip 192.168.6.0 255.255.255.0 DATA 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.6.0 255.255.255.0 VoIP 255.255.255.0
After all that, I then went into eManager and assigned default gateways to the IPU cards on all of my phone systems. They previously did not have a default gateway assigned, and in order to allow connectivity to them over my vpn, I gave them a default gateway of 192.168.14.4, which is the inside sub-interface for vlan 10, on my 1710 router.
After doing this, I went into my remote PC, and added static routes like this:
route /p add 192.168.14.0 mask 255.255.255.0 192.168.6.1
route /p add 192.168.4.0 mask 255.255.255.0 192.168.6.1
I then confirmed I could ping IPU cards on vlan 10 and success!!
I could also ping servers and other hosts on the data vlan.
Then, I needed to make sure my phone was set up properly in eManager. I went back into eManager and went to Advanced Config>IP Telephony>IPT Data> and clicked on the extension number for the remote phone. For 02 Station IP address type I chose "Fix" and I typed in a LOCAL address for the remote lan. This was 192.168.6.5. I clicked submit.
Finally, it's time to program the phone.
1. Change IP Address Mode Set to 1:Manual.
2. Press next key up and change the IP address to a local address for the remote user, e.g. 192.168.x.x
3. Subnet mask should be in accordance with the local network. In my case it's a 24 bit mask.
4. Default Router address should be the inside address of the pix firewall or vpn appliance.
5. Station ID is whatever extension it is.
6. IPU mode set should be manual.
7. Press the next key up and enter the primary IPU address only. This is the address of whatever IPU card this extension is associated with.
8. Disable VLAN.
9. Press the next key up and Phone VLAN ID should be 1.
10. Press Hold twice and pick up then hang up the phone. It should restart.
That was it! Whew!
The phone works great over the vpn. I was quite surprised. I can assign DID's to it, use voicemail, look at the directory, anything. Call quality sounds good too.
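Added example, not part of the original post and not the poster's code: the tunnel above only carries a subnet pair if the crypto ACL entries on the two ends mirror each other, so this script parses access list 106 from the 1710 (wildcard masks) and outside_cryptomap_20 from the PIX (netmasks with name aliases) exactly as posted and reports any entry without a reversed counterpart. The function names are assumptions chosen for this example, and only "permit ip <net> <mask> <net> <mask>" entries are handled.

```python
import ipaddress

# ACL text copied from the post above: IOS crypto ACL 106 (wildcard masks)
# and the PIX crypto ACL with its `name` aliases (netmasks).
IOS_CONFIG = """\
access-list 106 permit ip 192.168.14.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 106 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
PIX_CONFIG = """\
name 192.168.4.0 DATA
name 192.168.14.0 VoIP
access-list outside_cryptomap_20 permit ip 192.168.6.0 255.255.255.0 DATA 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.6.0 255.255.255.0 VoIP 255.255.255.0
"""

def to_network(addr, mask, wildcard):
    """Build an IPv4Network; IOS wildcard masks are inverted into netmasks first."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(bits)}")

def parse_pairs(config, acl_name, wildcard):
    """Return the set of (source, destination) networks permitted by one ACL."""
    names, pairs = {}, set()
    for line in config.splitlines():
        f = line.split()
        if len(f) == 3 and f[0] == "name":
            names[f[2]] = f[1]  # PIX alias -> address
        elif len(f) == 8 and f[:4] == ["access-list", acl_name, "permit", "ip"]:
            src, smask, dst, dmask = f[4:]
            pairs.add((to_network(names.get(src, src), smask, wildcard),
                       to_network(names.get(dst, dst), dmask, wildcard)))
    return pairs

def mirror_mismatches(local, remote):
    """Return (only_local, only_remote) after reversing the remote side's pairs."""
    flipped = {(dst, src) for src, dst in remote}
    return local - flipped, flipped - local

if __name__ == "__main__":
    ios = parse_pairs(IOS_CONFIG, "106", wildcard=True)
    pix = parse_pairs(PIX_CONFIG, "outside_cryptomap_20", wildcard=False)
    only_ios, only_pix = mirror_mismatches(ios, pix)
    for src, dst in sorted(only_ios):
        print(f"1710 permits {src} -> {dst}, PIX has no mirror entry")
    for src, dst in sorted(only_pix):
        print(f"PIX expects {src} -> {dst} on the 1710, not found")
    print("mirrored" if not (only_ios or only_pix) else "MISMATCH")
```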