Migrating from Cisco ASA5505 to Meraki MX67C-WW, PBX on prem and VoIP

AndrejRistovsk
Here to help


Hi there,

I was wondering if somebody can help me out and tell me if I am thinking the right way.

I have an old Cisco ASA 5505 that will need to be replaced with a Meraki MX67C-WW.

On the site I have one PBX server on prem with IP: 192.168.XX.21 and 25 VoIP phones.

In my Cisco ASA on the WAN side I have an IP: 82.33.XX.201

When the PBX server on prem is communicating with the VoIP provider it is coming out via 82.33.XX.204 (one of the public IP addresses that are available from my ISP).

I have the following objects and access list

object network Public_VoIP
 host 82.33.XX.204

object network Net_VoIP_Provider
 subnet 89.184.XX.0 255.255.XX.0

object network Srv_VoIP_PBX
 host 192.168.XX.21

And the following access-list

access-list Outside_FO_access_in extended permit object-group DM_INLINE_SERVICE_2 any object Srv_VoIP_PBX

This is what is under DM_INLINE_SERVICE_2

DM_INLINE_SERVICE_2.png

access-list Outside_FO_access_in extended permit udp any object Srv_VoIP_PBX range 10000 20000

access-list Vlan_Users_access_in_1 extended permit object-group DM_INLINE_SERVICE_4 object Srv_VoIP_PBX object Net_VoIP_Provider

This is what is under DM_INLINE_SERVICE_4

Srv_VoIP_PBX to Net_VoIP_Provider.png

2019-11-14 12_49_08-Netherdlands - Zaltbommel - Word.png

Now NAT in Cisco Meraki is a bit different than in Cisco ASA (as far as I can see).

On my Cisco Meraki I have done the following settings in 1:1 NAT

2019-11-14 12_44_28-Firewall Configuration - Meraki Dashboard.png

Will the current settings that I have on the 1:1 NAT in the new Cisco Meraki work for the PBX and the VoIP system?

Many thanks in advance.

Kind regards

Andrej

 
4 Replies
Nash
Kind of a big deal

Could you tell us what your port list is on the ASA?

Specifically what's under the hood on object-group DM_INLINE_SERVICE_2 and object-group DM_INLINE_SERVICE_4.

PhilipDAth
Kind of a big deal

The 1:1 NAT is the correct thing to use but there is not enough information to comment on the port list.

If you know the IP address(es) used by the VoIP provider, you could just allow all ports from their IP addresses.

AndrejRistovsk
Here to help

Hi there,

From the old Cisco ASA firewall I am able to see that the VoIP provider subnet is 89.184.XX.0 255.255.XX.0.

So I believe that in the 1:1 NAT in the Remote IPs I will need to replace any with 89.184.XX.0 255.255.XX.0?

AndrejRistovsk
Here to help

Hi there,

For the DM_INLINE_SERVICE_2

DM_INLINE_SERVICE_2.png

For the DM_INLINE_SERVICE_4.

Srv_VoIP_PBX to Net_VoIP_Provider.png

I also updated the post :).

Thanks in advance.
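An added example, not part of any post in this thread and not Cisco or Meraki code: a Python script that reads ASA lines shaped like those in the question and builds a 1:1 NAT rule in the field layout the Meraki Dashboard API uses for one-to-one NAT rules, narrowing an "any" source to the provider subnet as discussed in the replies. Assumptions: the addresses are constructed documentation-range stand-ins for the masked XX values, the function names are hypothetical, the uplink is taken to be internet1, and the object-group lines are skipped because their port lists appear only in the screenshots.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the ASA lines in the question;
# documentation-range addresses stand in for the masked (XX) values.
ASA_CONFIG = """\
object network Public_VoIP
 host 203.0.113.204
object network Net_VoIP_Provider
 subnet 198.51.100.0 255.255.255.0
object network Srv_VoIP_PBX
 host 192.168.10.21
access-list Outside_FO_access_in extended permit udp any object Srv_VoIP_PBX range 10000 20000
"""

def parse_objects(text):
    """Map ASA 'object network' names to a host IP or a CIDR string."""
    objects, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+host (\S+)", line)):
            objects[name] = m.group(1)
        elif name and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[name] = str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return objects

def build_nat_rule(text, public_obj, lan_obj, remote_obj=None):
    """Build one 1:1 NAT rule; remote_obj replaces 'any' sources with that object."""
    objs = parse_objects(text)
    acl = re.compile(
        rf"access-list \S+ extended permit (tcp|udp) (any|object \S+) "
        rf"object {re.escape(lan_obj)} (?:range (\d+) (\d+)|eq (\d+))")
    inbound = []
    for m in acl.finditer(text):
        proto, src, lo, hi, eq = m.groups()
        ports = f"{lo}-{hi}" if lo else eq
        if src == "any":
            allowed = [objs[remote_obj]] if remote_obj else ["any"]
        else:
            allowed = [objs[src.split()[1]]]
        inbound.append({"protocol": proto, "destinationPorts": [ports],
                        "allowedIps": allowed})
    return {"name": lan_obj, "publicIp": objs[public_obj], "lanIp": objs[lan_obj],
            "uplink": "internet1", "allowedInbound": inbound}

if __name__ == "__main__":
    rule = build_nat_rule(ASA_CONFIG, "Public_VoIP", "Srv_VoIP_PBX", "Net_VoIP_Provider")
    print(json.dumps({"rules": [rule]}, indent=2))
```

Calling build_nat_rule without the last argument keeps "any" as the source, which shows the difference between copying the ASA rule as it stands and restricting Remote IPs to the provider subnet.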
