I recently set up a S2S VPN network between my MX67 and one of my Z3 Gateways. The MX67 is sitting behind a NAT'ed Fortigate firewall. My test Z3 is at my home office. Through my Z3, I can get to all of my corporate resources, files, servers etc. I can also connect Jabber and my test Cisco IP Phone. It's the Jabber and Phone that I am stumped on. I am not able to receive incoming calls to Jabber or the phone, but I can call out to my cell phone as a test. I understand how traffic should be flowing and I understand that NAT may have to do with signaling going South, but maybe some help from the community will steer me in the right direction on where to look for the block/packet drop. Note: I can ping all of my internal resources from my Z3 to the corporate net, but I am not able to ping or RDP, say, to my test laptop that is connected to my test Z3. Thanks - JM
MX: Set to Route mode, and is the VPN Hub
Z3: Set to Route Mode, and is a Spoke using the MX67 Hub
These two devices can ping each other all day.
@ctx505: Check this: put in the NAT rule to allow the incoming calls.
@ctx505 do you have an on-site CUCM server? We run exactly your setup (except the enterprise edge firewalls are a different brand) and Cisco SIP desk phones work just fine connected to an MX/Z3 in a user's home.
@cmr, no the CUCM servers are on an external VLAN that is hosted with a third party. Our core switch routes VOIP to their servers through a VLAN. We do have internal routes on our switch and Firewall for the VOIP traffic and all phones on the corporate LAN can receive calls just fine.
@ctx505 just thinking out loud here, so play along and see if there is something that makes sense (or not).
If you can make an outbound call then your phone is registered, and signaling from your Jabber/phone is working. Did the audio channels also come up successfully? So the traffic is going from your Z3 over the AutoVPN to the MX64 then out the MX64 LAN interface to the core switch then off to the CUCM hosted environment.
If inbound calls can't be setup, but all the routing is working (since the above worked), then my thought is that there is likely a stateful firewall somewhere which is blocking traffic. The above path potentially works as you are on the 'trusted' side of the firewall, and so state is established, thus allowing return traffic. In the other direction (i.e. an inbound call) maybe there is a firewall rule that is blocking the path?
Do you have any rules for the Site-to-Site Outbound Firewall for the AutoVPN? Are there any other firewalls in the path, between your network and the CUCM hosted environment for instance?
I like the thought experiment here, and it is correct. I do have a Fortigate sitting in between the MX and Z3 and the external VLAN for VOIP. I do not have any firewall rules at the moment that speak to the inbound/outbound traffic to the MX/Z3. I am dedicating today to testing some of these theories and hopefully coming to a solution. I will post my results here, thanks all for your help 🙂
All, the solution for us turned out to be static routing on our core router and firewall policies on our corporate firewall. As for the MX67 and the Z3 devices, the solutions are as follows:
(Placed behind our NAT'd Fortigate)
MX67: Assign a corporate LAN static IP; set as Passthrough Mode or VPN Concentrator with Client Tracking set to IP; S2S VPN set as Hub, with Local Networks added (in my case there were 8 local subnets that I wanted my remote clients to see over VPN) to advertise over VPN to the Z3s; NAT set to Automatic.
(Placed behind home office internet router (Google Fiber in my case))
Z3: Let the device grab an IP address from the router via DHCP, no need to set a static IP here; set as Routed Mode with Client Tracking set to IP; S2S VPN set as Spoke with my MX selected as the Hub and the Default route box checked (I want all traffic going through my network); NAT set to Automatic.
Set up static routing for my Z3 subnets (total 10, 5 for LAN and 5 for VOIP) to point to the internal static IP address of my MX67. The MX67 handles all routing automatically after that, so no need to add static routes here or on my Z3s.
Set up two firewall policies:
1. Policy for VOIP, basically letting my Z3 Jabber and IP Phone enabled devices contact our call manager servers using VOIP protocols.
ANY ANY Z3 GROUPS ALL ALWAYS VOIP ACCEPT NO-NAT
2. Policy for access to corporate LAN, basically giving the Z3 subnets access to my corporate subnets.
ANY LAN Z3 GROUPS ALL ALWAYS ALL ACCEPT NAT
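As an added illustration (not configuration posted by the thread's author), here is how the static routes and the two policy rows above map onto FortiGate CLI. The rows read left to right as the FortiGate policy columns From, To, Source, Destination, Schedule, Service, Action, NAT. Every subnet, object name and interface name below is a constructed placeholder: 10.0.0.5 stands in for the MX67's corporate LAN static IP, "internal" for the corporate LAN interface, and the "VOIP" service group is assumed to be a user-created group, since the thread does not say which ports it contains. The `#` lines are explanatory comments, not commands, so strip them before pasting into a live CLI.

```fortios
# Static routes: each Z3 subnet points at the MX67's LAN static IP, which
# forwards over AutoVPN to the Z3 (placeholder subnets and gateway).
config router static
    edit 101
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.0.0.5
        set device "internal"
    next
    edit 102
        set dst 192.168.11.0 255.255.255.0
        set gateway 10.0.0.5
        set device "internal"
    next
end

# Address objects for the Z3 subnets and the "Z3 GROUPS" group both policies use.
config firewall address
    edit "Z3-HOME-LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "Z3-HOME-VOIP"
        set subnet 192.168.11.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Z3_GROUPS"
        set member "Z3-HOME-LAN" "Z3-HOME-VOIP"
    next
end

# Service group for the VoIP policy. "SIP" is a FortiOS built-in service object;
# the RTP port range is a constructed example and must match your call manager.
config firewall service custom
    edit "RTP-MEDIA"
        set udp-portrange 16384-32767
    next
end
config firewall service group
    edit "VOIP"
        set member "SIP" "RTP-MEDIA"
    next
end

config firewall policy
    # Policy 1: ANY ANY Z3 GROUPS ALL ALWAYS VOIP ACCEPT NO-NAT.
    # Keep it above the LAN policy: FortiGate matches top-down, first match wins,
    # and the narrower no-NAT rule must be hit before the catch-all NAT rule.
    edit 10
        set name "Z3-VOIP"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Z3_GROUPS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "VOIP"
        set nat disable
        set logtraffic all
    next
    # Policy 2: ANY LAN Z3 GROUPS ALL ALWAYS ALL ACCEPT NAT.
    # Everything else from the Z3 subnets into the corporate LAN, source-NATed.
    edit 11
        set name "Z3-LAN"
        set srcintf "any"
        set dstintf "internal"
        set srcaddr "Z3_GROUPS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two checks are worth running after applying this, because they answer the original question of where the drop happens: `diagnose sys session filter dport 5060` followed by `diagnose sys session list` shows whether a signalling session from a Z3 phone exists in the stateful session table at all, and `diagnose debug flow filter port 5060`, `diagnose debug flow trace start 100`, `diagnose debug enable` traces each packet through policy lookup and reports the policy id that accepted it or the reason it was denied. Logging is set to `all` on both policies so that denied and accepted flows for the Z3 subnets are visible in the forward-traffic log rather than only in a live debug session.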
Testing: I can receive calls on my Z3 clients using Jabber and my Cisco IP Phone. Calls in and out are clear, no drops or static. Calls between Jabber clients remotely and locally are good. Calls between Cisco IP phones locally and remotely are good.
I hope this helps anyone out there deciding to set up an MX/Z3 Telework network behind a Fortigate/Cisco network.