Posts Tagged ‘cisco’

Aug
5

Small business office setup for under $6,000

I had the opportunity recently to help my friends over at Richard Realty Group in Carlsbad move their corporate office. They went from a small 1,100 sq ft office to a 3,200 sq ft office with approximately 20+ employees. I was contacted by them to consult and install their data and voice systems. Right up my alley!

The first order of business was to research and purchase a phone system. Realtors are on the phone quite a bit and they needed a rock solid phone system to meet their needs and come in under budget. Management of the phone system for add/moves/changes was also something we took under consideration. Who wants to pay $50 every time an extension needs to be moved or a new employee comes on board? No thanks! We decided on the 3Com NBX V3000 VoIP platform. This system is feature rich, very easy to install and the management is done via a web GUI. Just connect each phone to a Cat5 jack and make sure the other end is terminated on a PoE switch and we’re done! This system has been discontinued by 3Com, however it is rock solid and fits within our budget. It also helped that I had previous successful experience with this system.

Criteria we used for selecting a phone system:

  • Support 20 phones immediately w/ room to grow
  • 8 POT lines for starters with scalability to add more POTs or a PRI as needed
  • Simple management
  • Simple installation
  • Features such as auto attendant, hunt group, voicemail, call forwarding, conference calling, music on hold, etc.
  • Cost

AT&T is the voice provider for the office. I’ve bashed them before (PacBell days) but to my surprise they were really great during this transition. RRG was assigned a project coordinator for the telephone line moves and she was fairly quick to respond via email. As always there were some communication issues between the AT&T branch office and the workers sent out to do the actual work but in the end, everything is working as it should be and was done on time.

For the network we went with a used Cisco ASA 5505 with unlimited users. After my recent PIX experience, setting up the ASA was a cakewalk! The ASA would be our router, firewall and VPN server. Should the company ever need/want to have a remote office or have employees work from home, the 3Com phones can be easily connected over a VPN tunnel. A Cisco PIX 501 for the remote user can be connected to the ASA, then the 3Com NBX phone would simply plug into the PIX 501 and it would work just the same as if it was at the office.

I went with a new APC Smart-UPS 1500 for the battery backup system. This unit is a bit overkill and barely fits in the rack but we wanted to have a good amount of runtime and the unit could not take up more than 2U of rack space. In addition, we were a little concerned about the potential heat in the room where the equipment rack is installed so we added a temperature probe to the UPS to help monitor the environment.

Internet for the office is provided by AT&T business class DSL. There were no affordable options at the new office location. The service is actually pretty good. They are seeing around 6Mbps down, 1Mbps up which is “respectable” for business class DSL services.

To come in under the $6,000 budget, I turned to eBay for almost everything! Here is the full list of items purchased for the office setup:

  • Cisco ASA 5505, unlimited users (eBay – $414.30)
  • 3Com NBX V3000, 26 group 2 license
  • 3Com NBX V5000 expansion chassis
  • 3Com NBX 4port analog line card
  • 20 3102 business phones w/ cords
  • 4 port 400hr voicemail (eBay – $4065)
  • NetGear GS724TP ProSafe 24PT Gigabit PoE switch (eBay – $360)
  • APC 13U wall mount rack unit (Used – $250)
  • APC Smart-UPS 1500VA RM UPS (New GHA Technologies – $517.92)
  • APC 9619 management card w/ temp probe (eBay – $50)
  • 25x 25′, 25x 10′, 25x 3′, 10x 5′ Cat5e patch shielded cables (CablestoGo.com – $222.92)
  • TOTAL $5,880.14

The downside of buying the equipment via eBay is there is no warranty. We took this under consideration; however, the cost of used vs. new far outweighed the lack of warranty and support. A few of the 3102 phones did not work but the eBay vendor I used was quick to exchange them for me. Knock on wood but I’ve bought many used Cisco items on eBay over the past 6+ years and have yet to have one of them fail on me.

After a week in the office, everything is running very smoothly. With the VPN in place, I am able to remote in and adjust any settings on the phone system as it gets some real use. This was a great project to work on and an easy client to work with. Everyone is happy!

If you would like to know the specific eBay vendors I used for the purchases I will be more than happy to post those for you. I’ve used many of these vendors before and they are great eBay sellers.

APC 13U Wall Rack

Equipment and terminations in wall rack unit

Jul
4

Nerd’n Out w/ Cisco Firewalls – eBay Recession Proof?

I’ve done more Cisco configuration in the past month than I have done in my entire 10 year stint at Lambesis. I’ve found the Cisco IOS can be very daunting at times (all the time) but once you’ve got a handle on it, it’s incredibly powerful and robust. One project that I’ve had on my plate for quite some time now has been a firewall upgrade for both the main office (HQ) and our datacenter. This was not a simple project as I couldn’t screw up any of the VPN tunnels currently in place between the locations. Our existing VPN setup used the Cisco Concentrator 3000 Series. This is a great VPN device but it’s just that and no firewall. I was looking at the Cisco ASA 5510 or better; however, the price tag is insanely high. It is a great device but not worth the money over what you can get with a used PIX. Just like all technology there is a premium for the latest and greatest.

I turned to eBay to purchase all of the gear. I went with a PIX 515E Unrestricted Failover Pair w/ VAC+, 512MB RAM at the datacenter, a single PIX 515E w/ VAC+, 512MB RAM at our headquarters, and the PIX 506e for all remote locations. The PIX 515E VAC+ can handle 190Mbps cleartext throughput and 135Mbps IPSec VPN throughput. Our datacenter is on a 100Mbps pipe and our HQ is currently on a 6Mbps pipe with plans to push it over 40Mbps within the next 6 months. I’ll eventually add a Failover PIX at the headquarters office to be on the safe side. Just for comparison’s sake, a comparable new ASA 5510 runs around $3,500/each while the above PIX configuration ran around $600/each. I was able to purchase three PIX 515E units and three 506e units for around $1000 less than the price of a single new ASA 5510 device. Note: there is no warranty or Cisco support on these devices.

First off, I am not a Cisco certified engineer or anything close to it. I learn by trial and error and luckily I have the opportunity most of the time to do just that. Our existing system was not cutting it and I’m too embarrassed to even tell you what it was. I will tell you that our Cisco 3620 router was doing NAT for us and had some aggressive ACLs. I was asking the router to do way too much and anytime I would fire up an rsync session over the VPN, the router would just crap out.

With a little help from a good friend at Nextlevel Internet, I was able to get the PIX 515e set up at our headquarters and start testing the setup. Keep in mind I have remote locations and users connected over the VPN back to our headquarters. If I changed the gateway to the newly installed PIX, it would cripple those remote locations as they would not be able to see the DNS servers for starters.

Here is what I did:

  1. Configure PIX 515e at headquarters and set up an unused private IP for testing
  2. Set up a couple test machines on our local network and use the PIX 515e for the gateway
  3. Once happy with results, I had to work on the datacenter setup because of the VPN tunnel between the two locations
  4. Replaced the 506e firewall at the datacenter with the PIX 515e FO pair
  5. Establish a PTP tunnel back to the PIX 515e at the HQ
  6. Configure remote VPN capabilities on PIX 515e at HQ for software VPN clients
  7. Add a Guest network at HQ with access only to the public interface
  8. Remove the private LAN, NAT and the ACL from the Cisco 3620 router at HQ
  9. Change the IP of the PIX 515e at HQ to be the gateway IP
  10. Go home (ok, I was already there actually)

There are definitely some differences between the PIX IOS and the Cisco Concentrator 3000 configuration which gave me some trouble. On the Concentrator my VPN client IP pool was the same subnet as my private LAN which worked fine for many years. On the PIX, I had to create a new subnet for my VPN clients and ensure my ACLs are set up correctly for proper routing and access. In addition I discovered I need to have separate ACLs for each PTP or remote VPN configuration which was different than how the Concentrator 3000 was configured.
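The two constraints described above (a VPN client pool outside the private LAN subnet, and one ACL per tunnel) can be checked mechanically before cutover. The following is an added example, not the author's configuration or tooling: the sample config is constructed, every name and address in it is made up, and the LAN subnet passed to the check is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in PIX-style syntax; all names and addresses are made up.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.10.200-192.168.10.220
ip local pool NEWPOOL 192.168.50.1-192.168.50.50
crypto map OUTSIDE_MAP 10 match address TUNNELS
crypto map OUTSIDE_MAP 20 match address TUNNELS
crypto map OUTSIDE_MAP 30 match address BRANCH_ONLY
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


def overlapping_pools(config, lan_cidr):
    """Return names of VPN client pools that share addresses with the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    bad = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3))
        # A start-end range can span several CIDR blocks; test each one.
        blocks = ipaddress.summarize_address_range(first, last)
        if any(block.overlaps(lan) for block in blocks):
            bad.append(m.group(1))
    return bad


def shared_crypto_acls(config):
    """Return {acl: [(map, seq), ...]} for ACLs matched by more than one tunnel entry."""
    users = defaultdict(list)
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            users[m.group(3)].append((m.group(1), int(m.group(2))))
    return {acl: refs for acl, refs in users.items() if len(refs) > 1}


if __name__ == "__main__":
    print("pools overlapping LAN:", overlapping_pools(SAMPLE_CONFIG, "192.168.10.0/24"))
    print("ACLs shared by tunnels:", shared_crypto_acls(SAMPLE_CONFIG))
```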

One thing that bit me the hardest was ARP. After I moved a server from the 506E to the 515E at the datacenter it no longer worked. Turns out that I needed to have my ISP for the datacenter run a “clear arp” on the uplink router. Once I figured that out I was able to coordinate all my upgrades with them for zero downtime.

After a lot of trial and error, I am happy to report a very successful stable firewall/VPN upgrade. My Cisco 3620 router is happy once again just routing.

What I still have to do:

  1. Enable hairpin routing to work so all VPN locations can traverse one another. This will allow an authorized user to VPN into HQ and get into the Datacenter, for example.
  2. Set up AAA against our Mac OS X 10.5 Leopard server (Open Directory) for the remote VPN clients (software)
  3. Set up proper QoS for voice traffic across all devices
  4. Add a PIX 515 FO unit to HQ and configure accordingly.