	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.8

Cisco VOIP teleworker IP Phone behind Pix 501 with L2L VPN

Asked by chris97b in IP Telephony, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: cisco, voip, vpn, teleworker

All,

I have been working on setting up a teleworker configuration. We have a UC520 running Call Manager express in the central office, and 20 CP-254G IP phones. I am trying to setup a remote IP phone, using a Pix 501 to establish an ipsec Lan to Lan to the main office.

The office has an ASA5510 firewall, and I have successfully created a tunnel between the ASA and Pix. The tunnel seems to be working fine, and I am able to ping all 3 office subnets. (data, voice, and the UC500 service engine subnet). For whatever reason though, I have been totally unable to get the remote IP Phone to register with call manager.

Initially, I set DHCP option 150 on the Pix to point to 10.1.1.1 (the call manager IP address), but this resulted in the inability of the phone to pull files from TFTP. The TFTP requests were received by CME, but the data never made it back. A bit of digging revealed that an option was set on the UC520 for the tftp source address, pointing to 10.1.10.2. I repointed the DHCP option 150 to this IP, and the phone was able to TFTP files down from CME. I assume this is a result of the requests going to CME at 10.1.1.1 and CME then responding from a source IP of 10.1.10.2. I really am not certain why this would be a problem, but it seems to be mostly working for now.

Using debug tftp packet and debug ephone register, I see the remote phone pull several cnf files from TFTP, then request a file which does not exist. At that point, the phone seems to hang, and nothing happens for several minutes until it restarts and the process begins again.

The last thing I see is:

Dec 31 17:22:28.007: TFTP: read request from host 192.168.2.52(39155) via Vlan1
Dec 31 17:22:28.007: TFTP: Looking for /CP-524S-cfg.xml
Dec 31 17:22:28.007: TFTP: Sending error 1 No such file

I do not think this is a problem however, as I see the same behavior for the onsite phones, which are working fine:

Dec 31 17:21:35.651: TFTP: read request from host 10.1.1.25(14399) via Vlan100
Dec 31 17:21:35.651: TFTP: Looking for /CP-524S-cfg.xml
Dec 31 17:21:35.651: TFTP: Sending error 1 No such file

10.1.1.25 is an onsite IP phone, which has no problems registering.

Can someone please point me to any debugs which might reveal where the process is breaking down; or otherwise have any advice on what else may need to be done to permit this configuration?

Thanks in advance,

Chris

Get your answer NOW

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:
470:
471:
472:
473:
474:
475:
476:
477:
478:
479:
480:
481:
482:
483:
484:
485:
486:
487:
488:
489:
490:
491:
492:
493:
494:
495:
496:
497:
498:
499:
500:
501:
502:
503:
504:
505:
506:
507:
508:
509:
510:
511:
512:
513:
514:
515:
516:
517:
518:
519:
520:
521:
522:
523:
524:
525:
526:
527:
528:
529:
530:
531:
532:
533:
534:
535:
536:
537:
538:
539:
540:
541:
542:
543:
544:
545:
546:
547:
548:
549:
550:
551:
552:
553:
554:
555:
556:
557:
558:
559:
560:
561:
562:
563:
564:
565:
566:
567:
568:
569:
570:
571:
572:
573:
574:
575:
576:
577:
578:
579:
580:
581:
582:
583:
584:
585:
586:
587:
588:
589:
590:
591:
592:
593:
594:
595:
596:
597:
598:
599:
600:
601:
602:
603:
604:
605:
606:
607:
608:
609:
610:
611:
612:
613:
614:
615:
616:
617:
618:
619:
620:
621:
622:
623:
624:
625:
626:
627:
628:
629:
630:
631:
632:
633:
634:
635:
636:
637:
638:
639:
640:
641:
642:
643:
644:
645:
646:
647:
648:
649:
650:
651:
652:
653:
654:
655:
656:
657:
658:
659:
660:
661:
662:
663:
664:
665:
666:
667:
668:
669:
670:
671:
672:
673:
674:
675:
676:
677:
678:
679:
680:
681:
682:
683:
684:
685:
686:
687:
688:
689:
690:
691:
692:
693:
694:
695:
696:
697:
698:
699:
700:
701:
702:
703:
704:
705:
706:
707:
708:
709:
710:
711:
712:
713:
714:
715:
716:
717:
718:
719:
720:
721:
722:
723:
724:
725:
726:
727:
728:
729:
730:
731:
732:
733:
734:
735:
736:
737:
738:
739:
740:
741:
742:
743:
744:
745:
746:
747:
748:
749:
750:
751:
752:
753:
754:
755:
756:
757:
758:
759:
760:
761:
762:
763:
764:
765:
766:
767:
768:
769:
770:
771:
772:
773:
774:
775:
776:
777:
778:
779:
780:
781:
782:
783:
784:
785:
786:
787:
788:
789:
790:
791:
792:
793:
794:
795:
796:
797:
798:
799:
800:
801:
802:
803:
804:
805:
806:
807:
808:
809:
810:
811:
812:
813:
814:
815:
816:
817:
818:
819:
820:
821:
822:
823:
824:
825:
826:
827:
828:
829:
830:
831:
832:
833:
834:
835:
836:
837:
838:
839:
840:
841:
842:
843:
844:
845:
846:
847:
848:
849:
850:
851:
852:
853:
854:
855:
856:
857:
858:
859:
860:
861:
862:
863:
864:
865:
866:
867:
868:
869:
870:
871:
872:
873:
874:
875:
876:
877:
878:
879:
880:
881:
882:
883:
884:
885:
886:
887:
888:
889:
890:
891:
892:
893:
894:
895:
896:
897:
898:
899:
900:
901:
902:
903:
904:
905:
906:
907:
908:
909:
910:
911:
912:
913:
914:
915:
916:
917:
918:
919:
920:
921:
922:
923:
924:
925:
926:
927:
928:
929:
930:
931:
932:
933:
934:
935:
936:
937:
938:
939:
940:
941:
942:
943:
944:
945:

           
           
             Sanitized and trimmed configs follow:
 
 
UC520 (main office):
 
TCADUC520#sh run
Building configuration...
 
Current configuration : 33438 bytes
!
! Last configuration change at 23:20:58 CST Tue Dec 30 2008 by synchadmin
! NVRAM config last updated at 23:40:16 CST Tue Dec 30 2008 by synchadmin
!
version 12.4
parser config cache interface
parser config interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
!
hostname TCADUC520
!
boot-start-marker
boot system flash uc500-advipservicesk9-mz.124-11.XW9
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint TP-self-signed-3277290856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3277290856
 revocation-check none
 rsakeypair TP-self-signed-3277290856
!
!
crypto pki certificate chain TP-self-signed-3277290856
 certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323737 32393038 3536301E 170D3038 31323239 31333536
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32373732
  39303835 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EA3F 5A7673B5 A8C8168F 9C38B3D6 66496223 2EDE4A33 62EEA7F3 019BA54B
  33E690BB 544D0358 C35D4C23 97F4DA14 8E9787A7 53CE0A70 302CC7E8 8F04C3B9
  B04C02D9 B62C4C92 A5C81BD2 C89A5BFC 6BBF4BE3 4A9765A8 E4657CEF 1649DF5A
  A2843931 3FD5C321 75E74DC4 F66782F6 A0DF2F6C B27C26CA 42C67210 E04C6D1F
  DADF0203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
  551D1104 0D300B82 09544341 44554335 3230301F 0603551D 23041830 168014E4
  30F19535 9D3A3818 78DA5BD6 3BF03A31 4C02C530 1D060355 1D0E0416 0414E430
  F195359D 3A381878 DA5BD63B F03A314C 02C5300D 06092A86 4886F70D 01010405
  00038181 00C930DC 0CAA082F 2608495B 1EABCDF5 B1AEF302 61488009 20E5FCF2
  A1AE67AC 41FF9227 0D202AEB 264BC94D 330E70FC 46A966E5 EA3EBF1A 8D86DBEE
  9FF08CD3 CCAAC8EE 774F2623 6F633224 5547DDEB 9829B143 19ACF16A BB21EFB7
  7F9F91FE B791C621 EE2F18AE C4DF4167 54AE944F 387E9E05 4DB949CE 1A139C08
  D7042015 20
        quit
!
!
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
!
!
ip name-server 192.168.1.11
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
multilink bundle-name authenticated
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 sip
  no update-callerid
!
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
!
!
!
!
!
!
voice register global
 max-dn 160
 max-pool 40
!
!
voice translation-rule 1111
!
voice translation-rule 1112
 rule 1 /^9/ //
!
voice translation-rule 2222
!
!
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
 translate calling 1111
!
voice translation-profile CallBlocking
 translate called 2222
!
voice translation-profile OUTGOING_TRANSLATION_PROFILE
 translate calling 1111
 translate called 1112
!
!
voice-card 0
 no dspfarm
!
!
!
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/2
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/4
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/5
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/6
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/7
!
interface FastEthernet0/1/8
 switchport mode trunk
 macro description cisco-switch
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 69 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq tftp any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 any
access-list 104 deny   ip any any
snmp-server community public RO
!
!
!
!
tftp-server apps11.8-2-2TR2.sbn
tftp-server apps31.8-2-2TR2.sbn
tftp-server apps41.8-2-2TR2.sbn
tftp-server apps70.8-2-2TR2.sbn
tftp-server cmterm_7936.3-3-13-0.bin
tftp-server cnu11.8-2-2TR2.sbn
tftp-server cnu31.8-2-2TR2.sbn
tftp-server cnu41.8-2-2TR2.sbn
tftp-server cnu70.8-2-2TR2.sbn
tftp-server CP7902080002SCCP060817A.sbin
tftp-server cvm11sccp.8-2-2TR2.sbn
tftp-server cvm31sccp.8-2-2TR2.sbn
tftp-server cvm41sccp.8-2-2TR2.sbn
tftp-server cvm70sccp.8-2-2TR2.sbn
tftp-server dsp11.8-2-2TR2.sbn
tftp-server dsp31.8-2-2TR2.sbn
tftp-server dsp41.8-2-2TR2.sbn
tftp-server dsp70.8-2-2TR2.sbn
tftp-server jar11sccp.8-2-2TR2.sbn
tftp-server jar31sccp.8-2-2TR2.sbn
tftp-server jar41sccp.8-2-2TR2.sbn
tftp-server jar70sccp.8-2-2TR2.sbn
tftp-server P00308000500.bin
tftp-server P00308000500.loads
tftp-server P00308000500.sb2
tftp-server P00308000500.sbn
tftp-server S00105000200.sbn
tftp-server SCCP11.8-2-2SR2S.loads
tftp-server SCCP31.8-2-2SR2S.loads
tftp-server SCCP41.8-2-2SR2S.loads
tftp-server SCCP70.8-2-2SR2S.loads
tftp-server term06.default.loads
tftp-server term11.default.loads
tftp-server term31.default.loads
tftp-server term41.default.loads
tftp-server term61.default.loads
tftp-server term70.default.loads
tftp-server term71.default.loads
tftp-server flash:SCCP42.8-3-2S.loads
tftp-server flash:SCCP45.8-3-2S.loads
tftp-server flash:SCCP75.8-3-2S.loads
tftp-server flash:apps42.8-3-1-22.sbn
tftp-server flash:apps45.8-3-1-22.sbn
tftp-server flash:apps75.8-3-1-22.sbn
tftp-server flash:cnu42.8-3-1-22.sbn
tftp-server flash:cnu45.8-3-1-22.sbn
tftp-server flash:cnu75.8-3-1-22.sbn
tftp-server flash:cvm42sccp.8-3-1-22.sbn
tftp-server flash:cvm45sccp.8-3-1-22.sbn
tftp-server flash:cvm75sccp.8-3-1-22.sbn
tftp-server flash:dsp42.8-3-1-22.sbn
tftp-server flash:dsp45.8-3-1-22.sbn
tftp-server flash:dsp75.8-3-1-22.sbn
tftp-server flash:jar42sccp.8-3-1-22.sbn
tftp-server flash:jar45sccp.8-3-1-22.sbn
tftp-server flash:jar75sccp.8-3-1-22.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term45.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:term75.default.loads
tftp-server DistinctiveRingList.xml
tftp-server RingList.xml
tftp-server flash:AreYouThereF.raw
tftp-server flash:Bass.raw
tftp-server flash:CallBack.raw
tftp-server flash:Chime.raw
tftp-server flash:Classic1.raw
tftp-server flash:Classic2.raw
tftp-server flash:ClockShop.raw
tftp-server flash:Drums1.raw
tftp-server flash:Drums2.raw
tftp-server flash:FilmScore.raw
tftp-server flash:HarpSynth.raw
tftp-server flash:Jamaica.raw
tftp-server flash:KotoEffect.raw
tftp-server flash:MusicBox.raw
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Pop.raw
tftp-server flash:Pulse1.raw
tftp-server flash:Ring1.raw
tftp-server flash:Ring2.raw
tftp-server flash:Ring3.raw
tftp-server flash:Ring4.raw
tftp-server flash:Ring5.raw
tftp-server flash:Ring6.raw
tftp-server flash:Ring7.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
tftp-server flash:Vibe.raw
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
tftp-server flash:CampusNight.png
tftp-server flash:CiscoFountain.png
tftp-server flash:Fountain.png
tftp-server flash:MorroRock.png
tftp-server flash:NantucketFlowers.png
tftp-server flash:TN-CampusNight.png
tftp-server flash:TN-CiscoFountain.png
tftp-server flash:TN-Fountain.png
tftp-server flash:TN-MorroRock.png
tftp-server flash:TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:cp524g-08-01-12.bin
tftp-server flash:GUI-1.2.1.SBN
tftp-server flash:CP7921G-1.2.1.LOADS
tftp-server flash:TNUXR-1.0.1.SBN
tftp-server flash:SYS-1.0.1.SBN
tftp-server flash:TNUX-1.2.1.SBN
tftp-server flash:APPS-1.2.1.SBN
tftp-server flash:SYS-1.2.1.SBN
tftp-server flash:APPS-1.0.1.SBN
tftp-server flash:TNUX-1.0.1.SBN
tftp-server flash:WLAN-1.0.1.SBN
tftp-server flash:GUI-1.0.1.SBN
tftp-server flash:TNUXR-1.2.1.SBN
tftp-server flash:WLAN-1.2.1.SBN
tftp-server flash:SIP3951.8-0-2-0.zz
tftp-server flash:SIP3951.8-1-2.loads
tftp-server flash:BOOT3951.0-0-0-9.zz
tftp-server flash:DSP3951.0-0-0-2.zz
tftp-server flash:SIP3951.8-1-2-0.zz
!
control-plane
!
!
!
 
...
 
!
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
!
dial-peer cor custom
 name internal
 name local
 name domestic
 name international
!
!
 
...
 
!
telephony-service
 video
 load 7960-7940 P00308000500
 load 7914 S00105000200
 load 7902 CP7902080002SCCP060817A
 load 7921 CP7921G-1.2.1
 load 7931 SCCP31.8-2-2SR2S
 load 7941GE SCCP41.8-2-2SR2S
 load 7941 SCCP41.8-2-2SR2S
 load 7961GE SCCP41.8-2-2SR2S
 load 7961 SCCP41.8-2-2SR2S
 load 7975 SCCP75.8-3-2S
 load 7965 SCCP45.8-3-2S
 load 7945 SCCP45.8-3-2S
 load 7942 SCCP42.8-3-2S
 load 7962 SCCP42.8-3-2S
 load 7971 SCCP70.8-2-2SR2S
 load 7970 SCCP70.8-2-2SR2S
 load 7936 cmterm_7936.3-3-13-0
 load 7906 SCCP11.8-2-2SR2S
 load 7911 SCCP11.8-2-2SR2S
 load 521G-524G cp524g-08-01-12
 max-ephones 40
 max-dn 160
 ip source-address 10.1.1.1 port 2000
 max-redirect 20
 auto assign 10 to 43
 auto assign 5 to 8 type anl
 calling-number initiator
 service phone videoCapability 1
 service dnis overlay
 service dnis dir-lookup
 timeouts interdigit 5
 system message Total Cad
 url services http://192.168.1.12:5351/C4Lookup.aspx
 url authentication http://10.1.10.1/voiceview/authentication/authenticate.do
 time-zone 8
 voicemail 300
 max-conferences 8 gain -6
 call-forward pattern .T
 call-forward system redirecting-expanded
 moh music-on-hold.au
 multicast moh 239.10.16.16 port 2000
 web admin system name synchadmin secret 5 $1$khf/$y/dtjfEWfFB6iLerlJZfv1
 dn-webedit
 time-webedit
 transfer-system full-consult dss
 transfer-pattern 9.T
 transfer-pattern .T
 secondary-dialtone 9
 night-service code *3303
 night-service day Sun 00:00 23:59
 night-service day Mon 18:00 07:00
 night-service day Tue 18:00 07:00
 night-service day Wed 18:00 07:00
 night-service day Thu 18:00 07:00
 night-service day Fri 18:00 07:00
 night-service day Sat 00:00 23:59
 create cnf-files version-stamp 7960 Dec 30 2008 23:16:06
!
!
ephone-template  15
 button-layout 7931 2
!
!
 
...
 
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 login local
line vty 5 100
 login local
!
ntp master
 
!
webvpn cef
end
 
 
 
 
 
ASA 5510 (Main office)
 
 
tcadasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname tcadasa
domain-name xxxxx
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif outside2
 security-level 10
 ip address 1.2.3.4 255.255.255.240
 ospf cost 10
!
interface Ethernet0/3
 nameif outside
 security-level 10
 ip address 2.3.4.1 255.255.255.248
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd XXXXXXXXXXXXXXX encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside2
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name x
same-security-traffic permit intra-interface
object-group service Exchange_Server tcp
 port-object range 993 993
 port-object eq https
 port-object eq smtp
 port-object range 3389 3389
...
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip any 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tcadvpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
...
access-list DefaultRAGroup_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging monitor warnings
logging buffered warnings
logging asdm warnings
logging mail warnings
mtu inside 1500
mtu outside2 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
...
access-group acl_outside2 in interface outside2
access-group acl_outside in interface outside
...
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa-server test host 192.168.1.7
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 21 set pfs
crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 41 set pfs
crypto dynamic-map outside_dyn_map 41 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside2
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside2
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.0.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside2
 enable outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.12
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.11
 dns-server value 192.168.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tcadvpn
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value tcadsysvpn
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool tcadsysvpn
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy tcadsys
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect http
  inspect pptp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1345cefbf59364bcb78c367fb2558290
: end
 
 
 
PIX 501 (Remote site)
 
 
tcadpix# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname tcadpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_outside permit icmp any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_tcad
crypto map outside_map 10 set peer 1.2.3.4
crypto map outside_map 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns 192.168.1.11 207.218.192.38
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain tcad.int
dhcpd option 150 ip 10.1.10.2
dhcpd enable inside
terminal width 80
Cryptochecksum:22be429d922cbb95d114ab72cf7f75fe
: end

           
         

	Title
1	Cisco PIX blocking voice traffic to off si…
2	Problem with VoIP after upgrading to PI…
3	New Cisco GIG Switch and PIX VPN -…
4	Cisco, PIX, 800 series router, IP …
5	QoS Settings on a Cisco ASA for VoIP …
6	Trying to NAT out and also Use Global …

Cisco VOIP teleworker IP Phone behind Pix 501 with L2L VPN

Asked by chris97b in IP Telephony, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: cisco, voip, vpn, teleworker

About this solution