Question

Cisco VOIP teleworker IP Phone behind Pix 501 with L2L VPN

Asked by: chris97b

All,

I have been working on setting up a teleworker configuration. We have a UC520 running Call Manager express in the central office, and 20 CP-254G IP phones. I am trying to setup a remote IP phone, using a Pix 501 to establish an ipsec Lan to Lan to the main office.

The office has an ASA5510 firewall, and I have successfully created a tunnel between the ASA and Pix. The tunnel seems to be working fine, and I am able to ping all 3 office subnets. (data, voice, and the UC500 service engine subnet). For whatever reason though, I have been totally unable to get the remote IP Phone to register with call manager.

Initially, I set DHCP option 150 on the Pix to point to 10.1.1.1 (the call manager IP address), but this resulted in the inability of the phone to pull files from TFTP. The TFTP requests were received by CME, but the data never made it back. A bit of digging revealed that an option was set on the UC520 for the tftp source address, pointing to 10.1.10.2. I repointed the DHCP option 150 to this IP, and the phone was able to TFTP files down from CME. I assume this is a result of the requests going to CME at 10.1.1.1 and CME then responding from a source IP of 10.1.10.2. I really am not certain why this would be a problem, but it seems to be mostly working for now.

Using debug tftp packet and debug ephone register, I see the remote phone pull several cnf files from TFTP, then request a file which does not exist. At that point, the phone seems to hang, and nothing happens for several minutes until it restarts and the process begins again.

The last thing I see is:

Dec 31 17:22:28.007: TFTP: read request from host 192.168.2.52(39155) via Vlan1
Dec 31 17:22:28.007: TFTP: Looking for /CP-524S-cfg.xml
Dec 31 17:22:28.007: TFTP: Sending error 1 No such file

I do not think this is a problem however, as I see the same behavior for the onsite phones, which are working fine:

Dec 31 17:21:35.651: TFTP: read request from host 10.1.1.25(14399) via Vlan100
Dec 31 17:21:35.651: TFTP: Looking for /CP-524S-cfg.xml
Dec 31 17:21:35.651: TFTP: Sending error 1 No such file

10.1.1.25 is an onsite IP phone, which has no problems registering.


Can someone please point me to any debugs which might reveal where the process is breaking down; or otherwise have any advice on what else may need to be done to permit this configuration?

Thanks in advance,

Chris

Sanitized and trimmed configs follow:
 
 
UC520 (main office):
 
TCADUC520#sh run
Building configuration...
 
Current configuration : 33438 bytes
!
! Last configuration change at 23:20:58 CST Tue Dec 30 2008 by synchadmin
! NVRAM config last updated at 23:40:16 CST Tue Dec 30 2008 by synchadmin
!
version 12.4
parser config cache interface
parser config interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
!
hostname TCADUC520
!
boot-start-marker
boot system flash uc500-advipservicesk9-mz.124-11.XW9
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint TP-self-signed-3277290856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3277290856
 revocation-check none
 rsakeypair TP-self-signed-3277290856
!
!
crypto pki certificate chain TP-self-signed-3277290856
 certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323737 32393038 3536301E 170D3038 31323239 31333536
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32373732
  39303835 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EA3F 5A7673B5 A8C8168F 9C38B3D6 66496223 2EDE4A33 62EEA7F3 019BA54B
  33E690BB 544D0358 C35D4C23 97F4DA14 8E9787A7 53CE0A70 302CC7E8 8F04C3B9
  B04C02D9 B62C4C92 A5C81BD2 C89A5BFC 6BBF4BE3 4A9765A8 E4657CEF 1649DF5A
  A2843931 3FD5C321 75E74DC4 F66782F6 A0DF2F6C B27C26CA 42C67210 E04C6D1F
  DADF0203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
  551D1104 0D300B82 09544341 44554335 3230301F 0603551D 23041830 168014E4
  30F19535 9D3A3818 78DA5BD6 3BF03A31 4C02C530 1D060355 1D0E0416 0414E430
  F195359D 3A381878 DA5BD63B F03A314C 02C5300D 06092A86 4886F70D 01010405
  00038181 00C930DC 0CAA082F 2608495B 1EABCDF5 B1AEF302 61488009 20E5FCF2
  A1AE67AC 41FF9227 0D202AEB 264BC94D 330E70FC 46A966E5 EA3EBF1A 8D86DBEE
  9FF08CD3 CCAAC8EE 774F2623 6F633224 5547DDEB 9829B143 19ACF16A BB21EFB7
  7F9F91FE B791C621 EE2F18AE C4DF4167 54AE944F 387E9E05 4DB949CE 1A139C08
  D7042015 20
        quit
!
!
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
!
!
ip name-server 192.168.1.11
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
multilink bundle-name authenticated
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 sip
  no update-callerid
!
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
!
!
!
!
!
!
voice register global
 max-dn 160
 max-pool 40
!
!
voice translation-rule 1111
!
voice translation-rule 1112
 rule 1 /^9/ //
!
voice translation-rule 2222
!
!
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
 translate calling 1111
!
voice translation-profile CallBlocking
 translate called 2222
!
voice translation-profile OUTGOING_TRANSLATION_PROFILE
 translate calling 1111
 translate called 1112
!
!
voice-card 0
 no dspfarm
!
!
!
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/2
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/4
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/5
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/6
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/7
!
interface FastEthernet0/1/8
 switchport mode trunk
 macro description cisco-switch
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 69 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq tftp any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 any
access-list 104 deny   ip any any
snmp-server community public RO
!
!
!
!
tftp-server apps11.8-2-2TR2.sbn
tftp-server apps31.8-2-2TR2.sbn
tftp-server apps41.8-2-2TR2.sbn
tftp-server apps70.8-2-2TR2.sbn
tftp-server cmterm_7936.3-3-13-0.bin
tftp-server cnu11.8-2-2TR2.sbn
tftp-server cnu31.8-2-2TR2.sbn
tftp-server cnu41.8-2-2TR2.sbn
tftp-server cnu70.8-2-2TR2.sbn
tftp-server CP7902080002SCCP060817A.sbin
tftp-server cvm11sccp.8-2-2TR2.sbn
tftp-server cvm31sccp.8-2-2TR2.sbn
tftp-server cvm41sccp.8-2-2TR2.sbn
tftp-server cvm70sccp.8-2-2TR2.sbn
tftp-server dsp11.8-2-2TR2.sbn
tftp-server dsp31.8-2-2TR2.sbn
tftp-server dsp41.8-2-2TR2.sbn
tftp-server dsp70.8-2-2TR2.sbn
tftp-server jar11sccp.8-2-2TR2.sbn
tftp-server jar31sccp.8-2-2TR2.sbn
tftp-server jar41sccp.8-2-2TR2.sbn
tftp-server jar70sccp.8-2-2TR2.sbn
tftp-server P00308000500.bin
tftp-server P00308000500.loads
tftp-server P00308000500.sb2
tftp-server P00308000500.sbn
tftp-server S00105000200.sbn
tftp-server SCCP11.8-2-2SR2S.loads
tftp-server SCCP31.8-2-2SR2S.loads
tftp-server SCCP41.8-2-2SR2S.loads
tftp-server SCCP70.8-2-2SR2S.loads
tftp-server term06.default.loads
tftp-server term11.default.loads
tftp-server term31.default.loads
tftp-server term41.default.loads
tftp-server term61.default.loads
tftp-server term70.default.loads
tftp-server term71.default.loads
tftp-server flash:SCCP42.8-3-2S.loads
tftp-server flash:SCCP45.8-3-2S.loads
tftp-server flash:SCCP75.8-3-2S.loads
tftp-server flash:apps42.8-3-1-22.sbn
tftp-server flash:apps45.8-3-1-22.sbn
tftp-server flash:apps75.8-3-1-22.sbn
tftp-server flash:cnu42.8-3-1-22.sbn
tftp-server flash:cnu45.8-3-1-22.sbn
tftp-server flash:cnu75.8-3-1-22.sbn
tftp-server flash:cvm42sccp.8-3-1-22.sbn
tftp-server flash:cvm45sccp.8-3-1-22.sbn
tftp-server flash:cvm75sccp.8-3-1-22.sbn
tftp-server flash:dsp42.8-3-1-22.sbn
tftp-server flash:dsp45.8-3-1-22.sbn
tftp-server flash:dsp75.8-3-1-22.sbn
tftp-server flash:jar42sccp.8-3-1-22.sbn
tftp-server flash:jar45sccp.8-3-1-22.sbn
tftp-server flash:jar75sccp.8-3-1-22.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term45.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:term75.default.loads
tftp-server DistinctiveRingList.xml
tftp-server RingList.xml
tftp-server flash:AreYouThereF.raw
tftp-server flash:Bass.raw
tftp-server flash:CallBack.raw
tftp-server flash:Chime.raw
tftp-server flash:Classic1.raw
tftp-server flash:Classic2.raw
tftp-server flash:ClockShop.raw
tftp-server flash:Drums1.raw
tftp-server flash:Drums2.raw
tftp-server flash:FilmScore.raw
tftp-server flash:HarpSynth.raw
tftp-server flash:Jamaica.raw
tftp-server flash:KotoEffect.raw
tftp-server flash:MusicBox.raw
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Pop.raw
tftp-server flash:Pulse1.raw
tftp-server flash:Ring1.raw
tftp-server flash:Ring2.raw
tftp-server flash:Ring3.raw
tftp-server flash:Ring4.raw
tftp-server flash:Ring5.raw
tftp-server flash:Ring6.raw
tftp-server flash:Ring7.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
tftp-server flash:Vibe.raw
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
tftp-server flash:CampusNight.png
tftp-server flash:CiscoFountain.png
tftp-server flash:Fountain.png
tftp-server flash:MorroRock.png
tftp-server flash:NantucketFlowers.png
tftp-server flash:TN-CampusNight.png
tftp-server flash:TN-CiscoFountain.png
tftp-server flash:TN-Fountain.png
tftp-server flash:TN-MorroRock.png
tftp-server flash:TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:cp524g-08-01-12.bin
tftp-server flash:GUI-1.2.1.SBN
tftp-server flash:CP7921G-1.2.1.LOADS
tftp-server flash:TNUXR-1.0.1.SBN
tftp-server flash:SYS-1.0.1.SBN
tftp-server flash:TNUX-1.2.1.SBN
tftp-server flash:APPS-1.2.1.SBN
tftp-server flash:SYS-1.2.1.SBN
tftp-server flash:APPS-1.0.1.SBN
tftp-server flash:TNUX-1.0.1.SBN
tftp-server flash:WLAN-1.0.1.SBN
tftp-server flash:GUI-1.0.1.SBN
tftp-server flash:TNUXR-1.2.1.SBN
tftp-server flash:WLAN-1.2.1.SBN
tftp-server flash:SIP3951.8-0-2-0.zz
tftp-server flash:SIP3951.8-1-2.loads
tftp-server flash:BOOT3951.0-0-0-9.zz
tftp-server flash:DSP3951.0-0-0-2.zz
tftp-server flash:SIP3951.8-1-2-0.zz
!
control-plane
!
!
!
 
...
 
!
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
!
dial-peer cor custom
 name internal
 name local
 name domestic
 name international
!
!
 
...
 
!
telephony-service
 video
 load 7960-7940 P00308000500
 load 7914 S00105000200
 load 7902 CP7902080002SCCP060817A
 load 7921 CP7921G-1.2.1
 load 7931 SCCP31.8-2-2SR2S
 load 7941GE SCCP41.8-2-2SR2S
 load 7941 SCCP41.8-2-2SR2S
 load 7961GE SCCP41.8-2-2SR2S
 load 7961 SCCP41.8-2-2SR2S
 load 7975 SCCP75.8-3-2S
 load 7965 SCCP45.8-3-2S
 load 7945 SCCP45.8-3-2S
 load 7942 SCCP42.8-3-2S
 load 7962 SCCP42.8-3-2S
 load 7971 SCCP70.8-2-2SR2S
 load 7970 SCCP70.8-2-2SR2S
 load 7936 cmterm_7936.3-3-13-0
 load 7906 SCCP11.8-2-2SR2S
 load 7911 SCCP11.8-2-2SR2S
 load 521G-524G cp524g-08-01-12
 max-ephones 40
 max-dn 160
 ip source-address 10.1.1.1 port 2000
 max-redirect 20
 auto assign 10 to 43
 auto assign 5 to 8 type anl
 calling-number initiator
 service phone videoCapability 1
 service dnis overlay
 service dnis dir-lookup
 timeouts interdigit 5
 system message Total Cad
 url services http://192.168.1.12:5351/C4Lookup.aspx
 url authentication http://10.1.10.1/voiceview/authentication/authenticate.do
 time-zone 8
 voicemail 300
 max-conferences 8 gain -6
 call-forward pattern .T
 call-forward system redirecting-expanded
 moh music-on-hold.au
 multicast moh 239.10.16.16 port 2000
 web admin system name synchadmin secret 5 $1$khf/$y/dtjfEWfFB6iLerlJZfv1
 dn-webedit
 time-webedit
 transfer-system full-consult dss
 transfer-pattern 9.T
 transfer-pattern .T
 secondary-dialtone 9
 night-service code *3303
 night-service day Sun 00:00 23:59
 night-service day Mon 18:00 07:00
 night-service day Tue 18:00 07:00
 night-service day Wed 18:00 07:00
 night-service day Thu 18:00 07:00
 night-service day Fri 18:00 07:00
 night-service day Sat 00:00 23:59
 create cnf-files version-stamp 7960 Dec 30 2008 23:16:06
!
!
ephone-template  15
 button-layout 7931 2
!
!
 
...
 
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 login local
line vty 5 100
 login local
!
ntp master
 
!
webvpn cef
end
 
 
 
 
 
ASA 5510 (Main office)
 
 
tcadasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname tcadasa
domain-name xxxxx
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif outside2
 security-level 10
 ip address 1.2.3.4 255.255.255.240
 ospf cost 10
!
interface Ethernet0/3
 nameif outside
 security-level 10
 ip address 2.3.4.1 255.255.255.248
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd XXXXXXXXXXXXXXX encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside2
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name x
same-security-traffic permit intra-interface
object-group service Exchange_Server tcp
 port-object range 993 993
 port-object eq https
 port-object eq smtp
 port-object range 3389 3389
...
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip any 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tcadvpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tcadvpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
...
access-list DefaultRAGroup_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging monitor warnings
logging buffered warnings
logging asdm warnings
logging mail warnings
mtu inside 1500
mtu outside2 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
...
access-group acl_outside2 in interface outside2
access-group acl_outside in interface outside
...
route inside 10.1.1.0 255.255.255.0 192.168.1.2 1
route inside 10.1.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server test protocol radius
aaa-server test host 192.168.1.7
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 21 set pfs
crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 41 set pfs
crypto dynamic-map outside_dyn_map 41 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside2
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside2
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.0.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside2
 enable outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.12
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.11
 dns-server value 192.168.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tcadvpn
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value tcadsysvpn
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool tcadsysvpn
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy tcadsys
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect http
  inspect pptp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1345cefbf59364bcb78c367fb2558290
: end
 
 
 
PIX 501 (Remote site)
 
 
tcadpix# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname tcadpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_outside permit icmp any any
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn_tcad permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_tcad
crypto map outside_map 10 set peer 1.2.3.4
crypto map outside_map 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns 192.168.1.11 207.218.192.38
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain tcad.int
dhcpd option 150 ip 10.1.10.2
dhcpd enable inside
terminal width 80
Cryptochecksum:22be429d922cbb95d114ab72cf7f75fe
: end

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:
470:
471:
472:
473:
474:
475:
476:
477:
478:
479:
480:
481:
482:
483:
484:
485:
486:
487:
488:
489:
490:
491:
492:
493:
494:
495:
496:
497:
498:
499:
500:
501:
502:
503:
504:
505:
506:
507:
508:
509:
510:
511:
512:
513:
514:
515:
516:
517:
518:
519:
520:
521:
522:
523:
524:
525:
526:
527:
528:
529:
530:
531:
532:
533:
534:
535:
536:
537:
538:
539:
540:
541:
542:
543:
544:
545:
546:
547:
548:
549:
550:
551:
552:
553:
554:
555:
556:
557:
558:
559:
560:
561:
562:
563:
564:
565:
566:
567:
568:
569:
570:
571:
572:
573:
574:
575:
576:
577:
578:
579:
580:
581:
582:
583:
584:
585:
586:
587:
588:
589:
590:
591:
592:
593:
594:
595:
596:
597:
598:
599:
600:
601:
602:
603:
604:
605:
606:
607:
608:
609:
610:
611:
612:
613:
614:
615:
616:
617:
618:
619:
620:
621:
622:
623:
624:
625:
626:
627:
628:
629:
630:
631:
632:
633:
634:
635:
636:
637:
638:
639:
640:
641:
642:
643:
644:
645:
646:
647:
648:
649:
650:
651:
652:
653:
654:
655:
656:
657:
658:
659:
660:
661:
662:
663:
664:
665:
666:
667:
668:
669:
670:
671:
672:
673:
674:
675:
676:
677:
678:
679:
680:
681:
682:
683:
684:
685:
686:
687:
688:
689:
690:
691:
692:
693:
694:
695:
696:
697:
698:
699:
700:
701:
702:
703:
704:
705:
706:
707:
708:
709:
710:
711:
712:
713:
714:
715:
716:
717:
718:
719:
720:
721:
722:
723:
724:
725:
726:
727:
728:
729:
730:
731:
732:
733:
734:
735:
736:
737:
738:
739:
740:
741:
742:
743:
744:
745:
746:
747:
748:
749:
750:
751:
752:
753:
754:
755:
756:
757:
758:
759:
760:
761:
762:
763:
764:
765:
766:
767:
768:
769:
770:
771:
772:
773:
774:
775:
776:
777:
778:
779:
780:
781:
782:
783:
784:
785:
786:
787:
788:
789:
790:
791:
792:
793:
794:
795:
796:
797:
798:
799:
800:
801:
802:
803:
804:
805:
806:
807:
808:
809:
810:
811:
812:
813:
814:
815:
816:
817:
818:
819:
820:
821:
822:
823:
824:
825:
826:
827:
828:
829:
830:
831:
832:
833:
834:
835:
836:
837:
838:
839:
840:
841:
842:
843:
844:
845:
846:
847:
848:
849:
850:
851:
852:
853:
854:
855:
856:
857:
858:
859:
860:
861:
862:
863:
864:
865:
866:
867:
868:
869:
870:
871:
872:
873:
874:
875:
876:
877:
878:
879:
880:
881:
882:
883:
884:
885:
886:
887:
888:
889:
890:
891:
892:
893:
894:
895:
896:
897:
898:
899:
900:
901:
902:
903:
904:
905:
906:
907:
908:
909:
910:
911:
912:
913:
914:
915:
916:
917:
918:
919:
920:
921:
922:
923:
924:
925:
926:
927:
928:
929:
930:
931:
932:
933:
934:
935:
936:
937:
938:
939:
940:
941:
942:
943:
944:
945:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2008-12-31 at 10:00:35ID24018313
Tags

cisco

,

voip

,

vpn

,

teleworker

Topics

IP Telephony

,

Virtual Private Networking (VPN)

,

Cisco PIX Firewall

Participating Experts
2
Points
0
Comments
6

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. IPSec Tunnel from PIX to a PIX that is behind a DLINK
    I used to have a working PIX-to-PIX IPSec tunnel. I recently set up Vonage VoIP and decided to put a DLINK in front of my home PIX. I lost my IPSec tunnel because the other PIX is looking for it's PIX peer, which is no longer there because the external IP is now assigned to...
  2. ipsec tunnel on cisco pix 501
    I have two Cisco pix 501. One is connected to a centric ADSL line which is our main ADSL line and the other pix 501 is connected to the backup ADSL line. Both Cisco pix are running on different public IP address, but internally, they are on the same network connected to the s...
  3. Cisco PIX VPN\IPSEC Tunnel ?
    I am having a hard time getting these 2 pix units to tunnel. I have racked my head and can't figure it out any help would be great. Here are the 2 Configs Division PIX : Written by enable_15 at 00:19:54.785 UTC Sat Jun 10 2006 PIX Version 6.3(4) interface ethernet0 auto i...
  4. IPSEC Tunnel on PIX 515E
    I have PIX 515E HA setup. I would like to setup IPSEC tunnel between my setup to customer end. Customer asked for following setup Tunnel customer end tunnal IP <--------------------> My end tunnel IP(my firewall outside Interface IP) ACL allow public IP(static NAT ...
  5. QoS VoIP PIX-to-PIX VPN
    Background: I have established a pix-to-pix VPN in the following configuration: LAN1 -> 2950XL -> PIX515e -> 1721 -> Internet <- 1721 <- PIX506e <- 2950XL <- LAN2 (LAN1 connects to the Internet via static split T-1 (768K) and LAN2 connects via SDSL (7...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: asavenerPosted on 2008-12-31 at 11:52:21ID: 23272701

Does the call manager have a route back to the remote phones?

 

by: chris97bPosted on 2008-12-31 at 12:01:39ID: 23272757

CME does not specifically have a route to the remote subnet, but it uses the ASA as it's default gateway:

(From the UC520)
ip default-gateway 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1

I can ping the remote phone's IP from the UC520, and can ping Call Manager from a PC behind the remote pix, so I don't think it's related to routing, but I could be wrong.

 

by: lrmoorePosted on 2009-01-01 at 15:51:57ID: 23276885

Under telephony service, you have
>ip source-address 10.1.1.1 port 2000

Can a remote PC ping 10.1.1.1 ?
If no, can the ASA ping 10.1.1.1 ?

I would expect to see the vpn_tcad and tcadvpn access-lists to be mirror images of each other, and I don't see the vpn peer crypto map statements in the ASA config...

 

by: chris97bPosted on 2009-01-05 at 07:33:45ID: 23296099

My apologies, I should have clarified all the crypto ACLs a bit.

The tcadvpn access list on the ASA is actually the split-tunnel ACL for RA VPN. The remote Pix is on a cable connection with a dynamic IP; so rather than explicitly defining the peer address on the ASA it simply lands on the DefaultL2LGroup tunnel group.

The tunnel seems to be working perfectly; and remote PCs are able to ping 10.1.1.1 and 10.1.10.1; and I can also ping the remote phone's IP from the UC520

 

by: chris97bPosted on 2009-01-08 at 15:08:01ID: 23331246

Fixed.

debug skinny on the pix showed a ton of dropped packets for "invalid message ID 32768"

Disabled SCCP inspection (no fixup protocol skinny) on the Pix, and it immediately registered with CME.

 

by: lrmoorePosted on 2009-01-08 at 18:22:04ID: 23332346

Thanks for the update! Glad you got it sorted out.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...