Thanks for the quick response, I'll apply what has been suggested and get back to you.
Dave
I have a site with a data network 11.11.11.x and a phone network (Cisco) 10.1.10.x. Users at this site plug a phone into a PoE switch and get a 10.1.10.x address. A PIX 501 is providing NAT/VPN/firewall services on 11.11.11.1, and several VPN connections from Cisco 857 devices terminate here.
The remote networks are 10.2.1.x, 10.2.2.x and 10.2.3.x
The goal is to allow the VPN tunnel to pass voice and data traffic from both networks for remote users.
The VPNs are in place to the networks above and work fine. I am unsure how to route to and from these networks; I have tried adding this IPsec rule allowing the 10.1.10.x network:
access-list 102 permit ip 10.2.2.0 0.0.0.255 10.1.10.0 0.0.0.255
Can't figure out how to get the 837 (remote) to route 10.1.10.x traffic over the VPN, let alone get a phone to talk to CCM.
I'm sure it's simple but I can't see the wood for the trees.
Many thanks
OK, I have amended the ACLs at the 857 end and can ping 10.1.10.252 (second IP assigned to an 11.11.11.0 server for testing traffic flow).
Access lists on the 857 are as follows (public IPs are 1.1.1.1 to the 11.11.11.0 network, 2.2.2.2 to a separate VPN, 10.2.1.0):
access-list 100 remark --- Outside In ---
access-list 100 remark SDM_ACL Category=17
access-list 100 permit ip 10.1.10.0 0.0.0.255 10.2.2.0 0.0.0.255 log
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit udp host 1.1.1.1 any eq non500-isakmp
access-list 100 permit udp host 1.1.1.1 any eq isakmp
access-list 100 permit esp host 1.1.1.1 any
access-list 100 permit ahp host 1.1.1.1 any
access-list 100 permit ip 11.11.11.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit udp host 2.2.2.2 any eq non500-isakmp
access-list 100 permit udp host 2.2.2.2 any eq isakmp
access-list 100 permit esp host 2.2.2.2 any
access-list 100 permit ahp host 2.2.2.2 any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq 15555
access-list 100 permit tcp any any eq 554
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit tcp any any eq www
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any echo
access-list 100 deny ip any any
access-list 101 remark --- 11.11.11.0 network ---
access-list 101 permit ip 10.2.2.0 0.0.0.255 11.11.11.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.10.0 0.0.0.255 log
access-list 102 remark --- 10.2.1.0 network ---
access-list 102 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 remark --- NAT ---
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.10.0 0.0.0.255 log
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 deny ip 10.2.2.0 0.0.0.255 11.11.11.0 0.0.0.255
access-list 110 permit ip 10.2.2.0 0.0.0.255 any
access-list 110 deny ip any any
The PIX 501 inside interface is 11.11.11.1 and this is connected to the same PoE switch that talks to the phone system. The PIX does not have a 10.1.10.x inside address.
The 7960 phone now has an IP address and TFTP is pointing to 10.1.10.1, but it just keeps getting
Configuring CM List
and then
Opening 10.1.10.1
I can obviously ping the 10.1.10.0 network across the VPN but I don't think it knows where to go to get to the 10.1.10.1 host (CCM).
Any ideas?
Thanks,
Dave
It might be best to put a laptop on the voice VLAN at the remote site and do some pings and traces to see where it is failing. The interesting bit about the VPN is that you have to deny the voice traffic as interesting at the remote end, and configure it as legitimate and routable at the main site. Here are the things to look at.
At the remote site, does traffic destined for the CCM go over the VPN? Set up a ping and watch the stats on the VPN tunnel: if it is working the RX and TX will match, but if one is growing and the other isn't, that will help you identify whether it is an access issue or a routing issue.
At the main site, can the CCM ping the voice VLAN at the remote site, and does it route appropriately? Try to ping the device on the voice VLAN at the remote site from the CCM and watch your counters on both sides: are they both incrementing, or is one side not incrementing in one direction?
Thinking about what is required on both sides should help.
I hope this does.
-t
For some reason, I am unable to ping 10.1.10.1 (CCM) from any machine at the main site. This is possibly by design; I'm not 100% sure as I didn't install the phone system. Below are snippets from the CCM config detailing the Ethernet interfaces:
controller E1 0/0/0
pri-group timeslots 1-31
!
class-map match-all L3-to-L2_VoIP-Cntrl
match ip dscp af31
class-map match-all L3-to-L2_VoIP-RTP
match ip dscp ef
!
!
policy-map output-L3-to-L2
class L3-to-L2_VoIP-RTP
set cos 5
class L3-to-L2_VoIP-Cntrl
set cos 3
!
gw-accounting syslog
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$I
no ip address
no ip mroute-cache
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.1.10.1 255.255.255.0
no snmp trap link-status
service-policy output output-L3-to-L2
!
interface GigabitEthernet0/0.200
encapsulation dot1Q 200 native
ip address 192.168.1.1 255.255.255.0
no snmp trap link-status
The system, as I understand it, works as follows:
1. Phones work off 10.1.10.0/24 network using TFTP to 10.1.10.1 to download boot file.
2. Stonevoice admin is on 192.168.1.0 network, the phone's DNS server points to this network (192.168.1.15/24 - SBS Server DNS)
3. PC's connect to the 11.11.11.0/24 network but can be plugged into the back of any handset and still get 11.11.11.0/24 DHCP addresses.
4. Remote site (10.2.2.0/24) can now ping 192.168.1.0/24 traffic apart from .1 (internal users can ping)
5. Remote site (10.2.2.0/24) can now ping a dual homed server on 10.1.10.252 but cannot ping 10.1.10.1 (neither can internal users)
Cisco Phone on remote site just waits for CM config.
I think routing is working for the 10.1.10.0 and 192.168.1.0 networks over the VPN, as a tracert shows traffic going directly to the specified host.
Bit of a head scratcher!
I think you are right about the PIX's limitations...
So, ping in the other direction: what happens if you ping from the CCM to the working remote site? Compare that with what happens when you ping the non-working remote site.
If you could include clean versions of the running configs for the routers at the working and non-working remote sites, as well as the PIX, I think we can move forward.
Your problem is that you have no route between the router whose config you just posted and the firewall. You need to add a trunk sub-interface to the router that is on the same subnet as the PIX firewall, and set a route on that router to the remote site that points to the PIX.
See, we know that traffic from the remote site is getting to the 10.1.10.x subnet. The issue is that traffic is not getting back. It works on 10.1.10.252 because that server is dual homed and has another interface on the data network, where its default route resides. So it is sending its return traffic not to 10.1.10.1 but to the data subnet's default gateway.
I will assume that the DATA (11.11.11.x) network is on VLAN 1, because you have not provided that info.
Assumptions :
VLAN 1 is your 11.11.11.x subnet
11.11.11.2 is available for use on your router.
The CCM Server is pointing to 10.1.10.1 as its default gateway.
Add this to your router...
interface GigabitEthernet0/0.1
encapsulation dot1Q 1
ip address 11.11.11.2 255.255.255.0
no snmp trap link-status
!
ip route 10.2.2.0 255.255.255.0 11.11.11.1
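The return-path problem described in this answer, traced with a longest-prefix-match simulation. This is an added example, not part of the original thread and not a Cisco tool. The routing tables are constructed from what the posts show (before the fix the 2821 has only its two connected subnets and no default route, which the page does not show either); the PIX route for 10.1.10.0/24 via 11.11.11.2 is an assumption the page does not state, made so that the forward direction can be modelled at all.

```python
"""Longest-prefix-match route simulation for the missing-return-route case.

Constructed tables for the 2821 (CCM router), the PIX 501 and the remote 857.
'connected' means the destination is on a directly attached subnet, a
next-hop address means forward to that router, and 'vpn:<peer>' means the
IPsec tunnel to that peer.
"""
import ipaddress

Net = ipaddress.IPv4Network

TABLES_BEFORE = {
    "2821": [
        (Net("10.1.10.0/24"), "connected"),      # Gi0/0.100, voice
        (Net("192.168.1.0/24"), "connected"),    # Gi0/0.200, admin
        # no route to 10.2.2.0/24 and no default route (assumption)
    ],
    "pix": [
        (Net("11.11.11.0/24"), "connected"),     # inside, 11.11.11.1
        (Net("10.2.2.0/24"), "vpn:857"),         # crypto map to the remote site
        (Net("10.1.10.0/24"), "11.11.11.2"),     # ASSUMPTION: PIX sends voice to the 2821
    ],
    "857": [
        (Net("10.2.2.0/24"), "connected"),       # remote LAN
        (Net("10.1.10.0/24"), "vpn:pix"),        # ACL 101 / crypto map
        (Net("11.11.11.0/24"), "vpn:pix"),
    ],
}

# Which router owns which next-hop address.
ADDRESSES = {"11.11.11.1": "pix", "11.11.11.2": "2821", "10.2.2.1": "857"}


def lookup(table, dst):
    """Return the action of the most specific matching prefix, or None."""
    dst = ipaddress.IPv4Address(dst)
    matches = [(prefix.prefixlen, action) for prefix, action in table if dst in prefix]
    return max(matches)[1] if matches else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop; return (delivered, [routers visited])."""
    node, hops = start, [start]
    for _ in range(max_hops):
        action = lookup(tables[node], dst)
        if action is None:
            return False, hops          # no route: dropped at this router
        if action == "connected":
            return True, hops           # destination is on-link here
        node = action.split(":", 1)[1] if action.startswith("vpn:") else ADDRESSES[action]
        hops.append(node)
    return False, hops


def with_return_route(tables):
    """Apply the fix from the post: an 11.11.11.2 sub-interface on the 2821
    plus 'ip route 10.2.2.0 255.255.255.0 11.11.11.1'."""
    fixed = {name: list(entries) for name, entries in tables.items()}
    fixed["2821"] += [(Net("11.11.11.0/24"), "connected"),
                      (Net("10.2.2.0/24"), "11.11.11.1")]
    return fixed


if __name__ == "__main__":
    # A phone at the remote site (10.2.2.50) talking to CCM (10.1.10.1).
    print("forward       :", trace(TABLES_BEFORE, "857", "10.1.10.1"))
    print("return        :", trace(TABLES_BEFORE, "2821", "10.2.2.50"))
    print("return, fixed :", trace(with_return_route(TABLES_BEFORE), "2821", "10.2.2.50"))
```

The forward trace reaches the 2821, which is why the phone's TFTP request gets as far as "Opening 10.1.10.1"; the reply is dropped on the 2821 until the static route via 11.11.11.1 exists. The same check in reverse (CCM to remote voice VLAN) is what the earlier answer's "watch the counters on both sides" is looking for.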
Ok, here's where we are.
Cisco 2821 interfaces configured as follows:
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$I
no ip address
no ip mroute-cache
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.1.10.1 255.255.255.0
no snmp trap link-status
service-policy output output-L3-to-L2
!
interface GigabitEthernet0/0.200
encapsulation dot1Q 200 native
ip address 192.168.1.1 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/0.300
encapsulation dot1Q 1
ip address 11.11.11.2 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
!
ip route 10.2.2.0 255.255.255.0 11.11.11.1
From 10.2.2.0 (remote network) I can ping:
11.11.11.2 but not 10.1.10.1
From the 2821 I cannot ping 11.11.11.1 or 10.2.2.0 even though the subinterface has 11.11.11.2 as its configured address.
Cisco phone at remote site is looping through opening 10.1.10.1 - configuring CM list.
What does service-policy output output-L3-to-L2 mean? This is set on the GigabitEthernet0/0.100 interface.
Why can I ping 11.11.11.2 from the remote network but not back?
Thanks
Dave
class-map match-all L3-to-L2_VoIP-Cntrl
match ip dscp af31
class-map match-all L3-to-L2_VoIP-RTP
match ip dscp ef
!
!
policy-map output-L3-to-L2
class L3-to-L2_VoIP-RTP
set cos 5
class L3-to-L2_VoIP-Cntrl
set cos 3
That is what the service policy output-L3-to-L2 does: it maps DSCP af31 to CoS 5 and DSCP ef to CoS 3. It is just a transition of the QoS marking from Layer 3 DSCP marking to Layer 2 CoS marking. It doesn't really do anything, except let the switch know what traffic is important.
You have to be able to ping 11.11.11.1 from 11.11.11.2. If you can't do that, then your PIX must not be plugged into VLAN 1 on your switch.
Can you please do a show vlan and a show int status on the switch and then tell us what ports the PIX and router are connected to?
We need the interface that has 11.11.11.1 to be in the same VLAN as the PIX. I am starting to think that you have two subnets overlapping on the same VLAN, which is not a good design, but we could still make this work if we move the 11.11.11.1 to a secondary interface on the 100 VLAN.
Do you know what VLAN the PIX is connected to?
Hmm.
Remove the 11.11.11.2 from the trunked VLAN 1 interface on the 2821 and put it on Gig0/1.
Then plug Gig0/1 into the 4-port switch in the back of the PIX 501.
The CE500 is very likely your issue. Those things are horrible. They turn on all kinds of anti-spoofing and ARP suppression, and if you use the Smartport configs, which you probably did, they wreak havoc on trying to get things to work at all.
They have access to the command line through http://switchip/exec
If you are familiar with the switch command line, then I suggest you go spend 6-8 hours in that exec interface cleaning things up. If not, then you might be better served getting a 2960 switch with PoE to replace the CE500.
There really is no way for us to troubleshoot all the things that could be wrong with that CE500 over this forum. But if you plug your Gig0/1 directly into the firewall's switch, then you essentially bypass all that nonsense. I really don't know why it is that you can ping 11.11.11.2 on the 501 and still not get to 10.1.10.1, except that the CE500 must somehow be messing it up.
by: FaithShield, posted on 2008-05-09 at 19:06:13, ID: 21537564
I'm a little confused as to the layout of your network.
This is what I understood so far.
You have a host site, with CCM, and a PIX firewall, that has a data network of 11.11.11.x and a voice network of 10.1.10.x.
You have 857 routers at remote sites that are connected over VPN to the 501.
The data portion of the VPN is working fine, but you want to also add phones at the remote sites and have them connect to CCM at the host.
If all of that is true, then you have two issues to overcome.
1. You must add the voice subnet to the VPN. This is done by adding an entry to the nat 0 ACL on the PIX, and to the crypto map ACL on the PIX, that matches traffic from the host voice subnet 10.1.10.x to the remote subnet. Since you have multiple 857s you will have to edit multiple access lists. On the remote sites you will also have to adjust the crypto map ACLs and the access lists that exempt traffic from translation.
2. In order for the phones at the remote sites to see Call Manager you need to add the TFTP server option to your DHCP scope. If it is done on the 857 it is rather simple: just go into the DHCP pool and add the command "option 150 ip 10.1.10.x", with the IP address of Call Manager in place of 10.1.10.x.
This is the best I can do without seeing your configs. If you want to post sanitized configs I can look at them; I need one 857 config and the PIX 501 config.
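A way to check the two lists this answer says must be edited on both ends (the crypto map ACL and the NAT exemption), together with the broad permits in Dave's outside-in ACL 100 posted earlier in the thread. This is an added example, not a Cisco tool and not code from any poster. The 857 lists are ACL 100 (excerpted), 101 and 110 as Dave posted them; the PIX 501 lists are constructed, since the PIX config never appears on the page, and are written without the voice subnet so the checker has something to report. The PIX ACL names vpn-857b and nonat are assumptions.

```python
"""Consistency checks for a site-to-site IPsec pair (PIX 501 <-> Cisco 857).

The 857 lists are ACL 100 (excerpt), 101 and 110 from the thread; the PIX
lists are CONSTRUCTED for this example and deliberately omit the voice
subnet. mirror_check() reports every flow one side expects to encrypt that
the other side does not mirror or does not exempt from NAT;
broad_outside_permits() flags 'permit <proto> any any' lines on the
Internet-facing ACL.
"""
import ipaddress

IOS_857_CRYPTO = """\
access-list 101 remark --- 11.11.11.0 network ---
access-list 101 permit ip 10.2.2.0 0.0.0.255 11.11.11.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.10.0 0.0.0.255 log
"""
IOS_857_NAT = """\
access-list 110 remark --- NAT ---
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.10.0 0.0.0.255 log
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 deny ip 10.2.2.0 0.0.0.255 11.11.11.0 0.0.0.255
access-list 110 permit ip 10.2.2.0 0.0.0.255 any
access-list 110 deny ip any any
"""
IOS_857_OUTSIDE_IN = """\
access-list 100 permit esp host 1.1.1.1 any
access-list 100 permit tcp any any eq 3389
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit tcp any any eq www
access-list 100 deny ip any any
"""
# Constructed PIX 6.x style lists (netmask rather than wildcard mask); ACL names assumed.
PIX_CRYPTO = "access-list vpn-857b permit ip 11.11.11.0 255.255.255.0 10.2.2.0 255.255.255.0\n"
PIX_NAT0 = "access-list nonat permit ip 11.11.11.0 255.255.255.0 10.2.2.0 255.255.255.0\n"


def _net(tokens, wildcard):
    """Consume one address spec ('any', 'host X' or 'X MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard mask: invert the bits to get a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ip_entries(text, wildcard):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of an ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # remarks, blank lines and non-IP entries
        rest = tokens[4:]
        src = _net(rest, wildcard)
        dst = _net(rest, wildcard)
        entries.append((tokens[2], src, dst))
    return entries


def mirror_check(pix_crypto, pix_nat0, rtr_crypto, rtr_nat):
    """Return a list of findings; [] means the pair is consistent."""
    rtr_flows = {(s, d) for a, s, d in parse_ip_entries(rtr_crypto, True) if a == "permit"}
    rtr_exempt = {(s, d) for a, s, d in parse_ip_entries(rtr_nat, True) if a == "deny"}
    pix_flows = {(s, d) for a, s, d in parse_ip_entries(pix_crypto, False) if a == "permit"}
    pix_exempt = {(s, d) for a, s, d in parse_ip_entries(pix_nat0, False) if a == "permit"}
    findings = []
    for src, dst in sorted(rtr_flows, key=str):
        if (dst, src) not in pix_flows:
            findings.append(f"PIX crypto ACL lacks mirror entry {dst} -> {src}")
        if (dst, src) not in pix_exempt:
            findings.append(f"PIX nat 0 ACL lacks {dst} -> {src}")
        if (src, dst) not in rtr_exempt:
            findings.append(f"857 NAT ACL does not deny {src} -> {dst}; it would be translated")
    for src, dst in sorted(pix_flows, key=str):
        if (dst, src) not in rtr_flows:
            findings.append(f"857 crypto ACL lacks mirror entry {dst} -> {src}")
    return findings


def broad_outside_permits(text):
    """Lines of an outside-in ACL that permit a protocol from any source to
    any destination: on an Internet-facing interface these expose the port
    (RDP on 3389, for one) to the whole Internet, not just the VPN peers."""
    return [line.strip() for line in text.splitlines()
            if len(line.split()) >= 6 and line.split()[2] == "permit"
            and line.split()[4:6] == ["any", "any"]]


if __name__ == "__main__":
    for finding in mirror_check(PIX_CRYPTO, PIX_NAT0, IOS_857_CRYPTO, IOS_857_NAT):
        print("VPN :", finding)
    for line in broad_outside_permits(IOS_857_OUTSIDE_IN):
        print("ACL :", line)
```

Run against the constructed PIX lists the checker reports exactly the two gaps this answer describes: no 10.1.10.0/24 -> 10.2.2.0/24 entry in the PIX crypto ACL and none in its nat 0 ACL. Adding both entries empties the findings. The second check is independent of the VPN: an outside-in ACL that permits tcp any any eq 3389 lets anyone on the Internet reach RDP behind the 857, which the IPsec-specific lines above it (permit esp host 1.1.1.1 any) avoid by pinning the peer address.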