setting up remote IP phone w/ 871 router

Hey Folks... I am trying to set up a remote user in our organization with a 7961 phone in his remote office via an 871 router. The idea is that the router should set up a VPN connection to our call manager express router (Cisco 2811) and be able to download its configuration and make calls. I have PAT set up on the 871 router translating one static public IP address to a block of private IP addresses inside. I set up the EZVPN in client mode and I can see the VPN connection to our firewall (ASA 5505) but the connection keeps tearing itself down. I don't believe that the ASA supports server mode, so I am wondering if I should be setting up an IPsec tunnel directly to the 2811 router which hosts the call manager express. I am thinking now that my entire approach to this is wrong. As you probably can tell, this is my first time doing this, so any help that anyone can offer would be much appreciated.

Here is the config right now...

sg ho run
Building configuration...

Current configuration : 7707 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname M.Vogel-871
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Rwu1$jqfvx9f.BzeLU5.xqvgxy0
no aaa new-model
resource policy
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool
   import all
   option 150 ip
   lease 0 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip domain name
ip name-server
crypto pki trustpoint TP-self-signed-436793851
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-436793851
 revocation-check none
 rsakeypair TP-self-signed-436793851
crypto pki certificate chain TP-self-signed-436793851
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34333637 39333835 31301E17 0D303230 33303130 30303634
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3433 36373933
  38353130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  ACDAF494 54AFB19B 7C12B6C8 DDBCA6B4 5FFE2368 65FAB1C7 09E24333 6F53075E
  DE89D8B6 3E3E0814 480FC305 2091403D 3ED34435 28DA80A1 8F3B1464 4F9FB26F
  0AFDE646 8FA80913 20EF0D45 B0D3977C E5F14C57 B1A198E4 35AF62D3 7098054F
  0D22B93D F6EF7F73 06E798E6 6CAEA42E 657F38FD 36711B1A DC1F3984 78873921
  02030100 01A37A30 78300F06 03551D13 0101FF04 05300301 01FF3025 0603551D
  11041E30 1C821A4D 2E566F67 656C2D38 37312E79 6F757264 6F6D6169 6E2E636F
  6D301F06 03551D23 04183016 8014B0C4 5465DEB7 93AEDDAB 5973DA28 EA1DBE32
  C05B301D 0603551D 0E041604 14B0C454 65DEB793 AEDDAB59 73DA28EA 1DBE32C0
  5B300D06 092A8648 86F70D01 01040500 03818100 7202FC7C B434CD19 5776F99E
  9B98F3BC 5E66AD91 43B8E9AB 3E0B4201 E586AD4D A58FB94B BEC2DB64 19F548AF
  2091524A 891C4F70 451C5223 6AD95D19 AAC11CBA 428DA63D 49C77D18 27229F9F
  F79CF898 1C446EAB 5946AB48 53282518 F46E6FC6 0F8EBCB0 43799CDC E8705D8A
  EA0890CF 916D236A 8931E8D2 7CDB280B 5F294413
username admin privilege 15 password 7 13310543055D10337A757972
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 84600
crypto isakmp keepalive 30 10
crypto isakmp client configuration group rtr-remote
 key xxxxxxx
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto ipsec client ezvpn abvvpn1
 connect auto
 group abvvpn1 key btpbtp123456
 mode client
 peer 205.XXX.XXX.XXX (ASA outside interface)
 xauth userid mode interactive
crypto dynamic-map dynmap 1
 set transform-set test
!
crypto map 1 client configuration address respond
crypto map dynmap isakmp authorization list rtr-remote
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface Tunnel1
 no ip address
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 71.XXX.XXX.xXX
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn abvvpn1
interface Vlan1
 ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn abvvpn1 inside
ip local pool dynpool group rtr-remote
ip classless
ip route 71.XXX.XXX.XXX
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flas
ip nat pool translate 71.XXX.XXX.XXX 71.XXX.XXX.XXX prefix-length 24
ip nat source list 23 interface FastEthernet4 overload
ip nat inside source list 23 pool translate overload
access-list 23 permit
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 71.XXX.XXX.0 any
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip any
access-list 101 permit icmp any host echo-reply
access-list 101 permit icmp any host time-exceeded
access-list 101 permit icmp any host unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 deny   ip host any
access-list 101 deny   ip any any
no cdp run
banner exec ^C
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
banner login ^C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to 
line con 0
 password 7 08155E1F0748110E435A5D45
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
scheduler max-task-time 5000


wingatesl Commented:
The solution is to set up a GRE tunnel between the 877 and the CME device. Then set your TFTP setting on the phone to the private address on the CME router.
Basic unencrypted GRE config is here:
interface tunnel 0
ip address
tunnel source gigabitethernet 0/0    <put your internet side interface here>
tunnel destination *.*.*.* <put your 877 ip address here>

interface tunnel 0
ip address
tunnel source fastethernet 4
tunnel destination *.*.*.* <2811 public address here>

you will then need to set up some kind of routing to get back and forth
ip route 1

ip route <CME Network> <CME subnet mask> 1

That will get the two communicating, and you can test. When satisfied, you can then put some crypto maps in place to encrypt the traffic.
I thought the idea was for the phone to make the VPN connection to the ezvpn server on the router?
carloshidalgo (Author) Commented:
The idea is for the phone (which is connected to the 871 router) to be able to make the connection to the remote call manager express router and be able to download its config and make calls. To do this I need to be able to set the TFTP option on the phone to the call manager IP address (which is a private IP).

ok - so the VPN option to the call manager router?
carloshidalgo (Author) Commented:
Exactly... what I'm thinking is that maybe I should put a public IP on the call manager and either set up EZVPN server/client or an IPsec tunnel; just not sure which one and whether either one will work.
wingatesl Commented:
Obviously you will have to forward GRE packets through the ASA.
carloshidalgo (Author) Commented:
Why do I need to forward GRE packets through the ASA again? At this point the ASA is not even a part of the equation, if there is a tunnel built directly from the 2811 to the 871 - that is, unless I am misunderstanding how this is supposed to be connected...
wingatesl Commented:
The GRE packets need to be forwarded if the ASA sits between your CME and the internet.
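To make wingatesl's suggestion concrete, here is an added example (not configuration from either poster, and not Cisco-supplied text) of the GRE tunnel between the two routers, with the IPsec protection applied from the start by binding an IPsec profile to the tunnel interface instead of adding crypto maps later. Every address is a constructed documentation-range value and an assumption: 203.0.113.10 for the 871's FastEthernet4, 198.51.100.1 for the 2811's public interface, 192.168.20.0/24 for the remote-office LAN behind the 871, 10.10.10.0/24 for the CME LAN with the CME itself at 10.10.10.1, and 10.255.0.0/30 for the tunnel. The pre-shared key and the 2811's interface name are placeholders.

```cisco
! ===== 2811 (CME side) - added example; all addresses are constructed =====
! Phase 1: IKE policy and a key bound to the single remote peer
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto isakmp keepalive 30 10
!
! Phase 2: transport mode is enough, GRE already supplies the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel to the 871; the profile encrypts everything that enters the tunnel
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
! Remote-office LAN (where the phone lives) is reached through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! ===== 871 (remote office) - added example; all addresses are constructed =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto isakmp keepalive 30 10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
! CME LAN through the tunnel, so the phone can reach the CME's private address
ip route 10.10.10.0 255.255.255.0 Tunnel0
!
! Hand the phone the CME's private address as its TFTP server (DHCP option 150)
ip dhcp pool sdm-pool
 option 150 ip 10.10.10.1
!
! Inbound ACL on FastEthernet4: admit only ISAKMP, NAT-T and ESP from the one
! peer, inserted ahead of the SDM-generated deny lines (which start at sequence 10)
ip access-list extended 101
 1 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 2 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 3 permit esp host 198.51.100.1 host 203.0.113.10
```

Two points follow from the thread. First, because the tunnel interface is not marked `ip nat outside`, phone traffic routed into Tunnel0 is not translated by the 871's PAT, so no NAT exemption is needed for the CME network. Second, the ACL permits on FastEthernet4 are required even with `ip inspect DEFAULT100 out` in place, since CBAC does not open return holes for the router's own ISAKMP and ESP; for the same reason an ASA in front of the 2811, as in the last comment, has to pass UDP/500, UDP/4500 and ESP (IP protocol 50) to the 2811 for this encrypted form, and IP protocol 47 (GRE) instead if the plain GRE tunnel is tested first as suggested.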