Solved

Cannot Ping Cisco Callmanager server over VPN Connection

Posted on 2009-05-11
Last Modified: 2012-05-06
Trying to setup a Cisco Softphone and cannot connect to the Callmanager over the VPN connection.  I am able to use all other network resources fine.  The softphone works fine while connected locally.

I am sure it is a routing issue, but I don't know if it is in the PIX or the Callmanager 2800 router?
Question by:Dennis_Atkins
LVL 79

Expert Comment

by:lrmoore
ID: 24363850
Do you have a separate voice vlan? How are you routing that VLAN subnet? What is the default route on the call manager?

Author Comment

by:Dennis_Atkins
ID: 24364108
We have a separate voice vlan
Data vlan 192.168.125.nnn
Voice vlan 192.168.126.nnn
The voice default gateway is 192.168.126.100
The data gateway is 192.168.125.100
From inside the network I can talk with all of the devices on both vlans.  When I connect from a VPN connection, I cannot talk to the 126 subnet.
LVL 7

Accepted Solution

by:
koszegi earned 500 total points
ID: 24364427
Check the ACL for your crypto map.  That means you don't have an access control list entry to encrypt VPN communication to the voice VLAN.  Check your ACL and make sure you specify the 192.168.126.0 subnet to be encrypted and sent over the VPN link.

See if you can ping the 192.168.125.0 subnet over a VPN connection.  If so, look at the ACL that specifies that subnet and add the 192.168.126.0 subnet.
Example:

Let's say you specify that data from your data VLAN to the VPN will be encrypted, with:
data VLAN = 192.168.125.0
Voice VLAN= 192.168.126.0
VPN VLAN = 192.168.100.0

It would look like this for the ACL that denies NAT for data that needs to go through the VPN:

access-list 122 deny   ip 192.168.125.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 deny   ip 192.168.126.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 deny   ip 192.168.100.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 122 deny   ip 192.168.100.0 0.0.0.255 192.168.126.0 0.0.0.255

This is just a guide to help you see what may be missing.  Since you already have traffic going over your VPN to your data VLAN, you should see an ACL statement specifying either deny or permit from the 192.168.125.0 subnet to the VPN subnet.  Just add an additional statement specifying the voice VLAN to that ACL. If the statement specifying the data VLAN to the VPN says permit, then add a permit from the voice VLAN to the VPN VLAN. If the statement specifying the data VLAN to the VPN says deny, then add a deny from the voice VLAN to the VPN VLAN.

This should fix your problem.  Good luck.

LVL 79

Expert Comment

by:lrmoore
ID: 24370547
Can you post your PIX config?
Do make sure that the 192.168.126.0 network is in your inside_nat0_outbound acl
>The voice default gateway is 192.168.126.100
Is this the PIX or a router?
If it is a router, does that router have a default pointing to the PIX, or at least route the vpn client ip subnet to the PIX?
Do you use a different ip subnet for the VPN clients than the inside or the vlan?
Author Comment

by:Dennis_Atkins
ID: 24433476
Sorry for taking so long to respond. I have not had a chance to get back into this.
Attached the current PIX config.
It is a PIX that is in question.
: Saved
:
PIX Version 7.2(4)
!
hostname Firewall
domain-name *.com
enable password ************encrypted
passwd ***************** encrypted
names
name 192.168.125.99 MailServer
name 192.168.125.101 Server2
name 192.168.125.4 Rsvrd-4
name 192.168.125.7 Rsvrd-7
name 192.168.125.6 Rsvrd-6
name 192.168.125.5 Rsvrd-5
name 192.168.125.3 Rsvrd-3
name 192.168.125.8 Rsvrd-8
name 192.168.125.9 Rsvrd-9
name 192.168.125.10 Rsvrd-10
name 192.168.125.98 Snap-Server
name 192.168.126.101 Callmanager
name 192.168.125.11 Rsvrd-11
name 192.168.125.12 Rsvrd-12
name 192.168.125.13 Rsvrd-13
name 192.168.125.14 Rsvrd-14
name 192.168.125.15 Rsvrd-15
name 192.168.125.1 Rsvrd-01
name 192.168.125.2 Rsvrd-02
name 192.168.125.16 Rsvrd-16
name 192.168.125.17 Rsvrd-17
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address *.*.*.2 255.255.255.128
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Rsvrd-01 255.255.255.0
!
interface Ethernet2
 nameif intf2
 security-level 10
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name inwood.com
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host *.*.*.3 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.3 eq smtp
access-list outside_access_in extended permit tcp any host *.*.*.3 eq https
access-list outside_access_in extended permit tcp any host *.*.*.24 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.4 eq ftp
access-list outside_access_in extended permit tcp any host *.*.*.23 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.35 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.36 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.22 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.21 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.25 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.26 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.29 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.31 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.32 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.33 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.34 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.20 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.28 eq 3389
access-list outside_access_in extended permit tcp any host *.*.*.30 eq 3389
access-list outside_access_in remark HTTPS to Callmanager
access-list outside_access_in extended permit tcp any host *.*.*.125 eq https
access-list outside_access_in extended permit tcp any host *.*.*.27 eq 3389
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.225.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool remoteuserpool 192.168.225.1-192.168.225.15
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp *.*.*.4 ftp Snap-Server ftp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.125 https Callmanager https netmask 255.255.255.255
static (inside,outside) *.*.*.3 MailServer netmask 255.255.255.255
static (inside,outside) *.*.*.23 Server2 netmask 255.255.255.255
static (inside,outside) *.*.*.24 Rsvrd-7 netmask 255.255.255.255
static (inside,outside) *.*.*.22 Rsvrd-02 netmask 255.255.255.255
static (inside,outside) *.*.*.25 Rsvrd-3 netmask 255.255.255.255
static (inside,outside) *.*.*.21 Rsvrd-6 netmask 255.255.255.255
static (inside,outside) *.*.*.26 Rsvrd-5 netmask 255.255.255.255
static (inside,outside) *.*.*.27 Rsvrd-4 netmask 255.255.255.255
static (inside,outside) *.*.*.29 Rsvrd-8 netmask 255.255.255.255
static (inside,outside) *.*.*.31 Rsvrd-9 netmask 255.255.255.255
static (inside,outside) *.*.*.32 Rsvrd-10 netmask 255.255.255.255
static (inside,outside) *.*.*.33 Rsvrd-11 netmask 255.255.255.255
static (inside,outside) *.*.*.34 Rsvrd-12 netmask 255.255.255.255
static (inside,outside) *.*.*.20 Rsvrd-13 netmask 255.255.255.255
static (inside,outside) *.*.*.28 Rsvrd-14 netmask 255.255.255.255
static (inside,outside) *.*.*.30 Rsvrd-15 netmask 255.255.255.255
static (inside,outside) *.*.*.35 Rsvrd-16 netmask 255.255.255.255
static (inside,outside) *.*.*.36 Rsvrd-17 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.233.163.1 1
route inside 192.168.126.0 255.255.255.0 192.168.125.100 1
route inside 192.168.127.0 255.255.255.0 192.168.125.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http *.*.*.120 255.255.255.248 outside
http *.*.*.80 255.255.255.248 outside
http 192.168.125.0 255.255.255.0 inside
snmp-server host inside Rsvrd-5 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.125.100 255.255.255.255 inside
telnet 192.168.125.0 255.255.255.255 inside
telnet 192.168.125.170 255.255.255.255 inside
telnet 192.168.125.100 255.255.255.255 intf2
telnet 192.168.125.0 255.255.255.255 intf2
telnet timeout 5
ssh 192.168.125.170 255.255.255.255 inside
ssh timeout 5
console timeout 0
group-policy inwoodvpn internal
group-policy inwoodvpn attributes
 dns-server value 192.168.125.99 192.168.125.101
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inwoodvpn_splitTunnelAcl
 default-domain value inwood
group-policy voip internal
group-policy voip attributes
 wins-server value 192.168.125.101
 dns-server value 192.168.125.101 192.168.125.99
 vpn-tunnel-protocol IPSec
 default-domain value *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group *vpn type ipsec-ra
tunnel-group *vpn general-attributes
 address-pool remoteuserpool
 authentication-server-group (outside) LOCAL
 default-group-policy inwoodvpn
tunnel-group *vpn ipsec-attributes
 pre-shared-key *
tunnel-group voip type ipsec-ra
tunnel-group voip general-attributes
 address-pool remoteuserpool
 default-group-policy voip
tunnel-group voip ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map blobal_policy
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*: end
asdm image flash:/asdm-524.bin
asdm location MailServer 255.255.255.255 inside
asdm location Server2 255.255.255.255 inside
asdm location *.*.*.120 255.255.255.248 outside
asdm location 192.168.125.0 255.255.255.255 inside
asdm location Rsvrd-01 255.255.255.255 inside
asdm location Rsvrd-02 255.255.255.255 inside
asdm location Rsvrd-3 255.255.255.255 inside
asdm location Rsvrd-5 255.255.255.255 inside
asdm location Rsvrd-6 255.255.255.255 inside
asdm location Rsvrd-7 255.255.255.255 inside
asdm location Rsvrd-4 255.255.255.255 inside
asdm location Rsvrd-8 255.255.255.255 inside
asdm location Rsvrd-9 255.255.255.255 inside
asdm location Rsvrd-10 255.255.255.255 inside
asdm location Snap-Server 255.255.255.255 inside
asdm location 192.168.125.100 255.255.255.255 inside
asdm location 192.168.126.0 255.255.255.0 inside
asdm location Callmanager 255.255.255.255 inside
asdm location 192.168.125.0 255.255.255.255 intf2
asdm location 192.168.125.100 255.255.255.255 intf2
asdm location Rsvrd-11 255.255.255.255 inside
asdm location Rsvrd-12 255.255.255.255 inside
asdm location Rsvrd-13 255.255.255.255 inside
asdm location Rsvrd-14 255.255.255.255 inside
asdm location Rsvrd-15 255.255.255.255 inside
asdm location Rsvrd-16 255.255.255.255 inside
asdm location Rsvrd-17 255.255.255.255 inside
asdm history enable

LVL 7

Expert Comment

by:koszegi
ID: 24434248
As I mentioned before, if you take a look at your ACL inside_outbound_nat0_acl you will notice that it is used by nat 0.  Nat 0 specifies what traffic should not be NATed.  You need to add the following.

access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.126.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.126.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.226.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.226.0 255.255.255.240

The gist of the story is: add the 192.168.226.0 to any ACL that you see that currently has 192.168.225.0 in it.  This will allow traffic to flow to the voice VLAN.

This is where your problem lies.  nat (inside) 0 access-list inside_outbound_nat0_acl is not specifying the 192.168.126.0 subnet.  The above statements will fix that and may add some additional statements, but that's okay.
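Added here as a worked example, not code from the thread, from Cisco, or from either expert: a small Python audit that applies the check koszegi describes in both of his comments (is the voice VLAN present in every list that already carries the VPN client pool: split-tunnel ACL, nat 0 exemption ACL, dynamic crypto map ACL) and lrmoore's return-path question (is the subnet behind a separate inside router that must itself route the pool back to the PIX). The sample config lines and subnet values are copied from the config posted above; the function names, report keys and generated fix lines are this example's own assumptions.

```python
"""Audit whether an inside subnet is reachable by remote-access VPN clients on a
PIX/ASA 7.x config: split-tunnel list, nat 0 exemption ACL, crypto map ACL, and
whether the subnet sits behind an inside router (return-path check)."""
import ipaddress
import re

# Constructed sample: the VPN-relevant lines of the config posted in this thread
# (data VLAN 192.168.125.0/24, voice VLAN 192.168.126.0/24, pool .225.1-.225.15).
SAMPLE_CONFIG = """\
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.225.0 255.255.255.240
ip local pool remoteuserpool 192.168.225.1-192.168.225.15
nat (inside) 0 access-list inside_outbound_nat0_acl
route inside 192.168.126.0 255.255.255.0 192.168.125.100 1
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
group-policy inwoodvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inwoodvpn_splitTunnelAcl
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Map each ACL name to its 'ip' entries as (action, src_net, dst_net)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) ip (.+)$", line.strip())
        if m:
            name, action, rest = m.groups()
            tokens = rest.split()
            src, dst = _addr(tokens), _addr(tokens)
            acls.setdefault(name, []).append((action, src, dst))
    return acls


def _find(config, pattern):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def vpn_pool(config):
    """Smallest single network that contains the 'ip local pool' address range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    lo, hi = (ipaddress.ip_address(a) for a in m.groups())
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen the prefix until it holds the last address
        net = net.supernet()
    return net


def covers(entries, src_net, dst_net):
    """True if some permit entry contains the whole src_net -> dst_net pair."""
    return any(action == "permit" and src_net.subnet_of(s) and dst_net.subnet_of(d)
               for action, s, d in entries)


def audit(config, inside_subnet):
    """Check the three lists the thread discusses plus the inside next hop."""
    subnet = ipaddress.ip_network(inside_subnet)
    acls, pool = parse_acls(config), vpn_pool(config)
    names = {
        "split_tunnel": _find(config, r"^\s*split-tunnel-network-list value (\S+)"),
        "nat0_exempt": _find(config, r"^nat \(inside\) 0 access-list (\S+)"),
        "crypto_map": _find(config, r"^crypto dynamic-map \S+ \d+ match address (\S+)"),
    }
    report = {
        # Split tunnel: the client routes only listed networks into the tunnel,
        # so entries are written "subnet any" and only the source side matters.
        "split_tunnel": covers(acls.get(names["split_tunnel"], []), subnet, ANY),
        # nat 0 and crypto ACLs must match inside subnet -> client pool.
        "nat0_exempt": covers(acls.get(names["nat0_exempt"], []), subnet, pool),
        "crypto_map": covers(acls.get(names["crypto_map"], []), subnet, pool),
    }
    if _find(config, r"^\s*split-tunnel-policy (\S+)") == "tunnelall":
        report["split_tunnel"] = True   # all client traffic is tunnelled; list unused
    # A subnet reached via an inside next hop sits behind another router, which
    # must have its own route for the VPN pool pointing back at the PIX.
    report["next_hop_router"] = _find(
        config, rf"^route inside {re.escape(str(subnet.network_address))} \S+ (\S+)")
    return report, names


def missing_lines(config, inside_subnet):
    """Config lines that would add inside_subnet to each list not yet covering it."""
    report, names = audit(config, inside_subnet)
    subnet, pool = ipaddress.ip_network(inside_subnet), vpn_pool(config)
    src = f"{subnet.network_address} {subnet.netmask}"
    dst = f"{pool.network_address} {pool.netmask}"
    fixes = {
        "split_tunnel": f"access-list {names['split_tunnel']} extended permit ip {src} any",
        "nat0_exempt": f"access-list {names['nat0_exempt']} extended permit ip {src} {dst}",
        "crypto_map": f"access-list {names['crypto_map']} extended permit ip {src} {dst}",
    }
    return [fixes[k] for k in fixes if not report[k]]


if __name__ == "__main__":
    rep, _ = audit(SAMPLE_CONFIG, "192.168.126.0/24")
    for key, value in rep.items():
        print(f"{key:16} {value}")
    print("\n".join(missing_lines(SAMPLE_CONFIG, "192.168.126.0/24")))
```

Run against the posted lines, the report comes back split_tunnel False, nat0_exempt True, crypto_map True and next_hop_router 192.168.125.100: the existing `permit ip any 192.168.225.0 255.255.255.240` entries already exempt from NAT and encrypt traffic from every inside subnet to the client pool, so the list that actually lacks 192.168.126.0 is the split-tunnel ACL, which decides which destinations the VPN client sends into the tunnel at all. That matches the symptom (the 125 subnet works, the 126 subnet is never tunnelled). The next-hop line is the second thing to verify once the ACL is fixed: replies from the Callmanager leave via 192.168.126.100 on the 2800, so that router needs a route for 192.168.225.0/28 (or a default) towards the PIX inside address, or the return traffic never reaches the tunnel.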
LVL 7

Expert Comment

by:koszegi
ID: 24434665
Dennis;

See if you can remove the username and password from the code snippet you posted.  As a matter of fact, if you can remove the whole thing, I would.  It provides too much information about your network, i.e. ports that are used for Windows Terminal Services (RDP), the username and password used to create a VPN connection, the public IP of your firewall, etc.  I was trying to see if I could contact you by email or a private message, but I could not.