Solved

Cannot Ping Cisco Callmanager server over VPN Connection

Posted on 2009-05-11
Medium Priority
987 Views
Last Modified: 2012-05-06
Trying to set up a Cisco Softphone and cannot connect to the Callmanager over the VPN connection. I am able to use all other network resources fine. The softphone works fine while connected locally.

I am sure it is a routing issue, but I don't know if it is in the PIX or the Callmanager 2800 router?
Question by:Dennis_Atkins
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24363850
Do you have a separate voice vlan? How are you routing that VLAN subnet? What is the default route on the call manager?
 

Author Comment

by:Dennis_Atkins
ID: 24364108
We have a separate voice VLAN.
Data VLAN 192.168.125.nnn
Voice VLAN 192.168.126.nnn
The voice default gateway is 192.168.126.100
The data gateway is 192.168.125.100
From inside the network I can talk with all of the devices on both VLANs. When I connect from a VPN connection, I cannot talk to the 126 subnet.
 
LVL 7

Accepted Solution

by:
koszegi earned 2000 total points
ID: 24364427
Check the ACL for your crypto map. That means you don't have an Access Control List to encrypt VPN communication to the voice VLAN. Check your ACL and make sure you specify the 192.168.126.0 subnet to be encrypted and sent over the VPN link.

See if you can ping the 192.168.125.0 subnet over a VPN connection. If so, look at the ACL that specifies that subnet and add the 192.168.126.0 subnet.
Example:

Let's say you specify that data from your Data VLAN to the VPN will be encrypted as such. Let's say:
data VLAN = 192.168.125.0
Voice VLAN= 192.168.126.0
VPN VLAN = 192.168.100.0

It would look like this for the ACL to deny NAT for data that needs to go through the VPN.

access-list 122 deny   ip 192.168.125.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 deny   ip 192.168.126.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 deny   ip 192.168.100.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 122 deny   ip 192.168.100.0 0.0.0.255 192.168.126.0 0.0.0.255

This is just a guide to help you see what may be missing. Since you already have traffic going over your VPN to your data VLAN, you should see an ACL statement specifying either deny or permit from the 192.168.125.0 subnet to the VPN subnet. Just add an additional statement specifying the voice VLAN to those ACLs. If the statement specifying the data VLAN to the VPN says permit, then add a permit from the voice VLAN to the VPN VLAN. If the statement specifying the data VLAN to the VPN says deny, then add a deny from the voice VLAN to the VPN VLAN.

This should fix your problem.  Good luck.

LVL 79

Expert Comment

by:lrmoore
ID: 24370547
Can you post your PIX config?
Do make sure that the 192.168.126.0 network is in your inside_nat0_outbound acl
>The voice default gateway is 192.168.126.100
Is this the PIX or a router?
If it is a router, does that router have a default pointing to the PIX, or at least route the vpn client ip subnet to the PIX?
Do you use a different ip subnet for the VPN clients than the inside or the vlan?
 

Author Comment

by:Dennis_Atkins
ID: 24433476
Sorry for taking so long to respond. I have not had a chance to get back into this.
Attached the current PIX config.
It is a PIX that is in question.
: Saved
:
PIX Version 7.2(4) 
!
hostname Firewall
domain-name *.com
enable password ************encrypted
passwd ***************** encrypted
names
name 192.168.125.99 MailServer
name 192.168.125.101 Server2
name 192.168.125.4 Rsvrd-4
name 192.168.125.7 Rsvrd-7
name 192.168.125.6 Rsvrd-6
name 192.168.125.5 Rsvrd-5
name 192.168.125.3 Rsvrd-3
name 192.168.125.8 Rsvrd-8
name 192.168.125.9 Rsvrd-9
name 192.168.125.10 Rsvrd-10
name 192.168.125.98 Snap-Server
name 192.168.126.101 Callmanager
name 192.168.125.11 Rsvrd-11
name 192.168.125.12 Rsvrd-12
name 192.168.125.13 Rsvrd-13
name 192.168.125.14 Rsvrd-14
name 192.168.125.15 Rsvrd-15
name 192.168.125.1 Rsvrd-01
name 192.168.125.2 Rsvrd-02
name 192.168.125.16 Rsvrd-16
name 192.168.125.17 Rsvrd-17
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address *.*.*.2 255.255.255.128 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Rsvrd-01 255.255.255.0 
!
interface Ethernet2
 nameif intf2
 security-level 10
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name inwood.com
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq smtp 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq https 
access-list outside_access_in extended permit tcp any host *.*.*.24 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.4 eq ftp 
access-list outside_access_in extended permit tcp any host *.*.*.23 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.35 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.36 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.22 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.21 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.25 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.26 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.29 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.31 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.32 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.33 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.34 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.20 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.28 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.30 eq 3389 
access-list outside_access_in remark HTTPS to Callmanager
access-list outside_access_in extended permit tcp any host *.*.*.125 eq https 
access-list outside_access_in extended permit tcp any host *.*.*.27 eq 3389 
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any 
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240 
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240 
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.225.0 255.255.255.240 
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool remoteuserpool 192.168.225.1-192.168.225.15
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp *.*.*.4 ftp Snap-Server ftp netmask 255.255.255.255 
static (inside,outside) tcp *.*.*.125 https Callmanager https netmask 255.255.255.255 
static (inside,outside) *.*.*.3 MailServer netmask 255.255.255.255 
static (inside,outside) *.*.*.23 Server2 netmask 255.255.255.255 
static (inside,outside) *.*.*.24 Rsvrd-7 netmask 255.255.255.255 
static (inside,outside) *.*.*.22 Rsvrd-02 netmask 255.255.255.255 
static (inside,outside) *.*.*.25 Rsvrd-3 netmask 255.255.255.255 
static (inside,outside) *.*.*.21 Rsvrd-6 netmask 255.255.255.255 
static (inside,outside) *.*.*.26 Rsvrd-5 netmask 255.255.255.255 
static (inside,outside) *.*.*.27 Rsvrd-4 netmask 255.255.255.255 
static (inside,outside) *.*.*.29 Rsvrd-8 netmask 255.255.255.255 
static (inside,outside) *.*.*.31 Rsvrd-9 netmask 255.255.255.255 
static (inside,outside) *.*.*.32 Rsvrd-10 netmask 255.255.255.255 
static (inside,outside) *.*.*.33 Rsvrd-11 netmask 255.255.255.255 
static (inside,outside) *.*.*.34 Rsvrd-12 netmask 255.255.255.255 
static (inside,outside) *.*.*.20 Rsvrd-13 netmask 255.255.255.255 
static (inside,outside) *.*.*.28 Rsvrd-14 netmask 255.255.255.255 
static (inside,outside) *.*.*.30 Rsvrd-15 netmask 255.255.255.255 
static (inside,outside) *.*.*.35 Rsvrd-16 netmask 255.255.255.255 
static (inside,outside) *.*.*.36 Rsvrd-17 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.233.163.1 1
route inside 192.168.126.0 255.255.255.0 192.168.125.100 1
route inside 192.168.127.0 255.255.255.0 192.168.125.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http *.*.*.120 255.255.255.248 outside
http *.*.*.80 255.255.255.248 outside
http 192.168.125.0 255.255.255.0 inside
snmp-server host inside Rsvrd-5 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.125.100 255.255.255.255 inside
telnet 192.168.125.0 255.255.255.255 inside
telnet 192.168.125.170 255.255.255.255 inside
telnet 192.168.125.100 255.255.255.255 intf2
telnet 192.168.125.0 255.255.255.255 intf2
telnet timeout 5
ssh 192.168.125.170 255.255.255.255 inside
ssh timeout 5
console timeout 0
group-policy inwoodvpn internal
group-policy inwoodvpn attributes
 dns-server value 192.168.125.99 192.168.125.101
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inwoodvpn_splitTunnelAcl
 default-domain value inwood
group-policy voip internal
group-policy voip attributes
 wins-server value 192.168.125.101
 dns-server value 192.168.125.101 192.168.125.99
 vpn-tunnel-protocol IPSec 
 default-domain value *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group *vpn type ipsec-ra
tunnel-group *vpn general-attributes
 address-pool remoteuserpool
 authentication-server-group (outside) LOCAL
 default-group-policy inwoodvpn
tunnel-group *vpn ipsec-attributes
 pre-shared-key *
tunnel-group voip type ipsec-ra
tunnel-group voip general-attributes
 address-pool remoteuserpool
 default-group-policy voip
tunnel-group voip ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map blobal_policy
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:*: end
asdm image flash:/asdm-524.bin
asdm location MailServer 255.255.255.255 inside
asdm location Server2 255.255.255.255 inside
asdm location *.*.*.120 255.255.255.248 outside
asdm location 192.168.125.0 255.255.255.255 inside
asdm location Rsvrd-01 255.255.255.255 inside
asdm location Rsvrd-02 255.255.255.255 inside
asdm location Rsvrd-3 255.255.255.255 inside
asdm location Rsvrd-5 255.255.255.255 inside
asdm location Rsvrd-6 255.255.255.255 inside
asdm location Rsvrd-7 255.255.255.255 inside
asdm location Rsvrd-4 255.255.255.255 inside
asdm location Rsvrd-8 255.255.255.255 inside
asdm location Rsvrd-9 255.255.255.255 inside
asdm location Rsvrd-10 255.255.255.255 inside
asdm location Snap-Server 255.255.255.255 inside
asdm location 192.168.125.100 255.255.255.255 inside
asdm location 192.168.126.0 255.255.255.0 inside
asdm location Callmanager 255.255.255.255 inside
asdm location 192.168.125.0 255.255.255.255 intf2
asdm location 192.168.125.100 255.255.255.255 intf2
asdm location Rsvrd-11 255.255.255.255 inside
asdm location Rsvrd-12 255.255.255.255 inside
asdm location Rsvrd-13 255.255.255.255 inside
asdm location Rsvrd-14 255.255.255.255 inside
asdm location Rsvrd-15 255.255.255.255 inside
asdm location Rsvrd-16 255.255.255.255 inside
asdm location Rsvrd-17 255.255.255.255 inside
asdm history enable

 
LVL 7

Expert Comment

by:koszegi
ID: 24434248
As I mentioned before, if you take a look at your ACL inside_outbound_nat0_acl you will notice that it is used by nat 0. Nat 0 specifies what traffic should not be NATed. You need to add the following.

access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.126.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.126.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.226.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.226.0 255.255.255.240  

The gist of the story is: add the 192.168.226.0 to any ACL that you see currently has 192.168.225.0 in it. This will allow traffic to flow to the voice VLAN.

This is where your problem lies. nat (inside) 0 access-list inside_outbound_nat0_acl is not specifying the 192.168.126.0 subnet. The above statements will fix that and may add some additional statements, but that's okay.
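The accepted solution and the follow-up above both come down to one question: for a given LAN subnet, do the split-tunnel list, the nat 0 exemption list and the crypto-map match list each contain a permit entry that covers it toward the VPN client pool? The checker below is an added example written for this thread, not code from the thread or from Cisco; it parses the access-list lines of the posted PIX 7.2 config (embedded as a constructed excerpt) and prints the ACEs that are still missing for a subnet. It assumes the three ACL names from the posted config and the 192.168.225.0/28 remoteuserpool.

```python
import ipaddress

# Constructed excerpt: only the access-list lines from the PIX config posted in
# this thread; the remaining config lines do not affect this check.
PIX_ACLS = """\
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.225.0 255.255.255.240
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_POOL = ipaddress.ip_network("192.168.225.0/28")  # ip local pool remoteuserpool .1-.15
# A split-tunnel client reaches a LAN subnet only if the split-tunnel list routes it
# into the tunnel, nat 0 exempts LAN->pool from NAT, and the crypto ACL encrypts it.
REQUIRED = {  # acl name -> (source, destination) that must be permitted for `lan`
    "inwoodvpn_splitTunnelAcl": lambda lan: (lan, ANY),
    "inside_outbound_nat0_acl": lambda lan: (lan, VPN_POOL),
    "outside_cryptomap_dyn_20": lambda lan: (ANY, VPN_POOL),
}

def _net(tokens):
    # Consume one PIX address spec: "any", "host A.B.C.D" or "A.B.C.D MASK".
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)

def parse_aces(config):
    # Return (acl, action, src, dst) for every "extended permit|deny ip" ACE.
    aces = []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 7 and p[0] == "access-list" and p[2] == "extended" and p[4] == "ip":
            rest = p[5:]
            aces.append((p[1], p[3], _net(rest), _net(rest)))  # evaluated left to right
    return aces

def covered(aces, acl, src, dst):
    # True if the named ACL has a permit ACE whose source/destination contain src/dst.
    return any(n == acl and a == "permit" and src.subnet_of(s) and dst.subnet_of(d)
               for n, a, s, d in aces)

def _spec(net):
    return "any" if net == ANY else f"{net.network_address} {net.netmask}"

def missing_aces(config, lan):
    # The access-list lines still needed for lan; an empty list means fully covered.
    lan, aces = ipaddress.ip_network(lan), parse_aces(config)
    return [f"access-list {acl} extended permit ip {_spec(src)} {_spec(dst)}"
            for acl, need in REQUIRED.items() for src, dst in [need(lan)]
            if not covered(aces, acl, src, dst)]
```

Run `missing_aces(PIX_ACLS, "192.168.126.0/24")` against the posted config: the `permit ip any 192.168.225.0 255.255.255.240` entries already satisfy nat 0 and the crypto map for the voice VLAN, so the only line reported is the split-tunnel entry, which is what decides whether the client sends 192.168.126.0 traffic into the tunnel at all.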
 
LVL 7

Expert Comment

by:koszegi
ID: 24434665
Dennis;

See if you can remove the username and password from the code snippets you posted. As a matter of fact, if you can remove the whole thing I would. It provides too much information about your network, i.e. ports that are used for Windows Terminal Services (RDP), the username and password used to create a VPN connection, the public IP of your firewall, etc. I was trying to see if I could contact you by email or a private message, but I could not.