Dennis_Atkins
Cannot Ping Cisco Callmanager server over VPN Connection

Trying to setup a Cisco Softphone and cannot connect to the Callmanager over the VPN connection.  I am able to use all other network resources fine.  The softphone works fine while connected locally.

I am sure it is a routing issue, but I don't know if it is in the PIX or the Callmanager 2800 router?
Les Moore
Do you have a separate voice vlan? How are you routing that VLAN subnet? What is the default route on the call manager?
Dennis_Atkins
ASKER
We have a separate voice vlan
Data vlan 192.168.125.nnn
Voice vlan 192.168.126.nnn
The voice default gateway is 192.168.126.100
The data gateway is 192.168.125.100
From inside the network I can talk with all of the devices on both vlans.  When I connect from a VPN connection, I cannot talk to the 126 subnet.
ASKER CERTIFIED SOLUTION
koszegi
Can you post your PIX config?
Do make sure that the 192.168.126.0 network is in your inside_nat0_outbound acl
>The voice default gateway is 192.168.126.100
Is this the PIX or a router?
If it is a router, does that router have a default pointing to the PIX, or at least route the vpn client ip subnet to the PIX?
Do you use a different ip subnet for the VPN clients than the inside or the vlan?
Sorry for taking so long to respond. I have not had a chance to get back into this.
Attached the current PIX config.
It is a PIX that is in question.
: Saved
:
PIX Version 7.2(4) 
!
hostname Firewall
domain-name *.com
enable password ************encrypted
passwd ***************** encrypted
names
name 192.168.125.99 MailServer
name 192.168.125.101 Server2
name 192.168.125.4 Rsvrd-4
name 192.168.125.7 Rsvrd-7
name 192.168.125.6 Rsvrd-6
name 192.168.125.5 Rsvrd-5
name 192.168.125.3 Rsvrd-3
name 192.168.125.8 Rsvrd-8
name 192.168.125.9 Rsvrd-9
name 192.168.125.10 Rsvrd-10
name 192.168.125.98 Snap-Server
name 192.168.126.101 Callmanager
name 192.168.125.11 Rsvrd-11
name 192.168.125.12 Rsvrd-12
name 192.168.125.13 Rsvrd-13
name 192.168.125.14 Rsvrd-14
name 192.168.125.15 Rsvrd-15
name 192.168.125.1 Rsvrd-01
name 192.168.125.2 Rsvrd-02
name 192.168.125.16 Rsvrd-16
name 192.168.125.17 Rsvrd-17
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address *.*.*.2 255.255.255.128 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Rsvrd-01 255.255.255.0 
!
interface Ethernet2
 nameif intf2
 security-level 10
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name inwood.com
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq smtp 
access-list outside_access_in extended permit tcp any host *.*.*.3 eq https 
access-list outside_access_in extended permit tcp any host *.*.*.24 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.4 eq ftp 
access-list outside_access_in extended permit tcp any host *.*.*.23 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.35 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.36 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.22 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.21 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.25 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.26 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.29 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.31 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.32 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.33 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.34 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.20 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.28 eq 3389 
access-list outside_access_in extended permit tcp any host *.*.*.30 eq 3389 
access-list outside_access_in remark HTTPS to Callmanager
access-list outside_access_in extended permit tcp any host *.*.*.125 eq https 
access-list outside_access_in extended permit tcp any host *.*.*.27 eq 3389 
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any 
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240 
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240 
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.225.0 255.255.255.240 
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool remoteuserpool 192.168.225.1-192.168.225.15
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp *.*.*.4 ftp Snap-Server ftp netmask 255.255.255.255 
static (inside,outside) tcp *.*.*.125 https Callmanager https netmask 255.255.255.255 
static (inside,outside) *.*.*.3 MailServer netmask 255.255.255.255 
static (inside,outside) *.*.*.23 Server2 netmask 255.255.255.255 
static (inside,outside) *.*.*.24 Rsvrd-7 netmask 255.255.255.255 
static (inside,outside) *.*.*.22 Rsvrd-02 netmask 255.255.255.255 
static (inside,outside) *.*.*.25 Rsvrd-3 netmask 255.255.255.255 
static (inside,outside) *.*.*.21 Rsvrd-6 netmask 255.255.255.255 
static (inside,outside) *.*.*.26 Rsvrd-5 netmask 255.255.255.255 
static (inside,outside) *.*.*.27 Rsvrd-4 netmask 255.255.255.255 
static (inside,outside) *.*.*.29 Rsvrd-8 netmask 255.255.255.255 
static (inside,outside) *.*.*.31 Rsvrd-9 netmask 255.255.255.255 
static (inside,outside) *.*.*.32 Rsvrd-10 netmask 255.255.255.255 
static (inside,outside) *.*.*.33 Rsvrd-11 netmask 255.255.255.255 
static (inside,outside) *.*.*.34 Rsvrd-12 netmask 255.255.255.255 
static (inside,outside) *.*.*.20 Rsvrd-13 netmask 255.255.255.255 
static (inside,outside) *.*.*.28 Rsvrd-14 netmask 255.255.255.255 
static (inside,outside) *.*.*.30 Rsvrd-15 netmask 255.255.255.255 
static (inside,outside) *.*.*.35 Rsvrd-16 netmask 255.255.255.255 
static (inside,outside) *.*.*.36 Rsvrd-17 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.233.163.1 1
route inside 192.168.126.0 255.255.255.0 192.168.125.100 1
route inside 192.168.127.0 255.255.255.0 192.168.125.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http *.*.*.120 255.255.255.248 outside
http *.*.*.80 255.255.255.248 outside
http 192.168.125.0 255.255.255.0 inside
snmp-server host inside Rsvrd-5 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.125.100 255.255.255.255 inside
telnet 192.168.125.0 255.255.255.255 inside
telnet 192.168.125.170 255.255.255.255 inside
telnet 192.168.125.100 255.255.255.255 intf2
telnet 192.168.125.0 255.255.255.255 intf2
telnet timeout 5
ssh 192.168.125.170 255.255.255.255 inside
ssh timeout 5
console timeout 0
group-policy inwoodvpn internal
group-policy inwoodvpn attributes
 dns-server value 192.168.125.99 192.168.125.101
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inwoodvpn_splitTunnelAcl
 default-domain value inwood
group-policy voip internal
group-policy voip attributes
 wins-server value 192.168.125.101
 dns-server value 192.168.125.101 192.168.125.99
 vpn-tunnel-protocol IPSec 
 default-domain value *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group *vpn type ipsec-ra
tunnel-group *vpn general-attributes
 address-pool remoteuserpool
 authentication-server-group (outside) LOCAL
 default-group-policy inwoodvpn
tunnel-group *vpn ipsec-attributes
 pre-shared-key *
tunnel-group voip type ipsec-ra
tunnel-group voip general-attributes
 address-pool remoteuserpool
 default-group-policy voip
tunnel-group voip ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map blobal_policy
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:*: end
asdm image flash:/asdm-524.bin
asdm location MailServer 255.255.255.255 inside
asdm location Server2 255.255.255.255 inside
asdm location *.*.*.120 255.255.255.248 outside
asdm location 192.168.125.0 255.255.255.255 inside
asdm location Rsvrd-01 255.255.255.255 inside
asdm location Rsvrd-02 255.255.255.255 inside
asdm location Rsvrd-3 255.255.255.255 inside
asdm location Rsvrd-5 255.255.255.255 inside
asdm location Rsvrd-6 255.255.255.255 inside
asdm location Rsvrd-7 255.255.255.255 inside
asdm location Rsvrd-4 255.255.255.255 inside
asdm location Rsvrd-8 255.255.255.255 inside
asdm location Rsvrd-9 255.255.255.255 inside
asdm location Rsvrd-10 255.255.255.255 inside
asdm location Snap-Server 255.255.255.255 inside
asdm location 192.168.125.100 255.255.255.255 inside
asdm location 192.168.126.0 255.255.255.0 inside
asdm location Callmanager 255.255.255.255 inside
asdm location 192.168.125.0 255.255.255.255 intf2
asdm location 192.168.125.100 255.255.255.255 intf2
asdm location Rsvrd-11 255.255.255.255 inside
asdm location Rsvrd-12 255.255.255.255 inside
asdm location Rsvrd-13 255.255.255.255 inside
asdm location Rsvrd-14 255.255.255.255 inside
asdm location Rsvrd-15 255.255.255.255 inside
asdm location Rsvrd-16 255.255.255.255 inside
asdm location Rsvrd-17 255.255.255.255 inside
asdm history enable

As I mentioned before, if you take a look at your ACL inside_outbound_nat0_acl you will notice that it is used by nat 0.  Nat 0 specifies what traffic should not be NATed.  You need to add the following.

access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.126.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.126.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.226.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.226.0 255.255.255.240  

The gist of the story is to add the 192.168.226.0 to any ACL that you see that currently has 192.168.225.0 in it.  This will allow traffic to flow to the voice vlan.

This is where your problem lies.  nat (inside) 0 access-list inside_outbound_nat0_acl is not specifying the 192.168.126.0 subnet.  The above statements will fix that and may add some additional statements, but that's okay.
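An added check (my own example code, not part of this thread or of any Cisco tool) that automates what the answer above describes: it parses the `access-list`, `nat 0`, `ip local pool` and `group-policy` lines of a PIX 7.x-style config and reports whether a given inside subnet is both exempt from NAT and included in the split-tunnel list for every address in the VPN client pool. The sample lines are taken from the config posted earlier in the thread; the `FIXED_CONFIG` variant appends the first `access-list inwoodvpn_splitTunnelAcl` line recommended above. Run against the posted lines, the check finds that the existing `permit ip any 192.168.225.0 255.255.255.240` entry already exempts the voice VLAN from NAT, while the split-tunnel ACL covers only 192.168.125.0/24, so under `split-tunnel-policy tunnelspecified` a client never sends 192.168.126.x traffic into the tunnel at all; with the extra split-tunnel entry both checks pass. The parser handles only the `extended permit ip` form used in this config (no object-groups, deny entries or other protocols), and the function and variable names are mine.

```python
"""Check whether an inside subnet is reachable from a PIX/ASA remote-access VPN
pool: it must be covered by the nat 0 (NAT-exemption) ACL and, when the group
policy uses 'tunnelspecified', by the split-tunnel ACL as well.

Example code written for this thread, not a Cisco utility. Parsing is limited to
'access-list <name> extended permit ip <src> <dst>' entries.
"""
import ipaddress
import re

# Constructed sample: the lines of the posted config that decide whether a VPN
# client (pool 192.168.225.1-15) can reach an inside subnet.
ORIGINAL_CONFIG = """\
access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.125.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip 192.168.125.0 255.255.255.0 192.168.225.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 192.168.225.0 255.255.255.240
ip local pool remoteuserpool 192.168.225.1-192.168.225.15
nat (inside) 0 access-list inside_outbound_nat0_acl
group-policy inwoodvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inwoodvpn_splitTunnelAcl
"""

# The same config plus the split-tunnel entry the accepted answer recommends.
FIXED_CONFIG = ORIGINAL_CONFIG + (
    "access-list inwoodvpn_splitTunnelAcl extended permit ip 192.168.126.0 255.255.255.0 any\n"
)


def _address(tokens, i):
    """Consume one ACE address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Map ACL name -> list of (source_net, destination_net) for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _address(t, 5)
        dst, _ = _address(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def nat0_acl_name(config, interface="inside"):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list <name>', if any."""
    m = re.search(rf"^nat \({interface}\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None


def split_tunnel_acl_name(config, policy):
    """ACL named by 'split-tunnel-network-list value' inside the given group-policy block."""
    in_block = False
    for line in config.splitlines():
        if line.startswith("group-policy "):
            in_block = line.split()[1] == policy and line.endswith(" attributes")
        elif in_block and line.strip().startswith("split-tunnel-network-list value "):
            return line.split()[-1]
    return None


def pool_addresses(config, pool):
    """Every client address handed out by 'ip local pool <pool> first-last'."""
    m = re.search(rf"^ip local pool {re.escape(pool)} ([^\s-]+)-(\S+)$", config, re.M)
    if not m:
        return []
    first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
    return [ipaddress.ip_address(n) for n in range(first, last + 1)]


def acl_covers(aces, inside_net, client):
    """True if a single ACE's source contains all of inside_net and its
    destination contains the client address (partial overlaps do not count)."""
    return any(src.supernet_of(inside_net) and client in dst for src, dst in aces)


def check_vpn_reachability(config, inside_cidr, pool, policy):
    """Report whether inside_cidr is NAT-exempt and split-tunneled for the whole pool."""
    acls = parse_acls(config)
    inside = ipaddress.ip_network(inside_cidr)
    nat0 = nat0_acl_name(config)
    split = split_tunnel_acl_name(config, policy)
    clients = pool_addresses(config, pool)
    return {
        "nat0_acl": nat0,
        "nat0_ok": bool(clients) and all(acl_covers(acls.get(nat0, []), inside, c) for c in clients),
        "split_tunnel_acl": split,
        "split_tunnel_ok": bool(clients) and all(acl_covers(acls.get(split, []), inside, c) for c in clients),
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_reachability(cfg, "192.168.126.0/24", "remoteuserpool", "inwoodvpn"))
```

The check is deliberately strict: it requires one ACE to cover the whole inside subnet for each pool address, which is how these ACLs are normally written. It is a static read of the config only; a route back from the 192.168.126.x gateway to the 192.168.225.x pool (the second thing the accepted answer asks about) still has to be verified on the router itself.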
Dennis;

See if you can remove the username and password from the code snippets you posted.  As a matter of fact, if you can remove the whole thing I would.  It provides too much information about your network, i.e. ports that are used for Windows Terminal Services (RDP), the username and password used to create a VPN connection, the public IP of your firewall, etc.  I was trying to see if I could contact you by email or a private message, but I could not.