Cisco CME SIP issue

Hi,

I have a Cisco 2811 (CME) and it is registering with an external SIP provider (ITSP) for external calls.

I am also trying to setup SIP extensions to run over a VPN to a remote site. The 2811 ISR is doing the SIP trunk termination, CME SIP registrations and the IPSec VPN Tunnel.  

What is happening, unless I add the command below, the SIP phones cannot register

voice service voip
sip
 bind all source-interface fa0/0.1 (which is the internal VLAN)

However, when I add this command the SIP trunk to the ITSP drops and doesn't work.

Does anyone know how to fix this?

Thanks

Mark
LVL 6
mark_06Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
If it is currently bound to the outside interface, just add that address to the IPSEC VPN tunnel access-list so it will be encrypted..
0
mark_06Author Commented:
Thanks for the response!

I am not sure I follow 100%.

So I need to configure the public IP of the remote site to the access-list of the VPN tunnel, is that what you are saying?
0
lrmooreCommented:
Yes. For example:

bind all source-interface fa0/1  <- WAN Interface

interface fast 0/1
 ip address 1.1.1.1 255.255.255.0

interface fast 0/0.1  <- LAN interface
 ip address 192.168.100.1 255.255.255.0

# Acl 106 defines traffic to be encrypted and applied to the crypto map
access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 106 permit ip host 1.1.1.1 192.168.200.0 0.0.0.255
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

mark_06Author Commented:
That has worked. Except I am now getting one way audio. The caller in the remote site cannot hear the person from the main site. However the user at the main site can hear the remote site.

This is the config (assuming WAN IP is 1.1.1.1), the remote site is 192.168.12.0/24

voice register global
 mode cme
 source-address 1.1.1.1 port 5060
 max-dn 10
 max-pool 10
 authenticate register
 voicemail 150
!
voice register dn  1
 number 400
!
voice register pool  1
 id mac 0000.0000.0400
 number 1 dn 1
 username 400 password 1234PW
 codec g711ulaw


access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 118 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 118 permit ip host 1.1.1.1 192.168.12.0 0.0.0.255


In terms of my NAT (as one way voice can often be caused by it) this is what I have. (not there are more subnets as there are multiple VPN sites)

ip nat inside source list 100 interface FastEthernet0/1 overload

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 deny   ip any any
0
mark_06Author Commented:
Looking through the SIP debugs it looks as if it's sending the packets over the external WAN rather than through the VPN tunnel.
0
mark_06Author Commented:
Technically correct. As all the research I have done supports this. However I am still having some funny issues.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Voice Over IP

From novice to tech pro — start learning today.