• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 967
  • Last Modified:

Cisco CME SIP issue

Hi,

I have a Cisco 2811 (CME) and it is registering with an external SIP provider (ITSP) for external calls.

I am also trying to setup SIP extensions to run over a VPN to a remote site. The 2811 ISR is doing the SIP trunk termination, CME SIP registrations and the IPSec VPN Tunnel.  

What is happening, unless I add the command below, the SIP phones cannot register

voice service voip
sip
 bind all source-interface fa0/0.1 (which is the internal VLAN)

However, when I add this command the SIP trunk to the ITSP drops and doesn't work.

Does anyone know how to fix this?

Thanks

Mark
0
mark_06
Asked:
mark_06
  • 4
  • 2
1 Solution
 
lrmooreCommented:
If it is currently bound to the outside interface, just add that address to the IPSEC VPN tunnel access-list so it will be encrypted..
0
 
mark_06Author Commented:
Thanks for the response!

I am not sure I follow 100%.

So I need to configure the public IP of the remote site to the access-list of the VPN tunnel, is that what you are saying?
0
 
lrmooreCommented:
Yes. For example:

bind all source-interface fa0/1  <- WAN Interface

interface fast 0/1
 ip address 1.1.1.1 255.255.255.0

interface fast 0/0.1  <- LAN interface
 ip address 192.168.100.1 255.255.255.0

# Acl 106 defines traffic to be encrypted and applied to the crypto map
access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 106 permit ip host 1.1.1.1 192.168.200.0 0.0.0.255
0
Enhanced Intelligibility Without Cable Clutter

Challenge: The ESA office in Brussels wanted a reliable audio conference system for video conferences. Their requirement - No participant must be left out from the conference and the audio quality must not be compromised.

 
mark_06Author Commented:
That has worked. Except I am now getting one way audio. The caller in the remote site cannot hear the person from the main site. However the user at the main site can hear the remote site.

This is the config (assuming WAN IP is 1.1.1.1), the remote site is 192.168.12.0/24

voice register global
 mode cme
 source-address 1.1.1.1 port 5060
 max-dn 10
 max-pool 10
 authenticate register
 voicemail 150
!
voice register dn  1
 number 400
!
voice register pool  1
 id mac 0000.0000.0400
 number 1 dn 1
 username 400 password 1234PW
 codec g711ulaw


access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 118 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 118 permit ip host 1.1.1.1 192.168.12.0 0.0.0.255


In terms of my NAT (as one way voice can often be caused by it) this is what I have. (not there are more subnets as there are multiple VPN sites)

ip nat inside source list 100 interface FastEthernet0/1 overload

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 deny   ip any any
0
 
mark_06Author Commented:
Looking through the SIP debugs it looks as if it's sending the packets over the external WAN rather than through the VPN tunnel.
0
 
mark_06Author Commented:
Technically correct. As all the research I have done supports this. However I am still having some funny issues.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now