ASA 5510 Site to Site for VoIP

I am having issues with a site to site setup.

I have a Voip Server at site 1 in subnet 10.0.0.1/24 that is working just fine.

I have added a new site and I need to setup a site to site for routing VoIP traffic from Site 2 to the Site 1 VoIP Subnet.

I have been building the VPN via ASDM so I would prefer to keep it in that setup
Main-Office.txt
site2.txt
cyexx Asked:
anoopkmr Commented:
From the config I understand that the VoIP subnet is vlan 33 and the interface is in shutdown state; correct me if I am wrong.

Also, any special reason for putting that vlan interface in shutdown?

From your question the VoIP server IP is 10.0.0.1/24, but I can see the same IP is assigned to vlan 33 ... is it a typo?

I can also see the route below to 10.0.0.0/24 via another interface .. why?


route PUBEDGE_NET 10.0.0.0 255.255.255.0 10.0.1.2

__________________________________________________________________________________________

Now on to the Main site config.

From your Main site ASA config "name 10.0.0.254 site1--PBX description site1--PBX" .. so I assume this is the VoIP server.

Please add the following commands at Main Site 2:

no route PUBEDGE_NET 10.0.0.0 255.255.255.0 10.0.1.2  <<<< because it's the local subnet for vlan 33

name 10.0.0.254 site1-PBX description site1--PBX
no nat (Management,ComcastEDI) source static site1--PBX site1--PBX destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24
sysopt connection permit-vpn
crypto isakmp nat-traversal 60
nat (VoIPNet,ComcastEDI) source static site1-PBX site1-PBX destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24

--------------------------------------------------

If it's still not working, please show the output of:
show crypto ipsec sa peer 72.x.x.
Libipappachen Commented:
Hi,

     First things first: back up all the configurations.

In the ASA, put the VoIP IP subnet in your existing VPN access-list that is already working with site 2.

And in the site 2 router, put a static route for the VoIP IP subnet pointing to your VPN tunnel endpoint IP.

I assume all other routing is done properly.

Let me know if any help is needed.

BR,
Libi
cyexx Author Commented:
Looks like the config scrub junked it up a bit.

The VoIP server is 10.0.0.254 in the main site on vlan 33.

I set up the remote office in a 192.168.x.x subnet in order to not deal with a subnet conflict.

I need to be able to route the VoIP phones at the remote office back to the main office, since the main office holds the Asterisk server and our PRI backend.

The interface is up, so the "no" from "no shutdown" probably got nuked off the config.
anoopkmr Commented:
Try the following and then connect:

name 10.0.0.254 site1-PBX description site1--PBX
no nat (Management,ComcastEDI) source static site1--PBX site1--PBX destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24
sysopt connection permit-vpn
crypto isakmp nat-traversal 60
nat (VoIPNet,ComcastEDI) source static site1-PBX site1-PBX destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24
cyexx Author Commented:
OK, still not working properly.

I have attached the configs with only the passwords removed.

Now the IP address of the phone system is 10.0.0.254.

It is an Asterisk phone system, so we have the phone system ready for the translation; it is just the ASA units that are not building a VPN tunnel.
Duluth-ASA.txt
Main-Office-asa.txt
cyexx Author Commented:
Main Site - ASA 5510 - 8.3(1) - ASDM 6.3(1)

Remote Site - ASA 5510 - 9.1(1) - ASDM 7.1(1)
cyexx Author Commented:
5|Sep 13 2013|22:24:23|713904|||||IP = 199.227.88.5, Received encrypted packet with no matching SA, dropping
4|Sep 13 2013|22:24:23|113019|||||Group = 199.227.88.5, Username = 199.227.88.5, IP = 199.227.88.5, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Sep 13 2013|22:24:23|713259|||||Group = 199.227.88.5, IP = 199.227.88.5, Session is being torn down. Reason: Phase 2 Mismatch
3|Sep 13 2013|22:24:23|713902|||||Group = 199.227.88.5, IP = 199.227.88.5, Removing peer from correlator table failed, no match!
3|Sep 13 2013|22:24:23|713902|||||Group = 199.227.88.5, IP = 199.227.88.5, QM FSM error (P2 struct &0xaf89b4a0, mess id 0xca0a4f3)!
5|Sep 13 2013|22:24:23|713904|||||Group = 199.227.88.5, IP = 199.227.88.5, All IPSec SA proposals found unacceptable!
5|Sep 13 2013|22:24:23|713119|||||Group = 199.227.88.5, IP = 199.227.88.5, PHASE 1 COMPLETED
6|Sep 13 2013|22:24:23|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 199.227.88.5
6|Sep 13 2013|22:24:23|302021|199.227.88.5|0|NPES-PBX|0|Teardown ICMP connection for faddr 199.227.88.5/0 gaddr PUB-npes-pbx/0 laddr NPES-PBX/0
cyexx Author Commented:
Dump from Duluth Site ASA

5|Sep 13 2013|23:33:53|750001|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.10.74-192.168.10.74 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.0.0.254-10.0.0.254 Protocol: 0 Port Range: 0-65535
4|Sep 13 2013|23:33:51|113019|||||Group = 50.201.184.70, Username = 50.201.184.70, IP = 20.200.108.174, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 13 2013|23:33:51|713259|||||Group = 50.201.184.70, IP = 50.201.184.70, Session is being torn down. Reason: User Requested
3|Sep 13 2013|23:33:51|713902|||||Group = 50.201.184.70, IP = 50.201.184.70, Removing peer from correlator table failed, no match!
5|Sep 13 2013|23:33:51|713050|||||Group = 50.201.184.70, IP = 50.201.184.70, Connection terminated for peer 50.201.184.70.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
5|Sep 13 2013|23:33:51|713068|||||Group = 50.201.184.70, IP = 50.201.184.70, Received non-routine Notify message: No proposal chosen (14)
5|Sep 13 2013|23:33:51|713119|||||Group = 50.201.184.70, IP = 50.201.184.70, PHASE 1 COMPLETED
6|Sep 13 2013|23:33:51|113009|||||AAA retrieved default group policy (GroupPolicy_50.201.184.70) for user = 50.201.184.70
5|Sep 13 2013|23:33:51|713041|||||IP = 50.201.184.70, IKE Initiator: New Phase 1, Intf Lan, IKE Peer 50.201.184.70  local Proxy Address 192.168.10.0, remote Proxy Address 10.0.0.0,  Crypto map (TWTelecomEDI_map)
4|Sep 13 2013|23:33:51|750003|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:50.201.184.70 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
5|Sep 13 2013|23:31:50|750001|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.10.74-192.168.10.74 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.0.0.254-10.0.0.254 Protocol: 0 Port Range: 0-65535
4|Sep 13 2013|23:31:49|113019|||||Group = 50.201.184.70, Username = 50.201.184.70, IP = 20.200.108.174, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 13 2013|23:31:49|713259|||||Group = 50.201.184.70, IP = 50.201.184.70, Session is being torn down. Reason: User Requested
3|Sep 13 2013|23:31:49|713902|||||Group = 50.201.184.70, IP = 50.201.184.70, Removing peer from correlator table failed, no match!
5|Sep 13 2013|23:31:49|713050|||||Group = 50.201.184.70, IP = 50.201.184.70, Connection terminated for peer 50.201.184.70.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
5|Sep 13 2013|23:31:49|713068|||||Group = 50.201.184.70, IP = 50.201.184.70, Received non-routine Notify message: No proposal chosen (14)
5|Sep 13 2013|23:31:49|713119|||||Group = 50.201.184.70, IP = 50.201.184.70, PHASE 1 COMPLETED
6|Sep 13 2013|23:31:49|113009|||||AAA retrieved default group policy (GroupPolicy_50.201.184.70) for user = 50.201.184.70
5|Sep 13 2013|23:31:49|713041|||||IP = 50.201.184.70, IKE Initiator: New Phase 1, Intf Lan, IKE Peer 50.201.184.70  local Proxy Address 192.168.10.0, remote Proxy Address 10.0.0.0,  Crypto map (TWTelecomEDI_map)
4|Sep 13 2013|23:31:49|750003|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:50.201.184.70 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
5|Sep 13 2013|23:29:46|750001|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.10.74-192.168.10.74 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.0.0.254-10.0.0.254 Protocol: 0 Port Range: 0-65535
4|Sep 13 2013|23:29:42|113019|||||Group = 50.201.184.70, Username = 50.201.184.70, IP = 20.200.108.174, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 13 2013|23:29:42|713259|||||Group = 50.201.184.70, IP = 50.201.184.70, Session is being torn down. Reason: User Requested
3|Sep 13 2013|23:29:42|713902|||||Group = 50.201.184.70, IP = 50.201.184.70, Removing peer from correlator table failed, no match!
5|Sep 13 2013|23:29:42|713050|||||Group = 50.201.184.70, IP = 50.201.184.70, Connection terminated for peer 50.201.184.70.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
5|Sep 13 2013|23:29:42|713068|||||Group = 50.201.184.70, IP = 50.201.184.70, Received non-routine Notify message: No proposal chosen (14)
5|Sep 13 2013|23:29:42|713119|||||Group = 50.201.184.70, IP = 50.201.184.70, PHASE 1 COMPLETED
6|Sep 13 2013|23:29:42|113009|||||AAA retrieved default group policy (GroupPolicy_50.201.184.70) for user = 50.201.184.70
5|Sep 13 2013|23:29:42|713041|||||IP = 50.201.184.70, IKE Initiator: New Phase 1, Intf Lan, IKE Peer 50.201.184.70  local Proxy Address 192.168.10.0, remote Proxy Address 10.0.0.0,  Crypto map (TWTelecomEDI_map)
4|Sep 13 2013|23:29:42|750003|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:50.201.184.70 Negotiation aborted due to ERROR: Maximum number of retransmissions reached
cyexx Author Commented:
OK, I got the tunnel to build: one side had PFS and the other did not. But I am not getting the traffic to route.
cyexx Author Commented:
5      Sep 14 2013      00:08:40      305013      NPES-PBX      5060                  Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src ComcastEDI:192.168.10.74/50382 dst PUBEDGE_NET:NPES-PBX/5060 denied due to NAT reverse path failure
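The log excerpts in the comments above show the three failure modes this thread walks through: Phase 1 completes and then Phase 2 is rejected ("All IPSec SA proposals found unacceptable", "Phase 2 Mismatch", "No proposal chosen (14)"), the 750003 retransmit timeout, and, once the tunnel is up, the 305013 "NAT reverse path failure" caused by asymmetric NAT rules. As an added example that is not part of the original thread and not a Cisco tool, here is a small Python triage script that classifies such lines by ASA message ID and spells out the check each combination calls for. The category mapping and the remedy wording are my own; the sample lines in SAMPLE_LOG are constructed from the ones quoted in the thread and are not a full capture.

```python
"""Triage ASA syslog lines from a failing LAN-to-LAN IPsec tunnel.

Added example, not code from the thread or from Cisco. It maps the ASA
message IDs quoted in the thread to a category and turns the mix into
concrete checks: Phase 1 up but Phase 2 rejected, IKE retransmit timeout,
or a 305013 NAT reverse-path failure. Accepts both ASDM export layouts
seen in the thread (pipe- and tab-delimited). SAMPLE_LOG is constructed
from lines quoted in the thread and is not a full capture.
"""
import re
from collections import Counter

# ASA syslog message ID -> (category, meaning); the IDs are real ASA IDs.
MSG_IDS = {
    "713119": ("phase1_ok", "PHASE 1 COMPLETED"),
    "713904": ("phase2_fail", "IPsec SA proposals unacceptable / no matching SA"),
    "713068": ("phase2_fail", "peer sent Notify: No proposal chosen (14)"),
    "113019": ("teardown", "session disconnected; carries a Reason:"),
    "750001": ("trigger", "a local flow requested the tunnel (traffic selectors)"),
    "750003": ("retransmit", "negotiation aborted: maximum retransmissions"),
    "305013": ("nat_rpf", "asymmetric NAT rules / NAT reverse path failure"),
}

# severity, date, time, six-digit ID, rest; fields split on '|' or whitespace
_LINE_RE = re.compile(
    r"^\s*(?P<sev>[0-7])[|\t ]+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})[|\t ]+"
    r"(?P<time>\d{2}:\d{2}:\d{2})[|\t ]+(?P<id>\d{6})[|\t ]+(?P<rest>.*)$")
_REASON_RE = re.compile(r"Reason: ([^,]+?)\s*$")
_TRIGGER_RE = re.compile(r"local traffic selector = Address Range: (\S+)-\S+.*?"
                         r"remote traffic selector = Address Range: (\S+)-\S+")
_RPF_RE = re.compile(r"Connection for (\w+) src (\S+?):(\S+) dst (\S+?):(\S+)")

# Constructed from the lines quoted in the thread (main site, then remote site).
SAMPLE_LOG = """\
5|Sep 13 2013|22:24:23|713119|||||Group = 199.227.88.5, IP = 199.227.88.5, PHASE 1 COMPLETED
5|Sep 13 2013|22:24:23|713904|||||Group = 199.227.88.5, IP = 199.227.88.5, All IPSec SA proposals found unacceptable!
4|Sep 13 2013|22:24:23|113019|||||Group = 199.227.88.5, Username = 199.227.88.5, IP = 199.227.88.5, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Sep 13 2013|23:33:53|750001|||||Local:199.227.88.5:500 Remote:50.201.184.70:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.10.74-192.168.10.74 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.0.0.254-10.0.0.254 Protocol: 0 Port Range: 0-65535
5\tSep 14 2013\t00:08:40\t305013\tNPES-PBX\t5060\tAsymmetric NAT rules matched for forward and reverse flows; Connection for udp src ComcastEDI:192.168.10.74/50382 dst PUBEDGE_NET:NPES-PBX/5060 denied due to NAT reverse path failure
"""


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    category, meaning = MSG_IDS.get(m["id"], ("other", "not classified here"))
    return {"id": m["id"], "time": m["time"], "category": category,
            "meaning": meaning, "text": m["rest"].strip()}


def triage(lines):
    """Classify lines and derive findings; returns counts, triggers, findings."""
    records = [r for r in map(parse_line, lines) if r]
    counts = Counter(r["category"] for r in records)
    findings, triggers = [], []
    for r in records:
        if r["category"] == "nat_rpf":
            m = _RPF_RE.search(r["text"])
            if m:
                proto, src_if, src, dst_if, dst = m.groups()
                dst = dst.split("/")[0]  # drop the port
                findings.append(
                    f"305013 NAT reverse-path failure, {proto} {src_if}:{src} -> {dst_if}:{dst}: "
                    f"the identity (NAT-exempt) rule for {dst} must be on the interface pair "
                    f"({dst_if},{src_if}), the one the ASA actually routes {dst} through")
        elif r["category"] == "trigger":
            m = _TRIGGER_RE.search(r["text"])
            if m:
                triggers.append((m.group(1), m.group(2)))  # (local host, remote host)
        elif r["category"] == "teardown":
            m = _REASON_RE.search(r["text"])
            if m and "Phase 2" in m.group(1):
                counts["phase2_fail"] += 1  # "Reason: Phase 2 Mismatch" counts as evidence
    if counts["phase1_ok"] and counts["phase2_fail"]:
        findings.append(
            "Phase 1 completes but Phase 2 is rejected: the IPsec transform set, PFS "
            "(on/off and DH group) and the crypto ACL proxy IDs must match on both peers, "
            "and the crypto ACLs should be mirror images of each other")
    if counts["retransmit"]:
        findings.append(
            "750003 retransmit limit reached: the peer never answered IKE on UDP/500 "
            "(UDP/4500 with NAT-T); check reachability and that the peer has a "
            "tunnel-group for this address")
    return {"counts": dict(counts), "triggers": triggers, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines())["findings"]:
        print("-", finding)
```

Feed it `show logging` output or an ASDM export. A Phase 2 finding means the two peers disagree on transform set, PFS or crypto ACL (in this thread it turned out to be PFS enabled on one side only); a 305013 finding names the interface pair the identity NAT has to be written on, which is what the `(VoIPNet,ComcastEDI)` versus `(PUBEDGE_NET,ComcastEDI)` back-and-forth below is about: the pair must agree with where the ASA's routing table actually sends the destination, or the forward and reverse flows match different NAT rules and the connection is dropped.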
anoopkmr Commented:
Try the connectivity after adding the commands below on the ASA 8.3 (MAIN SITE):

object-group network DM_INLINE_NETWORK_19
 network-object 10.0.0.0 255.255.255.0
no group-object VoIPNet

no nat (VoIPNet,ComcastEDI) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24


nat (PUBEDGE_NET,ComcastEDI) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24
cyexx Author Commented:
The commands have bad syntax.

I have also attached the new configs after fixing the RSA and PFS
Duluth-ASA-v3.txt
Main-Office-asa-v3.txt
anoopkmr Commented:
Let me know the syntax error details..


Also try changing the security level of the interface below to 50:
interface Ethernet0/2
 description PUBEDGE_NET
 nameif PUBEDGE_NET
 security-level 0
 ip address 10.0.1.1 255.255.255.0


and also add the commands below:

no nat (VoIPNet,ComcastEDI) source static any any destination static Duluth-LAN Duluth-LAN
no nat (VoIPNet,ComcastEDI) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Duluth-LAN Duluth-LAN
nat (PUBEDGE_NET,ComcastEDI) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Duluth-LAN Duluth-LAN
cyexx Author Commented:
no nat (VoIPNet,ComcastEDI) source static any any destination static Duluth-LAN Duluth-LAN

ERROR: % Unrecognized command
anoopkmr Commented:
You have to try those commands on ASA 8.3
cyexx Author Commented:
That was on the 8.3, via SSH into the 8.3 unit.
cyexx Author Commented:
OK, I have disabled the 2 no nat rules and I have built out the other rule; I have also enabled traffic between two or more interfaces which are configured with the same security levels.

Also, the remote site can ping the outside interface of the main site but cannot ping 10.0.0.1, which is the main ASA, nor can it ping the PBX 10.0.0.254.
Main-Office-asa-v4.txt
cyexx Author Commented:
OK, both sites are showing traffic, but I am still dealing with a NAT rule issue.

I am not able to ping the 10.0.0.2 of the VoIP interface on the main site or anything on that subnet from the remote site.
Duluth-ASA-09.16.2013.txt
Main-ASA-09.16.2013.txt
cyexx Author Commented:
Hello

Anyone out there?


It's still some NAT issue.

5      Sep 21 2013      12:16:40      305013      NPES-PBX                        Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src ComcastEDI:192.168.10.62 dst VoIPNet:NPES-PBX (type 8, code 0) denied due to NAT reverse path failure
cyexx Author Commented:
OK, I have NAT working and I can surf the main office subnet, but the tunnel is dropping the VoIP UDP traffic.
cyexx Author Commented:
show sip

call-id 5007263364283f79197f6b1b7d8fe542@10.0.0.254
    CSeq: UNKNOWN
From: sip:Unknown@10.0.0.254;as226024bf
To: sip:2001@192.168.10.74:5060;
    state Call init, timeout 0:03:00 idle 0:02:38
        Transaction                    State                 Timeout  Idle
        Cseq 102 UNKNOWN               Transaction Unknown   0:03:00  0:02:38

call-id 07a013916451695942c72b0a073fbddf@10.0.0.254
    CSeq: UNKNOWN
From: sip:Unknown@10.0.0.254;as6b19938c
To: sip:2001@192.168.10.74:5060;
    state Call init, timeout 0:03:00 idle 0:00:13
        Transaction                    State                 Timeout  Idle
        Cseq 102 UNKNOWN               Transaction Unknown   0:03:00  0:00:13
cyexx Author Commented:
OK, the phones are set to NAT.

Also, canreinvite is set to no.
cyexx Author Commented:
I figured it out, closing this out.
cyexx Author Commented:
Had to solve it on my own.