Solved

How to set up VOIP on a site-to-site VPN

Posted on 2014-04-27
11
1,313 Views
Last Modified: 2014-06-03
I am trying to enable VOIP (NEC SIP port 5060) on an existing site-to-site VPN in our branch office.

The branch office uses a Cisco 1900 router that connects with the main office, which has a Cisco ASA 5500 FW.

I can manage to log in to the VOIP phone, ring other colleagues from the branch and listen to voicemail, but we can't hear each other. How do I enable the VOIP traffic on the router and ASA? Should I enable sip, tcp or udp traffic? How? Thanks


Here is the extracted config on the Cisco 1900:

crypto map OCA_VPN_BRANCH 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set ESP-3DES-MD5
 match address 100

ip nat inside source list ACL-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.188.0.0 255.255.0.0 *.*.*.*
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
 permit ip any any
ip access-list extended INTERNET_PROTECT
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host *.*.*.* host *.*.*.*
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 11 permit 192.168.11.246
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!

-----------------

Also, here is the extracted config on the ASA:

access-list Internal_to_Switches_access_in extended permit ip any any
access-list Internal_to_Switches_access_in_1 extended permit ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_to_Switches_nat0_outbound extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (Internal_to_Switches) 0 access-list Internal_to_Switches_nat0_outbound
nat (Internal_to_Switches) 1 10.188.0.0 255.255.0.0
access-group Internal_to_Switches_access_in_1 in interface Internal_to_Switches control-plane
access-group Internal_to_Switches_access_in in interface Internal_to_Switches
access-group Outside_access_in in interface Outside
Question by:tonitoni99
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
On the ASA (assuming you have the default inspection setup)

Run the following


policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny


Any Better?

If not (strangely) try it with 'no inspect sip'

PL
0
 

Author Comment

by:tonitoni99
Tried with 'no inspect sip'; it doesn't work.

The following is the current setting.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
0
 
LVL 35

Expert Comment

by:Ernie Beek
On the ASA, do you have the command: sysopt connection permit-vpn in place?
0
 

Author Comment

by:tonitoni99
Hi Ernie,

I don't have sysopt connection permit-vpn in place; what is it used for? Thanks
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
If this command is in place, the ASA allows VPN traffic regardless of any ACLs.
From the top of my head: when a call is set up, the voice data (RTP) goes through a randomly selected UDP port within a certain range. For example, Asterisk uses the UDP range 10000-20000 by default.

My guess would be that this is blocked somewhere along the way.

You could check the (ASDM) logs to see if any ports get blocked when you try to initiate a call.
0
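Following up on the suggestion above to check the ASDM/syslog output for blocked ports, here is an added example (not from the thread or from Cisco) in Python that parses ASA 106023 ACL-deny messages and flags any that touch SIP port 5060 or a UDP port in the 10000-20000 RTP range, then counts them per access-group so you can see which ACL needs the hole. The sample log lines and the RTP port range are constructed assumptions; the 106023 message layout is the one the ASA actually emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines, not taken from the original thread; the
# %ASA-4-106023 text follows the format the ASA uses for ACL denies.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src Outside:192.168.11.246/16004 dst Internal_to_Switches:10.188.1.20/14230 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src Outside:192.168.11.246/16005 dst Internal_to_Switches:10.188.1.20/14231 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src Outside:203.0.113.9/51544 dst Internal_to_Switches:10.188.1.5/22 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 4411 for Outside:192.168.11.246/5060 (192.168.11.246/5060) to Internal_to_Switches:10.188.1.20/5060 (10.188.1.20/5060)
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

SIP_PORT = 5060
RTP_RANGE = (10000, 20000)  # Asterisk default (assumption); set to your PBX's media range

def classify(proto, sport, dport):
    """Return 'sip', 'rtp' or None for a denied flow based on protocol and ports."""
    if SIP_PORT in (sport, dport):
        return "sip"
    lo, hi = RTP_RANGE
    if proto == "udp" and (lo <= sport <= hi or lo <= dport <= hi):
        return "rtp"
    return None

def find_voice_denies(log_text):
    """Extract 106023 denies that look like SIP signalling or RTP media; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        kind = classify(m["proto"], int(m["sport"]), int(m["dport"]))
        if kind:
            hits.append({"kind": kind, "acl": m["acl"], "src": m["src"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return hits

def summarize(hits):
    """Count denies per (access-group, traffic kind) so the ACL to fix stands out."""
    return Counter((h["acl"], h["kind"]) for h in hits)

if __name__ == "__main__":
    for (acl, kind), n in summarize(find_voice_denies(SAMPLE_LOG)).items():
        print(f'{n} {kind} flows denied by access-group "{acl}"')
```

Feed it the output of `show logging` or a syslog export taken while placing a test call; with no hits, the one-way audio is being dropped somewhere other than an ASA ACL.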
 
LVL 76

Expert Comment

by:arnold
0
 

Author Comment

by:tonitoni99
OK now. I actually missed the ACL for the other phone IP address on the main office for them to talk to each other.
0
