Solved

How to setup VOIP on site to site VPN

Posted on 2014-04-27
Last Modified: 2014-06-03
I am trying to enable VOIP (NEC SIP port 5060) on an existing site to site VPN in our branch office.

The branch office uses a Cisco 1900 router, which connects with the main office with a Cisco ASA 5500 FW.

I can manage to log in to the VOIP phone and ring other colleagues from the branch and listen to voicemail, but we can't hear each other. How do I enable the VOIP traffic on the router and ASA? Should I enable SIP, TCP or UDP traffic? How? Thanks


Here is the extracted config on the Cisco 1900:

crypto map OCA_VPN_BRANCH 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set ESP-3DES-MD5
 match address 100

ip nat inside source list ACL-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.188.0.0 255.255.0.0 *.*.*.*
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
 permit ip any any
ip access-list extended INTERNET_PROTECT
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host *.*.*.* host *.*.*.*
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 11 permit 192.168.11.246
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!

-----------------

Also, here is the extracted config on the ASA:

access-list Internal_to_Switches_access_in extended permit ip any any
access-list Internal_to_Switches_access_in_1 extended permit ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_to_Switches_nat0_outbound extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (Internal_to_Switches) 0 access-list Internal_to_Switches_nat0_outbound
nat (Internal_to_Switches) 1 10.188.0.0 255.255.0.0
access-group Internal_to_Switches_access_in_1 in interface Internal_to_Switches control-plane
access-group Internal_to_Switches_access_in in interface Internal_to_Switches
access-group Outside_access_in in interface Outside
0
Question by:tonitoni99
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40027289
On the ASA (assuming you have the default inspection setup)

Run the following


policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny


Any Better?

If not (strangely) try it with 'no inspect sip'

PL
0
 

Author Comment

by:tonitoni99
ID: 40028688
Tried with 'no inspect sip', doesn't work.

The following is the current setting.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028972
On the ASA, do you have the command: sysopt connection permit-vpn in place?
0

Author Comment

by:tonitoni99
ID: 40031206
Hi Ernie,

I don't have sysopt connection permit-vpn in place. What is it used for? Thanks
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 40031366
If this command is in place, the ASA allows VPN traffic regardless of any ACLs.
From the top of my head: when a call is set up, the voice data (RTP) is going through a randomly selected UDP port within a certain range. For example: Asterisk uses UDP range 10000-20000 by default.

My guess would be that this is blocked somewhere along the way.

You could check the (ASDM) logs to see if any ports get blocked when you try to initiate a call.
0
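One way to run the log check suggested in the accepted answer, as an added example that is not part of the original thread: it scans ASA deny messages (syslog 106023) for UDP packets between the two VPN subnets from the posted config that land in an assumed media port range, grouped by phone pair and access-group. The 10000-20000 range, the host addresses, the sample log lines and the helper name `blocked_media` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets from the crypto ACLs posted in the question.
BRANCH = ipaddress.ip_network("192.168.0.0/16")
MAIN = ipaddress.ip_network("10.188.0.0/16")
# Assumption: media range; 10000-20000 is the Asterisk default cited in the answer.
RTP_PORTS = range(10000, 20001)

# ASA syslog 106023: packet denied by an access-group.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def blocked_media(lines):
    """Map (src, dst, access-group) -> sorted denied UDP ports in the media range."""
    hits = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["proto"].lower() != "udp":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        inter_site = (src in BRANCH and dst in MAIN) or (src in MAIN and dst in BRANCH)
        if inter_site and int(m["dport"]) in RTP_PORTS:
            hits[(str(src), str(dst), m["acl"])].add(int(m["dport"]))
    return {pair: sorted(ports) for pair, ports in hits.items()}

# Constructed sample lines; hosts, ports and timestamps are illustrative only.
SAMPLE = [
    'Apr 28 09:01:02 asa %ASA-4-106023: Deny udp src Outside:192.168.10.50/16384 '
    'dst Internal_to_Switches:10.188.1.20/12004 by access-group "Outside_access_in" [0x0, 0x0]',
    'Apr 28 09:01:02 asa %ASA-4-106023: Deny udp src Outside:192.168.10.50/16386 '
    'dst Internal_to_Switches:10.188.1.20/12002 by access-group "Outside_access_in" [0x0, 0x0]',
    'Apr 28 09:01:05 asa %ASA-4-106023: Deny tcp src Outside:192.168.10.50/51000 '
    'dst Internal_to_Switches:10.188.1.20/23 by access-group "Outside_access_in" [0x0, 0x0]',
    'Apr 28 09:01:09 asa %ASA-4-106023: Deny udp src Outside:203.0.113.9/40000 '
    'dst Internal_to_Switches:10.188.1.20/15000 by access-group "Outside_access_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for (src, dst, acl), ports in blocked_media(SAMPLE).items():
        print(f"{src} -> {dst} denied by {acl}: UDP {ports[0]}-{ports[-1]}")
```

A host pair that shows up here while SIP signalling on port 5060 succeeds points at an ACL that does not cover that phone's media traffic.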
 
LVL 77

Expert Comment

by:arnold
ID: 40034432
0
 

Author Comment

by:tonitoni99
ID: 40061580
OK now. I actually missed the ACL for the other phone IP address on the main office to talk to each other.
0
