Solved

How to set up VOIP on a site-to-site VPN

Posted on 2014-04-27
Last Modified: 2014-06-03
I am trying to enable VOIP (NEC SIP, port 5060) over an existing site-to-site VPN at our branch office.

The branch office uses a Cisco 1900 router, which connects to the main office through a Cisco ASA 5500 firewall.

I can manage to log in to the VOIP phone, ring other colleagues from the branch and listen to voicemail, but we can't hear each other. How do I enable the VOIP traffic on the router and ASA? Should I enable SIP, TCP or UDP traffic? How? Thanks


Here is the extracted config on the Cisco 1900:

crypto map OCA_VPN_BRANCH 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set ESP-3DES-MD5
 match address 100

ip nat inside source list ACL-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.188.0.0 255.255.0.0 *.*.*.*
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
 permit ip any any
ip access-list extended INTERNET_PROTECT
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host *.*.*.* host *.*.*.*
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 11 permit 192.168.11.246
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!

-----------------

Also, here is the extracted config on the ASA:

access-list Internal_to_Switches_access_in extended permit ip any any
access-list Internal_to_Switches_access_in_1 extended permit ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_to_Switches_nat0_outbound extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (Internal_to_Switches) 0 access-list Internal_to_Switches_nat0_outbound
nat (Internal_to_Switches) 1 10.188.0.0 255.255.0.0
access-group Internal_to_Switches_access_in_1 in interface Internal_to_Switches control-plane
access-group Internal_to_Switches_access_in in interface Internal_to_Switches
access-group Outside_access_in in interface Outside
Question by:tonitoni99
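Before changing inspection on the ASA, it is worth checking which legs of a call the tunnel actually carries. The block below is an added example, not code from this thread: a small Python evaluator for the IOS-style ACLs quoted in the question (access-list 100 and INTERNET_PROTECT). SIP signalling runs phone-to-PBX, but RTP media runs phone-to-phone, so a remote phone whose address is outside the crypto ACL gives exactly the symptom described: the call sets up, nobody hears anything. Assumptions not on the page: INTERNET_PROTECT is applied inbound on Dialer1, the redacted `permit ip host *.*.*.* host *.*.*.*` peer line is omitted, and the phone, PBX and media-port values are made up for illustration.

```python
"""Added example, not code from the original thread: a minimal evaluator for
the IOS-style extended ACLs posted in the question.  For each leg of a
branch-to-main call it checks whether the branch router's crypto ACL selects
the flow for the tunnel (outbound) and whether INTERNET_PROTECT permits the
return flow after decryption.  Assumptions: INTERNET_PROTECT is applied
inbound on Dialer1 (the page does not show where it is applied), and the
phone/PBX addresses and media port used below are made up for illustration."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "sip": 5060, "www": 80, "domain": 53}

# ACL text copied from the question; the masked 'permit ip host *.*.*.* host *.*.*.*'
# line (the IKE/ESP peer rule) is left out because its addresses are redacted.
CRYPTO_ACL_100 = "access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255"
INTERNET_PROTECT = """
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))  # IOS inverse mask
    return ipaddress.IPv4Network((tok[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Turn 'permit/deny PROTO SRC [eq P] DST [eq P]' lines into rule dicts.
    Numbered 'access-list N ...' lines are accepted too.  ICMP type qualifiers
    (echo, echo-reply, traceroute) are not modelled: any ICMP matches an ICMP rule."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "access-list":
            tok = tok[2:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport = None
        if i < len(tok) and tok[i] == "eq":
            sport, i = _port(tok[i + 1]), i + 2
        dst, i = _addr(tok, i)
        dport = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append({"action": tok[0], "proto": tok[1], "src": src,
                      "sport": sport, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


def check_call(branch_phone, pbx, remote_phone, rtp_port=16384):
    """Report, per call leg, whether the flow is tunnelled from the branch and
    whether the reply is permitted back in.  SIP signalling goes phone-to-PBX;
    RTP media goes phone-to-phone, so it can miss the crypto ACL even when
    signalling works, which shows up as a call that connects with no audio."""
    crypto, protect = parse_acl(CRYPTO_ACL_100), parse_acl(INTERNET_PROTECT)
    legs = {
        "sip_signalling": ("udp", branch_phone, 5060, pbx, 5060),
        "rtp_media": ("udp", branch_phone, rtp_port, remote_phone, rtp_port),
    }
    report = {}
    for name, (proto, src, sp, dst, dp) in legs.items():
        report[name] = {
            "tunnelled": evaluate(crypto, proto, src, sp, dst, dp) == "permit",
            "return_permitted": evaluate(protect, proto, dst, dp, src, sp) == "permit",
        }
    return report


if __name__ == "__main__":
    # Assumed addresses: branch phone in 192.168.10.0/24, PBX and phone in 10.188.0.0/16.
    print(check_call("192.168.10.50", "10.188.1.10", "10.188.1.20"))
    # A main-office phone outside the crypto ACL's 10.188.0.0/16 (hypothetical):
    # signalling still works, media is not tunnelled and the reply is dropped.
    print(check_call("192.168.10.50", "10.188.1.10", "10.189.1.20"))
```

Run the same check against the ASA side with the mirror ACL (Outside_1_cryptomap and the nat0 ACL in the question cover the same two /16s), since both ends must agree on the interesting traffic. A flow that falls outside the crypto ACL on the 1900 does not fail loudly: it matches `permit ip any any` in ACL-NAT and leaves via Dialer1 as ordinary NATed Internet traffic, which is why only the media disappears.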
 

Expert Comment

by:Pete Long
ID: 40027289
On the ASA (assuming you have the default inspection setup)

Run the following


policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny


Any Better?

If not (strangely) try it with 'no inspect sip'

PL
 

Author Comment

by:tonitoni99
ID: 40028688
Tried with 'no inspect sip'; it doesn't work.

The following is the current setting.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
 

Expert Comment

by:Ernie Beek
ID: 40028972
On the ASA, do you have the command: sysopt connection permit-vpn in place?

Author Comment

by:tonitoni99
ID: 40031206
Hi Ernie,

I don't have sysopt connection permit-vpn in place; what is it used for? Thanks
 

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 40031366
If this command is in place, the ASA allows VPN traffic regardless of any ACLs.
Off the top of my head: when a call is set up, the voice data (RTP) goes through a randomly selected UDP port within a certain range. For example, Asterisk uses the UDP range 10000-20000 by default.

My guess would be that this is blocked somewhere along the way.

You could check the (ASDM) logs to see if any ports get blocked when you try to initiate a call.
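One way to act on the advice above (look at the logs for ports that get blocked when a call is placed) is to parse the ASA syslog for the two messages that matter here, %ASA-4-106023 (packet denied by an access-group) and %ASA-6-302015 (UDP connection built), and group them into SIP signalling versus RTP media. The block below is an added example, not part of the thread; the log lines are constructed for illustration using the interface and ACL names from the question's ASA config, and the RTP port range is an assumption that should be set to whatever the PBX really uses.

```python
"""Added example, not from the original thread: a parser for the two ASA
syslog messages to check when a call connects but carries no audio, 106023
(packet denied by an access-group) and 302015 (UDP connection built).  The
log lines are constructed for illustration, using the interface names from
the question's ASA config; the RTP port range is an assumption, set it to
whatever the PBX really uses."""
import re

SIP_PORT = 5060
RTP_PORTS = range(16384, 32768)  # assumed media range; Asterisk's default is 10000-20000

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src [\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
BUILT_RE = re.compile(
    r'%ASA-6-302015: Built (?:inbound|outbound) UDP connection \d+ for '
    r'[\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)')

# Constructed sample: signalling reaches the PBX and media from the main office
# to the branch is built, but branch-to-main media is denied (one-way audio).
SAMPLE_LOG = """
Apr 27 2014 10:15:02 asa %ASA-6-302015: Built inbound UDP connection 4471 for Outside:192.168.10.50/5060 (192.168.10.50/5060) to Internal_to_Switches:10.188.1.10/5060 (10.188.1.10/5060)
Apr 27 2014 10:15:04 asa %ASA-6-302015: Built outbound UDP connection 4472 for Internal_to_Switches:10.188.1.20/16386 (10.188.1.20/16386) to Outside:192.168.10.50/16384 (192.168.10.50/16384)
Apr 27 2014 10:15:04 asa %ASA-4-106023: Deny udp src Outside:192.168.10.50/16384 dst Internal_to_Switches:10.188.1.20/16386 by access-group "Outside_access_in" [0x0, 0x0]
Apr 27 2014 10:15:04 asa %ASA-4-106023: Deny udp src Outside:192.168.10.50/16385 dst Internal_to_Switches:10.188.1.20/16387 by access-group "Outside_access_in" [0x0, 0x0]
Apr 27 2014 10:15:09 asa %ASA-4-106023: Deny tcp src Outside:198.51.100.7/51234 dst Internal_to_Switches:10.188.1.10/23 by access-group "Outside_access_in" [0x0, 0x0]
"""


def parse_asa_log(text):
    """Return one event dict per recognised line; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["outcome"] = "denied"
        else:
            m = BUILT_RE.search(line)
            if not m:
                continue
            ev = m.groupdict()
            ev.update(proto="udp", acl=None, outcome="built")
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events


def classify(ev):
    """sip: 5060 on either end; rtp: UDP with either port in the media range."""
    ports = (ev["sport"], ev["dport"])
    if SIP_PORT in ports and ev["proto"] in ("udp", "tcp"):
        return "sip"
    if ev["proto"] == "udp" and any(p in RTP_PORTS for p in ports):
        return "rtp"
    return "other"


def summarize(text):
    """Count built/denied events per class and list the denied media flows,
    the pattern behind one-way audio: signalling gets through, RTP is blocked."""
    counts = {c: {"built": 0, "denied": 0} for c in ("sip", "rtp", "other")}
    denied_rtp = []
    for ev in parse_asa_log(text):
        cls = classify(ev)
        counts[cls][ev["outcome"]] += 1
        if cls == "rtp" and ev["outcome"] == "denied":
            denied_rtp.append((ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["acl"]))
    return counts, denied_rtp


if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_LOG)
    print(counts)
    for flow in denied:
        print("denied media:", flow)
```

A denied RTP flow from the tunnel side names the access-group that dropped it, which tells you whether to fix the interface ACL or add `sysopt connection permit-vpn` so decrypted traffic bypasses it. If media is never built in either direction and nothing is denied on the ASA, the packets are not arriving through the tunnel at all and the crypto ACLs are the next thing to check.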
 

Expert Comment

by:arnold
ID: 40034432
 

Author Comment

by:tonitoni99
ID: 40061580
OK now. I had actually missed the ACL for the other phone's IP address at the main office, which is needed for them to talk to each other.