How to set up VoIP on a site-to-site VPN

I am trying to enable VoIP (NEC SIP, port 5060) on an existing site-to-site VPN in our branch office.

The branch office uses a Cisco 1900 router that connects to the main office, which has a Cisco ASA 5500 firewall.

I can manage to log in to the VoIP phone and ring other colleagues from the branch and listen to voicemail, but we can't hear each other. How do I enable the VoIP traffic on the router and ASA? Should I enable SIP, TCP or UDP traffic? How? Thanks


Here is the extracted config from the Cisco 1900:

crypto map OCA_VPN_BRANCH 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set ESP-3DES-MD5
 match address 100

ip nat inside source list ACL-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.188.0.0 255.255.0.0 *.*.*.*
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
 permit ip any any
ip access-list extended INTERNET_PROTECT
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host *.*.*.* host *.*.*.*
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 11 permit 192.168.11.246
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!

-----------------

Also, here is the extracted config from the ASA:

access-list Internal_to_Switches_access_in extended permit ip any any
access-list Internal_to_Switches_access_in_1 extended permit ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_to_Switches_nat0_outbound extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (Internal_to_Switches) 0 access-list Internal_to_Switches_nat0_outbound
nat (Internal_to_Switches) 1 10.188.0.0 255.255.0.0
access-group Internal_to_Switches_access_in_1 in interface Internal_to_Switches control-plane
access-group Internal_to_Switches_access_in in interface Internal_to_Switches
access-group Outside_access_in in interface Outside
tonitoni99 (Author) asked.

Ernie Beek (Expert) commented:
If this command is in place, the ASA allows VPN traffic regardless of any ACLs.
From the top of my head: when a call is set up, the voice data (RTP) goes through a randomly selected UDP port within a certain range. For example, Asterisk uses the UDP range 10000-20000 by default.

My guess would be that this is blocked somewhere along the way.

You could check the (ASDM) logs to see if any ports get blocked when you try to initiate a call.

Pete Long (Technical Consultant) commented:
On the ASA (assuming you have the default inspection setup)

Run the following


policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny


Any Better?

If not (strangely) try it with 'no inspect sip'

PL

tonitoni99 (Author) commented:
tried with 'no inspect sip', doesn't work.

The following is the current setting.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
Ernie Beek (Expert) commented:
On the ASA, do you have the command: sysopt connection permit-vpn in place?

tonitoni99 (Author) commented:
Hi Ernie,

I don't have sysopt connection permit-vpn in place. What is it used for? Thanks

tonitoni99 (Author) commented:
OK now. I had actually missed the ACL for the other phone's IP address at the main office, which the phones need to talk to each other.
Question has a verified solution.
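As an added example, not code from this thread, from Cisco or from NEC, the script below makes Ernie's point about RTP concrete and also shows why the final fix (an ACL entry covering the other phone's address, not only the PBX) was needed. It parses the SDP body of a constructed INVITE / 200 OK pair to find the IP and UDP port each side advertises for media, then evaluates the resulting RTP and RTCP flows against Cisco-style extended ACL entries with wildcard masks. The addresses (branch phone 192.168.11.50, PBX 10.188.1.10, main-office phone 10.188.5.20), the ports and the SIP messages are all assumed for the example and are not from the poster's network; ACL evaluation is modelled as one filtering ACL applied to the path in both directions, which is a simplification of how a crypto ACL or interface ACL is actually consulted.

```python
"""Why 'allow SIP on 5060' is not enough for audio (added example).
SIP signalling runs phone <-> PBX, but the RTP media carrying the audio goes
to whatever IP/port each side advertised in its SDP body, usually phone <-> phone.
All addresses, ports and messages below are constructed for the example."""
import ipaddress
import re

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "sip": 5060, "www": 80}
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*)$")


def parse_sdp_media(sip_message):
    """Return media endpoints from a SIP message's SDP body as dicts with
    ip, rtp and rtcp (RTCP assumed to be RTP port + 1, the usual default)."""
    body = sip_message.split("\r\n\r\n", 1)[-1]   # body follows the blank line
    session_ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:                 # media-level c= overrides the session-level one
                media[-1]["ip"] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            if int(port):             # port 0 means the stream was rejected
                media.append({"kind": kind, "proto": proto, "ip": session_ip,
                              "rtp": int(port), "rtcp": int(port) + 1})
    return media


def _take_addr(tokens):
    """Pop 'any' | 'host A' | 'A WILDCARD' and return (network, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _take_port(tokens):
    """Pop an optional 'eq <port>' qualifier; other operators are not modelled."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else NAMED_PORTS[p]
    return None


def parse_acl(text):
    """Parse extended-ACL lines such as 'permit udp any eq bootps any eq bootpc'.
    Trailing qualifiers (ICMP types, 'log') are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _matches(addr, spec):
    net, wild = spec                  # wildcard bit set = don't care
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def acl_permits(aces, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for action, aproto, asrc, asport, adst, adport in aces:
        if aproto not in ("ip", proto):
            continue
        if not (_matches(src, asrc) and _matches(dst, adst)):
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action == "permit"
    return False


def media_flows(offer, answer):
    """RTP/RTCP 5-tuples implied by an SDP offer/answer pair, both directions."""
    a, b = parse_sdp_media(offer)[0], parse_sdp_media(answer)[0]
    return {"rtp a->b": ("udp", a["ip"], a["rtp"], b["ip"], b["rtp"]),
            "rtp b->a": ("udp", b["ip"], b["rtp"], a["ip"], a["rtp"]),
            "rtcp a->b": ("udp", a["ip"], a["rtcp"], b["ip"], b["rtcp"]),
            "rtcp b->a": ("udp", b["ip"], b["rtcp"], a["ip"], a["rtcp"])}


def check_call(acl_text, offer, answer):
    aces = parse_acl(acl_text)
    return {n: acl_permits(aces, *f) for n, f in media_flows(offer, answer).items()}


# Constructed sample: branch phone 192.168.11.50 calls through the PBX 10.188.1.10;
# the answering main-office phone 10.188.5.20 puts its own address in the 200 OK SDP.
INVITE = ("INVITE sip:2001@10.188.1.10 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.11.50:5060;branch=z9hG4bK-1\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=- 1 1 IN IP4 192.168.11.50\r\ns=-\r\n"
          "c=IN IP4 192.168.11.50\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\n")
OK200 = ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
         "v=0\r\no=- 2 2 IN IP4 10.188.5.20\r\ns=-\r\n"
         "c=IN IP4 10.188.5.20\r\nt=0 0\r\nm=audio 20002 RTP/AVP 0\r\n")
# Only the signalling peers are allowed: calls set up, but the audio never flows.
SIGNALLING_ONLY_ACL = ("permit ip host 192.168.11.50 host 10.188.1.10\n"
                       "permit ip host 10.188.1.10 host 192.168.11.50\n")
# Whole site prefixes, like the poster's access-list 100 and its mirror on the ASA.
SITE_TO_SITE_ACL = ("permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255\n"
                    "permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255\n")

if __name__ == "__main__":
    for name, acl in (("signalling-only", SIGNALLING_ONLY_ACL), ("site-to-site", SITE_TO_SITE_ACL)):
        print(name, check_call(acl, INVITE, OK200))
```

With the signalling-only ACL the INVITE to the PBX on 5060 is permitted, yet every media flow is denied, which is exactly the "calls connect but nobody hears anything" symptom in the question; the /16-to-/16 entries pass them all. Wide `permit ip` entries such as access-list 100 cover the dynamic RTP ports by construction, but anything narrower on the path (a host-specific entry, or an interface ACL on the ASA when `sysopt connection permit-vpn` is absent) has to cover both phones' addresses and the whole RTP port range, or rely on `inspect sip` to open the media pinholes.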