?
Solved

How to setup VOIP on site to site VPN

Posted on 2014-04-27
11
Medium Priority
?
1,524 Views
Last Modified: 2014-06-03
I am trying to enable VOIP (NEC SIP port 5060) on an existing site to site VPN in our branch office.

Branch office uses Cisco 1900 router, that connects with main office with a Cisco ASA 5500 FW.

I can manage to login to the VOIP phone and ring other colleagues from the branch and listen to voicemail, but can't hear each other.  How to enable the VOIP traffic on the router and ASA? Should I enable sip, tcp or udp traffic? How? Thanks


here is the extracted config on the Cisco 1900:

crypto map OCA_VPN_BRANCH 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set ESP-3DES-MD5
 match address 100

ip nat inside source list ACL-NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.188.0.0 255.255.0.0 *.*.*.*
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
 permit ip any any
ip access-list extended INTERNET_PROTECT
 permit ip 10.188.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host *.*.*.* host *.*.*.*
 --More--          permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 443
 deny   ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 11 permit 192.168.11.246
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.188.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!

-----------------

Also, here is the extracted config on the ASA:

access-list Internal_to_Switches_access_in extended permit ip any any
access-list Internal_to_Switches_access_in_1 extended permit ip any any
access-list Outside_access_in extended permit ip any any inactive
access-list Internal_to_Switches_nat0_outbound extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.188.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (Internal_to_Switches) 0 access-list Internal_to_Switches_nat0_outbound
nat (Internal_to_Switches) 1 10.188.0.0 255.255.0.0
access-group Internal_to_Switches_access_in_1 in interface Internal_to_Switches control-plane
access-group Internal_to_Switches_access_in in interface Internal_to_Switches
access-group Outside_access_in in interface Outside
0
Comment
Question by:tonitoni99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40027289
On the ASA (assuming you have the default inspection setup)

Run the following


policy-map global_policy

class inspection_default

  inspect sip

  inspect skinny

Open in new window


Any Better?

If not (strangely) try it with 'no inspect sip'

PL
0
 

Author Comment

by:tonitoni99
ID: 40028688
tried with 'no inspect sip', doesn't work.

The following is the current setting.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40028972
On the ASA, do you have the command: sysopt connection permit-vpn in place?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:tonitoni99
ID: 40031206
Hi Ernie,

I dont' have sysopt connection permit-vpn in place, what it is used for? thanks
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 40031366
If this command is in place, the ASA allows VPN traffic regardless of any ACLs.
From the top of my head: when a call is setup, the voice data (RTP) is going through a random selected UDP port within a certain range. For example: astersik uses UDP range 10000-20000 by default.

My gues would be that this is blocked somewhere along the way.

You could check the (ASDM) logs to see if any ports get blocked when you try to initiate a call.
0
 
LVL 80

Expert Comment

by:arnold
ID: 40034432
0
 

Author Comment

by:tonitoni99
ID: 40061580
ok now. I actually missed ACL for the other phone IP address on the main office to talk to each other.
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Why do some people recommend buying business VoIP from an ISP? What are the benefits to my company? What are the costs?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question