Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1495
Views
8
Helpful
4
Replies

Problema con ASA VPN y VoIP

Adrian Caba Gutierrez
Level 1
Level 1

‎07-14-2011 02:03 PM - edited ‎03-11-2019 01:59 PM

Tengo el siguiente escenario:

LAN                                                                                                              LAN

Voice and Data ---------ASA5505---------Internet-----------Cisco2600 CME----------Voice and Data

CME

Hay una VPN configurada entre el ASA5505 y el router Cisco 2600 que esta funcionando correctamente, el problema es que no se puede realizar una llamada desde la red del router 2600 al Call Manager detras del ASA5505, pero si se puede realizar una llamada desde el el Call Manager detras del ASA5505 pero cuando contestan en la red del Cisco2600 se escucha la voz de los que estan detras del ASA pero ellos ni pueden escuchar nada a los que estan detras del Cisco2600. Se que me debe faltar alguna configuración.

La VPN esta confiurada correctamente y funcionando hay ping entre las redes e incluso los telefonos.

Gracias de antemano.

Pongo la configuración de mi ASA5505

ASA Version 8.0(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.60.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 67.XXX.103.194 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list FOR-VPN extended permit ip 10.60.0.0 255.255.255.0 172.16.100.0 255.255.255.0

access-list NONAT extended permit ip 10.60.0.0 255.255.255.0 172.16.100.0 255.255.255.0

access-list 100 extended permit tcp 172.16.100.0 255.255.255.0 10.60.0.0 255.255.255.0 eq 2000

access-list 105 extended permit tcp 192.168.2.0 255.255.255.0 172.16.100.0 255.255.255.0 eq 2000

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 XXX.87.103.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MYTRANS esp-aes-256 esp-sha-hmac

crypto map IPSEC 10 match address FOR-VPN

crypto map IPSEC 10 set pfs group5

crypto map IPSEC 10 set peer 190.XXX.103.195

crypto map IPSEC 10 set transform-set MYTRANS

crypto map IPSEC interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

priority-queue outside

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

class-map Voice-OUT

match access-list 105

class-map Voice-IN

match access-list 100

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

policy-map Voicepolicy

class Voice-IN

class Voice-OUT

  priority

!

service-policy global_policy global

service-policy Voicepolicy interface outside

tunnel-group 190.XXX.103.195 type ipsec-l2l

tunnel-group 190.XXX.103.195 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 30 retry 5

prompt hostname context

Cryptochecksum:8daeee5c7d38a18f0ccd341b24730059

: end

Labels:
0 Helpful
4 Replies 4

Maykol Rojas
Cisco Employee
Cisco Employee

‎07-17-2011 10:05 AM

Saludos Adrian,

Parece que todo esta bien, has visto los logs en el ASA firewall? Que protocolo de Voz estas usando SIP o Skinny? podes hacer un show service-policy y pegarlo aca?

Saludos.

Mike

Mike

Adrian Caba Gutierrez
Level 1
Level 1
In response to Maykol Rojas

‎07-18-2011 07:05 AM

Gracias por la respuesta.

Estoy usando el protocolo skinny, creo que encontre cual es la falla com veras el Router Cisco 2600 es CME y por lo tanto cuando realiza una llamada el telf. IP sale por el CME osea sale con la IP publica con que se conecta al ISP y el trafico interesante para nuestra VPN es entre las redes LAN internas y el CME realiza una llamada con la ip publica y no se logra armar la VPN. Corrigeme si estoy equivocado.

De todas formas aqui esta lo que me solicitas, en los logs no sale nada la VPN esta funcionando solo hay el problema en las llamadas.

ASA-LP# show service-policy

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0

      Inspect: ftp, packet 0, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: netbios, packet 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, drop 0, reset-drop 0

      Inspect: skinny , packet 0, drop 0, reset-drop 0

      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

      Inspect: tftp, packet 0, drop 0, reset-drop 0

      Inspect: sip , packet 0, drop 0, reset-drop 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Interface outside:

  Service-policy: Voicepolicy

    Class-map: Voice

      Priority:

        Interface outside: aggregate drop 0, aggregate transmit 0

    Class-map: Data

      Output police Interface outside:

        cir 200000 bps, bc 37500 bytes

        conformed 0 packets, 0 bytes; actions:  transmit

        exceeded 0 packets, 0 bytes; actions:  drop

        conformed 0 bps, exceed 0 bps

Saludos.

0 Helpful

lusandi
Level 1
Level 1
In response to Adrian Caba Gutierrez

‎07-18-2011 01:36 PM

Adrian,

Podrias agregar la configuracion del 2600?

Ademas si pudieras sacar un sniffer capture del telefono en el cme hacia el cucm podriamos confirmar los SDP packets para ver las direcciones utilizadas para el trafico del audio.

Gracias,

Luis Sandi

.:|:.:|:.

P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.

Adrian Caba Gutierrez
Level 1
Level 1
In response to lusandi

‎07-19-2011 06:50 AM

Coloco la configuracion del router 2600:

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SC

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 20

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 172.16.100.1 172.16.100.10

!

ip dhcp pool HTC_SC

   network 172.16.100.0 255.255.255.0

   option 150 ip 172.16.100.1

   default-router 172.16.100.1

   dns-server 200.58.160.25 200.58.161.25

   lease 7

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

crypto isakmp key ciscohtc address 67.XXX.103.194

!

!

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 67.XXX.103.194

set transform-set MYSET

set pfs group5

match address 101

!

!

!

!

interface FastEthernet0/0

ip address 190.XXX.103.195 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

ip address 172.16.100.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 190.XXX.103.194

!

!

ip http server

no ip http secure-server

ip nat inside source route-map nonat interface FastEthernet0/0 overload

!

access-list 101 permit ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255

access-list 110 deny   ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255

access-list 110 permit ip 172.16.100.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 110

!

!

!

control-plane

!

!

!

!

!

!

tftp-server flash:preahtc2.tcl

tftp-server flash:ivrhtc2.wav

tftp-server flash:preahtc2011.tcl

tftp-server flash:preahtc2011.wav

!

control-plane

!

!

!

voice-port 1/0/0

!

voice-port 1/0/1

!

voice-port 1/1/0

signal groundStart

timeouts ringing 30

description Conexion PSTN

!

voice-port 1/1/1

signal groundStart

!

!

!

!

dial-peer cor custom

!

!

!

dial-peer voice 11 voip

destination-pattern 2..

session target ipv4:XX.103.226.164

ip qos dscp cs5 media

!

dial-peer voice 2001 pots

service preahtc2011

destination-pattern *39.T

port 1/1/0

!

dial-peer voice 100 voip

destination-pattern 1..

! IP del CME detras del ASA 10.60.0.2

session target ipv4:10.60.0.2      

ip qos dscp cs5 media

!

!

num-exp 0 305

!

!

!

telephony-service

load 7960-7940 P00308000400

max-ephones 30

max-dn 150

ip source-address 172.16.100.1 port 2000

max-redirect 20

timeouts interdigit 3

timeouts ringing 120

user-locale ES

network-locale ES

time-format 24

date-format dd-mm-yy

create cnf-files version-stamp Jan 01 2002 00:00:00

max-conferences 8 gain -6

call-forward pattern T

moh final1a.wav

transfer-system full-consult

transfer-pattern T

secondary-dialtone 9

directory last-name-first

!

!

ephone-dn  3  dual-line

number 303

call-forward busy 305

call-forward noan 305 timeout 15

!

!

ephone-dn  4  dual-line

number 304

call-forward busy 305

call-forward noan 305 timeout 15

!

!

ephone-dn  5  dual-line

number 305

call-forward busy 303

call-forward noan 303 timeout 15

!

!

ephone  1

keepalive 200

mac-address A40C.C394.B94F

type 7912

button  1:3

!

!

!

ephone  2

keepalive 200

mac-address 0014.1C2E.4536

type 7940

button  1:5

!

!

!

ephone  3

keepalive 200

mac-address A40C.C394.B9FE

type 7912

button  1:4

!

!

!

line con 0

line aux 0

line vty 0 4

password 7 0727354F6D580A0647

transport input ssh

!

ntp clock-period 17180081

ntp server 200.186.125.195

!

end

Gracias por la ayuda saludos.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card