07-14-2011 02:03 PM - edited 03-11-2019 01:59 PM
I have the following scenario:
LAN (Voice and Data, CME) ---------ASA5505---------Internet-----------Cisco2600 CME----------LAN (Voice and Data)
There is a VPN configured between the ASA5505 and the Cisco 2600 router, and it is working correctly. The problem is that a call cannot be placed from the 2600 router's network to the Call Manager behind the ASA5505. A call can be placed from the Call Manager behind the ASA5505, but when it is answered on the Cisco2600 network, the people behind the ASA can be heard, yet they cannot hear anything from the people behind the Cisco2600. I know I must be missing some configuration.
The VPN is configured correctly and working; there is ping between the networks and even between the phones.
Thanks in advance.
Here is the configuration of my ASA5505:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.60.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.XXX.103.194 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list FOR-VPN extended permit ip 10.60.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list NONAT extended permit ip 10.60.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 100 extended permit tcp 172.16.100.0 255.255.255.0 10.60.0.0 255.255.255.0 eq 2000
access-list 105 extended permit tcp 192.168.2.0 255.255.255.0 172.16.100.0 255.255.255.0 eq 2000
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.87.103.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYTRANS esp-aes-256 esp-sha-hmac
crypto map IPSEC 10 match address FOR-VPN
crypto map IPSEC 10 set pfs group5
crypto map IPSEC 10 set peer 190.XXX.103.195
crypto map IPSEC 10 set transform-set MYTRANS
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map Voice-OUT
match access-list 105
class-map Voice-IN
match access-list 100
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map Voicepolicy
class Voice-IN
class Voice-OUT
priority
!
service-policy global_policy global
service-policy Voicepolicy interface outside
tunnel-group 190.XXX.103.195 type ipsec-l2l
tunnel-group 190.XXX.103.195 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
prompt hostname context
Cryptochecksum:8daeee5c7d38a18f0ccd341b24730059
: end
07-17-2011 10:05 AM
Greetings Adrian,
It looks like everything is fine. Have you looked at the logs on the ASA firewall? Which voice protocol are you using, SIP or Skinny? Could you run a show service-policy and paste it here?
Regards.
Mike
07-18-2011 07:05 AM
Thanks for the reply.
I'm using the Skinny protocol. I think I found what the fault is: as you will see, the Cisco 2600 router is the CME, so when the IP phone places a call it goes out through the CME, that is, with the public IP the router uses to connect to the ISP, while the interesting traffic for our VPN is between the internal LAN networks. The CME places the call with the public IP and the VPN cannot be brought up. Correct me if I'm wrong.
Anyway, here is what you asked for. Nothing shows up in the logs; the VPN is working, the only problem is with the calls.
ASA-LP# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Interface outside:
Service-policy: Voicepolicy
Class-map: Voice
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Class-map: Data
Output police Interface outside:
cir 200000 bps, bc 37500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Regards.
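The counters Mike asked for are the quickest way to see whether any voice signaling reached the ASA's inspection engines at all; in the output above every engine, including skinny, is at zero. The following Python helper is an added example, not part of this thread: it parses show service-policy output in the format posted above and flags voice-related inspection engines that have seen no packets or that have dropped packets. The first sample text mirrors the thread's output; the second sample with non-zero counters is constructed to show what a working deployment looks like.

```python
import re

# Sample 1: same shape as the "show service-policy" output posted in this thread.
SAMPLE_IDLE = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
"""

# Sample 2: constructed output where SCCP signaling is flowing but some of it is dropped.
SAMPLE_ACTIVE = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 1842, drop 37, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
"""

# One "Inspect:" line -> engine name and its three counters.
INSPECT_RE = re.compile(
    r"Inspect:\s*(?P<name>.+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)

# Engines that carry call signaling in this thread (SCCP phones, H.323 dial-peers, SIP).
VOICE_ENGINES = ("skinny", "sip", "h323 h225", "h323 ras")


def parse_inspect_counters(text):
    """Return {engine_name: (packets, drops, reset_drops)} for every Inspect line."""
    counters = {}
    for m in INSPECT_RE.finditer(text):
        counters[m.group("name")] = (
            int(m.group("packet")),
            int(m.group("drop")),
            int(m.group("reset")),
        )
    return counters


def idle_voice_engines(counters):
    """Voice engines that have counted zero packets: no signaling reached them."""
    return sorted(
        name
        for name, (packets, _, _) in counters.items()
        if name.startswith(VOICE_ENGINES) and packets == 0
    )


def dropping_engines(counters):
    """Engines whose inspection dropped or reset packets: worth correlating with syslog."""
    return {
        name: (drops, resets)
        for name, (_, drops, resets) in counters.items()
        if drops or resets
    }


if __name__ == "__main__":
    for label, text in (("thread output", SAMPLE_IDLE), ("constructed", SAMPLE_ACTIVE)):
        c = parse_inspect_counters(text)
        print(label, "idle:", idle_voice_engines(c), "dropping:", dropping_engines(c))
```

A skinny engine at zero packets while phones are registered across the tunnel means the SCCP traffic is not passing through this ASA at all (or the counters were cleared), which is a different problem from an engine that sees traffic and drops some of it.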
07-18-2011 01:36 PM
Adrian,
Could you add the 2600's configuration?
Also, if you could take a sniffer capture from the phone on the CME towards the CUCM, we could confirm the SDP packets and see which addresses are being used for the audio traffic.
Thanks,
Luis Sandi
.:|:.:|:.
P.S Please mark this question as answered if it has been resolved. Do rate helpful posts.
07-19-2011 06:50 AM
Here is the configuration of the 2600 router:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 20
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.100.1 172.16.100.10
!
ip dhcp pool HTC_SC
network 172.16.100.0 255.255.255.0
option 150 ip 172.16.100.1
default-router 172.16.100.1
dns-server 200.58.160.25 200.58.161.25
lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscohtc address 67.XXX.103.194
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 67.XXX.103.194
set transform-set MYSET
set pfs group5
match address 101
!
!
!
!
interface FastEthernet0/0
ip address 190.XXX.103.195 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 172.16.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 190.XXX.103.194
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 101 permit ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 110 deny ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
tftp-server flash:preahtc2.tcl
tftp-server flash:ivrhtc2.wav
tftp-server flash:preahtc2011.tcl
tftp-server flash:preahtc2011.wav
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
signal groundStart
timeouts ringing 30
description Conexion PSTN
!
voice-port 1/1/1
signal groundStart
!
!
!
!
dial-peer cor custom
!
!
!
dial-peer voice 11 voip
destination-pattern 2..
session target ipv4:XX.103.226.164
ip qos dscp cs5 media
!
dial-peer voice 2001 pots
service preahtc2011
destination-pattern *39.T
port 1/1/0
!
dial-peer voice 100 voip
destination-pattern 1..
! IP of the CME behind the ASA: 10.60.0.2
session target ipv4:10.60.0.2
ip qos dscp cs5 media
!
!
num-exp 0 305
!
!
!
telephony-service
load 7960-7940 P00308000400
max-ephones 30
max-dn 150
ip source-address 172.16.100.1 port 2000
max-redirect 20
timeouts interdigit 3
timeouts ringing 120
user-locale ES
network-locale ES
time-format 24
date-format dd-mm-yy
create cnf-files version-stamp Jan 01 2002 00:00:00
max-conferences 8 gain -6
call-forward pattern T
moh final1a.wav
transfer-system full-consult
transfer-pattern T
secondary-dialtone 9
directory last-name-first
!
!
ephone-dn 3 dual-line
number 303
call-forward busy 305
call-forward noan 305 timeout 15
!
!
ephone-dn 4 dual-line
number 304
call-forward busy 305
call-forward noan 305 timeout 15
!
!
ephone-dn 5 dual-line
number 305
call-forward busy 303
call-forward noan 303 timeout 15
!
!
ephone 1
keepalive 200
mac-address A40C.C394.B94F
type 7912
button 1:3
!
!
!
ephone 2
keepalive 200
mac-address 0014.1C2E.4536
type 7940
button 1:5
!
!
!
ephone 3
keepalive 200
mac-address A40C.C394.B9FE
type 7912
button 1:4
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 0727354F6D580A0647
transport input ssh
!
ntp clock-period 17180081
ntp server 200.186.125.195
!
end
Thanks for the help, regards.
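Adrian's hypothesis earlier in the thread (signaling sourced from the router's public address falls outside the crypto ACL, so it never enters the tunnel) can be checked mechanically against the ACLs posted here: the 2600's crypto ACL 101 and NAT route-map ACL 110, and the ASA's FOR-VPN ACL. The following Python is an added example, not part of the thread or of Cisco's tooling. It parses those exact ACL lines, matches flows the way IOS and the ASA do (first matching entry wins, implicit deny at the end) and applies the router's inside-to-outside order of operations, NAT before the crypto map. The address 203.0.113.195 is a documentation placeholder standing in for the redacted 190.XXX.103.195 WAN address; the phone and CUCM host addresses used as inputs are constructed.

```python
import ipaddress

# ACL lines copied from the two configurations posted in this thread.
IOS_CRYPTO_ACL_101 = [
    "access-list 101 permit ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255",
]
IOS_NAT_ACL_110 = [
    "access-list 110 deny ip 172.16.100.0 0.0.0.255 10.60.0.0 0.0.0.255",
    "access-list 110 permit ip 172.16.100.0 0.0.0.255 any",
]
ASA_CRYPTO_ACL_FOR_VPN = [
    "access-list FOR-VPN extended permit ip 10.60.0.0 255.255.255.0 172.16.100.0 255.255.255.0",
]

# Placeholder for the redacted 190.XXX.103.195 WAN address of the 2600.
WAN_PLACEHOLDER = "203.0.113.195"
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _take_ios_network(tokens, i):
    """Consume an IOS address spec at tokens[i]: 'any', 'host A' or 'A wildcard'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2


def _take_asa_network(tokens, i):
    """Consume an ASA address spec at tokens[i]: 'any', 'host A' or 'A mask'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ios_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (action, src_net, dst_net)."""
    t = line.split()
    action, proto = t[2], t[3]
    if proto != "ip":
        raise ValueError("only 'ip' entries are handled in this example")
    src, i = _take_ios_network(t, 4)
    dst, _ = _take_ios_network(t, i)
    return action, src, dst


def parse_asa_ace(line):
    """'access-list NAME extended permit|deny ip SRC DST' -> (action, src_net, dst_net)."""
    t = line.split()
    action, proto = t[3], t[4]
    if proto != "ip":
        raise ValueError("only 'ip' entries are handled in this example")
    src, i = _take_asa_network(t, 5)
    dst, _ = _take_asa_network(t, i)
    return action, src, dst


def acl_permits(aces, src_ip, dst_ip):
    """First matching entry decides; no match is the implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classify_flow_from_2600(src_ip, dst_ip):
    """Inside-to-outside on the 2600: NAT (ACL 110 via the route-map) runs before the
    crypto map (ACL 101). Returns (source address on the wire, encrypted?)."""
    nat = [parse_ios_ace(l) for l in IOS_NAT_ACL_110]
    crypto = [parse_ios_ace(l) for l in IOS_CRYPTO_ACL_101]
    effective_src = WAN_PLACEHOLDER if acl_permits(nat, src_ip, dst_ip) else src_ip
    return effective_src, acl_permits(crypto, effective_src, dst_ip)


if __name__ == "__main__":
    print("phone -> CUCM LAN :", classify_flow_from_2600("172.16.100.20", "10.60.0.50"))
    print("phone -> Internet :", classify_flow_from_2600("172.16.100.20", "198.51.100.7"))
    print("router WAN -> CME :", classify_flow_from_2600(WAN_PLACEHOLDER, "10.60.0.2"))
```

The third case is the one Adrian describes: a packet that already carries the WAN address as its source and 10.60.0.2 as its destination matches neither ACL 110 nor ACL 101, so it leaves the router unencrypted with a private destination. The same function applied to the ASA's FOR-VPN list shows the mirror image: the ASA only encrypts toward 172.16.100.0/24, never toward the 2600's public address.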