Really Need Some Help With IOS Firewall On 2911 Router With CME

Hello,

I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6.  I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.

The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from an internal office phone, i.e., NOT involving the PSTN, then there is no audio.  It's as if no audio is going back and forth.  When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.

Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?

 

clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0 
network-clock-select 1 T1 0/0/0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.8.1 192.168.8.19
!
ip dhcp pool owhvoip
 network 192.168.8.0 255.255.248.0
 default-router 192.168.8.1 
 option 150 ip 192.168.8.1 
 lease 30
!
!
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
crypto pki server cme_root
 database level complete
 grant auto
 lifetime certificate 7305
 lifetime ca-certificate 7305
crypto pki token default removal timeout 0
!
crypto pki trustpoint cme_root
 enrollment url http://192.168.8.1:80
 revocation-check none
 rsakeypair cme_root
!
crypto pki trustpoint cme_cert
 enrollment url http://192.168.8.1:80
 revocation-check none
!
crypto pki trustpoint TP-self-signed-2736782807
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2736782807
 revocation-check none
 rsakeypair TP-self-signed-2736782807
!
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
!
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 vpn-group 1
  vpn-gateway 1 https://66.111.111.111/SSLVPNphone
  vpn-trustpoint 1 trustpoint cme_cert leaf
 vpn-profile 1
  host-id-check disable
!
voice class codec 1
 codec preference 1 g711ulaw
!
voice class custom-cptone jointone
 dualtone conference
  frequency 600 900
  cadence 300 150 300 100 300 50
!
voice class custom-cptone leavetone
 dualtone conference
  frequency 400 800
  cadence 400 50 200 50 200 50
!
!
!
!
voice translation-rule 1
 rule 1 /9400/ /502/
 rule 2 /9405/ /215/
 rule 3 /9410/ /500/
!
voice translation-rule 2
 rule 1 /.*/ /541999999/
!
voice translation-rule 100
 rule 1 /^9/ // type any unknown plan any isdn
!
!
voice translation-profile Inbound_Calls_To_CUE
 translate called 1
!
voice translation-profile InternationalType
 translate called 100
!
voice translation-profile Local-CLID
 translate calling 2
!
!
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
hw-module sm 1
!
!
!
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51

redundancy
!
!
!
!
controller T1 0/0/0
 cablelength long 0db
 pri-group timeslots 1-12,24
!
!
class-map type inspect match-any sslvpn
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all router-access
 match access-group name router-access
!
!
policy-map type inspect firewall-policy
 class type inspect sslvpn
  inspect 
 class class-default
  drop
policy-map type inspect outside-to-router-policy
 class type inspect router-access
  inspect 
 class class-default
  drop
!
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
 service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
 service-policy type inspect outside-to-router-policy

!
!
!
!
!
!
interface Loopback0
 ip address 192.168.17.1 255.255.248.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Internet
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 zone-member security internet
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
!
interface Integrated-Service-Engine1/0
 ip unnumbered Loopback0
 service-module ip address 192.168.17.2 255.255.248.0
 !Application: CUE Running on NME
 service-module ip default-gateway 192.168.17.1
 no keepalive
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security trusted
!
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
!
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
!
ip access-list extended router-access
 permit tcp any host 66.111.111.111 eq 443
!
!
!
!
!
!
tftp-server flash:apps31.9-3-1ES26.sbn

!
!
!
control-plane
!
!
voice-port 0/0/0:23
!
voice-port 0/3/0
!
voice-port 0/3/1
!
!
!
mgcp profile default
!
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0 
sccp
!
sccp ccm group 1
 bind interface GigabitEthernet0/1
 associate ccm 1 priority 1
 associate profile 1 register CME-CONF
!
dspfarm profile 1 conference  
 codec g729br8
 codec g729r8
 codec g729abr8
 codec g729ar8
 codec g711alaw
 codec g711ulaw
 maximum sessions 4
 associate application SCCP
!
dial-peer voice 500 voip
 destination-pattern 5..
 session protocol sipv2
 session target ipv4:192.168.17.2
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
!
dial-peer voice 10 pots
 description Incoming Calls To AA
 translation-profile incoming Inbound_Calls_To_CUE
 incoming called-number .
 port 0/0/0:23
!
dial-peer voice 20 pots
 description local 10 digit dialing
 translation-profile outgoing Local-CLID
 destination-pattern 9[2-9].........
 incoming called-number .
 port 0/0/0:23
 forward-digits 10
!
dial-peer voice 30 pots
 description long distance dialing
 translation-profile outgoing Local-CLID
 destination-pattern 91..........
 incoming called-number .
 port 0/0/0:23
 forward-digits 11
!
dial-peer voice 40 pots
 description 911
 destination-pattern 911
 port 0/0/0:23
 forward-digits all
!
dial-peer voice 45 pots
 description 9911
 destination-pattern 9911
 port 0/0/0:23
 forward-digits 3
!
dial-peer voice 50 pots
 description international dialing
 translation-profile outgoing InternationalType
 destination-pattern 9T
 incoming called-number .
 port 0/0/0:23
!
dial-peer voice 650 pots
 huntstop
 destination-pattern 650
 fax rate disable
 port 0/3/0
!
!
!
!
gatekeeper
 shutdown
!
!
telephony-service
 protocol mode ipv4
 sdspfarm units 5
 sdspfarm tag 1 CME-CONF
 conference hardware
 moh-file-buffer 90
 no auto-reg-ephone
 authentication credential cmeadmin tshbavsp$$4
 max-ephones 50
 max-dn 200
 ip source-address 192.168.8.1 port 2000
 service dnis dir-lookup
 timeouts transfer-recall 30
 system message Oregon's Wild Harvest
 url services http://192.168.17.2/voiceview/common/login.do 
 url authentication http://192.168.8.1/CCMCIP/authenticate.asp  
 cnf-file location flash:
 cnf-file perphone
 load 7931 SCCP31.9-3-1SR4-1S.loads
 load 7936 cmterm_7936.3-3-21-0.bin
 load 7942 SCCP42.9-3-1SR4-1S.loads
 load 7962 SCCP42.9-4-2-1S.loads
 time-zone 5
 time-format 24
 voicemail 500
 max-conferences 8 gain -6
 call-park system application
 call-forward pattern .T
 moh moh.wav
 web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
 dn-webedit 
 transfer-digit-collect orig-call
 transfer-system full-consult
 transfer-pattern .T
 fac standard
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-template  1
 softkeys connected  Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
 button-layout 7931 2
!
!
ephone-template  2
 softkeys idle  Dnd Gpickup Pickup Mobility
 softkeys connected  Hold Park Confrn Mobility Trnsfer TrnsfVM
 button-layout 7931 2
!
!
ephone-dn  1  dual-line
 number 200
 label Lisa
 name Lisa Ziomkowsky
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  2  dual-line
 number 201
 label Dylan
 name Dylan Elmer
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  3  dual-line
 number 202
 label Kimberly
 name Kimberly Krueger
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  4  dual-line
 number 203
 label Randy
 name Randy Buresh
 mobility
 snr calling-number local
 snr 915035042317 delay 5 timeout 15 cfwd-noan 500
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  5  dual-line
 number 204
 label Mark
 name Mark McBride
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  6  dual-line
 number 205
 label Susan
 name Susan Sundin
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  7  dual-line
 number 206
 label Rebecca
 name Rebecca Vaught
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  8  dual-line
 number 207
 label Ronnda
 name Ronnda Daniels
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  9  dual-line
 number 208
 label Matthew
 name Matthew Creswell
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  10  dual-line
 number 209
 label Nate
 name Nate Couture
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  11  dual-line
 number 210
 label Sarah
 name Sarah Smith
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  12  dual-line
 number 211
 label Janis
 name Janis McFerren
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  13  dual-line
 number 212
 label Val
 name Val McBride
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  14  dual-line
 number 213
 label Shorty
 name Arlene Haugen
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  15  dual-line
 number 214
 label Ruta
 name Ruta Wells
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  16  dual-line
 number 215
 label 5415489405
 name OWH Sales
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  17  dual-line
 number 216
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  18  dual-line
 number 217
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  19  dual-line
 number 218
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  20  dual-line
 number 219
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  21  dual-line
 number 220
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  22  dual-line
 number 221
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  23  dual-line
 number 222
 label Pam
 name Pam Buresh
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  24  dual-line
 number 223
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  25  dual-line
 number 224
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  26  dual-line
 number 225
 label Elaine
 name Elaine Mahan
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  27  octo-line
 number 250
 label Shipping
 name Shipping
!
!
ephone-dn  28  dual-line
 number 251
 label Eli
 name Eli Nourse
 call-forward busy 500
 call-forward noan 500 timeout 10
!
!
ephone-dn  29  dual-line
 number 252
!
!
ephone-dn  30  dual-line
 number 253
!
!
ephone-dn  31  octo-line
 number 100
 label Customer Service
 name Customer Service
 call-forward busy 500
 call-forward noan 500 timeout 12
!
!
ephone-dn  32  octo-line
 number 101
 label Sales
 name Sales
 call-forward busy 214
 call-forward noan 214 timeout 12
!
!
ephone-dn  33  dual-line
 number 260
 label Conference Room
 name Conference Room
 call-forward busy 100
 call-forward noan 100 timeout 12
!
!
ephone-dn  100
 number 300
 park-slot timeout 20 limit 2 recall
 description Park Slot For All Company
!
!
ephone-dn  101
 number 301
 park-slot timeout 20 limit 2 recall
 description Park Slot for All Company
!
!
ephone-dn  102
 number 302
 park-slot timeout 20 limit 2 recall
 description Park Slot for All Company
!
!
ephone-dn  103
 number 700
 name All Company Paging
 paging ip 239.1.1.10 port 2000
!
!
ephone-dn  104
 number 8000...
 mwi on
!
!
ephone-dn  105
 number 8001...
 mwi off
!
!
ephone-dn  106  octo-line
 number A00
 description ad-hoc conferencing
 conference ad-hoc
!
!
ephone-dn  107  octo-line
 number A01
 description ad-hoc conferencing
 conference ad-hoc
!
!
ephone-dn  108  octo-line
 number A02
 description ad-hoc conferencing
 conference ad-hoc
!
!
ephone  1
 device-security-mode none
 mac-address 001F.CA34.88AE
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:2 2:31
!
!
!
ephone  2
 device-security-mode none
 mac-address 001F.CA34.8A03
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:12
!
!
!
ephone  3
 device-security-mode none
 mac-address 001F.CA34.898B
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
!
!
!
ephone  4
 device-security-mode none
 mac-address 001F.CA34.893F
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
!
!
!
ephone  5
 device-security-mode none
 mac-address 001F.CA34.8A71
 ephone-template 1
 max-calls-per-button 2
 username "susan"
 paging-dn 103
 type 7931
 button  1:6
!
!
!
ephone  6
 device-security-mode none
 mac-address 001F.CA34.8871
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:7 2:31 3:32
!
!
!
ephone  7
 device-security-mode none
 mac-address 001F.CA34.8998
 ephone-template 1
 max-calls-per-button 2
 username "matthew"
 paging-dn 103
 type 7931
 button  1:9
!
!
!
ephone  8
 device-security-mode none
 mac-address 001F.CA36.8787
 ephone-template 1
 max-calls-per-button 2
 username "nate"
 paging-dn 103
 type 7931
 button  1:10
!
!
!
ephone  9
 device-security-mode none
 mac-address 001F.CA34.8805
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:5
!
!
!
ephone  10
 device-security-mode none
 mac-address 001F.CA34.880C
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:14
!
!
!
ephone  11
 device-security-mode none
 mac-address 001F.CA34.8935
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:3
!
!
!
ephone  12
 device-security-mode none
 mac-address 001F.CA34.8995
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:8 2:31
!
!
!
ephone  13
 device-security-mode none
 mac-address 0021.5504.1796
 ephone-template 2
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:4
!
!
!
ephone  14
 device-security-mode none
 mac-address 001F.CA34.88F7
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:23
!
!
!
ephone  15
 device-security-mode none
 mac-address 001F.CA34.8894
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:26
!
!
!
ephone  16
 device-security-mode none
 mac-address 001F.CA34.8869
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:28 2:27
!
!
!
ephone  17
 device-security-mode none
 mac-address 001F.CA34.885F
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:11
!
!
!
ephone  18
 device-security-mode none
 mac-address 001F.CA34.893C
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:27
!
!
!
ephone  19
 device-security-mode none
 mac-address 001F.CA34.8873
 ephone-template 1
 max-calls-per-button 2
 paging-dn 103
 type 7931
 button  1:27
!
!
!
ephone  20
 device-security-mode none
 mac-address A456.3040.B7DD
 paging-dn 103
 type 7942
 vpn-group 1
 vpn-profile 1
 button  1:13
!
!
!
ephone  21
 device-security-mode none
 mac-address A456.30BA.5474
 paging-dn 103
 type 7942
 vpn-group 1
 vpn-profile 1
 button  1:15 2:16 3:32
!
!
!
ephone  22
 device-security-mode none
 mac-address A456.3040.B72E
 paging-dn 103
 type 7942
 vpn-group 1
 vpn-profile 1
 button  1:1
!
!
!
ephone  23
 device-security-mode none
 mac-address 00E0.75F3.D1D9
 paging-dn 103
 type 7936
 button  1:33
!
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
!
webvpn gateway sslvpn_gw
 ip address 66.111.111.111 port 443  
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint cme_cert
 inservice
 !
webvpn context sslvpn_context
 ssl encryption 3des-sha1 aes-sha1
 ssl authenticate verify all
 !
 !
 policy group SSLVPNphone
   functions svc-enabled
   hide-url-bar
   svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
   svc default-domain "bendbroadband.com"
 virtual-template 1
 default-group-policy SSLVPNphone
 gateway sslvpn_gw domain SSLVPNphone
 authentication certificate
 ca trustpoint cme_root
 inservice
!
end

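The zone rules behind the symptom in the post, as an added example (not the poster's config or Cisco code): it models the IOS zone-based firewall's default forwarding decisions, loaded with the zones, zone-pairs and interfaces from the config above; the flow endpoints and the candidate fix at the end are assumptions.

```python
# Added example, not the poster's config nor Cisco code: a model of the IOS
# zone-based firewall (ZBF) forwarding rules, loaded with the zones, zone-pairs
# and interfaces from the config above, showing why signalling to the router
# works while media between a LAN phone and a VPN phone is dropped.
SELF = "self"  # the router itself: CME/SCCP signalling, DSP media for PSTN calls
# interface -> zone as posted; GigabitEthernet0/1 (the 192.168.8.0/21 phone
# LAN) has no zone-member line, so it belongs to no zone.
ZONES = {
    "GigabitEthernet0/0": "internet",
    "Virtual-Template1": "trusted",
    "GigabitEthernet0/1": None,
}
# (source zone, destination zone) -> policy-map, from the zone-pair lines
ZONE_PAIRS = {
    ("trusted", "internet"): "firewall-policy",
    ("internet", "trusted"): "outside-to-router-policy",
}

def zbf_verdict(ingress, egress, zones=ZONES, pairs=ZONE_PAIRS):
    """ZBF treatment of a flow entering on `ingress` and leaving on `egress`
    (interface names, or SELF for the router): 'permit' (no policy applied),
    'drop' (unconditional), or 'policy:<name>' (inspected by that policy-map)."""
    src = SELF if ingress == SELF else zones.get(ingress)
    dst = SELF if egress == SELF else zones.get(egress)
    if SELF in (src, dst):
        # No zone-pair here involves the self zone, so traffic to or from the
        # router itself is permitted by default.
        return "permit"
    if src is None or dst is None:
        # A zone member never exchanges traffic with a non-member interface.
        return "drop"
    if src == dst:
        return "permit"  # intra-zone traffic is passed without inspection
    policy = pairs.get((src, dst))
    return f"policy:{policy}" if policy else "drop"

def symptom_flows(zones=ZONES):
    """Constructed flows matching the symptoms in the post: a LAN phone on
    Gi0/1, a remote phone on Virtual-Template1, CME and DSPs on the router."""
    return {
        "lan_phone_sccp_to_cme": zbf_verdict("GigabitEthernet0/1", SELF, zones),
        "vpn_phone_sccp_to_cme": zbf_verdict("Virtual-Template1", SELF, zones),
        "pstn_audio_dsp_to_vpn_phone": zbf_verdict(SELF, "Virtual-Template1", zones),
        "rtp_lan_to_vpn_phone": zbf_verdict("GigabitEthernet0/1", "Virtual-Template1", zones),
        "rtp_vpn_to_lan_phone": zbf_verdict("Virtual-Template1", "GigabitEthernet0/1", zones),
    }

# Candidate fix to verify on the router (assumption, not from the thread):
# "zone-member security trusted" under GigabitEthernet0/1 turns LAN<->VPN RTP
# into intra-zone traffic instead of member<->non-member traffic.
FIXED_ZONES = {**ZONES, "GigabitEthernet0/1": "trusted"}

if __name__ == "__main__":
    for name, verdict in symptom_flows().items():
        print(f"{name:30} {verdict}")
    print("after fix, LAN->VPN RTP:", symptom_flows(FIXED_ZONES)["rtp_lan_to_vpn_phone"])
```

Note that the trusted-to-internet policy-map is never consulted for LAN-to-VPN media in this model, which is why the reply's suggestion of a permit in that policy would not change the verdict.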
3 Replies

I think your ACL could be the culprit.

ip access-list extended router-access
 permit tcp any host 66.111.111.111 eq 443

Would you be able to change the entry to permit ip any any (just for testing purposes) and then test to see if the calls function properly.  If they work fine then we know that we need to open some ports there.

--

Please remember to select a correct answer and rate helpful posts
Hello. I tried that and no luck. I'm wondering if that interface is the issue or is it another one? The remote phones which are connected via vpn will ring but no audio goes back and forth. 

You could try to add the permit IP any any to the trusted zone policy and see if that sorts things out.

--

Please remember to select a correct answer and rate helpful posts