03-19-2015 01:45 AM - edited 03-17-2019 02:22 AM
We are in the process of migrating from Juniper NetScreen firewalls at all of our sites to Cisco ASA's.
I have an IPsec VPN configured between a 5515-X at the main office and a 5505 at a remote branch.
All is working fine for data, as file shares, RDP etc. work OK in both directions.
However, I am trying to get some Avaya 1608 phones working on the LAN at the remote branch connecting to an Avaya S8300 media server at the main office.
The handsets can connect to the S8300 and download their configuration, and can call and receive calls from other handsets at the main and other remote sites; however, they do not get dial tone, and when a call is answered there is no audio in either direction.
We have had this setup working successfully for some time with the Junipers, but I cannot find a way of getting the handsets working properly with the ASA's.
Has anyone got any experience of doing this, and is there anything else I need to do on the VPN to get them working?
03-19-2015 01:54 AM
Hi
Sounds like the ASA may be NATting the traffic... have you verified you have properly configured no-NAT for the VPN traffic?
Aaron
03-19-2015 02:52 AM
Hi Aaron,
Yes, I believe that I have no-NAT configured correctly for the VPN, as below for the remote branch:
nat (inside,outside) source static NETWORK_OBJ_10.237.35.192_27 NETWORK_OBJ_10.237.35.192_27 destination static NETWORK_OBJ_10.252.0.0_16 NETWORK_OBJ_10.252.0.0_16
with the equivalent (reversed) at the main office.
I have also tried both including and removing the inspection for H.323 (H.225 and RAS), Skinny and SIP, but the result is the same in all cases.
Any other ideas would be appreciated.
03-19-2015 05:27 AM
Hi,
In general you have to allow traffic between:
- the Avaya phone and the Avaya server; and
- the two endpoints, calling and called.
In many cases security engineers allow traffic between voice VLANs and servers, but not between voice VLANs.
03-19-2015 05:33 AM
Agreed with the above - since you seem to have no-NAT set up, and you have disabled inspection, next I would check your ACLs.
Lack of dial tone suggests RTP is not permitted between the server/gateway and the phone - from what I recall being told some years back, with Avaya the dial tone is streamed from the server rather than generated on the handset Cisco-style.
Aaron
03-19-2015 06:32 AM
Hi Aaron,
Thanks for the tip - I have now got it working :-)
I ran a Wireshark trace on the LAN and saw that the RTP was going to the Avaya G450 rather than the S8300 which was used to register the handsets (I am not an Avaya guy, so I am not sure how it all fits together).
Adding a static route to the G450 to route the traffic correctly solved the problem.
I really appreciate your help - I am not sure I would have got there on my own.
Mohammed - thanks also for your input - it was also appreciated
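The diagnosis step described above (tracing on the LAN and noticing that RTP goes to a media gateway rather than to the server the phones register with) can be scripted so that every media peer is listed and checked against the IPsec encryption domain. The following is an added example written for this thread; it is not Cisco, Avaya or the poster's code. The two subnets come from the poster's no-NAT statement (10.237.35.192/27 and 10.252.0.0/16); the addresses assigned to the phone, the S8300, the G450 and a fourth "outside the crypto ACL" media host are assumptions, and the packets are constructed inline rather than taken from a capture.

```python
"""List RTP peers seen on the LAN and flag any that are not the signaling
server or that fall outside the IPsec encryption domain.

Added example for the forum thread; subnets are from the poster's no-NAT
statement, host addresses are assumed, packets are constructed here.
"""
import ipaddress
import struct
from collections import defaultdict

# Encryption domain from the poster's no-NAT (identity NAT) statement.
BRANCH_NET = ipaddress.ip_network("10.237.35.192/27")
MAIN_NET = ipaddress.ip_network("10.252.0.0/16")
ENCRYPTION_DOMAIN = (BRANCH_NET, MAIN_NET)

# Assumed hosts (not given in the thread).
PHONE = "10.237.35.200"          # Avaya 1608 at the branch
S8300 = "10.252.1.10"            # call server the phones register with
G450 = "10.252.1.20"             # media gateway that actually terminates RTP
OUTSIDE_MEDIA = "192.0.2.50"     # media host in a subnet the crypto ACL does not cover


def build_rtp(payload_type: int, seq: int, ts: int, ssrc: int) -> bytes:
    """12-byte RTP header (RFC 3550): V=2, no padding/extension/CSRC, marker 0,
    followed by 160 bytes of dummy G.711 payload."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, ts, ssrc) + b"\x00" * 160


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP framing; checksums are left at 0 because nothing transmits this."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


def parse_packet(raw: bytes):
    """Return (src, dst, sport, dport, is_rtp) for an IPv4/UDP datagram, else None."""
    if len(raw) < 28 or (raw[0] >> 4) != 4 or raw[9] != 17:
        return None
    ihl = (raw[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(raw[12:16]))
    dst = str(ipaddress.ip_address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    payload = raw[ihl + 8:]
    # RTP heuristic: version 2 in the first byte, a full 12-byte header, and a
    # payload-type field that is not an RTCP packet type (200-204 masked to 72-76).
    is_rtp = (len(payload) >= 12 and (payload[0] >> 6) == 2
              and not 72 <= (payload[1] & 0x7F) <= 76)
    return src, dst, sport, dport, is_rtp


def in_domain(addr: str) -> bool:
    """True if the address is covered by the IPsec encryption domain."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENCRYPTION_DOMAIN)


def audit_rtp(packets, signaling_server: str) -> dict:
    """Group RTP packets into (src, dst) flows and report:
    - main-office media peers that are not the signaling server (each one also
      needs ACL entries and a return route to the branch), and
    - flows with an endpoint outside the encryption domain (sent in the clear
      or dropped, depending on the outside ACL)."""
    flows = defaultdict(int)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed and parsed[4]:
            flows[(parsed[0], parsed[1])] += 1
    endpoints = {ep for flow in flows for ep in flow}
    peers = sorted(ep for ep in endpoints
                   if ep != signaling_server and ipaddress.ip_address(ep) not in BRANCH_NET)
    outside = sorted(f for f in flows if not (in_domain(f[0]) and in_domain(f[1])))
    return {"flows": dict(flows), "media_peers_not_signaling_server": peers,
            "outside_encryption_domain": outside}


# Constructed sample traffic: one signaling datagram to the S8300, RTP in both
# directions with the G450, and one RTP stream to a host the crypto ACL misses.
SAMPLE_PACKETS = [
    build_ipv4_udp(PHONE, S8300, 1719, 1719, b"\x00" * 20),   # RAS-style signaling, not RTP
    build_ipv4_udp(PHONE, G450, 2048, 2048, build_rtp(0, 1, 160, 0xDEADBEEF)),
    build_ipv4_udp(PHONE, G450, 2048, 2048, build_rtp(0, 2, 320, 0xDEADBEEF)),
    build_ipv4_udp(G450, PHONE, 2048, 2048, build_rtp(0, 1, 160, 0xCAFEBABE)),
    build_ipv4_udp(PHONE, OUTSIDE_MEDIA, 2048, 2050, build_rtp(0, 1, 160, 0x12345678)),
]

if __name__ == "__main__":
    for key, value in audit_rtp(SAMPLE_PACKETS, S8300).items():
        print(f"{key}: {value}")
```

Run against a real capture, replace `SAMPLE_PACKETS` with the IPv4 payloads of each frame (for example via `scapy`'s `rdpcap` and `bytes(pkt[IP])`); the peer list is what tells you which hosts besides the registration server must be covered by the crypto ACL, any interface or VPN-filter ACLs, and a return route on the gateway itself, which is where the poster's fix ended up.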
03-19-2015 08:37 AM
Glad you have it resolved :-)