We have an All-in-One solution for small customers: a C881 router with Firewall, NAT, VPN and CCME (SIP phones) enabled. The box is registered to a SIP provider (the source-interface for control and media is the outside interface; otherwise, we cannot register and place a call). Everything works fine for SIP softphones in the LAN. But when the user connects to the network via IPSec VPN, his softphone does not work. The phone rings, but that's all; the call is dropped after 7 seconds. It is logical, because during call setup he is instructed to use the router's outside IP address for the call. And at this moment, the client starts to send packets outside of the IPSec tunnel, directly to the internet address of the router.
Is there any way to make this work?
Something like using the router's outside address for registration to the SIP provider and the inside address for communication with SIP phones?
Or using sip profiles to modify the messages?
I assume you're using Jabber Client.
In this case you have to add the command:
voice service voip
 sip
  bind all source-interface GigabitEthernet 0/0
Or use any other interface to which your Voice VLAN is connected.
It is a problem related to CME using a different IP address from SIP traffic than what was used for the endpoint to register.
Thanks for the reply, but this is not the case. To make the question clear: we have 2 interfaces on the router, Gi0/0 is the LAN interface, Gi0/1 is the WAN interface. We must use Gi0/1 for communication between the router and the SIP voice provider, because Gi0/1 has a publicly routable IP address. That's why we already have the bind command in the config, specifying the Gi0/1 interface.
On the other side, we must use Gi0/0 for communication between the router and internal SIP users who access the network via IPSec VPN. If the router instructs the users to use the outside interface (inherited from "bind all source-interface Gi0/1"), they start to send the packets outside of the split VPN tunnel, which does not work (security policy).
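The symptom described in this thread can be confirmed from a captured SIP message by checking whether the addresses it advertises (Contact header, SDP `o=` and `c=` lines) fall inside the split-tunnel routes. The following is an added example, not part of any post; the sample message, all addresses, the split-tunnel network and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: a 200 OK as a router bound to its outside interface
# might send it to a VPN softphone. Addresses are documentation/private ranges.
SAMPLE_SIP = """\
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.10.50:5060;branch=z9hG4bK-constructed
Contact: <sip:1001@203.0.113.10:5060>
Content-Type: application/sdp

v=0
o=router 1 1 IN IP4 203.0.113.10
s=SIP Call
c=IN IP4 203.0.113.10
t=0 0
m=audio 16500 RTP/AVP 0
"""

# Assumed split-tunnel routes pushed to the VPN client (only the LAN is tunnelled).
SPLIT_TUNNEL = [ipaddress.ip_network("192.168.1.0/24")]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def advertised_addresses(message):
    """Return (field, ip) pairs the peer will use for signalling and media."""
    found = []
    for line in message.splitlines():
        contact = re.match(r"Contact:.*?@" + IPV4, line, re.IGNORECASE)
        if contact:
            found.append(("Contact", contact.group(1)))
        sdp = re.match(r"([oc])=.*\bIN IP4 " + IPV4, line)
        if sdp:
            found.append((sdp.group(1), sdp.group(2)))
    return found


def outside_tunnel(message, tunnel_nets):
    """Return advertised addresses the client would reach outside the tunnel."""
    return [
        (field, ip)
        for field, ip in advertised_addresses(message)
        if not any(ipaddress.ip_address(ip) in net for net in tunnel_nets)
    ]


if __name__ == "__main__":
    for field, ip in outside_tunnel(SAMPLE_SIP, SPLIT_TUNNEL):
        print(f"{field}: {ip} is not covered by the split tunnel")
```

An empty result means every advertised address is routed through the tunnel; any entry in the `c` field means RTP from the softphone will leave the tunnel.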