01-22-2013 11:41 PM - edited 03-16-2019 03:18 PM
Dear All,
I am struggling to configure CIPC to work over a Remote Access IPSEC VPN tunnel. After successfully connecting my laptop through the VPN client, I am able to ping all the hosts and the CUCM server IP. When I start CIPC it gets registered with CUCM, and I am able to call all extensions and all extensions are able to call my CIPC extension. But the problem is that when the phone rings, after call pickup there is no voice heard on either end..!
Has anyone come across such an issue? Your help is highly appreciated..!
I have checked the Preference Audio Network setting to the VPN IP.
Thank you.
01-23-2013 12:38 AM
Hi
Sounds like either there is some NAT going on that is breaking it or some restrictions on your firewall, e.g. you cannot route to the voice VLAN subnets due to ACLs or routes not being configured to permit it.
Aaron
01-24-2013 02:39 AM
Good Day,
Thank you for your reply Aaron. Yesterday night when I disabled inspect from the global policy I was able to make a call and hear voice, but then suddenly, after restarting my computer and testing again, the voice is having problems...
I am able to ping the voice VLAN and data VLAN.
I am able to ping the CUCM server.
I am posting my config for the ASA below.
-----------------------------------------------------------------------------------------------
interface Ethernet0/0
description WAN-Interface
nameif outside
security-level 0
ip address MY_IP 255.255.255.252
!
interface Ethernet0/1
description LAN-Interface
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description DMZ-Interface
nameif DMZ
security-level 0
ip address 192.168.240.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name tekskillsinc
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.205.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.15.128 255.255.255.128
access-list USA_TO_IND extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.205.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.205.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_LAN extended permit ip any any
access-list Split_Tunnel standard permit 192.168.100.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.200.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.205.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.15.128 255.255.255.128
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.200.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.205.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.15.128 255.255.255.128 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
ip local pool VoIP_Pool 192.168.15.150-192.168.15.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.200.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.205.0 255.255.255.0 norandomseq
static (DMZ,outside) X.X.X.X 192.168.240.2 netmask 255.255.255.255
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 ISP_Int_IP 1
route inside 192.168.200.0 255.255.255.0 192.168.100.2 1
route inside 192.168.205.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set USA_TO_IND esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address USA_TO_IND
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set USA_TO_IND
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
console timeout 0
dhcpd option 150 ip 192.168.100.25
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VoIP internal
group-policy VoIP attributes
banner value Authorize User Access Only
dns-server value 192.168.15.1 192.168.100.1
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
default-domain value tekskillsinc
ip-phone-bypass enable
ipv6-address-pools none
username test password pasword encrypted privilege 0
username test attributes
vpn-group-policy VoIP
username test password pasword encrypted privilege 0
username test attributes
vpn-group-policy VoIP
username cisco password Password encrypted
tunnel-group 111.0.0.18 type ipsec-l2l
tunnel-group 111.0.0.18 ipsec-attributes
pre-shared-key *
tunnel-group VoIP type remote-access
tunnel-group VoIP general-attributes
address-pool VoIP_Pool
default-group-policy VoIP
tunnel-group VoIP ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect netbios
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c42f6c8871201ac3bf7956d828b05b34
: end
---------------------------------------------------------------------------------------
I have Site to Site VPN working fine for Data and Voice. I configured REMOTE ACCESS IPSEC VPN for Roaming Users for Data and Voice, for which Voice is not working..!
I look forward to your valuable guidance..!
Thank you.
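The NAT possibility raised in Aaron's reply can be checked mechanically against the configuration as posted. The Python sketch below is an added example, not part of any post in this thread: it reports whether the remote-access address pool is covered by a NAT exemption ACL that is actually bound with a `nat (<interface>) 0 access-list` statement. It assumes pre-8.3 ASA NAT syntax (as used in the posted config); the function name `audit_nat_exemption` and the appended `nat (inside) 0` line are illustrative, and the sample lines are copied from the config above.

```python
import ipaddress
import re

# Constructed sample: lines copied from the ASA config posted above.
ASA_CONFIG = """\
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.15.128 255.255.255.128
ip local pool VoIP_Pool 192.168.15.150-192.168.15.200 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.200.0 255.255.255.0 norandomseq
"""

POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
ACE = re.compile(r"^access-list (\S+) extended permit ip .* "
                 r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", re.M)


def audit_nat_exemption(config):
    """Return {pool_name: [(interface, acl), ...]} listing the bound nat 0
    ACLs whose destination network contains the whole VPN address pool."""
    # Destination network of each ACL entry (its last "address mask" pair).
    dests = {}
    for acl, addr, mask in ACE.findall(config):
        dests.setdefault(acl, []).append(ipaddress.ip_network(f"{addr}/{mask}"))
    # An exemption ACL only takes effect when a nat 0 statement references it.
    bound = NAT0.findall(config)
    result = {}
    for name, first, last in POOL.findall(config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        result[name] = [(ifc, acl) for ifc, acl in bound
                        if any(lo in n and hi in n for n in dests.get(acl, []))]
    return result


if __name__ == "__main__":
    for pool, hits in audit_nat_exemption(ASA_CONFIG).items():
        print(pool, "exempted via" if hits else "NOT exempted from NAT", hits)
    # Hypothetical extra line (not in the posted config) to show a passing check.
    fixed = ASA_CONFIG + "nat (inside) 0 access-list outside_nat0_outbound\n"
    print(audit_nat_exemption(fixed))
```

An empty list for a pool means that, in the text supplied, traffic from the inside networks to that pool still matches the `nat (inside) 1` rules; lines omitted from a posted excerpt are not seen by the check.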
01-26-2013 09:09 AM
Has anyone got through such a scenario..?
Your help is highly appreciated..!
Thank you
07-28-2013 01:11 PM
Did you get this resolved? If not, please feel free to direct message or respond with the HQ router config (with any sensitive information blanked out) and also configs for remote access clients.