
CIPC no voice over Remote Access IPSEC VPN Tunnel

taufique.shaikh
Level 1

Dear All,

I am struggling to get CIPC to work over a Remote Access IPsec VPN tunnel. After successfully connecting my laptop through the VPN client, I am able to ping all the hosts and the CUCM server IP. When I start CIPC it gets registered with CUCM, and I am able to call all extensions and all extensions are able to call my CIPC extension. But the problem is that when the phone rings, after call pickup there is no voice heard on either end.

Has anyone come across such an issue? Your help is highly appreciated.

I have checked the Preference Audio Network setting to the VPN IP.

Thank you.


Aaron Harrison
VIP Alumni

Hi

Sounds like either there is some NAT going on that is breaking it or some restrictions on your firewall - e.g. you cannot route to the voice VLAN subnets due to ACLs or routes not being configured to permit it.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Good Day,

Thank you for your reply, Aaron. Yesterday night when I disabled inspect from the global policy I was able to make a call and hear voice, but then suddenly, after restarting my computer and testing again, the voice is having a problem...

I am able to ping the voice VLAN and the data VLAN.

I am able to ping the CUCM server.

I am posting my config for the ASA as below

-----------------------------------------------------------------------------------------------

interface Ethernet0/0
 description WAN-Interface
 nameif outside
 security-level 0
 ip address MY_IP 255.255.255.252
!
interface Ethernet0/1
 description LAN-Interface
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ-Interface
 nameif DMZ
 security-level 0
 ip address 192.168.240.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name tekskillsinc
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.205.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.15.128 255.255.255.128
access-list USA_TO_IND extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.205.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list USA_TO_IND extended permit ip 192.168.205.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_LAN extended permit ip any any
access-list Split_Tunnel standard permit 192.168.100.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.200.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.205.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.15.128 255.255.255.128
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.200.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.205.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.15.128 255.255.255.128 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
ip local pool VoIP_Pool 192.168.15.150-192.168.15.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.200.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.205.0 255.255.255.0 norandomseq
static (DMZ,outside) X.X.X.X 192.168.240.2 netmask 255.255.255.255
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 ISP_Int_IP 1
route inside 192.168.200.0 255.255.255.0 192.168.100.2 1
route inside 192.168.205.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set USA_TO_IND esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address USA_TO_IND
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set USA_TO_IND
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 0
dhcpd option 150 ip 192.168.100.25
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VoIP internal
group-policy VoIP attributes
 banner value Authorize User Access Only
 dns-server value 192.168.15.1 192.168.100.1
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 default-domain value tekskillsinc
 ip-phone-bypass enable
 ipv6-address-pools none
username test password pasword encrypted privilege 0
username test attributes
 vpn-group-policy VoIP
username test password pasword encrypted privilege 0
username test attributes
 vpn-group-policy VoIP
username cisco password Password encrypted
tunnel-group 111.0.0.18 type ipsec-l2l
tunnel-group 111.0.0.18 ipsec-attributes
 pre-shared-key *
tunnel-group VoIP type remote-access
tunnel-group VoIP general-attributes
 address-pool VoIP_Pool
 default-group-policy VoIP
tunnel-group VoIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c42f6c8871201ac3bf7956d828b05b34
: end

---------------------------------------------------------------------------------------

I have site-to-site VPN working fine for data and voice, and have configured remote access IPsec VPN for roaming users for data and voice, for which voice is not working.

I look forward to your valuable guidance.

Thank you.
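The NAT question raised earlier in the thread can be checked mechanically against a saved config. The following is an added example, not code from any poster in this thread: it assumes the pre-8.3 ASA syntax used above, the function name `audit_nat_exemption` is hypothetical, and the embedded excerpt is constructed from lines of the posted config. It reports VPN address pools whose range is matched by an ACL destination when no `nat (<if>) 0 access-list` statement applies that ACL.

```python
import ipaddress

# Constructed excerpt: NAT-related lines copied from the ASA config posted above.
CONFIG = """\
access-list outside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.15.128 255.255.255.128
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 any
ip local pool VoIP_Pool 192.168.15.150-192.168.15.200 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.200.0 255.255.255.0 norandomseq
nat (inside) 1 192.168.205.0 255.255.255.0 norandomseq
"""

def audit_nat_exemption(config):
    """Return findings for VPN pools without an applied NAT exemption (pre-8.3 syntax)."""
    pools, acl_dsts, applied = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")  # assumes a "first-last" range
            pools[tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"]:
            try:  # destination written as "<network> <mask>"; skip "any"/"host" forms
                dst = ipaddress.ip_network(f"{tok[-2]}/{tok[-1]}")
            except ValueError:
                continue
            acl_dsts.setdefault(tok[1], []).append(dst)
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            applied.add(tok[4])  # nat (<if>) 0 access-list <name>
    findings = []
    for name, (lo, hi) in pools.items():
        # ACLs with a destination network containing the whole pool range
        covering = sorted(acl for acl, nets in acl_dsts.items()
                          if any(lo in n and hi in n for n in nets))
        if not covering:
            findings.append(f"{name}: no ACL destination covers {lo}-{hi}")
        elif not applied.intersection(covering):
            findings.append(f"{name}: covered by {', '.join(covering)} "
                            "but no 'nat (<if>) 0 access-list' applies it")
    return findings

if __name__ == "__main__":
    for finding in audit_nat_exemption(CONFIG):
        print(finding)
```

The check only looks at NAT exemption; inspection policy and routing toward the pool are separate things to verify.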

taufique.shaikh
Level 1

Has anyone got through such a scenario?

Your help is highly appreciated.

Thank you

Did you get this resolved? If not, please feel free to direct message or respond with the HQ router config (with any sensitive information blanked out) and also configs for remote access clients.