10-02-2014 12:13 PM - edited 03-11-2019 09:51 PM
Hello,
I have a 2911 router with IOS Security and Voice enabled, and we are using CME 8.6. I am using the built-in AnyConnect VPN on 3 phones that are for remote users, and thus I needed to enable security zones on the router. This works, because the remote phones will boot up, get their phone configs, and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from an internal office phone, i.e., NOT involving the PSTN, there is no audio. It's as if no audio is going back and forth. When I take the security zones off the virtual-template interface and the g0/0 interface, the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.8.1 192.168.8.19
!
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
!
!
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
!
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
!
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
!
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
!
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
!
voice class codec 1
codec preference 1 g711ulaw
!
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
!
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
!
!
!
!
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
!
voice translation-rule 2
rule 1 /.*/ /541999999/
!
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
!
!
voice translation-profile Inbound_Calls_To_CUE
translate called 1
!
voice translation-profile InternationalType
translate called 100
!
voice translation-profile Local-CLID
translate calling 2
!
!
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
hw-module sm 1
!
!
!
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
!
!
!
!
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
!
!
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
!
!
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
!
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.17.1 255.255.248.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
!
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
!
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
!
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
!
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
!
!
!
!
!
!
tftp-server flash:apps31.9-3-1ES26.sbn
!
!
!
control-plane
!
!
voice-port 0/0/0:23
!
voice-port 0/3/0
!
voice-port 0/3/1
!
!
!
mgcp profile default
!
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
!
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
!
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
!
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
!
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
!
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
!
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
!
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
!
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
!
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
!
!
!
!
gatekeeper
shutdown
!
!
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
!
!
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
!
!
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
!
!
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
!
!
ephone-dn 29 dual-line
number 252
!
!
ephone-dn 30 dual-line
number 253
!
!
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
!
!
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
!
!
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
!
!
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
!
!
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
!
!
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
!
!
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
!
!
ephone-dn 104
number 8000...
mwi on
!
!
ephone-dn 105
number 8001...
mwi off
!
!
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
!
!
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
!
!
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
!
!
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
!
!
!
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
!
!
!
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
!
!
!
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
!
!
!
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
!
!
!
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
!
!
!
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
!
!
!
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
!
!
!
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
!
!
!
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
!
!
!
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
!
!
!
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
!
!
!
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
!
!
!
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
!
!
!
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
!
!
!
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
!
!
!
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
!
!
!
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
!
!
!
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
!
!
!
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
!
!
!
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
!
!
!
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
!
!
!
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
!
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
!
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
!
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
!
!
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
!
end
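An added check that is not part of any post in this thread: the posted zone configuration puts GigabitEthernet0/0 in zone internet and Virtual-Template1 in zone trusted, but GigabitEthernet0/1 (the 192.168.8.0/21 LAN where the office phones and the CME address 192.168.8.1 live) has no zone-member line at all. The IOS zone-based firewall drops all transit traffic between a zone-member interface and an interface that is in no zone, and no zone-pair can permit that traffic; traffic to and from the router itself (the self zone) stays allowed as long as no zone-pair names self. That behaviour is consistent with the symptoms: SCCP signalling to 192.168.8.1 and the SSL VPN tunnel both terminate on the router, so the remote phones register and ring, while the RTP stream between a LAN phone and a VPN phone has to cross GigabitEthernet0/1 <-> Virtual-Template1 as transit traffic. The Python script below is example code written for this page (not from the original poster or from Cisco): it parses a constructed excerpt of the posted config, classifies every ordered interface pair under the documented ZBFW rules, and re-runs the audit after a candidate fix. Putting GigabitEthernet0/1 into zone trusted is an assumption about the intended design; with it, LAN-to-Internet traffic also becomes subject to firewall-policy, which may or may not be what the site wants.

```python
"""Audit an IOS zone-based firewall (ZBFW) config for interface pairs whose
transit traffic is silently dropped.  Added example, not code from the post.
It encodes the ZBFW rules Cisco documents for IOS:
  1. traffic between two interfaces in the same zone is allowed;
  2. traffic between interfaces in different zones needs a zone-pair (with an
     inspect or pass policy), otherwise it is dropped;
  3. traffic between a zone-member interface and an interface that is in no
     zone is always dropped, and no zone-pair can permit it;
  4. traffic to or from the router itself (zone 'self') is allowed unless a
     zone-pair that names 'self' exists.
Rule 4 is why SCCP signalling to the CME address and the SSL VPN tunnel keep
working; rule 3 is what the audit looks for on the phone-to-phone RTP path.
"""
import re
from itertools import combinations

# Constructed excerpt of the posted config: only the lines the audit reads.
SAMPLE_CONFIG = """\
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
 service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
 service-policy type inspect outside-to-router-policy
!
interface GigabitEthernet0/0
 description Internet
 ip address dhcp
 zone-member security internet
!
interface GigabitEthernet0/1
 ip address 192.168.8.1 255.255.248.0
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security trusted
!
"""


def parse_zbfw(config):
    """Return ({interface: zone-or-None}, {(src_zone, dst_zone), ...})."""
    zone_of, pairs, current = {}, set(), None
    for line in config.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            current = None                      # left the interface block
        m_if = re.match(r"interface (\S+)$", line)
        m_zm = re.match(r" zone-member security (\S+)", line)
        m_zp = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)
        if m_if:
            current = m_if.group(1)
            zone_of[current] = None             # default: member of no zone
        elif m_zm and current:
            zone_of[current] = m_zm.group(1)
        elif m_zp:
            pairs.add((m_zp.group(1), m_zp.group(2)))
    return zone_of, pairs


def verdict(zone_of, pairs, src, dst):
    """Classify transit traffic entering on `src` and leaving on `dst`."""
    zs, zd = zone_of[src], zone_of[dst]
    if zs is None and zd is None:
        return "allowed: neither interface is a zone member"
    if zs is None or zd is None:
        return "DROPPED: zone member <-> non-member, no zone-pair can permit this"
    if zs == zd:
        return "allowed: same zone"
    if (zs, zd) in pairs:
        return f"policed by zone-pair {zs} -> {zd}"
    return f"DROPPED: no zone-pair {zs} -> {zd}"


def audit(config):
    """Map every ordered interface pair to its verdict."""
    zone_of, pairs = parse_zbfw(config)
    return {(s, d): verdict(zone_of, pairs, s, d)
            for a, b in combinations(sorted(zone_of), 2)
            for s, d in ((a, b), (b, a))}


def dropped_pairs(config):
    """Ordered interface pairs whose transit traffic the firewall drops."""
    return sorted(k for k, v in audit(config).items() if v.startswith("DROPPED"))


def with_zone_member(config, iface, zone):
    """Copy of `config` with `iface` moved into `zone` (a candidate fix)."""
    out, in_target = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_target = (line.rstrip() == f"interface {iface}")
            out.append(line)
            if in_target:
                out.append(f" zone-member security {zone}")
        elif in_target and line.startswith(" zone-member security "):
            continue                            # drop any previous membership
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for (s, d), v in audit(SAMPLE_CONFIG).items():
        print(f"{s:>22} -> {d:<22} {v}")
    # LAN phone <-> VPN phone RTP crosses GigabitEthernet0/1 <-> Virtual-Template1.
    fixed = with_zone_member(SAMPLE_CONFIG, "GigabitEthernet0/1", "trusted")
    print("dropped after candidate fix:", dropped_pairs(fixed))
```

Running it prints the per-pair table for the posted config, with both directions of GigabitEthernet0/1 <-> Virtual-Template1 and GigabitEthernet0/1 <-> GigabitEthernet0/0 marked DROPPED, and an empty list after the candidate fix. On the router, `show zone security` and `show zone-pair security` show the same membership and pair data the script reads from the text; the script does not model class-map or ACL contents, so a pair reported as "policed" can still drop traffic its inspect policy does not match.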
10-03-2014 03:49 AM
I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purposes) and then test to see if the calls function properly? If they work fine, then we know that we need to open some ports there.
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 07:32 PM
Hello. I tried that and no luck. I'm wondering if that interface is the issue or is it another one? The remote phones which are connected via vpn will ring but no audio goes back and forth.
10-04-2014 10:15 AM
You could try to add the permit IP any any to the trusted zone policy and see if that sorts things out.