02-25-2020 05:19 AM
I have a Cisco 887VA on site at one of our remote sites. It establishes a VPN to our Cisco ASA using IPsec and a pre-shared key.
That all works fine: our users can connect to all internal services, and internet traffic passes through our internal content filter.
The site has a BT cloud-based phone system that has been installed. They have provided me with a list of IP addresses and ports that the VoIP system needs to reach, which I have added to the router configuration.
The handsets on site can now connect to the provisioning server and can make calls, but they cannot receive them, and the phone company insists it's our firewall at fault. I WAS confident that the router rules were working, and I was under the impression that no traffic from these handsets was travelling down the VPN tunnel; instead I thought it was going straight out to the internet from the local router on site.
That was until I saw this message on the ASA:
4 Feb 25 2020 13:07:16 313005 No matching connection for ICMP error message: icmp src BTnet:10.11.111.10 dst LAN:10.11.2.5 (type 3, code 3) on BTnet interface. Original IP payload: udp src 10.11.2.5/53 dst 10.11.111.10/33898.
10.11.111.10 is the IP of one of the remote phone handsets and 10.11.2.5 is our DHCP/DNS server.
Can anyone assist please?
Building configuration...
Current configuration : 8452 bytes
!
! Last configuration change at 13:07:59 gmt Tue Feb 25 2020 by administrator
!
version 15.7
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-h000612
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Tf3T$0YlkIobS6O5pqJ6jisTZl1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
crypto pki trustpoint TP-self-signed-1063246338
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1063246338
revocation-check none
rsakeypair TP-self-signed-1063246338
!
!
crypto pki certificate chain TP-self-signed-1063246338
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303633 32343633 3338301E 170D3139 31323139 31303535
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30363332
34363333 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AC42 21506E9D 3915B615 8564F971 72405090 BC57FC2F 26F7A962 42DBB115
2963CA90 E44285BC 15B2C2A7 13F85348 A3388D72 42FF30BE 4A5EE9F5 C21BD6E0
FA613792 812378EF 06254D40 B4E6E978 188703BD 296B48FE 0535BFAD E84E3EAD
F79F1D2F FE7EE109 A1072427 8E32564F 4748E466 F42B8D9E 07209CBF FDFF5505
91BD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 143929A7 496DE5B6 6CD7A3CB 6FEE9657 F2278CC9 8F301D06
03551D0E 04160414 3929A749 6DE5B66C D7A3CB6F EE9657F2 278CC98F 300D0609
2A864886 F70D0101 05050003 81810076 71CB9686 7AFCB286 43BFB0AB 5367F0ED
DE79F96A E64DB660 B1714A50 D6031C83 D917074D 2317920E B8F7953C 3F090A9C
0A98EE47 BF98E569 7ACE55CB 3384BE06 6630960E 09334378 66C3A4D1 80DA0B45
463B3DF5 77A38954 B1EA3714 C5E5FC91 6DC5AD6C E4C4D744 FE64D3FF E6F1D733
0FB3A3BE 0F19E559 31296828 9E1F4C
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name xxx.local
ip name-server 10.11.210.3
ip name-server 194.73.82.242
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2344C21G
!
!
object-group network BT-RANGES
62.7.201.160 255.255.255.224
62.7.201.128 255.255.255.224
213.120.60.128 255.255.255.224
213.120.60.192 255.255.255.224
213.120.76.0 255.255.255.224
213.120.76.32 255.255.255.224
213.120.76.64 255.255.255.224
147.152.35.96 255.255.255.248
147.152.35.104 255.255.255.248
213.120.60.160 255.255.255.224
213.120.60.224 255.255.255.224
host 193.113.10.33
host 193.113.11.35
host 193.113.10.34
host 193.113.11.36
host 193.113.10.10
host 193.113.11.10
host 193.113.10.27
host 193.113.11.27
host 193.113.10.11
host 193.113.11.11
host 193.113.10.7
host 193.113.11.7
host 193.113.10.8
host 193.113.11.8
host 193.113.10.12
host 193.113.11.12
host 193.113.10.13
host 193.113.11.13
host 193.113.10.32
host 193.113.11.34
host 92.233.55.99
62.7.201.136 255.255.255.248
217.32.186.0 255.255.255.192
217.32.186.64 255.255.255.192
217.32.186.128 255.255.255.192
62.7.201.128 255.255.255.248
host 194.72.6.57
host 194.73.82.242
host 213.121.43.135
host 68.142.70.29
host 185.120.34.123
host 81.7.16.52
!
object-group service BT-SERVICES
tcp range 5060 5075
udp range 5060 5075
tcp eq 8933
udp eq 8933
udp range 32766 65535
tcp eq 123
udp eq ntp
tcp eq 443
tcp eq 5222
tcp eq 1081
tcp eq 5281
tcp eq 5269
tcp eq 8443
tcp eq 2209
tcp eq 8310
udp eq 8310
udp eq 443
tcp eq domain
udp eq domain
icmp
!
object-group network GOOGLERANGES
host 8.8.8.8
64.18.0.0 255.255.240.0
64.233.160.0 255.255.224.0
173.194.0.0 255.255.0.0
207.126.144.0 255.255.240.0
209.85.128.0 255.255.128.0
216.58.32.0 255.255.224.0
216.58.192.0 255.255.224.0
216.58.208.0 255.255.240.0
66.102.0.0 255.255.240.0
66.249.80.0 255.255.240.0
72.14.192.0 255.255.192.0
74.125.0.0 255.255.0.0
host 92.233.55.99
!
object-group service GOOGLESERVICES
tcp eq www
tcp eq 443
tcp eq 5222
tcp range 19305 19309
udp range 19305 19309
tcp range 5228 5230
icmp
udp eq 443
tcp eq 993
tcp eq 465
tcp eq smtp
udp eq 80
tcp eq 8310
udp eq 8310
!
object-group network HGL-IPs
host xx.xx.xx.xx
host xx.xx.xx.xx
!
username administrator privilege 15 secret 5 xxx
redundancy
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport access vlan 111
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport access vlan 111
no ip address
!
interface FastEthernet2
switchport access vlan 111
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan111
description xxx VLAN
ip address 10.11.111.254 255.255.255.0
ip helper-address 10.11.202.1
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description Dialer interface for VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx@xxx.com
ppp chap password 7 xxx
ppp ipcp address accept
no cdp enable
crypto map VPN-TO-HQ
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list NATINSIDE interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended LOCKDOWN-IN
permit udp any any eq bootps
permit udp any any eq bootpc
permit gre object-group HGL-IPs any
permit esp object-group HGL-IPs any
permit ahp object-group HGL-IPs any
permit ip object-group HGL-IPs any
permit object-group BT-SERVICES object-group BT-RANGES any
permit ip object-group GOOGLERANGES any
ip access-list extended LOCKDOWN-OUT
permit udp any any eq bootps
permit udp any any eq bootpc
permit ahp any object-group HGL-IPs
permit esp any object-group HGL-IPs
permit gre any object-group HGL-IPs
permit ip any object-group HGL-IPs
permit object-group GOOGLESERVICES any object-group GOOGLERANGES
permit object-group BT-SERVICES any object-group BT-RANGES
permit icmp 0.0.0.10 255.255.255.0 object-group BT-RANGES
permit icmp 0.0.0.11 255.255.255.0 object-group BT-RANGES
permit icmp 0.0.0.12 255.255.255.0 object-group BT-RANGES
ip access-list extended NATINSIDE
permit ip 10.11.111.0 0.0.0.255 object-group GOOGLERANGES
permit ip 10.11.111.0 0.0.0.255 object-group BT-RANGES
ip access-list extended VPN-TRAFFIC
permit ip 10.11.111.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
snmp-server community hgp-ro RO
snmp-server location xxx
snmp-server contact Group IT
snmp-server chassis-id rtr-h000612
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
vstack
privilege exec level 2 show startup-config
privilege exec level 2 show
!
line con 0
exec-timeout 1440 0
privilege level 15
no modem enable
line aux 0
line vty 0 4
transport input all
!
no scheduler allocate
!
!
!
!
!
!
end
02-25-2020 06:05 AM
Hi,
I have noticed that in your split-tunnel ACL named VPN-TRAFFIC, all the traffic from source 10.11.111.0/24 is going to match and be sent over the IPsec VPN tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.111.0 0.0.0.255 any
Can you modify the above ACL to match the specific subnets in the destination instead of matching any? Also don't forget to modify the ACL at the HQ site as well.
02-25-2020 06:14 AM
Thank you for taking the time to reply. Any suggestions are appreciated.
Are you saying that because of this entry, it's forcing all traffic through the VPN tunnel, including the phone data?
My DHCP scope for this network is 10.11.111.0/24. All of my devices, including phones, are using this pool. The three phones on site have been assigned 10.11.111.10, 10.11.111.11 and 10.11.111.12.
Would it be easier to put my PC pool into another object group and just allow that group down the tunnel?
I need to be careful messing with the router as it's not on site and I don't want to lock myself out or disconnect any user.
02-25-2020 06:57 AM - edited 02-25-2020 07:01 AM
Hi,
Yes, that's correct: because of that ACL, all the traffic, including the phone data, traverses the VPN.
If there is no VoIP communication required between the remote site and your location, then I would suggest you change the voice VLAN and subnet for the phones, or create a new subnet and VLAN for the phones. By doing this you will not disturb any IPsec-related configuration. Once the subnet is changed, the phones will not be using the VPN unless you add their new subnet to the ACL.
I believe the above is the easiest since it will not disrupt anything.
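The two replies above propose different ways to keep the handsets off the tunnel: narrow the crypto-map ACL to specific HQ destinations, or move the phones to a subnet that the posted ACL does not cover. The following is an added example written for this page, not code from the thread or from Cisco. It parses the ASA 313005 message quoted in the question, then evaluates the inner flow (and a few other flows from the thread) against the VPN-TRAFFIC ACL exactly as posted and against both remediations, using plain first-match ACL semantics with the implicit deny. It models only crypto-ACL matching, not the router's NAT order of operations. The HQ summary prefix 10.11.0.0/16 and the new phone subnet 10.11.112.0/24 are assumptions: the thread shows HQ hosts 10.11.2.5, 10.11.202.1 and 10.11.210.3 but never states the HQ prefix, and it never names the new voice subnet.

```python
"""Added example (not from the thread): parse the ASA 313005 syslog line quoted in the
question and test which flows are "interesting traffic" for the IPsec tunnel under the
crypto-map ACL as posted and under the two proposed remediations."""
import ipaddress
import re
from dataclasses import dataclass

# The ASA log line quoted in the question, copied verbatim.
ASA_LINE = ("4 Feb 25 2020 13:07:16 313005 No matching connection for ICMP error message: "
            "icmp src BTnet:10.11.111.10 dst LAN:10.11.2.5 (type 3, code 3) on BTnet interface. "
            "Original IP payload: udp src 10.11.2.5/53 dst 10.11.111.10/33898.")

# Field layout of message 313005 as it appears in the quoted line.
ASA_313005 = re.compile(
    r"313005 No matching connection for ICMP error message: "
    r"icmp src (?P<src_if>[^\s:]+):(?P<src>[\d.]+) dst (?P<dst_if>[^\s:]+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<rx_if>\S+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<o_src>[\d.]+)/(?P<o_sport>\d+) "
    r"dst (?P<o_dst>[\d.]+)/(?P<o_dport>\d+)\.")


def parse_313005(line):
    """Return the fields of an ASA 313005 message as a dict, or None if it does not match."""
    m = ASA_313005.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("type", "code", "o_sport", "o_dport"):
        fields[key] = int(fields[key])
    return fields


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard(addr, wild):
    """IOS 'address wildcard' notation (10.11.111.0 0.0.0.255) to an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_action(acl, src, dst):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def tunnel_bound(acl, src, dst):
    """A flow permitted by the crypto-map ACL is selected for the IPsec tunnel."""
    return acl_action(acl, src, dst) == "permit"


# Crypto-map ACL exactly as posted: every packet sourced from the site LAN is interesting.
VPN_TRAFFIC_POSTED = [Ace("permit", wildcard("10.11.111.0", "0.0.0.255"), ANY)]

# Reply 1: match only HQ destinations. 10.11.0.0/16 is an ASSUMED summary of the HQ hosts
# seen in the thread (10.11.2.5, 10.11.202.1, 10.11.210.3); the thread never states it.
HQ_ASSUMED = ipaddress.ip_network("10.11.0.0/16")
VPN_TRAFFIC_SPECIFIC = [Ace("permit", wildcard("10.11.111.0", "0.0.0.255"), HQ_ASSUMED)]

# Reply 2: re-address the handsets and leave the ACL alone. Constructed subnet, not from the thread.
MOVED_PHONE = "10.11.112.10"


def classify_flows():
    """Evaluate the flows discussed in the thread under each ACL variant."""
    ev = parse_313005(ASA_LINE)
    phone, hq_dns = ev["o_dst"], ev["o_src"]   # 10.11.111.10 and 10.11.2.5 from the log
    bt_server = "62.7.201.161"                 # inside the posted BT-RANGES entry 62.7.201.160/27
    return {
        "posted: phone->HQ DNS":     tunnel_bound(VPN_TRAFFIC_POSTED, phone, hq_dns),
        "posted: phone->BT":         tunnel_bound(VPN_TRAFFIC_POSTED, phone, bt_server),
        "specific: phone->HQ DNS":   tunnel_bound(VPN_TRAFFIC_SPECIFIC, phone, hq_dns),
        "specific: phone->BT":       tunnel_bound(VPN_TRAFFIC_SPECIFIC, phone, bt_server),
        "new subnet: phone->BT":     tunnel_bound(VPN_TRAFFIC_POSTED, MOVED_PHONE, bt_server),
        "new subnet: phone->HQ DNS": tunnel_bound(VPN_TRAFFIC_POSTED, MOVED_PHONE, hq_dns),
    }


if __name__ == "__main__":
    for label, via_tunnel in classify_flows().items():
        print(f"{label:28s} -> {'tunnel' if via_tunnel else 'not tunnel'}")
```

Running it shows why the two replies differ in scope: with the posted ACL every handset flow is tunnel-bound; with a destination-specific ACL the handset-to-BT flows leave the tunnel but the handset-to-10.11.2.5 DNS flow from the log still matches, so handsets that keep receiving HQ DNS servers via the DHCP helper still send that traffic through the VPN; with a new voice subnet nothing from the handsets matches the ACL at all.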