09-18-2021 03:44 AM
Hi all,
I have a Cisco C921-4PLTEGB currently connected to the EE network using its Cellular interface.
I have one VLAN (VLAN10) setup to connect back to our corporate network via a tunnel. All traffic by default should go down this tunnel for DHCP (10.11.18.0/24) and corporate services. This works perfectly.
I am then attempting to set up a separate voice VLAN (VLAN20). There is no point sending this traffic down the tunnel as it's just going to be let out at the other end. So my aim is to allow all voice traffic out of the local internet gateway and avoid the tunnel. I have set up a separate VLAN for this and DHCP (192.168.1.0/24) will be allocated by the router.
My next question is, at what point (interface or cryptomap) do I tell any voice traffic (VLAN20) to not go down the tunnel?
Any suggestions would be greatly appreciated.
This is my current config:
Building configuration...

Current configuration : 5950 bytes
!
! Last configuration change at 11:31:19 gmt Sat Sep 18 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool vlan20
 network 192.168.1.0 255.255.255.0
 domain-name my-voice.local
 dns-server 8.8.8.8 4.4.4.4
 default-router 192.168.1.254
 lease 5
!
ip domain name mydomain.local
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C921-4PLTEGB sn PSZ25xxxx
!
object-group network My-IPs
 host x.x.x.x
 host x.x.x.x
!
vtp mode transparent
username administrator privilege 15 secret 5 $1$cqR4$NRzV5quieY0YCexxxx
username xx privilege 2 secret 5 $1$a0Wa$vTpgsppkDxxxxx
!
redundancy
!
crypto ikev2 proposal Prop-HQ-VPN
 encryption aes-cbc-256
 integrity sha256
 group 21
!
crypto ikev2 policy POL-HQ-VPN
 proposal Prop-HQ-VPN
!
crypto ikev2 keyring keyring-1
 peer my-hq
  address x.x.x.x
  pre-shared-key local mykey
  pre-shared-key remote mykey
!
crypto ikev2 profile PROFILE-HQ-VPN
 match identity remote address x.x.x.x 255.255.255.255
 identity local fqdn myrouter.mydomain.local
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring-1
!
no crypto ikev2 diagnose error
crypto ikev2 dpd 500 50 on-demand
no crypto ikev2 certificate-cache
!
controller Cellular 0
 lte sim data-profile 1 attach-profile 1
 lte modem crash-action boot-and-hold
!
vlan 10,20
!
crypto logging ikev2
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 21
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-HQ-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROFILE-ipsec
 set pfs group21
 set ikev2-profile PROFILE-HQ-VPN
!
crypto map CMAP-MY-HQ 1 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set TS-HQ-VPN
 set ikev2-profile PROFILE-HQ-VPN
 match address VPN-TRAFFIC
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 async mode interactive
 crypto map CMAP-MY-HQ
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 20
 no ip address
!
interface GigabitEthernet3
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet5
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.11.18.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nbar protocol-discovery
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Vlan20
 ip address 192.168.1.254 255.255.255.0
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit gre object-group MY-IPs any
 permit esp object-group MYIPs any
 permit ahp object-group MY-IPs any
 permit ip object-group MY-IPs any
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.18.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
snmp-server community my-ro RO
snmp-server location My Office
snmp-server contact Me
snmp-server chassis-id myrouter
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
*                                                           *
* This device is owned and managed by Me.                   *
* Unauthorized access is strictly prohibited.               *
*                                                           *
*************************************************************
^C
!
line con 0
 privilege level 15
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp server ntp.mydomain.local source Cellular0
!
end
09-18-2021 05:01 AM
The ACL VPN-TRAFFIC is what defines the traffic that will be routed over the VPN. Your VLAN 20 source IP addresses aren't listed in that, so they would not be routed over the VPN.
09-18-2021 10:11 AM
Hello @BeckyBoo123 ,
@Elliot Dierksen is correct: it is the extended named ACL VPN-TRAFFIC that in your configuration tells what has to go over the site-to-site VPN tunnel
>> ip access-list extended VPN-TRAFFIC
>>  permit ip 10.11.18.0 0.0.0.255 any
Just to add, to complete the solution you will need to add NAT statements:
interface Vlan 20
ip nat inside
description VOIP
interface Cellular0
ip nat outside
access-list 12 remark NAT for VOIP subnet
access-list 12 permit 192.168.1.0 0.0.0.255
ip nat source inside list 12 interface Cellular0 overload
This would allow Internet access using NAT for users in Vlan 20, the VOIP Vlan.
However, this is not enough to be able to place voice calls via the public internet; your VOIP users should register with a SIP server.
Let us know what you would like to do or if you have already planned how to use the internet access for the VOIP VLAN.
Hope to help
Giuseppe
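To see why the two ACLs in this thread split the traffic the way they do, here is an added Python model (not part of the thread or of IOS) of Cisco wildcard-mask matching applied to the crypto-map ACL VPN-TRAFFIC and the suggested NAT ACL 12. The function names and the third outcome for an address in neither ACL are assumptions of this example; it generalizes the thread's two subnets to any source address.

```python
import ipaddress

# Constructed from the thread's configuration, as (action, network, wildcard).
# Both ACLs only constrain the source (VPN-TRAFFIC's destination is "any",
# ACL 12 is a standard ACL), so only the source address is modelled.
VPN_TRAFFIC = [("permit", "10.11.18.0", "0.0.0.255")]   # crypto map match address
NAT_ACL_12 = [("permit", "192.168.1.0", "0.0.0.255")]   # ip nat inside source list 12


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False


def classify_flow(src: str, ingress_nat_inside: bool) -> str:
    """Hypothetical helper: which path a packet from 'src' takes out of Cellular0.

    ingress_nat_inside is True only for interfaces carrying 'ip nat inside'
    (Vlan20 in the thread); Vlan10 has no NAT statement at all.
    """
    if acl_permits(VPN_TRAFFIC, src):
        return "ipsec-tunnel"        # encrypted to HQ, source address untouched
    if ingress_nat_inside and acl_permits(NAT_ACL_12, src):
        return "nat-internet"        # PAT behind the Cellular0 address
    # Neither ACL covers it: leaves unencrypted with a private source address,
    # which the carrier will drop. Any extra VLAN added later lands here.
    return "cleartext-unnatted"


if __name__ == "__main__":
    for src, nat in [("10.11.18.10", False), ("192.168.1.1", True), ("192.168.2.1", True)]:
        print(src, "->", classify_flow(src, nat))
```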
09-20-2021 04:01 AM
Hi @Elliot Dierksen @Giuseppe Larosa
Thank you for your input, much appreciated!
So, my handset now has an IP from the router (192.168.1.1) and detects VLAN20. I have applied all of the config suggested by @Giuseppe Larosa except for 'ip nat source inside list 12 interface Cellular0 overload' as it says "% Invalid input detected at '^' marker" and points to the word inside.
So as expected I think, the phone still does not register with the provider. It fails to contact the ZTP and SNTP fails. I do have a list of required URLs, IPs and ports for this VoIP provider which I had put into some access lists. Is it worth telling the router to specifically deny them down the tunnel and allow them straight out of the local gateway?
object-group network Masergy-Network
 host 185.60.31.70
 host 185.60.31.71
 host 185.60.31.72
 host 185.60.31.73
 host 185.60.31.74
 host 208.75.11.0
 host 208.75.12.0
 host 208.75.13.0
 host 208.75.14.0
 host 208.75.15.0
 host 208.75.8.0
 host 208.75.8.53
 host 208.75.9.0
 host 64.47.12.0
 host 64.47.12.53
 host 80.241.66.70
 host 80.241.66.71
 host 80.241.66.72
 host 80.241.66.73
 host 80.241.66.74
 host 185.60.31.76
 host 185.60.31.78
 host 185.60.31.79
 host 208.75.11.40
 host 208.75.12.40
 host 208.75.13.40
 host 208.75.14.40
 host 208.75.15.40
 host 208.75.9.40
 host 80.241.66.76
 host 208.75.8.24
 host 64.47.12.26
 host 185.244.195.159
 host 208.75.8.23
 host 99.83.218.79
!
object-group service Masergy-services
 tcp eq 8443
 tcp eq 1081
 tcp range 52644 52645
 tcp eq 5281
 tcp eq 123
 tcp-udp range 1024 3024
 tcp-udp eq 3478
 tcp-udp range 43152 53152
 tcp-udp eq 5050
 tcp-udp eq 5075
 tcp-udp eq 8070
 tcp-udp eq domain
 tcp-udp range 5060 5061
 tcp-udp eq 80
 tcp-udp eq 443
09-20-2021 04:54 AM
Hello @BeckyBoo123 ,
>> ip nat source inside list 12 interface Cellular0 overload'
try
ip nat inside source list 12 interface Cellular0 overload
I have made a wrong suggestion on the fly. I apologize for this.
Without the command above with the correct syntax NAT does not happen and your VOIP devices cannot register with the VOIP provider.
Test again with the correct commands in place
check
using
show ip nat translations | include 192.168.1.
you should see lines for your internal devices when they attempt to go to the internet
Hope to help
Giuseppe
09-20-2021 05:14 AM
That's wonderful, thank you. I entered the amended line and didn't see the issues go away, but as I was typing this up it must have given the phone time to sync and it's working! Awesome!
This is the output I get from 'show ip nat translations | include 192.168.1'.
udp 10.182.115.89:1026 192.168.1.1:5060 208.75.12.40:5060 208.75.12.40:5060
udp 10.182.115.89:1024 192.168.1.1:5060 208.75.15.40:5060 208.75.15.40:5060
tcp 10.182.115.89:16672 192.168.1.1:16672 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:20752 192.168.1.1:20752 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:20830 192.168.1.1:20830 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:23146 192.168.1.1:23146 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:27308 192.168.1.1:27308 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:27703 192.168.1.1:27703 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:28859 192.168.1.1:28859 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:30357 192.168.1.1:30357 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:31547 192.168.1.1:31547 185.60.31.76:443 185.60.31.76:443
tcp 10.182.115.89:32200 192.168.1.1:32200 185.60.31.76:443 185.60.31.76:443
udp 10.182.115.89:35304 192.168.1.1:35304 8.8.8.8:53 8.8.8.8:53
udp 10.182.115.89:36697 192.168.1.1:36697 8.8.8.8:53 8.8.8.8:53
udp 10.182.115.89:37095 192.168.1.1:37095 8.8.8.8:53 8.8.8.8:53
udp 10.182.115.89:37728 192.168.1.1:37728 8.8.8.8:53 8.8.8.8:53
udp 10.182.115.89:38398 192.168.1.1:38398 8.8.8.8:53 8.8.8.8:53
udp 10.182.115.89:39090 192.168.1.1:39090 8.8.8.8:53 8.8.8.8:53
tcp 10.182.115.89:39102 192.168.1.1:39102 185.60.31.76:443 185.60.31.76:443
udp 10.182.115.89:43491 192.168.1.1:43491 91.210.190.13:123 91.210.190.13:123
udp 10.182.115.89:45154 192.168.1.1:45154 78.202.249.102:123 78.202.249.102:123
tcp 10.182.115.89:47644 192.168.1.1:47644 185.60.31.76:443 185.60.31.76:443
udp 10.182.115.89:59873 192.168.1.1:59873 8.8.8.8:53 8.8.8.8:53
So to me it looks like everything is working! Thank you so much!
09-20-2021 08:22 AM
Hello @BeckyBoo123 ,
I am glad that now the phones are registering.
By the way, the most meaningful lines are:
udp 10.182.115.89:1026 192.168.1.1:5060 208.75.12.40:5060 208.75.12.40:5060
udp 10.182.115.89:1024 192.168.1.1:5060 208.75.15.40:5060 208.75.15.40:5060
Because SIP uses UDP 5060, these should be registration attempts.
Best Regards
Giuseppe
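Picking the SIP registrations out of that output by hand gets tedious once a few handsets are registering; this added Python parser (not from the thread or from Cisco) reads 'show ip nat translations' lines in the five-column form shown above and lists the UDP flows to outside port 5060, flagging those where PAT rewrote the phone's source port. The sample lines are copied from the thread's output; the function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Sample constructed from the thread's 'show ip nat translations' output
# (no header row because '| include' filtered it out).
SAMPLE = """\
udp 10.182.115.89:1026 192.168.1.1:5060 208.75.12.40:5060 208.75.12.40:5060
udp 10.182.115.89:1024 192.168.1.1:5060 208.75.15.40:5060 208.75.15.40:5060
tcp 10.182.115.89:16672 192.168.1.1:16672 185.60.31.76:443 185.60.31.76:443
udp 10.182.115.89:43491 192.168.1.1:43491 91.210.190.13:123 91.210.190.13:123
"""


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: str   # address:port seen by the provider (Cellular0 side)
    inside_local: str    # the phone's private address:port
    outside_local: str
    outside_global: str


def split_endpoint(ep: str) -> Tuple[str, int]:
    host, port = ep.rsplit(":", 1)
    return host, int(port)


def parse_nat_translations(text: str) -> List[NatEntry]:
    """Parse translation lines; skip headers, blanks and anything malformed."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        entries.append(NatEntry(*parts))
    return entries


def sip_registrations(entries: List[NatEntry]) -> List[Tuple[str, str, bool]]:
    """(phone, SIP server, port_rewritten) for every UDP flow to outside port 5060.

    port_rewritten is True when PAT changed the source port (1026 vs 5060 in the
    thread), which is worth knowing when a SIP server insists on replying to 5060.
    """
    found = []
    for e in entries:
        server, sport = split_endpoint(e.outside_global)
        if e.proto == "udp" and sport == 5060:
            _, gport = split_endpoint(e.inside_global)
            phone, lport = split_endpoint(e.inside_local)
            found.append((phone, server, gport != lport))
    return found
```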