09-15-2010 02:53 AM - edited 03-04-2019 09:46 AM
Hello,
I'm having trouble splitting VoIP traffic from the data traffic. I am using a 5505 ASA and 3560 switches.
ASA 5505 > catalyst 3560 > IP phone > laptop
on the ASA 5505
------------------------
I configured 4 VLANs:
1 for management
1 for outside
interface Vlan200 (data)
nameif Inside
security-level 100
ip address 10.0.31.15 255.255.255.0
!
interface Vlan400 (voice)
nameif VOIP
security-level 100
ip address 10.20.31.15 255.255.255.0
I configured one trunk port on a non-POE port 0/2
interface Ethernet0/2
description Trunk port to SW1
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk
On the 3560 switch
I configured one trunk on a POE port that connects to the ASA 5505
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 200,400
switchport mode trunk
I configured another POE port where I'm connecting the IP phone (Cisco 7940 or Polycom SoundPoint 501)
description Trunk port IPTEL_DATA
switchport access vlan 200
switchport mode access
switchport voice vlan 400
When connecting the IP phone to that port and connecting a laptop on the phone's switch port, the phone and PC get the correct VLAN and IP assigned, but I'm not able to register the phone with our provider.
When connecting the IP phone directly to a different port on the ASA 5505 (default VLAN 1), the phone immediately gets the config file and registers.
Did I trunk correctly, using trunk mode for the ASA 5505 to Catalyst 3560 and access mode for the Catalyst 3560 to IP phone?
Any help is more than welcome
martin
09-15-2010 03:21 AM
Can you check on the switch that the VLANs are up?
show vlan brief
09-15-2010 03:24 AM
Martin,
First, is the Polycom IP Phone configured manually to use the VLAN 400 and perform 802.1Q VLAN tagging? The Cisco IP phones get their Voice VLAN ID via CDP but I doubt that the Polycom supports CDP, so most probably, it has to be configured for the VLAN 400 manually.
Second, do not change the native VLAN on the trunks to 200. Leave the VLAN 1 as the native VLAN. Make sure that both the VLAN 200 and VLAN 400 are tagged on all trunks between your switches and between a switch and the ASA box. The native VLAN is a different concept that should not be confused here with the data VLAN and frankly, it should not be used for any user traffic (data or voice) at all.
Can you perform these verifications and modifications?
Best regards,
Peter
09-15-2010 03:32 AM
You said that the phone is getting an IP address. Is it true? Is it a correct IP from the VLAN 400 pool?
If that's the case, then VLAN 400 on the access side is working, and we still need to focus on the ASA-switch side.
Also, where is the DHCP server located?
09-15-2010 03:45 AM
@omar - Yes, the VLANs are up on the switch.
- Yes, the phone gets the correct VLAN and IP (Cisco and Polycom), and if I plug a PC into the phone's switch port it gets the correct VLAN and IP.
- The DHCP is located on the ASA.
- Let's focus on the Cisco then, but Polycom supports CDP (both get the correct VLAN and IP when connecting on the switch ports).
- VLAN 1 is the default VLAN, which for the moment is configured on all remaining ports.
- I chose 200 as my native VLAN on the trunk; VLAN 1 isn't trunked from the ASA to the Catalyst switch.
@peter
09-15-2010 03:48 AM
Good then.
Please provide: show interface trunk
09-15-2010 04:01 AM
SW1#show interface trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 200
Port Vlans allowed on trunk
Gi0/1 200,400
Port Vlans allowed and active in management domain
Gi0/1 200,400
Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 200,400
There is no such command on the firewall.
This is the output for show switch vlan:
FW1(config-if)# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 Management up Et0/1, Et0/4, Et0/5, Et0/6
Et0/7
100 Outside up Et0/0
200 Inside up Et0/2, Et0/3
300 DMZ down
400 VOIP up Et0/2, Et0/3
Do you need the output of show interfaces?
09-15-2010 04:11 AM
OK.
I think that it's not a switch problem.
Let's get back to the ASA:
As you mentioned, when you connect the IP phone to a default ASA port (VLAN 1) it works without problem.
And now you're connecting it on a VLAN 400 port.
Can you please provide the related configuration for VLAN 1 as well (or provide the complete config, omitting the public IPs and keys)?
09-15-2010 05:14 AM
: Saved
: Written by enable_15 at 01:29:53.977 UTC Wed Sep 15 2010
!
ASA Version 8.2(2)
!
hostname FW1
domain-name domain.local
enable password r2.d52YOdvbTM6/l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
nameif Outside
security-level 0
ip address 10.10.10.1 255.255.255.240
!
interface Vlan200
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface Vlan300
nameif DMZ
security-level 50
ip address 30.30.30.1 255.255.255.0
!
interface Vlan400
nameif VOIP
security-level 100
ip address 40.40.40.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
description Trunk port to SW1
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk
!
interface Ethernet0/3 = (testing with this interface right now)
description Trunk port to SW4
switchport trunk allowed vlan 200,400
switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_out_in extended permit tcp any interface Outside eq www
access-list acl_out_in extended permit tcp any interface Outside eq 5000
access-list no_nat extended permit ip 200.200.200.0 255.255.255.0 50.50.50.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Management 1500
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu VOIP 1500
ip local pool SSLClientPool 50.50.50.50-50.50.50.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Management) 1 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list no_nat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface www 10.0.31.22 www netmask 255.255.255.255
static (Inside,Outside) tcp interface 5000 10.0.31.97 5000 netmask 255.255.255.255
access-group acl_out_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 87.236.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn vpnfgdn.dns.com
subject-name CN=vpnfqdn.dns.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 2097644c
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config Outside
!
dhcpd address 192.168.1.2-192.168.1.254 Management
dhcpd dns 1.2.3.4 5.6.7.8 interface Management
dhcpd enable Management
!
dhcpd address 20.20.20.50-20.20.20.200 Inside
dhcpd dns 20.20.20.9 20.20.20.10 interface Inside
dhcpd domain domain.local interface Inside
dhcpd enable Inside
!
dhcpd address 30.30.30.50-30.30.30.200 DMZ
dhcpd enable DMZ
!
dhcpd address 40.40.40.50-40.40.40.200 VOIP
dhcpd dns 40.1.2.3 40.4.5.7 interface VOIP
dhcpd enable VOIP
!
priority-queue Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust Outside
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 10.0.31.9
vpn-tunnel-protocol svc
default-domain value htcp.local
address-pools value SSLClientPool
username user1 TEkjf52Nn3sTy/S9 encrypted
username user1 attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ff3725cc876e650c4dd8706b71db402
09-15-2010 05:28 AM
It looks like the problem was that I didn't NAT out for the VOIP interface:
nat (VOIP) 1 0.0.0.0 0.0.0.0
Sorry guys, thanks a lot for the help.
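The two things the thread converges on (Peter's advice not to make a user VLAN the native VLAN, and the missing nat statement for the VOIP interface that Martin found) can both be caught by reading the running config. The audit below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt written in the pre-8.3 nat/global syntax shown above and assumes that style, with the helper names being my own.

```python
import re

# Constructed excerpt in the style of the ASA 8.2(2) config posted above (shortened,
# addresses omitted); it reproduces the two findings discussed in the thread.
SAMPLE_CONFIG = """\
interface Vlan100
 nameif Outside
 security-level 0
interface Vlan200
 nameif Inside
 security-level 100
interface Vlan400
 nameif VOIP
 security-level 100
interface Ethernet0/2
 switchport trunk allowed vlan 200,400
 switchport trunk native vlan 200
 switchport mode trunk
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
"""

def audit(config):
    """Return (nameifs with no NAT rule into a global pool, trunks whose native VLAN is a carried VLAN)."""
    ifaces, nat_ids, global_ids, cur = {}, {}, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"nameif": None, "level": 0, "native": 1,
                                                  "allowed": set(), "trunk": False})
        elif m := re.match(r"nameif (\S+)", line):
            cur["nameif"] = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            cur["level"] = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,]+)", line):
            cur["allowed"] = {int(v) for v in m.group(1).split(",")}   # ranges/'all' not handled
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(int(m.group(1)))        # NAT ids that have an outbound pool
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
    # Inside-type interface (security-level > 0) with no nat id matching a global pool: no outbound translation.
    missing_nat = sorted(i["nameif"] for i in ifaces.values() if i["nameif"] and i["level"] > 0
                         and not (nat_ids.get(i["nameif"], set()) & global_ids))
    # Native VLAN leaves the trunk untagged, so a carried user VLAN (200) as native sends data untagged.
    bad_native = sorted(n for n, i in ifaces.items() if i["trunk"] and i["native"] in i["allowed"])
    return missing_nat, bad_native
```

On the sample, audit() reports VOIP as lacking NAT and Ethernet0/2 as carrying its native VLAN as a user VLAN; adding the nat (VOIP) line from the thread clears the first finding.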