Voice Vlan Question

galaga
Level 1

Could someone tell me where I am going wrong?

I keep getting this error from the router trying to communicate with call manager via IP phone

013849: *May  4 14:53:56.302 EST-5: ICMP: dst (192.168.225.223) administratively prohibited unreachable sent to 10.1.105.8

013850: *May  4 14:54:16.090 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

I have an ACL error; I am not seeing where it is.

Thanks for any help

Router config:

dot11 syslog
ip source-route
!
ip dhcp excluded-address 172.24.105.1 192.168.105.10
ip dhcp excluded-address 10.1.105.1 10.1.105.5
!
ip dhcp pool data
   network 172.24.105.0 255.255.255.0
   option 150 ip 172.24.225.224 172.24.225.223
   dns-server 172.24.225.31
   default-router 172.24.105.2
!
ip dhcp pool voice
   network 10.1.105.0 255.255.255.0
   dns-server 172.24.225.31
   option 150 ip 172.24.225.224 172.24.225.223
   default-router 10.1.105.2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name
ip name-server 172.24.225.30
ip name-server 172.24.225.31
no ipv6 cef
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key vpntest123 address 12.164.100.105
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 1 ipsec-isakmp
set peer 207.264.100.105
set transform-set esp-3des-sha
match address ipsec-rule
!
!
!
!
archive
log config
  hidekeys
!
!
ip ssh version 1
!
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
    priority percent 70
class AutoQoS-VoIP-Control-Trust
    bandwidth percent 5
class class-default
    fair-queue
!
!
!
!
interface FastEthernet0
ip address 207.264.100.252 255.255.255.0
ip broadcast-address 0.0.0.0
ip access-group abc-in in
ip access-group abc-out out
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
crypto map ipsec-tunnel
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
description uplink to switch
switchport trunk native vlan 105
switchport mode trunk
auto qos voip trust
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.1.105.2 255.255.255.0
!
interface Vlan105
ip address 172.24.105.2 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.264.100.1
no ip http server
ip http secure-server
!
!
ip nat inside source list nat-out interface FastEthernet0 overload
!
ip access-list extended abc-in
permit udp host 12.164.100.105 eq isakmp host 12.164.100.252 eq isakmp
permit esp host 12.164.100.105 host 12.164.100.252
deny   ip any any
ip access-list extended abc-out
permit udp host 12.164.100.252 eq isakmp host 12.164.100.105 eq isakmp
permit esp host 12.164.100.252 host 12.164.100.105
deny   ip any any
ip access-list extended ipsec-rule
permit ip 172.24.105.0 0.0.0.255 any
deny   ip any any
ip access-list extended nat-out
deny   ip 172.24.105.0 0.0.0.255 any
deny   ip 10.1.105.0 0.0.0.255 any

permit ip any any

switch config:

Switch#sh run
Building configuration...

Current configuration : 3498 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
system mtu routing 1500
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 105
switchport trunk allowed vlan 10
switchport mode access
switchport voice vlan 10
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
auto qos trust
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description uplink to router
switchport trunk native vlan 105
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
auto qos trust
!
interface Vlan1
no ip address
!
interface Vlan105
ip address 172.24.105.10 255.255.255.0
!
ip default-gateway 172.24.105.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
line vty 5 15
!
end


galaga
Level 1

Sorry:

Correct error message:

013849: *May 4 14:53:56.302 EST-5: ICMP: dst (172.24.225.223) administratively prohibited unreachable sent to 10.1.105.8

013850: *May 4 14:54:16.090 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

Hello Jeff,

your IP phone has IP address 10.1.105.8 in the voice DHCP pool; the call manager should be at the other site

you have IPsec, and the ACL that decides what is interesting (what should go over IPsec) says:

ip access-list extended ipsec-rule

permit ip 172.24.105.0 0.0.0.255 any

deny   ip any any

add a second line before the last line to allow communication with the call manager, like

permit ip 10.1.105.0 0.0.0.255 172.24.225.0 0.0.0.255

Hope to help

Giuseppe

Giuseppe,

I added the line, it did not work.

Do I have to add something to the crypto map on the ASA too?

Thanks for the help

Hello Jeff,

yes, the other IPsec endpoint's ACL also has to be updated with a mirrored statement; I forgot to mention this in the previous post.

if it was a router you would need a line like (mirrored)

permit ip 172.24.225.0 0.0.0.255 10.1.105.0 0.0.0.255

you need to write the ACL line in the correct syntax for your ASA

Edit:

more specifically, ACLs defined on the ASA (for example in version 7.2) use network masks instead of wildcard masks

In the following example, the security appliance applies the IPsec protections assigned to the crypto map to all traffic flowing from the 10.0.0.0 subnet to the 10.1.1.0 subnet.

access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

see

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html#wp1042707

Hope to help

Giuseppe

Giuseppe,

Here is the ASA config below:

Here is the ACL for the crypto map:

access-list outside_5_cryptomap extended permit ip any vpntest 255.255.255.0

Should I add:

access-list outside_5_cryptomap extended permit ip 10.1.105.0 255.255.255.0 vpntest 255.255.255.0

or

access-list outside_5_cryptomap extended permit ip vpntest 255.255.255.0 10.1.105.0 255.255.255.0

name vpntest

ns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 207.164.100.105 255.255.255.0 standby 207.164.100.106
!
interface Ethernet0/1
nameif inside
security-level 99
ip address 172.3.3.1 255.255.255.248 standby 172.3.3.2
!
interface Ethernet0/2
description DMZ Network
speed 100
duplex full
nameif dmz
security-level 50
ip address 172.24.226.1 255.255.255.0 standby 172.24.226.2
!
interface Ethernet0/3
description
speed 100
duplex full
shutdown
nameif dev
security-level 0
ip address 172.24.236.1 255.255.255.0
rip send version 1
!
interface Management0/0
description LAN Failover Interface
!
boot system disk0:/asa823-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Mail_Services tcp
port-object eq pop3
port-object eq smtp
port-object eq imap4
object-group service Web tcp
port-object eq www
port-object eq https
object-group network DNS_Servers
network-object webserv1 255.255.255.255
network-object webserv2 255.255.255.255
object-group network Web_Servers
network-object Addon 255.255.255.255
network-object Webprod 255.255.255.255
object-group service ClientAccess tcp-udp
port-object eq 5555
port-object eq 2001
port-object eq 449
port-object eq 447
port-object eq 446
port-object eq 397
port-object range 8470 8480
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object 172.24.225.0 255.255.255.0
network-object 172.24.226.0 255.255.255.0
network-object IDF_4 255.255.255.0
network-object 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
service-object tcp eq https
service-object udp eq domain
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_7 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ssh
object-group service Web_8080 tcp
port-object eq 8080
object-group service DM_INLINE_TCP_2 tcp
group-object Terminal_Servers
port-object eq www
object-group service DM_INLINE_TCP_5 tcp
group-object Terminal_Servers
port-object eq www
access-list inside_pnat_outbound extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any host 207.164.100.176 object-group Terminal_Servers
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 207.164.100.180 object-group Terminal_Servers
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 207.164.100.188 eq https
access-list outside_access_in
access-list outside_access_in extended permit tcp any host 207.164.100.190 eq https
access-list outside_access_in remark TMW Cluster
access-list outside_access_in extended permit tcp any host 207.164.100.202 object-group Terminal_Servers inactive
access-list outside_access_in remark pipeyard
access-list outside_access_in extended permit tcp any host 207.164.100.210 object-group Terminal_Servers inactive
access-list outside_access_in remark AS400 Dashboard
access-list outside_access_in extended permit tcp any host 207.164.100.212 object-group dashboard
access-list outside_access_in remark utsigw4
access-list outside_access_in extended permit tcp any host 207.164.100.50 eq smtp
access-list outside_access_in extended permit udp 172.24.220.0 255.255.255.0 172.24.220.0 255.255.255.0
access-list inside_pnat_outbound_V1 extended permit ip any any
access-list inside_access_in remark Block all traffic to DEV except 3389
access-list inside_access_in extended permit object-group TCPUDP any 172.24.236.0 255.255.255.0 object-group Terminal_Servers
access-list inside_access_in remark Block all DEV traffic
access-list inside_access_in extended deny ip any 172.24.236.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any 172.24.236.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list anytodmz extended permit ip any 172.24.226.0 255.255.255.0
access-list any192168 extended permit ip 172.24.0.0 255.255.0.0 172.24.0.0 255.255.0.0
access-list any192168 extended permit ip any IDF_4 255.255.255.192
access-list any192168 extended permit ip host 172.24.225.18 172.24.225.240 255.255.255.240
access-list any192168 extended permit ip 172.24.0.0 255.255.0.0 172.24.225.240 255.255.255.240
access-list any192168 extended permit ip any 172.24.220.32 255.255.255.224
access-list any192168 extended permit ip any 172.24.225.224 255.255.255.240
access-list any192168 extended permit ip any 172.24.220.16 255.255.255.240
access-list any192168 extended permit ip any 172.24.220.0 255.255.255.0
access-list any192168 extended permit ip any host 172.24.220.20
access-list any192168 extended permit ip any host 172.24.225.235
access-list any192168 extended permit ip any 172.24.220.224 255.255.255.224
access-list any192168
access-list any192168 extended permit ip vpntest 255.255.255.0 any
access-list wan_access_in extended permit object-group DM_INLINE_SERVICE_1 172.24.236.0 255.255.255.0 any
access-list local_lan_access standard permit any
access-list dmz_nat0_outbound extended permit ip any 172.24.225.224 255.255.255.240
access-list dmz_nat0_outbound extended permit ip any 172.24.220.16 255.255.255.240
access-list dmz_nat0_outbound extended permit ip any 172.24.220.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any host 172.24.220.20
access-list dmz_nat0_outbound extended permit ip any host 172.24.225.235
access-list dmz_nat0_outbound
access-list dmz_nat0_outbound extended permit ip 172.24.226.0 255.255.255.0 vpntest 255.255.255.0
access-list Test_splitTunnelAcl standard permit any
access-list default_rip_in_acl standard deny any
access-list default_rip_out_acl standard permit host 0.0.0.0
access-list default_out_rip_acl standard deny any
access-list outside_5_cryptomap extended permit ip any vpntest 255.255.255.0
access-list outside_cryptomap_5 extended permit ip any vpntest 255.255.255.0
pager lines 24

mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dev 1500

ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit attack action alarm drop
failover
failover lan unit primary
failover lan interface state Management0/0
failover replication http
failover interface ip state 172.24.223.1 255.255.255.0 standby 172.24.223.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin

asdm history enable
arp timeout 14400
nat-control
global (outside) 10 207.164.100.200-12.164.100.230
global (outside) 10 207.164.100.117
nat (outside) 10 vpntest 255.255.255.0
nat (outside) 10 172.24.220.0 255.255.255.0
nat (inside) 0 access-list any192168
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
nat (dev) 0 access-list any192168
nat (dev) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 12.164.100.10  netmask 255.255.255.255
static (dmz,outside) 12.164.100.180  netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group wan_access_in in interface dev
!
router eigrp 100
no auto-summary
eigrp router-id 10.3.3.1
network 10.3.3.0 255.255.255.248
network 172.24.226.0 255.255.255.0
redistribute static metric 1000000 10 255 1 1500
!
route outside 0.0.0.0 0.0.0.0 12.164.100.1 1
route inside 172.24.101.0 255.255.255.0 10.3.3.4 1
route inside 172.24.217.0 255.255.255.0 10.3.3.4 1
route outside 172.24.220.0 255.255.255.0 12.164.100.1 1
route inside IDF_3 255.255.255.0 10.3.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

aaa local authentication attempts max-fail 3
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http 172.24.220.232 255.255.255.255 inside
http 172.24.220.231 255.255.255.255 inside
http 172.24.225.235 255.255.255.255 inside
http 172.24.225.105 255.255.255.255 inside
http 172.24.229.50 255.255.255.255 inside
http 172.24.229.29 255.255.255.255 inside
http 172.24.229.55 255.255.255.255 inside
http 172.24.227.102 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds


crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 207.164.100.252
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet 172.24.225.105 255.255.255.255 inside
telnet 172.24.220.232 255.255.255.255 inside
telnet 172.24.220.231 255.255.255.255 inside
telnet 172.24.229.55 255.255.255.255 inside
telnet timeout 5
ssh 172.24.229.50 255.255.255.255 inside
ssh 172.24.229.29 255.255.255.255 inside
ssh 172.24.220.232 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside ftp01 /
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 172.24.225.30 172.24.225.31
vpn-tunnel-protocol IPSec webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization

tunnel-group 207.64.100.252 type ipsec-l2l
tunnel-group 207.164.100.252 type ipsec-l2l
tunnel-group 207.164.100.252 general-attributes
default-group-policy site-to-site
tunnel-group 207.164.100.252 ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp strict
  inspect ip-options
  inspect sip 
!
service-policy global_policy global
smtp-server 172.24.225.172
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Hello Jeff,

if the ASA is in the HQ where the call manager is located, you need to add a line like

access-list outside_5_cryptomap extended permit ip 172.24.225.0 255.255.255.0 10.1.105.0 255.255.255.0

the reason is that the ASA examines packets that are sent to the IP phones, so subnet 10.1.105.0 must appear in the destination field and not in the source field; this is what I mean by a mirrored statement.

note: the more elegant way to do this is to add network 10.1.105.0 to the network object vpntest (if vpntest is a network object; this is my guess, I didn't find the vpntest definition in your configuration)

Hope to help

Giuseppe
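As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python check for the "mirrored statement" rule described in the two replies above: it parses the router-side crypto ACL (IOS, wildcard masks) and the ASA-side crypto ACL (network masks) into source/destination pairs and reports every permit entry on one side that no entry on the other side covers in reverse. The ACL lines are the ones posted in this thread; the assumption that the ASA name `vpntest` resolves to 172.24.105.0 is mine, since the thread never shows its definition.

```python
"""Mirror check for a router-side (IOS, wildcard mask) and ASA-side (network
mask) IPsec crypto ACL. Added example; the ACL text is taken from the thread,
the value of the ASA name 'vpntest' is an assumption."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _ios_operand(tokens, i):
    """Consume one IOS address operand (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be a contiguous run of low-order ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False), i + 2


def _asa_operand(tokens, i, names):
    """Consume one ASA address operand (any | host A | A NETMASK) at tokens[i];
    'names' maps ASA 'name' objects to addresses."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_ios_acl(text):
    """[(action, src_net, dst_net)] for the 'permit/deny ip' lines of an IOS
    named extended ACL body; the header line and remarks are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, i = _ios_operand(t, 2)
        dst, _ = _ios_operand(t, i)
        entries.append((t[0], src, dst))
    return entries


def parse_asa_acl(text, acl_name, names=None):
    """[(action, src_net, dst_net)] for the 'access-list NAME extended
    permit/deny ip ...' lines belonging to one ASA ACL."""
    names = names or {}
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", acl_name, "extended"] or t[4] != "ip":
            continue
        src, i = _asa_operand(t, 5, names)
        dst, _ = _asa_operand(t, i, names)
        entries.append((t[3], src, dst))
    return entries


def _covered(src, dst, pairs):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def unmirrored(router_entries, asa_entries):
    """Permit pairs on each side that the other side does not cover in reverse
    (src/dst swapped). Returns (missing_on_asa, missing_on_router)."""
    r = [(s, d) for a, s, d in router_entries if a == "permit"]
    a = [(s, d) for act, s, d in asa_entries if act == "permit"]
    missing_on_asa = [f"{s} -> {d}" for s, d in r if not _covered(d, s, a)]
    missing_on_router = [f"{s} -> {d}" for s, d in a if not _covered(d, s, r)]
    return missing_on_asa, missing_on_router


# Sample ACLs as posted in the thread: router ACL with the added phone line,
# ASA ACL before and after the mirrored line is added.
ROUTER_ACL = """
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 permit ip 10.1.105.0 0.0.0.255 172.24.225.0 0.0.0.255
 deny   ip any any
"""
ASA_ACL_BEFORE = "access-list outside_5_cryptomap extended permit ip any vpntest 255.255.255.0\n"
ASA_ACL_AFTER = ASA_ACL_BEFORE + (
    "access-list outside_5_cryptomap extended permit ip 172.24.225.0 255.255.255.0 "
    "10.1.105.0 255.255.255.0\n")
NAMES = {"vpntest": "172.24.105.0"}  # assumption: vpntest is never defined in the thread


def check(asa_text):
    return unmirrored(parse_ios_acl(ROUTER_ACL),
                      parse_asa_acl(asa_text, "outside_5_cryptomap", NAMES))


if __name__ == "__main__":
    for label, text in (("before", ASA_ACL_BEFORE), ("after", ASA_ACL_AFTER)):
        on_asa, on_router = check(text)
        print(f"{label}: missing on ASA {on_asa}, missing on router {on_router}")
```

With the ASA ACL as originally posted, the check reports that the phone subnet entry `10.1.105.0/24 -> 172.24.225.0/24` has no reverse on the ASA; after the mirrored line is added both lists are empty. The coverage test is deliberately "is contained in" rather than "is equal to", so a broader entry on one side (such as the ASA's `any`) still counts as a mirror.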

Giuseppe

Thanks for the explanation!!!!

I am still getting this error

046079: *May  7 10:57:31.857 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

046080: *May  7 10:57:36.189 EST-5: RT: NET-RED 0.0.0.0/0

046081: *May  7 10:58:33.113 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

046082: *May  7 10:58:36.189 EST-5: RT: NET-RED 0.0.0.0/0

046083: *May  7 10:59:34.297 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

046084: *May  7 10:59:36.189 EST-5: RT: NET-RED 0.0.0.0/0

Is my static route to 10.1.105.0 on the router correct?

Without the route the phone did not seem to get an IP?

Thanks a lot for the help!!!!!

Hello Jeff,

the router needs some routing information in order to send packets sourced by the IP phones with destination = call manager out of the interface where the crypto map is applied.

The best way to do this is to use a static route pointing to that interface; the same has to be done for the IP phone subnet on the ASA located in HQ.

ip route A.B.C.D 255.255.255.0 fastethernet0 

in the case of the router

This happens because you are using direct IPsec encapsulation instead of GRE over IPSec.

you should find out which node 10.1.105.3 is in your network, as it looks like it has a better route for prefix 192.168.225.224. That is the meaning of an ICMP redirect: the router tells the client that there is another router, with IP address 10.1.105.3, that has a better route to the destination.

Edit:

what is the IP address of the call manager?

in previous posts it looked like something like 172.x.225.224; the message is related to an attempt to reach 192.168.225.224

Hope to help

Giuseppe

Giuseppe

Thanks again for the replies, I really appreciate it.

10.1.105.3 is the voice vlan on the switch.

On the router I have a static route pointing to 10.1.105.3, which is on the switch.

Should I remove the static route to 10.1.105.3 on the router, and on the router add ip route 10.1.105.0 255.255.255.0 fastethernet0 ???

and on the ASA add ip route 10.1.105.0 255.255.255.0 to the call manager IP?

We are using eigrp is there a way to avoid the static routes ?

Hello Jeff,

good to know that 10.1.105.3 is the switch SVI.

However, your network scenario and what you want to achieve with the IPsec VPN are not clear.

If you are using EIGRP I guess that the IPsec VPN is a sort of backup and that you have a separate path to HQ where you run the EIGRP routing protocol.

Before making other changes I would suggest posting a network diagram and deciding whether the IPsec VPN is to be used for backup purposes only, or whether you want to move different types of traffic over different paths.

In order to be able to use EIGRP over the VPN you would need a different configuration, in which you use a point-to-point GRE tunnel that is then encrypted with IPsec. This double encapsulation would allow you to run EIGRP over the GRE tunnel as if it were a direct link between the router and the other endpoint.

However, this might not be feasible on the ASA. I'm afraid it does not support GRE over IPsec.

Hope to help

Giuseppe

Giuseppe,

We have one ASA at HQ. At the remote site there is an 1811 router and a 2960C switch. I am trying to get the clients access to the phones behind the switch.

The tunnel works great except for the voice.

The ASA has EIGRP on it; no tunnels are configured for GRE. For now the IPsec VPN is for backup at the remote site; there is no EIGRP set up at any remote site.

I need the phones to work at the remote site; however, I am being cautious about adding routes to the ASA.

Am I correct in doing this: ??

On the router I have a static route pointing to 10.1.105.3, which is on the switch.

Should I remove the static route to 10.1.105.3 on the router, and on the router add ip route 10.1.105.0 255.255.255.0 fastethernet0 ???

and on the ASA add ip route 10.1.105.0 255.255.255.0 to the call manager IP?

Hello Jeff,

here is my understanding:

VOIP phone ------ C1811 ---(IPSEC tunnel) --     Internet -----------------(IPSEC tunnel)----   ASA ---- HQ --- VOIP server

the ASA has the EIGRP routing protocol, which is used ONLY on the HQ internal network.

The remote site has two network devices: a C1811 that terminates the IPsec tunnel and a C2960C.

According to your first posts, the C2960C is configured for L2 operation (ip default-gateway command). No EIGRP is running at the remote site.

But if that is the case, the IPsec tunnel is the only way to reach HQ, so it is NOT for backup purposes only; it is the primary link.

You noted that the data IP subnet of the remote site is correctly served by the IPsec tunnel.

This is your starting point:

ACLs have to be updated in order to handle the IP phone subnet on the remote office side and the VOIP server on the HQ side.

How to modify the ACLs has been discussed previously (only the VOIP server IP subnet has to be clarified).

Static routes may need to be updated.

Again the input data should be:

Ip phone subnet = 10.1.105.0 255.255.255.0   on remote site (vlan 10)

VOIP server = in HQ subnet 172.24.225.0 OR 192.168.225.0 (this is not clear)

the IP phones are directly connected to the C1811 router, so there is no need for a static route for subnet 10.1.105.0 on it.

if you have a static route for net 10.1.105.0 pointing to the switch, it should be removed.

The L2 switch cannot be the next hop for any subnet because it is only working at layer 2.

on the C1811 you would need a static route for the VOIP server IP subnet pointing to fas0, if you don't already have a default static route (something like ip route 0.0.0.0 0.0.0.0 fastethernet0):

ip route 172.24.225.0 255.255.255.0 fastethernet0

OR

ip route 192.168.225.0 255.255.255.0 fastethernet0

on the ASA you would need to provide a static route for the remote office IP phone subnet pointing to the outside interface

route outside 10.1.105.0 255.255.255.0

without this static route the ASA doesn't know how to route packets from the VOIP server to the IP phones (destination = 10.1.105.0/24)

WARNING: these are only suggestions; you need to understand your network environment before making changes.

Hope to help

Giuseppe
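As an added example (not from the thread or from any of the posters), the following Python script turns the router's `debug ip icmp` lines quoted earlier in this thread into findings and explains them against the router's connected subnets and static routes, following the two explanations above: "administratively prohibited unreachable" means an ACL denied the packet, and a redirect means the router's best route for the destination has a next hop on the same subnet as the sending host, which is wrong if that next hop is only a layer-2 switch SVI. The two log lines are the ones posted in this thread, and the connected subnets come from the posted Vlan10 and Vlan105 addresses; the static route `192.168.225.0/24 via 10.1.105.3` is my assumption, chosen because it reproduces the redirect shown (the thread mentions a static route pointing at 10.1.105.3 but never shows its prefix).

```python
"""Classify IOS 'debug ip icmp' lines and explain them with the router's
connected subnets and static routes. Added example; the log lines and
connected subnets are from the thread, the static route is assumed."""
import ipaddress
import re

UNREACH_RE = re.compile(
    r"ICMP: dst \((?P<dst>[\d.]+)\) administratively prohibited unreachable "
    r"sent to (?P<host>[\d.]+)")
REDIRECT_RE = re.compile(
    r"ICMP: redirect sent to (?P<host>[\d.]+) for dest (?P<dst>[\d.]+), "
    r"use gw (?P<gw>[\d.]+)")


def parse_icmp_debug(lines):
    """Return (kind, host, dst, gw) for each recognised line; gw is None for
    'administratively prohibited' (an ACL deny) and set for redirects."""
    events = []
    for line in lines:
        m = UNREACH_RE.search(line)
        if m:
            events.append(("acl-deny", m["host"], m["dst"], None))
            continue
        m = REDIRECT_RE.search(line)
        if m:
            events.append(("redirect", m["host"], m["dst"], m["gw"]))
    return events


def connected_interface(ip, interfaces):
    """Name of the interface whose connected subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in interfaces.items() if addr in net), None)


def best_route(dst, static_routes):
    """Longest-prefix match over static routes given as {network: next_hop}."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in static_routes.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else (None, None)


def diagnose(events, interfaces, static_routes):
    """Attach a cause to each event.

    acl-deny: the packet hit a deny (explicit, or the implicit one at the end
              of an ACL) on the way out; check the interface and crypto ACLs.
    redirect: the router forwarded the packet back out the interface it came
              in on, because the matching route's next hop is on the host's own
              subnet ('hairpin-static-route'). If that next hop is only a
              layer-2 switch SVI, the route is wrong and should be removed.
    """
    results = []
    for kind, host, dst, gw in events:
        r = {"kind": kind, "host": host, "dst": dst}
        if kind == "acl-deny":
            r["cause"] = "acl"
        else:
            net, nh = best_route(dst, static_routes)
            host_if = connected_interface(host, interfaces)
            r["route"] = str(net) if net else None
            r["route_next_hop"] = nh
            r["cause"] = ("hairpin-static-route"
                          if host_if and host_if == connected_interface(gw, interfaces)
                          else "unknown")
        results.append(r)
    return results


# Constructed input: log lines as posted in the thread, connected subnets from
# the posted Vlan10/Vlan105 addresses, static route assumed (see lead-in).
LOG_LINES = [
    "013849: *May 4 14:53:56.302 EST-5: ICMP: dst (172.24.225.223) "
    "administratively prohibited unreachable sent to 10.1.105.8",
    "013850: *May 4 14:54:16.090 EST-5: ICMP: redirect sent to 10.1.105.8 "
    "for dest 192.168.225.224, use gw 10.1.105.3",
]
INTERFACES = {
    "Vlan10": ipaddress.ip_network("10.1.105.0/24"),
    "Vlan105": ipaddress.ip_network("172.24.105.0/24"),
}
STATIC_ROUTES = {  # assumed: the thread only says a route points at 10.1.105.3
    ipaddress.ip_network("192.168.225.0/24"): "10.1.105.3",
}


def run():
    return diagnose(parse_icmp_debug(LOG_LINES), INTERFACES, STATIC_ROUTES)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run against the two posted lines, the first event is classified as an ACL deny on the path from 10.1.105.8 to 172.24.225.223, and the second as a hairpin static route: host 10.1.105.8 and the advertised gateway 10.1.105.3 are both on Vlan10, so whatever route covers 192.168.225.224 is sending traffic back onto the phone VLAN. Feeding it the real output of `show ip route static` in place of the assumed route would show exactly which prefix is responsible.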

Thanks a lot for the explanations and help; however, it still does not work.

Any other suggestions are much appreciated

Hello Jeff,

from a PC on the data VLAN with IP 172.24.105.X, can you reach the VOIP server 172.24.225.224?

I mean, can you ping it?

Can you confirm the topology described in my previous post?

Is the IPsec tunnel the only way for the remote site to communicate with the central site?

Why do all the ICMP-related log messages show a device with source 10.1.105.8 attempting to talk to 192.168.225.x instead of 172.24.225.x?

Reviewing all the configuration files you have provided, something is missing, such as the static routes on the C1811 and what the vpntest object is on the ASA. The involved subnet 172.24.105.0/24 does not appear anywhere in the ASA configuration (it might be defined in the object vpntest). The object vpntest appears in multiple places, and ideally subnet 10.1.105.0/24 should also appear in all the places where vpntest appears.

Without knowing on which interface the VOIP server subnet connects to the ASA, it is difficult to make changes to it.

Could you look into this: how is subnet 172.24.225.0 reached by the ASA? On what interface?

Hope to help

Giuseppe
