Forwarding UDP port ranges, Cisco 870 12.4(15)T7

I feel like this has probably been asked a thousand times over, but it doesn't seem to work for me. TCP works fine. I can't find any definitive answers; I'm still a novice with the IOS.

The purpose behind opening the ranges of UDP ports to the interface and forwarding is because the people in question want to run a VOIP phone from their home, but they have a home-grade Internet connection, so therefore no static IP. Also, they're not going to pay for a router to create an S2S VPN.

Also, from one of the remote sites for which there is a VPN (the 192.168.6.X/24 site), the audio is only one way. The phone guy says "I need to open ports both ways through the VPN", but I feel like that's already been done??

For my other site (192.168.15.0/24) I have an IPSEC over GRE tunnel going; I don't know about the status of the voice phone there... or if it's even made it there.

Here's my config... I'm redacting things like public IPs, VPN keys, and the like:

#show run

Building configuration...

Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2607594268
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2607594268
 revocation-check none
 rsakeypair TP-self-signed-2607594268
!
!
crypto pki certificate chain TP-self-signed-2607594268
 certificate self-signed 02
        quit
dot11 syslog
ip cef
!
!
ip dhcp excluded-address 192.168.2.101 192.168.2.254
ip dhcp excluded-address 192.168.2.1 192.168.2.49
!
!
ip domain name
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXx
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
!
crypto map CTMAP 1 ipsec-isakmp
 set peer XXXXXXXXXXXXXX
 set transform-set CTLVPNSET
 match address VPNACL
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 ip address 10.254.0.9 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source XXXXXXXXXXXXXXXXXX
 tunnel destination XXXXXXXXXXXXXXXXXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address XXXXXXXXXXXXXXXXXXXX
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CTMAP
!
interface Vlan1
 description internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXXXXXXX
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list PHONE3 pool PHONE3
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
 deny   ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit tcp any any eq 9000
 permit tcp any any eq 5090
 permit udp any any eq 5090
 permit tcp any any eq 5003
 permit udp any any eq 5003
 permit udp any any eq 9000
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
ip access-list extended PHONE3
 permit tcp any any eq telnet
ip access-list extended SERVER
 permit tcp any any eq 443
 permit tcp any any eq 987
 permit tcp XXXXXXXXXXXXXX 0.0.0.31 host XXXXXXXXXXXXXXXX eq smtp

4 Replies

Bump... 49 views and no replies?

Hey, Paul - can you clarify the problem you're having? I'm trying to grok what's broken. I gather that you've got a VoIP phone that isn't behaving as intended, but it's hard to tell from your description what all the circumstances are.

I re-ordered your config, removing some lines that I don't think have a significant bearing on the issue, and regrouping other lines to make it easier to see what the config is actually doing. I put some comments inline, more for my sanity as the config was a lot to take in. I think I got the point of the NAT statements correct based on my interpretation of how Cisco documents the commands. Apologies if I overlooked something.

! Traffic destined for 192.168.15.0/24 is routed through this tunnel interface. The tunnel mode is IPSEC, and the traffic will be encapsulated in accordance with the VTI profile. There is no "ip nat" on this interface, so traffic routed through here will not be impacted by the NAT configuration.
interface Tunnel0
 ip address 10.254.0.9 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source XXXXXXXXXXXXXXXXXX
 tunnel destination XXXXXXXXXXXXXXXXXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
crypto ipsec profile VTI
 set transform-set TSET
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
! This is the public, Internet-facing interface. Interesting traffic for another IPSEC tunnel is defined by the VPNACL access-list (which does not appear in the configuration you pasted, so was presumably redacted).
interface FastEthernet4
 description $ES_WAN$
 ip address XXXXXXXXXXXXXXXXXXXX
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CTMAP
!
crypto map CTMAP 1 ipsec-isakmp
 set peer XXXXXXXXXXXXXX
 set transform-set CTLVPNSET
 match address VPNACL
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
!
!
! This is the SVI used to route traffic from the LAN. Traffic that enters here and exits via Fa4 will be subject to the NAT policy.
interface Vlan1
 description internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
!
! Inside traffic that matches access-list 100 (does not appear in configuration) will have the source address translated to the interface IP of Fa4 using PAT overload.
ip nat inside source list 100 interface FastEthernet4 overload
! Inside traffic of 192.168.0.2:443 will have the source address translated to the interface IP of Fa4 statically.
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
!
!
! Traffic going from outside to inside destined for the ports listed in the ACL will translate the destination address (presumably the public IP of Fa4) to the inside address specified in the pool. The next 4 NATs all behave in the same way - depending on the port, the traffic will get forwarded to a different inside host.
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit tcp any any eq 9000
 permit tcp any any eq 5090
 permit udp any any eq 5090
 permit tcp any any eq 5003
 permit udp any any eq 5003
 permit udp any any eq 9000
ip nat inside destination list PHONE1 pool PHONE1
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
!
!
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
ip nat inside destination list PHONE2 pool PHONE2
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
!
ip access-list extended PHONE3
 permit tcp any any eq telnet
ip nat inside destination list PHONE3 pool PHONE3
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
!
ip access-list extended SERVER
 permit tcp any any eq 443
 permit tcp any any eq 987
 permit tcp XXXXXXXXXXXXXX 0.0.0.31 host XXXXXXXXXXXXXXXX eq smtp
ip nat inside destination list SERVER pool SERVER
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
!
!
! These ACLs do not appear to be in use.
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
 deny   ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any

First off, thank you so much for the reply. I'm positive you're an extremely busy person, and would not have been offended should you not have replied, especially since this is more or less free advice. I'm just not getting much luck in the various forums (this forum, Petri IT, and Experts Exchange). I apologize for not being exactly clear to begin with... my explanation is long-winded, and I apologize ahead of time...

I thoroughly enjoy PacketPushers; some of it can be "above my pay grade", but I still enjoy it nonetheless.

My problem is twofold, but both parts relate to this "VOIP" system of sorts. It's some off-brand phone system that the customer inherited when they purchased another company in their industry; one day they called and said "come make it work". They also inherited these Cisco routers that they want to use... I know enough to be dangerous... So here I am...

I just realized I did not originally post the entire config, so I'll do so in a separate post; perhaps I hit a character limit...

1. I have an S2S VPN between two sites... the site where 192.168.0.0/24 is the LAN, and the site where 192.168.6.0/24 is the LAN. The tunnel is up, and I can ping through the VPN both ways.

The phone system sits in the 192.168.0.0/24 network.

Though the tunnel is up, the phone in the 192.168.6.0/24 network has one-way audio only. The 0.0/24 network can hear the person in .6.0/24, but not the other way around. My hunch is that it's because the router at the .6.0/24 network is double-NATted behind the DSL modem, and that's something I inherited unfortunately as well. The site is quite a drive, but I'll go there as a last resort to fix that, but I digress.

The "phone guy" who installed the system for them says it's because "I'm not allowing UDP through the VPN". My understanding is that the ACL below covers all ports TCP/IP/UDP:

ip access-list extended VPNACL
 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

My second problem is the customer wants to try to run one of these VOIP phones from their home, but they don't have business-class Internet at home, so therefore no static IP, and they definitely won't flip for a Cisco at their house.

So... the phone guy says "Forward these TCP and UDP ports to these private IPs that the phone system uses" (the phone system has 3 private IPs, BTW) and all should be well... some of which are ranges of ports.

Well... I was able to get the TCP ports forwarded fine, it appears, but the UDP, not so much... and since I can't use telnet to test UDP connectivity... I'm stuck.

I tried this method here http://evilrouters.net/2010/05/25/port-forwarding-a-range-of-ports-on-cisco-ios/ ...

Then I read online that Cisco IOS doesn't do well with forwarding ranges of UDP ports... at least on the routers... and to try a route-map method...

Well... the route-map method won't work for me because again the phone system has 3 private IPs that I would have to statically NAT to 3 individual public IPs... and the phone can only be configured to talk to one public IP...

Sorry this is very convoluted.
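To make the destination-NAT walkthrough in the earlier reply and the VPNACL question above checkable against the poster's config, here is an added Python example (not from the thread, the poster or Cisco): it parses the named extended ACLs, the rotary pools and the `ip nat inside destination` lists, reports which outside port is meant to reach which inside host, and evaluates a UDP flow against the crypto ACL's `permit ip` entry. It assumes named extended ACLs with contiguous wildcards and destination-port operators only (`eq`/`range`), and it encodes the limitation the thread suspects as a flag: rotary-pool destination NAT is Cisco's TCP load-distribution feature, so UDP entries in those ACLs are marked as not translated.

```python
"""Parse IOS NAT pools, 'ip nat inside destination' lists and named extended ACLs."""
from ipaddress import IPv4Address, IPv4Network
# Constructed sample: lines lifted from the thread's config, not a complete router config.
CONFIG = """\
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat inside destination list PHONE1 pool PHONE1
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit udp any any eq 5090
ip access-list extended VPNACL
 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
"""

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; assumes a contiguous wildcard."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    wild = int(IPv4Address(t[i + 1]))
    return IPv4Network((int(IPv4Address(t[i])), 32 - wild.bit_length()), strict=False), i + 2

def _ports(t, i):
    """Destination-port operator 'eq P' or 'range A B'; absent means any port."""
    p = lambda s: int({"telnet": 23, "smtp": 25}.get(s, s))  # names IOS prints for known ports
    if i >= len(t):
        return 0, 65535
    return p(t[i + 1]), p(t[i + 2] if t[i] == "range" else t[i + 1])

def parse(text):
    """Return (acls, pools, dest_lists); each ACE is a dict holding network objects."""
    acls, pools, dest, cur = {}, {}, {}, None
    for t in filter(None, (ln.split() for ln in text.splitlines())):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = {"inside": t[4], "rotary": "rotary" in t}
        elif t[:4] == ["ip", "nat", "inside", "destination"]:
            dest[t[5]] = t[7]                      # ... list <ACL> pool <POOL>
        elif t[0] in ("permit", "deny") and cur is not None:
            src, i = _addr(t, 2)
            dst, i = _addr(t, i)
            cur.append({"action": t[0], "proto": t[1], "src": src, "dst": dst, "dports": _ports(t, i)})
    return acls, pools, dest

def port_map(text):
    """Rows (proto, low, high, inside_host, translated); UDP behind a rotary pool is not translated by IOS."""
    acls, pools, dest = parse(text)
    rows = []
    for acl, pool in dest.items():
        for ace in acls.get(acl, []):
            if ace["action"] == "permit":
                rows.append((ace["proto"], *ace["dports"], pools[pool]["inside"],
                             ace["proto"] == "tcp" or not pools[pool]["rotary"]))
    return rows

def acl_permits(text, acl, proto, src, dst, dport):
    """First-match lookup of one flow in a named extended ACL, ending in the implicit deny."""
    for ace in parse(text)[0].get(acl, []):
        if (ace["proto"] in ("ip", proto) and IPv4Address(src) in ace["src"]
                and IPv4Address(dst) in ace["dst"] and ace["dports"][0] <= dport <= ace["dports"][1]):
            return ace["action"] == "permit"
    return False
```

Running `port_map(CONFIG)` shows the TCP 6000-6001 row as translated and both UDP rows flagged, while `acl_permits(CONFIG, "VPNACL", "udp", "192.168.0.201", "192.168.6.20", 16384)` confirms that `permit ip` already covers UDP between the two LANs.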

Building configuration...

Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2607594268
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2607594268
 revocation-check none
 rsakeypair TP-self-signed-2607594268
!
!
crypto pki certificate chain TP-self-signed-2607594268
 certificate self-signed 02
        quit
dot11 syslog
ip cef
!
!
!
!
ip domain name
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
crypto isakmp key XXXXX address XXXXX
crypto isakmp key XXXXX address XXXXX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CTLVPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
!
crypto map CTMAP 1 ipsec-isakmp
 set peer XXXXX
 set transform-set CTLVPNSET
 match address VPNACL
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 ip address 10.254.0.9 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source XXXXXX
 tunnel destination XXXXXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address XXXXXXXXX
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CTMAP
!
interface Vlan1
 description internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.158.172.193
ip route 192.168.15.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool SERVER 192.168.0.2 192.168.0.2 netmask 255.255.255.0 type rotary
ip nat pool PHONE1 192.168.0.201 192.168.0.201 netmask 255.255.255.0 type rotary
ip nat pool PHONE2 192.168.0.202 192.168.0.202 netmask 255.255.255.0 type rotary
ip nat pool PHONE3 192.168.0.203 192.168.0.203 netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
ip nat inside destination list PHONE1 pool PHONE1
ip nat inside destination list PHONE2 pool PHONE2
ip nat inside destination list PHONE3 pool PHONE3
ip nat inside destination list SERVER pool SERVER
!
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT2
 deny   ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended PHONE1
 permit tcp any any range 6000 6001
 permit udp any any range 6000 6001
 permit tcp any any eq 9000
 permit tcp any any eq 5090
 permit udp any any eq 5090
 permit tcp any any eq 5003
 permit udp any any eq 5003
 permit udp any any eq 9000
ip access-list extended PHONE2
 permit udp any any range 30000 30031
 permit udp any any range 40000 40159
ip access-list extended PHONE3
 permit tcp any any eq telnet
ip access-list extended SERVER
 permit tcp any any eq 443
 permit tcp any any eq 987
 permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq smtp
 permit tcp 69.84.129.224 0.0.0.31 host 66.158.172.194 eq 389
 permit tcp 74.94.129.208 0.0.0.15 host 66.158.172.194 eq 389
 permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq 389
 permit tcp 72.1.146.64 0.0.0.31 host 66.158.172.194 eq smtp
 permit tcp 205.237.99.160 0.0.0.31 host 66.158.172.194 eq 389
ip access-list extended VPNACL
 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPNACL2
 permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
!
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map nonnat permit 10
 match ip address NAT
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174982
ntp server 216.171.120.36
end
