ā10-31-2013 01:53 AM - edited ā02-21-2020 07:17 PM
Hi,
Anyconnect and Cisco IP Communicator - I can't register CIPC phones over anyconnect. I can ping CME server, but can't register IP communicator! How can I solved this problem?
ASA configuration is below!
ASA Version 9.1(1)
!
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
description Interface_to_VPN
nameif outside
security-level 0
ip address 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.11.0 255.255.255.0
description LAN
object network SSLVPN_POOL
subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.60.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
email user@domain.com
subject-name CN=ASA
ip-address 111.222.333.444
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
fqdn vpn.domain.com
email user@domain.com
subject-name CN=vpn.domain.com
ip-address 111.222.333.444
keypair sslvpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 5
vpn-session-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value mycomp.local
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect dtls compression lzs
anyconnect modules value vpngina
customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 3
vpn-session-timeout 120
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value company.com
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect dtls compression lzs
customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
vpn-group-policy VPN_CLIENT_POLICY
service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
authentication aaa certificate
group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
authentication aaa certificate
group-alias IT enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
ā10-31-2013 06:36 AM
Hi,
Doesn't CIPC require DHCP to provide a TFTP server (like a regular phone) that is the CUCM's IP address?
The IP local pool does not assign a TFTP server...
http://www.cisco.com/en/US/docs/voice_ip_comm/cipc/2_0/english/administration/guide/CADovr.html
Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DCHP configurations, refer to Cisco Unified CallManager System Guide
Patrick
ā10-31-2013 10:51 PM
Hi, Thank you for your reply!
I use CME and all CIPC have static IP addresses, and CME use as TFTP server. CME have IP address 192.168.11.241 and this network(192.168.11.0/24) add to ASA as split tunnel.
May be, there is another solution?
Have any idea?
ā11-22-2013 01:08 PM
did you ever get this resolved?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide