05-31-2011 05:16 AM
Hi,
I am facing a problem with transmitting VoIP traffic through a VPN.
Scenario:
I have a 1921 router at my end where two ISPs terminate, and load balancing is done over the ISPs. I also have a site-to-site IPsec VPN connection to a remote location. I also have two analog phones connected to the network through an ATA. My Call Manager is at the peer end and has a public IP assigned to it. The IP phones get registered when connected to a general internet connection.
Problem:
The load balancing and VPN are working fine. Now I need to transmit the VoIP traffic over the VPN. I have configured this, but it does not seem to be working. Please help me with it.
I am also providing the configuration:
!
!
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL1512260T
!
!
!
redundancy
!
!
!
track 100 interface FastEthernet0/0/0 line-protocol
delay down 15 up 10
!
track 200 interface FastEthernet0/0/1 line-protocol
delay down 15 up 10
!
class-map match-all Voice
match access-group 102
!
!
policy-map VoIP
class Voice
bandwidth 128
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cr0sstel address 24.214.31.254 no-xauth
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set nortech esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
set peer 24.214.31.254
set transform-set STRONG
match address 150
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description LAN CONNECTION
ip address 192.168.12.1 255.255.255.0
ip access-group test in
ip nat inside
ip virtual-reassembly
ip policy route-map phone
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description RELIANCE CONNECTION
ip address 124.124.99.97 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
service-policy output VoIP
!
interface FastEthernet0/0/1
description ASIANET CONNECTION
ip address 202.88.251.22 255.255.255.252
ip access-group 103 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map asianet interface FastEthernet0/0/1 overload
ip nat inside source route-map reliance interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 124.124.99.98 track 100
ip route 0.0.0.0 0.0.0.0 202.88.251.21 track 200
ip route 24.214.31.254 255.255.255.255 124.124.99.98
ip route 192.168.0.0 255.255.0.0 124.124.99.98
!
ip access-list extended cap
permit ip host 192.168.12.174 host 192.168.0.26
permit ip host 192.168.0.26 host 192.168.12.174
permit ip any any
ip access-list extended test
permit ip host 192.168.12.98 host 192.168.0.180
permit ip any any
ip access-list extended vpn
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.0.0
!
ip sla 1
icmp-echo 4.2.2.2 source-interface FastEthernet0/0/0
timeout 1000
threshold 40
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet0/0/1
timeout 1000
threshold 40
ip sla schedule 2 life forever start-time now
access-list 99 permit 192.168.12.174
access-list 99 permit 192.168.12.175
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
access-list 103 deny ip any host 76.73.195.240
access-list 103 permit ip any any
access-list 150 permit ip host 192.168.12.174 host 76.73.195.240
access-list 150 permit ip host 192.168.12.175 host 76.73.195.240
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 198 permit ip host 192.168.12.174 host 192.168.0.26
access-list 198 permit ip host 192.168.0.26 host 192.168.12.174
!
!
!
!
route-map reliance permit 10
match ip address 100
match interface FastEthernet0/0/0
!
route-map asianet permit 20
match ip address 101
match interface FastEthernet0/0/1
!
route-map phone permit 30
match ip address 99
set interface FastEthernet0/0/0
!
!
05-31-2011 12:38 PM
If I understand correctly from your configuration, you want the traffic from 192.168.12.174 and 192.168.12.175 towards 76.73.195.240 to go through the VPN tunnel instead of going through the internet?
You have set up your access-list 150 correctly to route this traffic through the VPN, but you must also exempt this traffic from being routed through your NAT for the internet.
Your access-list 100 should look like this:
access-list 100 deny ip host 192.168.12.174 host 76.73.195.240
access-list 100 deny ip host 192.168.12.175 host 76.73.195.240
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
And your access-list 101 should look like this:
access-list 101 deny ip host 192.168.12.174 host 76.73.195.240
access-list 101 deny ip host 192.168.12.175 host 76.73.195.240
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
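A way to check the two conditions in that reply mechanically (the crypto ACL's flows must hit a deny in the NAT ACL before any permit, and the peer's crypto ACL must be the mirror image), as an added example that is not from this thread or from Cisco. It parses the IOS numbered ACLs and the ASA extended ACL exactly as they appear in the posts; the "after" NAT ACL is a constructed merge of the reply's two host denies with the original subnet deny, and the parser only handles "permit|deny ip" lines with host/any/network specs.

```python
"""Check an IOS crypto ACL against the NAT ACL and against the peer's crypto ACL."""
import ipaddress
import re
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)

# Router side, copied from the thread: crypto ACL 150 and the original NAT ACL 100.
ROUTER_CRYPTO_150 = """
access-list 150 permit ip host 192.168.12.174 host 76.73.195.240
access-list 150 permit ip host 192.168.12.175 host 76.73.195.240
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
ROUTER_NAT_100_BEFORE = """
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
"""
# Constructed for this example: the reply's two host denies plus the original subnet deny.
ROUTER_NAT_100_AFTER = """
access-list 100 deny ip host 192.168.12.174 host 76.73.195.240
access-list 100 deny ip host 192.168.12.175 host 76.73.195.240
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
"""
# ASA side, copied from the remote-end configuration posted later in the thread.
ASA_CRYPTO = """
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.174
access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.175
"""


def _net(tokens: List[str], asa: bool) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if not asa:
        # IOS numbered ACLs use wildcard masks (0.0.0.255); invert to a subnet mask.
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text: str, asa: bool = False) -> List[Entry]:
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' lines; skip the rest."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\S+\s+(?:extended\s+)?(permit|deny)\s+ip\s+(.*)$", line.strip())
        if not m:
            continue  # remarks and non-IP entries are not relevant to the checks
        action, rest = m.group(1), m.group(2).split()
        src, rest = _net(rest, asa)
        dst, rest = _net(rest, asa)
        entries.append((action, src, dst))
    return entries


def unexempted_vpn_flows(crypto_acl: List[Entry], nat_acl: List[Entry]) -> List[Entry]:
    """Return crypto-ACL permits that the NAT ACL (first match wins) would still translate.

    A flow is exempt only if a deny line fully covers it before any permit line that
    overlaps it; partial coverage is reported, which errs on the side of flagging.
    """
    leaks: List[Entry] = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_acl:
            covered = src.subnet_of(nsrc) and dst.subnet_of(ndst)
            touches = src.overlaps(nsrc) and dst.overlaps(ndst)
            if nat_action == "deny" and covered:
                break  # exempted from NAT by this line
            if nat_action == "permit" and touches:
                leaks.append((action, src, dst))
                break  # would be translated, so the crypto map never sees it
        # No match at all means the implicit deny: not translated, nothing to report.
    return leaks


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> List[Entry]:
    """Return local crypto permits with no src/dst-swapped counterpart in the remote crypto ACL."""
    remote_pairs = {(src, dst) for action, src, dst in remote if action == "permit"}
    return [e for e in local if e[0] == "permit" and (e[2], e[1]) not in remote_pairs]


if __name__ == "__main__":
    crypto = parse_acl(ROUTER_CRYPTO_150)
    for label, nat_text in (("before", ROUTER_NAT_100_BEFORE), ("after", ROUTER_NAT_100_AFTER)):
        for _, src, dst in unexempted_vpn_flows(crypto, parse_acl(nat_text)):
            print(f"[{label}] still NATed, never reaches the crypto map: {src} -> {dst}")
    for _, src, dst in mirror_mismatches(crypto, parse_acl(ASA_CRYPTO, asa=True)):
        print(f"not mirrored on the ASA: {src} -> {dst}")
```

With the original ACL 100 the two host flows to 76.73.195.240 are reported as still translated; with the merged ACL nothing is reported, and the ASA's outside_cryptomap mirrors all three router entries.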
06-01-2011 03:09 AM
I tried the said configuration. The calls were still being generated, but no voice could be heard.
06-01-2011 03:16 AM
I guess the RTP traffic is not going back through the VPN towards your phones but through the internet.
Is the other end of your VPN tunnel configured correctly to route the traffic through the VPN?
07-11-2011 05:00 AM
The remote end configuration is as follows:
name 192.168.0.170 DBserver
name 24.214.31.145 AS1_Outside
name 192.168.1.12 MS1_Inside description bw mail server
name 24.214.31.146 MS1_Outside description BW mail server
name 192.168.1.10 AS1_Inside
name 192.168.1.11 NS1_Inside
name 24.214.31.147 NS1_Outside
name 24.214.31.149 WB1_Outside
name 192.168.1.14 WB1_Inside
name 192.168.1.16 PS1_Inside
name 24.214.31.155 PS1_Outside
name 192.168.1.17 XSP1_Inside
name 24.214.31.156 XSP1_Outside
name 24.214.31.139 NetFlow_Outside
name 192.168.1.15 CS1_Inside
name 24.96.139.157 CS1_Outside
name 192.168.0.145 CROSSDC1
name 172.31.255.252 ibbs description ibbs
name 24.214.31.212 franto description franto
name 172.31.255.0 ibbs2 description ibbs2tunnel
!
interface GigabitEthernet0/0
description Public Side
nameif outside
security-level 50
ip address 24.214.31.254 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.145
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DBServer tcp
port-object range 15118 15118
object-group service Sehion tcp
port-object eq www
port-object eq ftp
port-object eq https
object-group service divine tcp
port-object eq www
port-object eq https
port-object range domain domain
object-group service crosstel tcp
port-object eq www
port-object eq ftp
port-object eq ftp-data
object-group service dvnonline tcp
port-object eq www
port-object eq https
object-group service alert tcp
description m6
port-object eq www
port-object eq ftp
port-object eq ftp-data
port-object eq telnet
port-object eq 8010
object-group service M6LAB tcp
description Ports for M6 LAB switch DB server
port-object eq 8010
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq telnet
object-group service Netflow-SNMP tcp-udp
description Receive Netflow and SNMP to Monitors
port-object eq 161
port-object eq 162
port-object eq 9996
port-object eq 22
port-object eq 20001
port-object eq 25
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service India_VPN tcp
port-object eq 500
port-object eq 8080
object-group service broadworks tcp
port-object eq ssh
port-object eq www
port-object eq https
object-group service Alerts tcp
port-object eq www
port-object eq ssh
object-group service BW_API tcp
port-object eq 2208
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
group-object BW_API
port-object eq 2208
port-object eq 2205
port-object eq sip
port-object eq 2207
port-object eq 843
port-object eq ssh
object-group service AS_10001 tcp
description smdi
port-object eq 10001
port-object eq www
port-object eq https
port-object eq ssh
port-object eq 11234
object-group service DivineTVTest tcp
port-object range 1930 1940
port-object eq www
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_2
network-object host 24.214.31.155
network-object host 24.214.31.156
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq ssh
object-group service DM_INLINE_TCP_6 tcp
port-object eq 7025
port-object eq 7443
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_SERVICE_1
service-object tcp eq 10001
service-object tcp eq 2205
service-object tcp eq 2208
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object udp eq ntp
service-object udp eq snmp
service-object udp eq snmptrap
object-group network DM_INLINE_NETWORK_3
network-object host 24.214.31.145
network-object host 24.214.31.146
network-object host 24.214.31.147
network-object host 24.214.31.149
network-object host 24.214.31.155
network-object host 24.214.31.156
network-object host 24.96.139.157
object-group network DM_INLINE_NETWORK_4
network-object host 24.214.31.145
network-object host 24.214.31.146
network-object host 24.214.31.147
network-object host 24.214.31.149
network-object host 24.214.31.155
network-object host 24.214.31.156
network-object host 24.96.139.157
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_8 tcp
port-object eq 6667
port-object eq 7000
port-object eq irc
object-group service DM_INLINE_TCP_9 tcp
port-object eq 8080
port-object eq 8081
object-group service DM_INLINE_TCP_7 tcp
port-object eq ftp
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_UDP_1 udp
group-object Netflow-SNMP
port-object eq syslog
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service smtp tcp
port-object eq smtp
object-group service mail tcp
port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_12 tcp
port-object eq 8080
port-object eq www
access-list outside_in extended deny tcp any any object-group DM_INLINE_TCP_8
access-list outside_in extended permit tcp any host 24.214.31.170 object-group DBServer
access-list outside_in extended permit tcp any host 24.214.31.190 object-group Sehion
access-list outside_in extended permit tcp any host 24.214.31.191 object-group divine
access-list outside_in extended permit tcp any host 24.214.31.180 object-group crosstel
access-list outside_in extended permit tcp any host 24.214.31.192 object-group crosstel
access-list outside_in extended permit tcp any host 24.214.31.183 object-group crosstel
access-list outside_in extended permit tcp any host 24.214.31.194 eq www
access-list outside_in extended permit tcp any host 24.214.31.195 object-group crosstel
access-list outside_in extended permit tcp any host 24.214.31.196 object-group dvnonline
access-list outside_in extended permit tcp any host 24.214.31.140 object-group alert
access-list outside_in remark M6 LAB Switch Broadsoft access
access-list outside_in remark M6 LAB Switch Broadsoft access
access-list outside_in remark OpManager and Netflow external access
access-list outside_in extended permit tcp any host 24.214.31.153 object-group alert
access-list outside_in remark Receive Netflow and SNMP to monitors on the internal network
access-list outside_in remark OpManager and Netflow external access
access-list outside_in extended permit tcp any host 24.214.31.139 object-group DM_INLINE_TCP_9
access-list outside_in remark Allow IPSEC and Management from VPN in India
access-list outside_in remark Receive Netflow and SNMP to monitors on the internal network
access-list outside_in remark Access to Alert servers from outside
access-list outside_in extended permit udp any host 24.214.31.139 object-group DM_INLINE_UDP_1
access-list outside_in remark Access to Alert servers from outside
access-list outside_in extended deny tcp any host 24.214.31.139 object-group smtp
access-list outside_in remark Access to Alert servers from outside
access-list outside_in extended permit tcp any host 24.214.31.205 object-group Alerts
access-list outside_in remark Access to Alert servers from outside
access-list outside_in extended permit tcp any host 24.214.31.206 object-group Alerts
access-list outside_in extended permit tcp any host 24.214.31.210 object-group DivineTVTest
access-list outside_in extended permit tcp any host 24.214.31.181 object-group DM_INLINE_TCP_2
access-list outside_in extended permit tcp any host 24.214.31.182 object-group DM_INLINE_TCP_12
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 24.214.31.145
access-list outside_in extended permit tcp any host 24.214.31.146 object-group DM_INLINE_TCP_6
access-list outside_in extended permit tcp any host 24.214.31.149 object-group DM_INLINE_TCP_1
access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_3
access-list outside_in extended permit tcp any host 24.96.139.157 object-group DM_INLINE_TCP_5
access-list outside_in extended permit tcp any host 24.214.31.147 object-group DM_INLINE_TCP_4
access-list outside_in extended permit tcp any host 24.214.31.177 eq www
access-list outside_in remark SEPB-Crossoft
access-list outside_in extended permit tcp any host 24.214.31.185 object-group DM_INLINE_TCP_7
access-list outside_in extended permit tcp any host 24.214.31.29 object-group DivineTVTest
access-list outside_in remark Daivashabdam web
access-list outside_in extended deny icmp any object-group DM_INLINE_NETWORK_3
access-list outside_in extended deny icmp object-group DM_INLINE_NETWORK_4 any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 24.214.31.130 object-group DM_INLINE_TCP_10
access-list outside_in remark SEPB-Crossoft
access-list outside_in extended permit tcp any host 24.214.31.112 eq www
access-list outside_in extended permit tcp any host 24.214.31.199 object-group DM_INLINE_TCP_11
access-list outside_in remark Daivashabdam web
access-list outside_in extended permit tcp any host 24.214.31.211 object-group Sehion
access-list outside_in remark Ditto PCL client
access-list outside_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 24.214.31.42
access-list outside_in remark crosssoft testing
access-list outside_in extended permit tcp any host 24.214.31.43 eq www
access-list outside_in remark testing uc 500
access-list outside_in extended permit ip any host 24.214.31.30
access-list outside_in remark test
access-list outside_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 24.214.31.44 object-group Netflow-SNMP
access-list outside_in remark fr anto's website
access-list outside_in extended permit tcp any host 24.214.31.212 eq www
access-list outside_in remark evalution module
access-list outside_in extended permit tcp any host 24.214.31.185 eq www
access-list outside_in remark security camera
access-list outside_in extended permit tcp any host 24.214.31.40 eq www
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.170.171.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat remark offshore
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat remark Warren ASA
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat remark ibbs tunnel
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.255.252 255.255.255.252
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split extended permit ip 192.168.0.0 255.255.255.0 any
access-list CR-VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list CR-VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CR-VPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list CR-VPN_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0
access-list CR-VPN_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 10.170.171.0 255.255.255.0
access-list 101 extended permit ip host 192.168.0.84 any
access-list 101 extended permit ip any host 192.168.0.84
access-list DEV-VPN standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.0.0 255.255.255.0 172.31.255.252 255.255.255.252
access-list netflow-hosts extended permit ip any any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.174
access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.175
access-list outside_cryptomap_1 extended permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.0.0 192.168.40.0 255.255.255.0
access-list 199 extended permit ip host 192.168.0.177 host 192.168.12.24
access-list 188 extended permit ip host 192.168.12.20 host 192.168.2.10
access-list 188 extended permit ip host 192.168.2.10 host 192.168.12.20
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list cap extended permit ip host 192.168.0.146 host 172.31.255.254
access-list cap extended permit ip host 172.31.255.254 host 192.168.0.146
access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.146
access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.147
access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.156
access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.180
access-list test extended permit ip host 192.168.12.175 any
access-list test extended permit ip any host 192.168.12.175
access-list test1 extended permit ip host 192.168.0.26 any log
access-list test1 extended permit ip any host 192.168.0.26 log
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered debugging
logging trap emergencies
logging history emergencies
logging asdm informational
logging host inside 192.168.0.145
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.0.145 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.254.1-192.168.254.100 mask 255.255.255.0
ip local pool caleapool 192.168.253.1-192.168.253.10 mask 255.255.255.0
ip local pool devpool 192.168.252.1-192.168.252.10
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 24.214.31.185 192.168.0.147 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.170 192.168.0.170 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.190 192.168.0.192 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.191 192.168.0.193 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.192 192.168.0.191 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.183 192.168.0.182 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.194 192.168.0.194 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.195 192.168.0.195 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.196 192.168.0.196 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.140 192.168.0.140 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.153 192.168.2.4 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.145 192.168.1.10 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.146 192.168.1.12 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.147 192.168.1.11 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.205 192.168.0.205 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.206 192.168.0.206 netmask 255.255.255.255 dns
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandomseq nailed
static (inside,outside) 24.214.31.149 192.168.1.14 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.139 192.168.0.232 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.210 192.168.0.210 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.181 192.168.0.148 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.155 192.168.1.16 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.156 192.168.1.17 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.182 192.168.0.149 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.29 192.168.0.129 netmask 255.255.255.255 dns
static (inside,outside) 24.96.139.157 192.168.1.15 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.177 192.168.0.177 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.130 192.168.0.101 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.112 192.168.0.112 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.199 192.168.0.199 netmask 255.255.255.255 dns
static (inside,outside) 24.214.31.211 192.168.0.200 netmask 255.255.255.255
static (inside,outside) 24.214.31.43 192.168.0.156 netmask 255.255.255.255
static (inside,outside) 24.96.139.30 192.168.0.211 netmask 255.255.255.255
static (inside,outside) 24.214.31.44 192.168.0.180 netmask 255.255.255.255
static (inside,outside) 24.214.31.212 192.168.0.202 netmask 255.255.255.255
static (inside,outside) 24.214.31.40 192.168.0.135 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 24.214.31.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.253 1
route inside 192.168.2.0 255.255.255.0 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.254.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.168.0.145 community ***** version 2c
snmp-server location CORP - West Point, GA
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 30 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 124.124.99.97 202.88.251.22
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 98.159.193.18
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 24.38.175.19
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set peer 204.174.23.213
crypto map outside_map 4 set transform-set myset
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 24.96.139.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 750
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.0.120 255.255.255.255 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 192.168.0.145
dhcpd lease 86400
dhcpd update dns both
!
dhcpd address 192.168.0.20-192.168.0.99 inside
dhcpd dns 192.168.0.145 8.8.8.8 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.10 source inside prefer
ntp server 24.214.63.165 source outside prefer
webvpn
group-policy CR-VPN internal
group-policy CR-VPN attributes
vpn-filter none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CR-VPN_splitTunnelAcl
group-policy DEV-VPN internal
group-policy DEV-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DEV-VPN
default-domain value crosstel.com
group-policy RA_VPN internal
group-policy RA_VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
ip-phone-bypass enable
group-policy IBBS internal
group-policy IBBS attributes
vpn-filter value VPN_FILTER
service-type remote-access
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool vpnpool
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *****
tunnel-group CR-VPN type remote-access
tunnel-group CR-VPN general-attributes
address-pool vpnpool
default-group-policy CR-VPN
tunnel-group CR-VPN ipsec-attributes
pre-shared-key *****
tunnel-group CR-CALEA type ipsec-l2l
tunnel-group CR-CALEA general-attributes
default-group-policy RA_VPN
tunnel-group CR-CALEA ipsec-attributes
pre-shared-key *****
tunnel-group 24.96.139.10 type ipsec-l2l
tunnel-group 24.96.139.10 ipsec-attributes
pre-shared-key *****
tunnel-group DEV-VPN type remote-access
tunnel-group DEV-VPN general-attributes
address-pool devpool
default-group-policy DEV-VPN
tunnel-group DEV-VPN ipsec-attributes
pre-shared-key *****
tunnel-group 124.124.99.97 type ipsec-l2l
tunnel-group 124.124.99.97 ipsec-attributes
pre-shared-key *****
tunnel-group 98.159.193.18 type ipsec-l2l
tunnel-group 98.159.193.18 ipsec-attributes
pre-shared-key *****
tunnel-group 24.38.175.19 type ipsec-l2l
tunnel-group 24.38.175.19 ipsec-attributes
pre-shared-key *****
tunnel-group 202.88.251.22 type ipsec-l2l
tunnel-group 202.88.251.22 ipsec-attributes
pre-shared-key *****
tunnel-group 204.174.23.213 type ipsec-l2l
tunnel-group 204.174.23.213 general-attributes
default-group-policy IBBS
tunnel-group 204.174.23.213 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map NetFlow-traffic
match access-list netflow-hosts
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect http
inspect ip-options
inspect pptp
class NetFlow-traffic
flow-export event-type all destination 192.168.0.145
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
Please check and give me a solution.
07-25-2011 10:43 AM
Hi,
Are your phones using SIP? If so, you might want to enable "inspect sip" on the ASA.
Thanks and Regards,
Prapanch