Problem with transmitting of VoIP traffic through VPN

alexageorge
Level 1

Hi,


I am facing a problem with transmitting of VoIP traffic through VPN.


Scenario:

    I have a 1921 router at my end where two ISPs terminate, and load balancing is done over the ISPs. I also have a site-to-site IPsec VPN connection to a remote location. Also, I have two analog phones connected to the network through an ATA. My Call Manager is at the peer end and has a public IP assigned to it. The IP phones get registered when connected to a general internet connection.


Problem:

    The load balancing and VPN are working fine. Now I need to transmit the VoIP traffic over the VPN. I have configured the same but it seems not to be working. Please help me with it.

Also providing the configuration

!
!
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL1512260T
!
!
!
redundancy
!
!
!
track 100 interface FastEthernet0/0/0 line-protocol
delay down 15 up 10
!
track 200 interface FastEthernet0/0/1 line-protocol
delay down 15 up 10
!
class-map match-all Voice
match access-group 102
!
!
policy-map VoIP
class Voice
    bandwidth 128
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cr0sstel address 24.214.31.254 no-xauth
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set nortech esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
set peer 24.214.31.254
set transform-set STRONG
match address 150
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description LAN CONNECTION
ip address 192.168.12.1 255.255.255.0
ip access-group test in
ip nat inside
ip virtual-reassembly
ip policy route-map phone
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description RELIANCE CONNECTION
ip address 124.124.99.97 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
service-policy output VoIP
!
interface FastEthernet0/0/1
description ASIANET CONNECTION
ip address 202.88.251.22 255.255.255.252
ip access-group 103 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map asianet interface FastEthernet0/0/1 overload
ip nat inside source route-map reliance interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 124.124.99.98 track 100
ip route 0.0.0.0 0.0.0.0 202.88.251.21 track 200
ip route 24.214.31.254 255.255.255.255 124.124.99.98
ip route 192.168.0.0 255.255.0.0 124.124.99.98
!
ip access-list extended cap
permit ip host 192.168.12.174 host 192.168.0.26
permit ip host 192.168.0.26 host 192.168.12.174
permit ip any any
ip access-list extended test
permit ip host 192.168.12.98 host 192.168.0.180
permit ip any any
ip access-list extended vpn
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.0.0
!
ip sla 1
icmp-echo 4.2.2.2 source-interface FastEthernet0/0/0
timeout 1000
threshold 40
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet0/0/1
timeout 1000
threshold 40
ip sla schedule 2 life forever start-time now
access-list 99 permit 192.168.12.174
access-list 99 permit 192.168.12.175
access-list 100 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
access-list 103 deny   ip any host 76.73.195.240
access-list 103 permit ip any any
access-list 150 permit ip host 192.168.12.174 host 76.73.195.240
access-list 150 permit ip host 192.168.12.175 host 76.73.195.240
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 198 permit ip host 192.168.12.174 host 192.168.0.26
access-list 198 permit ip host 192.168.0.26 host 192.168.12.174
!
!
!
!
route-map reliance permit 10
match ip address 100
match interface FastEthernet0/0/0
!
route-map asianet permit 20
match ip address 101
match interface FastEthernet0/0/1
!
route-map phone permit 30
match ip address 99
set interface FastEthernet0/0/0
!
!

5 Replies

Igor Vojnoski
Level 1

If I understand correctly from your configuration, you want the traffic from 192.168.12.174 and 192.168.12.175 towards 76.73.195.240 to go through the VPN tunnel instead of going through the internet?

You have set up your access-list 150 correctly to route this traffic through the VPN, but you must also exempt this traffic from being routed through your NAT for internet.

Your access-list 100 should look like this:

access-list 100 deny ip host 192.168.12.174 host 76.73.195.240

access-list 100 deny ip host 192.168.12.175 host 76.73.195.240

access-list 100 permit ip 192.168.12.0 0.0.0.255 any

And your access-list 101 should look like this:

access-list 101 deny ip host 192.168.12.174 host 76.73.195.240

access-list 101 deny ip host 192.168.12.175 host 76.73.195.240

access-list 101 permit ip 192.168.12.0 0.0.0.255 any
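
The NAT-exemption rule in the reply above can be checked mechanically: every flow the crypto ACL permits has to reach a deny in each NAT ACL before it reaches a permit. The script below is an added example, not code from the thread or from Cisco; the function names are hypothetical, it assumes numbered extended `ip` entries with contiguous wildcard masks, and the ACL lines are the ones posted in this thread (the last sample list is constructed).

```python
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action src dst text")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _take(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.IPv4Address(tokens[1]))
    if wild & (wild + 1):  # assumption: only contiguous wildcards are handled
        raise ValueError("non-contiguous wildcard: " + tokens[1])
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [Entry, ...]} for 'access-list N permit|deny ip ...' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) < 6 or tok[0] != "access-list"
                or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
            continue  # standard ACLs and tcp/udp entries are ignored here
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        acls.setdefault(tok[1], []).append(Entry(tok[2], src, dst, " ".join(tok)))
    return acls


def nat_verdict(flow, nat_acl):
    """First-match walk of a NAT ACL for one crypto-ACL flow."""
    for e in nat_acl:
        covers = flow.src.subnet_of(e.src) and flow.dst.subnet_of(e.dst)
        overlaps = flow.src.overlaps(e.src) and flow.dst.overlaps(e.dst)
        if e.action == "deny" and covers:
            return "exempt"
        if e.action == "permit" and overlaps:
            return "translated"  # at least part of the flow gets NATed
    return "exempt"  # implicit deny: the NAT route-map does not match


def audit(config, crypto_acl, nat_acls):
    """List (nat_acl, crypto_entry) pairs where tunnel traffic would be NATed."""
    acls = parse_acls(config)
    findings = []
    for flow in acls.get(crypto_acl, []):
        if flow.action != "permit":
            continue
        for name in nat_acls:
            if nat_verdict(flow, acls.get(name, [])) == "translated":
                findings.append((name, flow.text))
    return findings


# Crypto ACL 150 as posted in the router configuration.
CRYPTO = """
access-list 150 permit ip host 192.168.12.174 host 76.73.195.240
access-list 150 permit ip host 192.168.12.175 host 76.73.195.240
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
# NAT ACLs 100/101 as posted in the router configuration.
ORIGINAL_NAT = """
access-list 100 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
"""
# NAT ACLs 100/101 holding only the lines given in the reply.
REPLY_NAT = """
access-list 100 deny ip host 192.168.12.174 host 76.73.195.240
access-list 100 deny ip host 192.168.12.175 host 76.73.195.240
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 deny ip host 192.168.12.174 host 76.73.195.240
access-list 101 deny ip host 192.168.12.175 host 76.73.195.240
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
"""
# Constructed: host denies placed in front of the existing LAN-to-LAN deny.
COMBINED_NAT = """
access-list 100 deny ip host 192.168.12.174 host 76.73.195.240
access-list 100 deny ip host 192.168.12.175 host 76.73.195.240
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 deny ip host 192.168.12.174 host 76.73.195.240
access-list 101 deny ip host 192.168.12.175 host 76.73.195.240
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, nat in (("original", ORIGINAL_NAT), ("reply", REPLY_NAT),
                       ("combined", COMBINED_NAT)):
        print(label)
        for acl, entry in audit(CRYPTO + nat, "150", ["100", "101"]):
            print(f"  NAT ACL {acl} translates: {entry}")
```

Run on ACLs 100 and 101 as first posted, it reports the two host entries of ACL 150. The constructed third list keeps the existing 192.168.0.0/16 deny behind the host denies, because a list holding only the host denies leaves the LAN-to-LAN entry of ACL 150 matching the final permit.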

I tried the said configuration. But still the calls were generating but no voice could be heard.

I guess the RTP traffic is not going through the VPN back towards your phones but through the internet.

Is the other end of your VPN tunnel configured correctly to route the traffic through the VPN?

The remote end configuration is as follows:

name 192.168.0.170 DBserver

name 24.214.31.145 AS1_Outside

name 192.168.1.12 MS1_Inside description bw mail server

name 24.214.31.146 MS1_Outside description BW mail server

name 192.168.1.10 AS1_Inside

name 192.168.1.11 NS1_Inside

name 24.214.31.147 NS1_Outside

name 24.214.31.149 WB1_Outside

name 192.168.1.14 WB1_Inside

name 192.168.1.16 PS1_Inside

name 24.214.31.155 PS1_Outside

name 192.168.1.17 XSP1_Inside

name 24.214.31.156 XSP1_Outside

name 24.214.31.139 NetFlow_Outside

name 192.168.1.15 CS1_Inside

name 24.96.139.157 CS1_Outside

name 192.168.0.145 CROSSDC1

name 172.31.255.252 ibbs description ibbs

name 24.214.31.212 franto description franto

name 172.31.255.0 ibbs2 description ibbs2tunnel

!

interface GigabitEthernet0/0

description Public Side

nameif outside

security-level 50

ip address 24.214.31.254 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

ospf cost 10

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.5.1 255.255.255.0

ospf cost 10

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.0.145

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DBServer tcp

port-object range 15118 15118

object-group service Sehion tcp

port-object eq www

port-object eq ftp

port-object eq https

object-group service divine tcp

port-object eq www

port-object eq https

port-object range domain domain

object-group service crosstel tcp

port-object eq www

port-object eq ftp

port-object eq ftp-data

object-group service dvnonline tcp

port-object eq www

port-object eq https

object-group service alert tcp

description m6

port-object eq www

port-object eq ftp

port-object eq ftp-data

port-object eq telnet

port-object eq 8010

object-group service M6LAB tcp

description Ports for M6 LAB switch DB server

port-object eq 8010

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq telnet

object-group service Netflow-SNMP tcp-udp

description Receive Netflow and SNMP to Monitors

port-object eq 161

port-object eq 162

port-object eq 9996

port-object eq 22

port-object eq 20001

port-object eq 25

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service India_VPN tcp

port-object eq 500

port-object eq 8080

object-group service broadworks tcp

port-object eq ssh

port-object eq www

port-object eq https

object-group service Alerts tcp

port-object eq www

port-object eq ssh

object-group service BW_API tcp

port-object eq 2208

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

group-object BW_API

port-object eq 2208

port-object eq 2205

port-object eq sip

port-object eq 2207

port-object eq 843

port-object eq ssh

object-group service AS_10001 tcp

description smdi

port-object eq 10001

port-object eq www

port-object eq https

port-object eq ssh

port-object eq 11234

object-group service DivineTVTest tcp

port-object range 1930 1940

port-object eq www

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_2

network-object host 24.214.31.155

network-object host 24.214.31.156

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq ssh

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq ssh

object-group service DM_INLINE_TCP_6 tcp

port-object eq 7025

port-object eq 7443

port-object eq www

port-object eq https

port-object eq ssh

object-group service DM_INLINE_SERVICE_1

service-object tcp eq 10001

service-object tcp eq 2205

service-object tcp eq 2208

service-object tcp eq www

service-object tcp eq https

service-object tcp eq ssh

service-object udp eq ntp

service-object udp eq snmp

service-object udp eq snmptrap

object-group network DM_INLINE_NETWORK_3

network-object host 24.214.31.145

network-object host 24.214.31.146

network-object host 24.214.31.147

network-object host 24.214.31.149

network-object host 24.214.31.155

network-object host 24.214.31.156

network-object host 24.96.139.157

object-group network DM_INLINE_NETWORK_4

network-object host 24.214.31.145

network-object host 24.214.31.146

network-object host 24.214.31.147

network-object host 24.214.31.149

network-object host 24.214.31.155

network-object host 24.214.31.156

network-object host 24.96.139.157

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq https

port-object eq ssh

object-group service DM_INLINE_TCP_8 tcp

port-object eq 6667

port-object eq 7000

port-object eq irc

object-group service DM_INLINE_TCP_9 tcp

port-object eq 8080

port-object eq 8081

object-group service DM_INLINE_TCP_7 tcp

port-object eq ftp

port-object eq https

object-group service DM_INLINE_TCP_10 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_UDP_1 udp

group-object Netflow-SNMP

port-object eq syslog

object-group service DM_INLINE_TCP_11 tcp

port-object eq www

port-object eq https

object-group service smtp tcp

port-object eq smtp

object-group service mail tcp

port-object eq smtp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_12 tcp

port-object eq 8080

port-object eq www

access-list outside_in extended deny tcp any any object-group DM_INLINE_TCP_8

access-list outside_in extended permit tcp any host 24.214.31.170 object-group DBServer

access-list outside_in extended permit tcp any host 24.214.31.190 object-group Sehion

access-list outside_in extended permit tcp any host 24.214.31.191 object-group divine

access-list outside_in extended permit tcp any host 24.214.31.180 object-group crosstel

access-list outside_in extended permit tcp any host 24.214.31.192 object-group crosstel

access-list outside_in extended permit tcp any host 24.214.31.183 object-group crosstel

access-list outside_in extended permit tcp any host 24.214.31.194 eq www

access-list outside_in extended permit tcp any host 24.214.31.195 object-group crosstel

access-list outside_in extended permit tcp any host 24.214.31.196 object-group dvnonline

access-list outside_in extended permit tcp any host 24.214.31.140 object-group alert

access-list outside_in remark M6 LAB Switch Broadsoft access

access-list outside_in remark M6 LAB Switch Broadsoft access

access-list outside_in remark OpManager and Netflow external access

access-list outside_in extended permit tcp any host 24.214.31.153 object-group alert

access-list outside_in remark Receive Netflow and SNMP to monitors on the internal network

access-list outside_in remark OpManager and Netflow external access

access-list outside_in extended permit tcp any host 24.214.31.139 object-group DM_INLINE_TCP_9

access-list outside_in remark Allow IPSEC and Management from VPN in India

access-list outside_in remark Receive Netflow and SNMP to monitors on the internal network

access-list outside_in remark Access to Alert servers from outside

access-list outside_in extended permit udp any host 24.214.31.139 object-group DM_INLINE_UDP_1

access-list outside_in remark Access to Alert servers from outside

access-list outside_in extended deny tcp any host 24.214.31.139 object-group smtp

access-list outside_in remark Access to Alert servers from outside

access-list outside_in extended permit tcp any host 24.214.31.205 object-group Alerts

access-list outside_in remark Access to Alert servers from outside

access-list outside_in extended permit tcp any host 24.214.31.206 object-group Alerts

access-list outside_in extended permit tcp any host 24.214.31.210 object-group DivineTVTest

access-list outside_in extended permit tcp any host 24.214.31.181 object-group DM_INLINE_TCP_2

access-list outside_in extended permit tcp any host 24.214.31.182 object-group DM_INLINE_TCP_12

access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 24.214.31.145

access-list outside_in extended permit tcp any host 24.214.31.146 object-group DM_INLINE_TCP_6

access-list outside_in extended permit tcp any host 24.214.31.149 object-group DM_INLINE_TCP_1

access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_3

access-list outside_in extended permit tcp any host 24.96.139.157 object-group DM_INLINE_TCP_5

access-list outside_in extended permit tcp any host 24.214.31.147 object-group DM_INLINE_TCP_4

access-list outside_in extended permit tcp any host 24.214.31.177 eq www

access-list outside_in remark SEPB-Crossoft

access-list outside_in extended permit tcp any host 24.214.31.185 object-group DM_INLINE_TCP_7

access-list outside_in extended permit tcp any host 24.214.31.29 object-group DivineTVTest

access-list outside_in remark Daivashabdam web

access-list outside_in extended deny icmp any object-group DM_INLINE_NETWORK_3

access-list outside_in extended deny icmp object-group DM_INLINE_NETWORK_4 any

access-list outside_in extended permit icmp any any

access-list outside_in extended permit tcp any host 24.214.31.130 object-group DM_INLINE_TCP_10

access-list outside_in remark SEPB-Crossoft

access-list outside_in extended permit tcp any host 24.214.31.112 eq www

access-list outside_in extended permit tcp any host 24.214.31.199 object-group DM_INLINE_TCP_11

access-list outside_in remark Daivashabdam web

access-list outside_in extended permit tcp any host 24.214.31.211 object-group Sehion

access-list outside_in remark Ditto PCL client

access-list outside_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 24.214.31.42

access-list outside_in remark crosssoft testing

access-list outside_in extended permit tcp any host 24.214.31.43 eq www

access-list outside_in remark testing uc 500

access-list outside_in extended permit ip any host 24.214.31.30

access-list outside_in remark test

access-list outside_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 24.214.31.44 object-group Netflow-SNMP

access-list outside_in remark fr anto's website

access-list outside_in extended permit tcp any host 24.214.31.212 eq www

access-list outside_in remark evalution module

access-list outside_in extended permit tcp any host 24.214.31.185 eq www

access-list outside_in remark security camera

access-list outside_in extended permit tcp any host 24.214.31.40 eq www

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.170.171.0 255.255.255.0

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.252.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list nonat remark offshore

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat remark Warren ASA

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.100.0.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0

access-list nonat remark ibbs tunnel

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.255.252 255.255.255.252

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list split extended permit ip 192.168.0.0 255.255.255.0 any

access-list CR-VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list CR-VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list CR-VPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list CR-VPN_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0

access-list CR-VPN_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 10.170.171.0 255.255.255.0

access-list 101 extended permit ip host 192.168.0.84 any

access-list 101 extended permit ip any host 192.168.0.84

access-list DEV-VPN standard permit 192.168.0.0 255.255.255.0

access-list outside_cryptomap_3 extended permit ip 192.168.0.0 255.255.255.0 172.31.255.252 255.255.255.252

access-list netflow-hosts extended permit ip any any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0

access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.174

access-list outside_cryptomap extended permit ip host 76.73.195.240 host 192.168.12.175

access-list outside_cryptomap_1 extended permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.0.0 192.168.40.0 255.255.255.0

access-list 199 extended permit ip host 192.168.0.177 host 192.168.12.24

access-list 188 extended permit ip host 192.168.12.20 host 192.168.2.10

access-list 188 extended permit ip host 192.168.2.10 host 192.168.12.20

access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.0.0 10.100.0.0 255.255.255.0

access-list cap extended permit ip host 192.168.0.146 host 172.31.255.254

access-list cap extended permit ip host 172.31.255.254 host 192.168.0.146

access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.146

access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.147

access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.156

access-list VPN_FILTER extended permit ip 172.31.255.252 255.255.255.252 host 192.168.0.180

access-list test extended permit ip host 192.168.12.175 any

access-list test extended permit ip any host 192.168.12.175

access-list test1 extended permit ip host 192.168.0.26 any log

access-list test1 extended permit ip any host 192.168.0.26 log

pager lines 24

logging enable

logging buffer-size 10000

logging monitor debugging

logging buffered debugging

logging trap emergencies

logging history emergencies

logging asdm informational

logging host inside 192.168.0.145

logging permit-hostdown

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination inside 192.168.0.145 9996

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnpool 192.168.254.1-192.168.254.100 mask 255.255.255.0

ip local pool caleapool 192.168.253.1-192.168.253.10 mask 255.255.255.0

ip local pool devpool 192.168.252.1-192.168.252.10

no failover

failover timeout -1

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 1 interface

nat (outside) 1 192.168.12.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 24.214.31.185 192.168.0.147 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.170 192.168.0.170 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.190 192.168.0.192 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.191 192.168.0.193 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.192 192.168.0.191 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.183 192.168.0.182 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.194 192.168.0.194 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.195 192.168.0.195 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.196 192.168.0.196 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.140 192.168.0.140 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.153 192.168.2.4 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.145 192.168.1.10 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.146 192.168.1.12 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.147 192.168.1.11 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.205 192.168.0.205 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.206 192.168.0.206 netmask 255.255.255.255 dns

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 norandomseq nailed

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 norandomseq nailed

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 norandomseq nailed

static (inside,outside) 24.214.31.149 192.168.1.14 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.139 192.168.0.232 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.210 192.168.0.210 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.181 192.168.0.148 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.155 192.168.1.16 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.156 192.168.1.17 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.182 192.168.0.149 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.29 192.168.0.129 netmask 255.255.255.255 dns

static (inside,outside) 24.96.139.157 192.168.1.15 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.177 192.168.0.177 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.130 192.168.0.101 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.112 192.168.0.112 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.199 192.168.0.199 netmask 255.255.255.255 dns

static (inside,outside) 24.214.31.211 192.168.0.200 netmask 255.255.255.255

static (inside,outside) 24.214.31.43 192.168.0.156 netmask 255.255.255.255

static (inside,outside) 24.96.139.30 192.168.0.211 netmask 255.255.255.255

static (inside,outside) 24.214.31.44 192.168.0.180 netmask 255.255.255.255

static (inside,outside) 24.214.31.212 192.168.0.202 netmask 255.255.255.255

static (inside,outside) 24.214.31.40 192.168.0.135 netmask 255.255.255.255

access-group outside_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 24.214.31.1 1

route inside 192.168.1.0 255.255.255.0 192.168.0.253 1

route inside 192.168.2.0 255.255.255.0 192.168.0.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.5.0 255.255.255.0 management

http 192.168.254.0 255.255.255.0 outside

http 192.168.0.0 255.255.255.0 inside

http 192.168.0.0 255.255.0.0 inside

snmp-server host inside 192.168.0.145 community ***** version 2c

snmp-server location CORP - West Point, GA

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps remote-access session-threshold-exceeded

sysopt connection preserve-vpn-flows

sysopt noproxyarp inside

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 10 set transform-set myset

crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800

crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 10 set reverse-route

crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA

crypto dynamic-map dynmap 30 set security-association lifetime seconds 28800

crypto dynamic-map dynmap 30 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 124.124.99.97 202.88.251.22

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set peer 98.159.193.18

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set peer 24.38.175.19

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_cryptomap_3

crypto map outside_map 4 set peer 204.174.23.213

crypto map outside_map 4 set transform-set myset

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 24.96.139.10

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 28800

crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic dynmap

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

vpn-sessiondb max-session-limit 750

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 20

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.0.0 255.255.255.0 inside

ssh 192.168.0.120 255.255.255.255 inside

ssh timeout 20

console timeout 0

management-access inside

dhcpd dns 192.168.0.145

dhcpd lease 86400

dhcpd update dns both

!

dhcpd address 192.168.0.20-192.168.0.99 inside

dhcpd dns 192.168.0.145 8.8.8.8 interface inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.1.10 source inside prefer

ntp server 24.214.63.165 source outside prefer

webvpn

group-policy CR-VPN internal

group-policy CR-VPN attributes

vpn-filter none

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CR-VPN_splitTunnelAcl

group-policy DEV-VPN internal

group-policy DEV-VPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DEV-VPN

default-domain value crosstel.com

group-policy RA_VPN internal

group-policy RA_VPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list none

ip-phone-bypass enable

group-policy IBBS internal

group-policy IBBS attributes

vpn-filter value VPN_FILTER

service-type remote-access

tunnel-group RA_VPN type remote-access

tunnel-group RA_VPN general-attributes

address-pool vpnpool

default-group-policy RA_VPN

tunnel-group RA_VPN ipsec-attributes

pre-shared-key *****

tunnel-group CR-VPN type remote-access

tunnel-group CR-VPN general-attributes

address-pool vpnpool

default-group-policy CR-VPN

tunnel-group CR-VPN ipsec-attributes

pre-shared-key *****

tunnel-group CR-CALEA type ipsec-l2l

tunnel-group CR-CALEA general-attributes

default-group-policy RA_VPN

tunnel-group CR-CALEA ipsec-attributes

pre-shared-key *****

tunnel-group 24.96.139.10 type ipsec-l2l

tunnel-group 24.96.139.10 ipsec-attributes

pre-shared-key *****

tunnel-group DEV-VPN type remote-access

tunnel-group DEV-VPN general-attributes

address-pool devpool

default-group-policy DEV-VPN

tunnel-group DEV-VPN ipsec-attributes

pre-shared-key *****

tunnel-group 124.124.99.97 type ipsec-l2l

tunnel-group 124.124.99.97 ipsec-attributes

pre-shared-key *****

tunnel-group 98.159.193.18 type ipsec-l2l

tunnel-group 98.159.193.18 ipsec-attributes

pre-shared-key *****

tunnel-group 24.38.175.19 type ipsec-l2l

tunnel-group 24.38.175.19 ipsec-attributes

pre-shared-key *****

tunnel-group 202.88.251.22 type ipsec-l2l

tunnel-group 202.88.251.22 ipsec-attributes

pre-shared-key *****

tunnel-group 204.174.23.213 type ipsec-l2l

tunnel-group 204.174.23.213 general-attributes

default-group-policy IBBS

tunnel-group 204.174.23.213 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

class-map NetFlow-traffic

match access-list netflow-hosts

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect http

  inspect ip-options

  inspect pptp

class NetFlow-traffic

  flow-export event-type all destination 192.168.0.145

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 4096

Please check and give me a solution.

Hi,

Are your phones using SIP? If so, you might want to enable "inspect sip" on the ASA.

Thanks and Regards,

Prapanch