
Cisco 861 VPN One-Way Calling (VOIP)

jacobdixon
Level 1

I am having an issue with one-way calling on a VOIP system. Basically I have three sites. All three sites can call out and can hear the remote person, but no one can hear what they are saying. (We are using a dynamic VPN.)

I have a feeling it has something to do with inspecting H323 protocol but I am not sure.

I also should point out that all other traffic over VPN works just fine both ways

Here is the Cisco 861 configuration:

Building configuration...

Current configuration : 10999 bytes

!

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname fw

!

boot-start-marker

boot-end-marker

!

no logging buffered

logging console critical

!

no aaa new-model

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

!

no ip source-route

!

!

ip port-map user-protocol--3 port tcp 3389

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name DOMAIN.com

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group name acl_vpn

class-map type inspect match-all sdm-nat-user-protocol--3-1

match access-group 108

match protocol user-protocol--3

class-map type inspect match-all sdm-nat-http-1

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--2-1

match protocol Other

class-map type inspect match-all sdm-nat-user-protocol--1-1

match protocol Other

class-map type inspect match-all sdm-nat-smtp-1

match protocol smtp

class-map type inspect match-all sdm-nat-imap-1

match protocol imap

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol h225ras

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-all sdm-nat-pop3-1

match protocol pop3

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all sdm-nat-https-1

match protocol https

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-smtp-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-pop3-1

  inspect

class type inspect sdm-nat-imap-1

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-user-protocol--3-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class class-default

  drop

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key <PASSWORD> address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

match address acl_vpn

!

!

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address 1.1.1.1 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.0.0.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source static tcp 10.0.0.251 3389 interface FastEthernet4 3390

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 10.0.0.250 80 1.1.1.1 80 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.250 443 1.1.1.1 443 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.250 4125 1.1.1.1 4125 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.139 10000 1.1.1.1 10000 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.140 35300 1.1.1.1 35300 route-map SDM_RMAP_1 extendable

ip route 0.0.0.0 0.0.0.0 <GATEWAY>

!

ip access-list extended Inbound_ACL

permit ip any host 10.0.0.250

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended acl_vpn

permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 172.31.0.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 any

ip access-list extended nonat

deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

deny   ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255

deny   ip 10.0.0.0 0.0.0.255 172.31.0.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 any

!

no logging trap

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 75.89.103.32 0.0.0.7 any

access-list 108 remark CCP_ACL Category=0

access-list 108 permit ip any host 10.0.0.251

access-list 110 remark CCP_ACL Category=128

access-list 110 permit ip any any

access-list 112 permit ip 10.0.0.0 0.0.0.255 any

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address nonat

!

!

control-plane

!

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

fw#

5 Replies

techdata
Level 1

Hi Jacob,

When you call the other site they can hear the phone ringing I guess?

If so, then that means that SIP is going through, but what about the Skinny protocol? Also, can you try to run a Wireshark capture on both ends? For this I would suggest using SPAN.

here is the link to configure SPAN:

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

That way we can tell if the traffic from one end is getting COMPLETE to the other end.

Also, try to ping the other IP just to make sure that this traffic gets encrypted. If that happens, then we can be sure that the VPN is fine.

Basically on the remote-site they can hear the phone ring, they can see the extension lights and everything light up or go off whenever someone at the office picks up a line, but people at the office cannot hear when they talk.

So the person at the remote site can hear the office people, but the office people cannot hear people at remote sites.
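The reply above asks for a capture on both ends to see whether traffic from one end actually arrives at the other. The script below is an added example written for this thread (it is not from any of the posters): it reads a packet list in the shape `tshark -r office.pcap -Y udp -T fields -e frame.time_relative -e ip.src -e udp.srcport -e ip.dst -e udp.dstport` produces and lists every UDP endpoint pair that only ever spoke in one direction, which is exactly the shape an office-side capture should show for the symptom described here (RTP leaving towards the remote phone, nothing coming back). SAMPLE_PACKETS is constructed: the PBX address 10.0.0.10, the remote phones 192.168.2.20 and 10.1.1.30 and the port numbers are hypothetical, chosen to sit inside the subnets in the posted config. The remote-side capture, run through the same script, then shows whether the remote phone sends RTP at all and to which address and port, which is the comparison the reply is after.

```python
"""Spot one-way UDP media flows in a packet list exported from a capture.

Added example for this thread, not code from the original posts. Input rows are
tab-separated: time, src ip, src port, dst ip, dst port (tshark -T fields order
used in the lead-in). Addresses and ports in SAMPLE_PACKETS are hypothetical.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    ip: str
    port: int


def _stream(t0, src, sport, dst, dport, n, gap=0.020):
    """n packets in one direction, 20 ms apart like a 20 ms RTP ptime."""
    return [f"{t0 + i * gap:.3f}\t{src}\t{sport}\t{dst}\t{dport}" for i in range(n)]


SAMPLE_PACKETS = "\n".join(
    # SIP signalling for the first call completes in both directions
    _stream(0.0, "192.168.2.20", 5060, "10.0.0.10", 5060, 3)
    + _stream(0.1, "10.0.0.10", 5060, "192.168.2.20", 5060, 3)
    # call 1: RTP leaves the PBX towards the remote phone, nothing comes back
    + _stream(1.0, "10.0.0.10", 10000, "192.168.2.20", 16384, 8)
    # call 2 (other site): healthy, RTP in both directions
    + _stream(2.0, "10.0.0.10", 10002, "10.1.1.30", 16386, 4)
    + _stream(2.01, "10.1.1.30", 16386, "10.0.0.10", 10002, 4)
) + "\n"


def parse_tshark(text: str) -> List[Tuple[float, Endpoint, Endpoint]]:
    packets = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) != 5:  # blank or malformed line
            continue
        t, sip, sport, dip, dport = row
        packets.append((float(t), Endpoint(sip, int(sport)), Endpoint(dip, int(dport))))
    return packets


def direction_counts(packets) -> Dict[Tuple[Endpoint, Endpoint], List[int]]:
    """Packets per direction, keyed by the unordered endpoint pair (a, b) with a < b."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, dst in packets:
        a, b = sorted((src, dst))
        counts[(a, b)][0 if src == a else 1] += 1
    return counts


def one_way_flows(packets, min_packets=5) -> List[Tuple[Endpoint, Endpoint, int]]:
    """(talker, silent peer, packet count) for every pair that only ever spoke one way.

    Pairs below min_packets are ignored so a lone stray datagram is not reported."""
    found = []
    for (a, b), (ab, ba) in direction_counts(packets).items():
        if ab + ba >= min_packets and (ab == 0 or ba == 0):
            talker, silent = (a, b) if ab else (b, a)
            found.append((talker, silent, ab + ba))
    return sorted(found)


def report(text: str) -> List[str]:
    return [f"one-way: {t.ip}:{t.port} -> {s.ip}:{s.port} ({n} pkts, nothing back)"
            for t, s, n in one_way_flows(parse_tshark(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PACKETS)) or "no one-way flows")
```

Run it against the export from each side of the tunnel: a flow that is one-way at the office but two-way at the remote site means the remote phone's RTP is being sent somewhere it does not arrive (wrong destination, or dropped on the way), while a flow that is one-way on both sides means the remote phone never sends.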

jacobdixon
Level 1

Anyone have an idea? I still wasn't able to get any further on this :-(

Sent from Cisco Technical Support iPhone App

jacobdixon
Level 1

I wiped out the config and started over. This is my current config with the exact same call problem (you cannot hear people from the remote offices):

Building configuration...

Current configuration : 7040 bytes

!

! Last configuration change at 12:58:02 UTC Mon Jan 2 2006 by compsysadmin

! NVRAM config last updated at 12:54:35 UTC Mon Jan 2 2006 by compsysadmin

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname fw

!

boot-start-marker

boot-end-marker

!

no logging buffered

logging console critical

!

no aaa new-model

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-2415746705

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2415746705

revocation-check none

rsakeypair TP-self-signed-2415746705

!

!

crypto pki certificate chain TP-self-signed-2415746705

certificate self-signed 01

  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32343135 37343637 3035301E 170D3036 30313032 31323030

  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34313537

  34363730 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B08D 3203AC4B 0165D1B4 D24BC13C E56C6766 E3DC4CF1 2E3E1892 47EE2C57

  32CFD397 0C7D24ED D1DC8D66 D9E5FBE1 D974FE15 A5519BE2 D72BF523 9B42820C

  05B0A1B3 9C267401 D6AC9613 B4932FDB F9456972 1FBD54CE F96D6AD5 8F31FC68

  91227640 5296E350 A46FCDC2 7D8F2DED A4D24208 7DF2388D 91541AA2 EDC6AB95

  41570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603

  551D1104 13301182 0F66772E 6A6D2D66 6F6F6473 2E636F6D 301F0603 551D2304

  18301680 149700B3 53076B43 5003C3ED 1798B052 DDC6FB7D FD301D06 03551D0E

  04160414 9700B353 076B4350 03C3ED17 98B052DD C6FB7DFD 300D0609 2A864886

  F70D0101 04050003 81810087 F96F5348 EBB04D8E 2C69A548 6495EE4E 9048DD0E

  CAB6F6E9 BDFF96BD F46CB4C6 06A533A0 FB8F4B00 9DB2A64E 184A2A73 194BCB4D

  820BCA9A 54BDBD9B F129815F 12EC2C78 9CE886FE 65A7A7D2 1AFC0726 68CC93E4

  42EDAD76 895F8690 5ADFE6BD 78CC15C8 C9B3058A 0D4D5D38 C0FEB9DF 3D561BBC

  1D55EF01 4FCE5EE4 7B1CF3

        quit

no ip source-route

!

!

ip dhcp excluded-address 10.10.10.1

!

!

ip cef

no ip domain lookup

ip domain name domain.com

!

!

!

class-map match-all VOIP

match protocol rtcp

match protocol sip

!

!

policy-map VOIP

class VOIP

    priority percent 50

class class-default

    fair-queue

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

match address acl_vpn

!

!

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

no ip address

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.0.0.254 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 10.0.0.250 80 80 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.250 443 443 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.251 3389 3390 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.250 4125 4125 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.139 10000 10000 route-map SDM_RMAP_1 extendable

ip nat inside source static tcp 10.0.0.240 35300 35300 route-map SDM_RMAP_1 extendable

ip route 0.0.0.0 0.0.0.0

!

ip access-list extended SDM_ESP

permit esp any any

ip access-list extended acl_vpn

permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 any

ip access-list extended nonat

deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

deny   ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 any

!

access-list 1 permit 10.0.0.0 0.0.0.255

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address nonat

!

!

control-plane

!

!

line con 0

login local

no modem enable

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

fw#

Still no luck on this issue, if anyone has any other ideas. Techdata, I couldn't even access the link you provided; I do not have an account.
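One check worth running on configs like the two posted in this thread is whether the crypto ACL and the NAT-exemption ACL agree: LAN traffic to a VPN peer that the overload route-map still permits is PAT'd to the outside address before the crypto map evaluates it, so it leaves outside the tunnel and the peer answers the public address. The script below is an added example written for this thread (not the poster's tooling or anything from Cisco): it parses the named extended ACLs from IOS-style text and reports every remote subnet in acl_vpn for which nonat's first matching entry is a permit. Both configs posted above pass this check (each remote subnet in acl_vpn has a matching deny in nonat), so SAMPLE_CONFIG is a constructed excerpt of the first config with the 172.31.0.0/24 deny deliberately removed, to show what a miss looks like. Two things from the posted lines are still worth noting: the second config lists only 192.168.2.0/24 and 10.1.1.0/24 in both ACLs while the first post mentions three sites, and with the zone-based firewall gone from the second config, the static TCP mappings to 10.0.0.250, .251, .139 and .240 are reachable from the Internet with nothing inspecting them. The script also flags settings a reviewer would raise: the pre-shared key bound to `address 0.0.0.0 0.0.0.0`, 3DES, and telnet on the vty lines. LOCAL_LAN, the ACL names and the dropped deny are assumptions of this example.

```python
"""Cross-check the crypto ACL against the NAT-exemption ACL of an IOS config.

Added example for this thread, not the poster's tooling: parse the named extended
ACLs from IOS-style text, report VPN peer subnets that the overload NAT route-map
would still translate, and flag risky settings visible in the posted configs.
SAMPLE_CONFIG is a constructed excerpt of the first config above with the
172.31.0.0/24 deny deliberately dropped from nonat so the check has something to find.
"""
import ipaddress
import re
from typing import NamedTuple

LOCAL_LAN = ipaddress.ip_network("10.0.0.0/24")  # Vlan1 in the posted config

SAMPLE_CONFIG = """\
crypto isakmp key <PASSWORD> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.31.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended nonat
 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address nonat
line vty 0 4
 transport input telnet ssh
"""


class Ace(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(t, i):
    """One IOS address spec (any | host A | A wildcard) at t[i]; returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask after the slash, which is exactly an IOS wildcard mask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    dst, _ = _addr(t, i)  # port qualifiers after the destination are ignored
    return Ace(t[0], t[1], src, dst)


def parse_named_acls(config):
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(("permit ", "deny ")):
            acls[current].append(parse_ace(line))
        elif current and line and not line.startswith("remark"):
            current = None  # any other top-level line ends the ACL block
    return acls


def first_match(aces, src, dst):
    """IOS ACLs are first-match; None stands for the implicit deny at the end."""
    return next((a for a in aces if src.subnet_of(a.src) and dst.subnet_of(a.dst)), None)


def vpn_peer_subnets(acls, crypto_acl="acl_vpn", local=LOCAL_LAN):
    """Every specific network in the crypto ACL other than the local LAN and 'any'."""
    return {n for a in acls[crypto_acl] if a.action == "permit"
            for n in (a.src, a.dst) if n.prefixlen > 0 and n != local}


def natted_vpn_subnets(acls, crypto_acl="acl_vpn", nonat_acl="nonat", local=LOCAL_LAN):
    """Peer subnets for which the route-map ACL *permits* LAN traffic, i.e. PATs it to the
    outside address before the crypto map sees it. No match (implicit deny) means no NAT."""
    leaking = []
    for peer in sorted(vpn_peer_subnets(acls, crypto_acl, local)):
        hit = first_match(acls[nonat_acl], local, peer)
        if hit is not None and hit.action == "permit":
            leaking.append(peer)
    return leaking


def risky_settings(config):
    """Settings visible in the posted configs that a reviewer would flag."""
    findings = []
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("crypto isakmp key") and s.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard PSK: one shared secret, and any source address may attempt IKE")
        elif s == "encr 3des" or "esp-3des" in s:
            findings.append(f"legacy cipher: {s}")
        elif s.startswith("transport input") and "telnet" in s.split():
            findings.append(f"cleartext management: {s}")
    return findings


def report(config):
    acls = parse_named_acls(config)
    lines = [f"VPN peer {n} is still translated by nonat; add 'deny ip {LOCAL_LAN.network_address} "
             f"{LOCAL_LAN.hostmask} {n.network_address} {n.hostmask}' above the final permit"
             for n in natted_vpn_subnets(acls)]
    return lines + risky_settings(config)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Feed it the output of `show running-config` from the hub; on a spoke, swap LOCAL_LAN for that site's LAN and the ACL names for the ones in its dynamic-map peer configuration. The order check matters as much as the presence check: a deny placed below the `permit ip 10.0.0.0 0.0.0.255 any` entry is shadowed and never matches.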