02-20-2006 11:51 AM - edited 02-21-2020 02:16 PM
I deployed an IP Telephony infrastructure with several IP Communicator software phones. Most users of these IP Communicators are teleworkers connecting from the Internet to the headquarters using Cisco's VPN client. The VPN concentrator is a Cisco ASA 5510 at the Headquarters where the CallManager resides.
My problem is that when the teleworkers call each other, although the call is correctly set up, there is no voice traffic at all. I quickly realized that it was because there is no IP connectivity between two VPN tunnels. Any idea how I can solve this issue? How can I route IP traffic between tunnels in the ASA?
02-24-2006 10:37 AM
Concurrent to the LAN-to-LAN VPN, the central concentrator also accepts remote access VPN connections. Communication is then enabled between the remote access VPN Client and the local LAN, behind the remote concentrator, through the central concentrator. The communication between spokes is enabled through the use of Reverse Route Injection (RRI).
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
06-15-2006 08:08 PM
I am also having this issue...however, I am using a PIX-520 running 6.3(3). My problem is exactly the same, however.
It may also be possible to route the voice calls through the CallManager server somehow...however, I am not aware of how to do this, or if it's truly possible...any help would be appreciated from anybody.
06-17-2006 08:04 AM
This global command solved my problem:
same-security-traffic permit intra-interface
However, I'm not sure if it works with version 6.3(3).
Don't forget also to add the address pool for the VPN client to the crypto ACL and the NAT0 ACL.
Good luck!
Rafa
06-18-2006 07:59 AM
I found out that this can be resolved by upgrading to PIX 7 software, and then using the commands given earlier in this post (just as they can be used in the ASA). However, my PIX 520 is too old to run PIX 7, as it is not supported. So, I'm looking into upgrading to an ASA 5520 to resolve this.
06-18-2006 12:19 AM
Assuming you have the same IP pool range for your remote users and that you are running code 7.+ on the ASA, make sure you have the commands below in your config.
sysopt connection permit-ipsec
same-security-traffic permit intra-interface
This will allow communication between remote users.
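
Added example, not part of the thread: a small Python check that reads a saved ASA 7.x running-config and reports whether two items from the replies above are present, the `same-security-traffic permit intra-interface` command and a NAT0 ACL whose destination covers the VPN client pool. The sample config, pool name and ACL name are constructed, and only `network mask` style ACL entries are parsed (an assumption); the crypto ACL is not checked.

```python
import ipaddress
import re

# Constructed sample of an ASA 7.x running-config (names and addresses are made up).
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 10.10.50.1-10.10.50.254 mask 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.10.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
same-security-traffic permit intra-interface
"""

ACE = re.compile(r"access-list (\S+) extended permit ip "
                 r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")


def check_hairpin(config):
    """Return a list of findings; an empty list means both checks passed."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    # 1. Traffic entering and leaving the same interface must be allowed.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")

    # 2. Collect the ACLs used for NAT exemption (nat 0) ...
    nat0_acls = {m.group(1) for line in lines
                 if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line))}
    # ... and the destination networks those ACLs permit.
    dests = []
    for line in lines:
        m = ACE.match(line)
        if m and m.group(1) in nat0_acls:
            dests.append(ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}",
                                              strict=False))

    # 3. Every client pool must fall inside one of those destinations.
    for line in lines:
        m = re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line)
        if not m:
            continue
        lo = ipaddress.ip_address(m.group(2))
        hi = ipaddress.ip_address(m.group(3))
        if not any(lo in net and hi in net for net in dests):
            findings.append(f"pool {m.group(1)} not covered by a NAT0 ACL destination")
    return findings


if __name__ == "__main__":
    print(check_hairpin(SAMPLE_CONFIG) or "ok")
```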