03-09-2016 08:59 AM - edited 02-21-2020 08:43 PM
Hi,
We have a Cisco ASA 5520 in our Head Office and a Cisco ASA 5520 at one of our customer sites. The local IP subnets in HQ are 10.10.1.0-10.10.10.0/24 (all 10 subnets). The local subnets at the customer site are 192.168.x.0/24, 10.10.1.0/24 and 10.10.2.0/24. The Call Manager at the customer is on the 10.10.2.0/24 network, more specifically 10.10.2.2/24.
The requirement is to have IP Phones located in HQ register to the Call Manager at the customer site for remote support (service desk).
I have set up a Site-to-Site IKEv1 IPsec VPN between both locations and the VPN is up and working fine. The only problem is that since I have 10.10.2.0/24 in HQ, I cannot communicate with the Call Manager at the customer site, since it is on the 10.10.2.0 network as well.
Basically, traffic from HQ is hitting the ASA in HQ and returning back on the inside interface, since 10.10.2.0/24 is locally configured.
I cannot use NAT for the above, i.e. change the source or destination, as the phones get their configuration file through TFTP from the Call Manager and the IP (10.10.2.0) is in the configuration file, which cannot be changed.
The ASA at HQ is running 9.2 and the customer is on 8.4 IOS.
Please advise for any possible solution.
Thank you,
Ahmed
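For readers landing on this thread with the generic form of the problem (the same subnet on both ends of an ASA site-to-site tunnel), the standard fix on ASA 8.3+ is twice NAT: each side presents its overlapping real network to the peer under a non-overlapping mapped network, and the crypto ACLs match the mapped addresses. The following is an added example, not configuration from the thread or from either poster. It assumes interface names `inside`/`outside`, a crypto map named `OUTSIDE_MAP`, object names as shown, and two mapped ranges (172.16.2.0/24 for HQ, 172.17.2.0/24 for the customer) that are unused at both sites; all of those are assumptions. It is included to make the constraint in the first post concrete: this fix is exactly what that post says cannot be used here, because the phone can be pointed at the mapped address for TFTP but the configuration file it then downloads names 10.10.2.2, which is a local address at HQ.

```cisco
! ---- HQ ASA (9.2) --------------------------------------------------------
! Assumed names: inside/outside, OUTSIDE_MAP, object names, 172.16.2.0/24 and
! 172.17.2.0/24 as the mapped ranges. None of these come from the thread.
object network HQ_REAL
 subnet 10.10.2.0 255.255.255.0
object network HQ_MAPPED
 subnet 172.16.2.0 255.255.255.0
object network CUST_MAPPED
 subnet 172.17.2.0 255.255.255.0
!
! Twice NAT, placed in section 1 so it is evaluated before any dynamic PAT:
! HQ's 10.10.2.x leaves the tunnel as 172.16.2.x; HQ hosts address the
! customer's 10.10.2.x as 172.17.2.x, and the destination is left unchanged
! here because the customer ASA un-maps it on its side.
nat (inside,outside) 1 source static HQ_REAL HQ_MAPPED destination static CUST_MAPPED CUST_MAPPED
!
! The crypto ACL must match the translated (mapped) addresses, not the real ones.
access-list VPN_TO_CUST extended permit ip 172.16.2.0 255.255.255.0 172.17.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_CUST
!
! ---- Customer ASA (8.4): the mirror image --------------------------------
object network CUST_REAL
 subnet 10.10.2.0 255.255.255.0
object network CUST_MAPPED
 subnet 172.17.2.0 255.255.255.0
object network HQ_MAPPED
 subnet 172.16.2.0 255.255.255.0
!
! Static twice NAT is bidirectional, so a packet arriving from the tunnel for
! 172.17.2.2 is un-translated to the real 10.10.2.2 by this same rule.
nat (inside,outside) 1 source static CUST_REAL CUST_MAPPED destination static HQ_MAPPED HQ_MAPPED
access-list VPN_TO_HQ extended permit ip 172.17.2.0 255.255.255.0 172.16.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
```

Two things to check before expecting this to pass traffic: the HQ core switch needs a route for 172.17.2.0/24 towards the ASA inside interface (otherwise the mapped destination never reaches the firewall), and the customer's Call Manager needs a route for 172.16.2.0/24 back towards its ASA. `packet-tracer input inside tcp 10.10.2.10 1024 172.17.2.2 2000` on the HQ ASA shows whether the NAT and VPN phases are hit in that order. The design holds as long as every host only ever uses the mapped address of the far side; that is the assumption an IP phone breaks when the downloaded configuration hands it the real 10.10.2.2.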
03-09-2016 03:25 PM
Best option - renumber your end, or renumber the customer end.
Another option: buy a licence for the customer's ASA and enable the SSL phone proxy feature. No VPN needed then.
03-10-2016 01:02 AM
Hi Philip,
Thank you for your reply. The renumbering option is out of the picture, as there are almost 50+ live servers in HQ and at the customer site on this subnet.
I will surely go through the phone proxy option and see what can be done, as this will be required at each customer end to enable IP Phone communication for the service desk.
I was thinking of using policy routing at the HQ end for the host 10.10.2.2/32 to route over the VPN. Not tried yet, and not sure if this will work or not, as the ASA has a 10.10.0.0/16 route pointing back to the local switch.
03-10-2016 01:14 AM
How about this for a cheap option: buy a little baby Cisco 5506. Run it in Easy VPN mode. On the "inside", only plug in the phones that connect to the customer Call Manager.
The phones don't require access to anything else, so why join your whole network?
I just remembered another option. Some phones now come with Cisco AnyConnect VPN built in. This might be the simplest option of all. Let the phones VPN in like normal clients. I found this guide on the support forums:
https://supportforums.cisco.com/document/33891/ip-phone-ssl-vpn-asa-using-anyconnect
03-10-2016 01:29 AM
Thank you Philip,
We thought about these options, but none are suitable, as we do not want to buy a separate 5506 for each customer.
The built-in VPN option is a good one; we are already looking into this, but as a business we DO NOT want to pay anything and still have the phones working :)
03-10-2016 01:31 AM
What about having an extension number at the customer's site that simply forwards to a DDI at your office?
03-10-2016 01:35 AM
Not an option, as they want the capability to dial using an internal extension, since it's a service desk and they do not want the user to know that the service desk has been outsourced.
I really appreciate your help, mate, thanks a lot.
Kind regards,
Ahmed