12-21-2009 05:56 AM
IP phone on remote site cannot register on CUCS. VPN is up, pings are OK, I can ping from remote voice subnet to the local CUCS subnet. However, when the IP phone tries to register with CUCS, I get the following:
%ASA-6-302015: Built outbound UDP connection 68507 for vpn-baku:192.168.128.10/69 (192.168.128.10/69) to astara_data:192.168.140.5/49152 (192.168.140.5/49152)
%ASA-6-302015: Built outbound UDP connection 68508 for vpn-baku:192.168.128.10/34488 (192.168.128.10/34488) to astara_data:192.168.140.5/49152 (192.168.140.5/49152)
%ASA-6-110003: Routing failed to locate next hop for UDP from vpn-baku:192.168.128.10/34488 to astara_data:192.168.140.5/49152
Local ASA:
ASA Version 7.0(8)
!
hostname azt-bridge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif azt-inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.32
vlan 32
nameif azt_data
security-level 100
ip address 192.168.32.9 255.255.255.0
!
interface GigabitEthernet0/0.129
vlan 129
nameif azt_voice
security-level 100
ip address 192.168.128.9 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif baku-outside
security-level 0
ip address 10.253.17.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 any log
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 any log
access-list 110 extended permit ip 10.253.17.0 255.255.255.0 any log
access-list 110 extended permit ip any any log
access-list nonat extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list nonat extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu azt-inside 1500
mtu azt_data 1500
mtu azt_voice 1500
mtu baku-outside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (azt_data) 0 access-list nonat
route baku-outside 192.168.140.0 255.255.255.0 10.253.17.2 1
route baku-outside 0.0.0.0 0.0.0.0 10.253.17.2 1
route baku-outside 192.168.86.0 255.255.255.0 10.253.17.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password fOxbBT5HEEz5OxJT encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.253.17.2
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface baku-outside
isakmp enable baku-outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 10.253.17.2 type ipsec-l2l
tunnel-group 10.253.17.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 azt_data
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect skinny
inspect tftp
!
service-policy global_policy global
Cryptochecksum:1e9b30c67a892c2a5111102814efa994
: end
Remote ASA:
ASA Version 7.0(8)
!
hostname azt-astara-asa
enable password zk4oxIHVgmgitTUn encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif astara_inside
security-level 100
no ip address
!
interface Ethernet0/0.86
vlan 86
nameif astara_data
security-level 100
ip address 192.168.86.1 255.255.255.0
!
interface Ethernet0/0.140
vlan 140
nameif astara_voice
security-level 100
ip address 192.168.140.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 100
no ip address
!
interface Ethernet0/2
nameif vpn-baku
security-level 0
ip address 10.253.17.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list nonat extended permit ip 192.168.86.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list nonat extended permit ip 192.168.140.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list 120 extended permit ip 192.168.86.0 255.255.255.0 any log
access-list 120 extended permit ip 192.168.140.0 255.255.255.0 any log
access-list 120 extended permit ip 10.253.17.0 255.255.255.0 any log
access-list 120 extended permit ip any any log
pager lines 24
logging monitor debugging
logging asdm informational
mtu astara_inside 1434
mtu astara_data 1434
mtu astara_voice 1434
mtu vpn-baku 1434
mtu management 1434
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (astara_data) 0 access-list nonat
route vpn-baku 0.0.0.0 0.0.0.0 10.253.17.1 1
route vpn-baku 192.168.32.0 255.255.255.0 10.253.17.1 1
route vpn-baku 192.168.128.0 255.255.255.0 10.253.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password fOxbBT5HEEz5OxJT encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 120
crypto map mymap 20 set peer 10.253.17.1
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface vpn-baku
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map bakumap 20 set security-association lifetime seconds 28800
crypto map bakumap 20 set security-association lifetime kilobytes 4608000
isakmp enable vpn-baku
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 10.253.17.1 type ipsec-l2l
tunnel-group 10.253.17.1 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 astara_inside
telnet 0.0.0.0 0.0.0.0 vpn-baku
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 astara_inside
ssh 0.0.0.0 0.0.0.0 astara_data
ssh 0.0.0.0 0.0.0.0 vpn-baku
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect skinny
inspect tftp
!
service-policy global_policy global
Cryptochecksum:098102765abe4083a2747930e3d4a1bb
: end
azt-astara-asa#
Basically, I can ping from 192.168.140.0 (remote voice) to 192.168.128.10 (local CUCS) and vice versa.
Thank you in advance
12-21-2009 09:19 AM
Hi
First of all, I'd suggest you reconfigure your crypto map ACLs; even though the tunnel is establishing, the best practice is to have them configured as mirror images of each other.
As far as I understand your configuration, you just want the data VLAN at the local site to communicate with the data VLAN at the remote site. So your ACLs should look like this:
Local ASA:
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
Remote ASA:
access-list 120 extended permit ip 192.168.86.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 120 extended permit ip 192.168.140.0 255.255.255.0 192.168.128.0 255.255.255.0
*Note: Try to avoid having permit ip any any in a crypto map ACL.
Also apply the nonat ACLs you have already created to the interfaces carrying voice traffic:
Local ASA:
nat (azt_voice) 0 access-list nonat
Remote ASA:
nat (astara_voice) 0 access-list nonat
That should work for you. Cheers!
- Yamil
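The two checks in this answer (crypto map ACLs that mirror each other with no "any" entries, and a nat 0 exemption on every interface that hosts an exempted source subnet) can be scripted so they are not verified by eye. The following Python is an added example, not code from the thread or from Cisco. It runs offline against trimmed copies of the two running configs posted in the question and against the corrected ACLs proposed above. The function names, the "nonat" default and the parsing rules are the example's own assumptions: it handles only "permit ip" ACEs whose addresses are "any", "host X" or "network mask", and it locates an interface by matching its connected network to an ACE's source network.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Trimmed copies of the two configs posted in the question (only lines the checks need),
# followed by the mirrored crypto ACLs proposed in the answer.
LOCAL = """\
interface GigabitEthernet0/0.32
 nameif azt_data
 ip address 192.168.32.9 255.255.255.0
interface GigabitEthernet0/0.129
 nameif azt_voice
 ip address 192.168.128.9 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 any log
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 any log
access-list 110 extended permit ip 10.253.17.0 255.255.255.0 any log
access-list 110 extended permit ip any any log
access-list nonat extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list nonat extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
nat (azt_data) 0 access-list nonat
"""
REMOTE = """\
interface Ethernet0/0.86
 nameif astara_data
 ip address 192.168.86.1 255.255.255.0
interface Ethernet0/0.140
 nameif astara_voice
 ip address 192.168.140.1 255.255.255.0
access-list nonat extended permit ip 192.168.86.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list nonat extended permit ip 192.168.140.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list 120 extended permit ip 192.168.86.0 255.255.255.0 any log
access-list 120 extended permit ip 192.168.140.0 255.255.255.0 any log
access-list 120 extended permit ip 10.253.17.0 255.255.255.0 any log
access-list 120 extended permit ip any any log
nat (astara_data) 0 access-list nonat
"""
FIXED_LOCAL_ACL = """\
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
"""
FIXED_REMOTE_ACL = """\
access-list 120 extended permit ip 192.168.86.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 120 extended permit ip 192.168.140.0 255.255.255.0 192.168.128.0 255.255.255.0
"""

def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Read one ASA address spec at tok[i] ('any', 'host X' or 'X mask'); return (spec, next)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/255.255.255.255", i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2

def parse_acl(config: str, name: str) -> List[Tuple[str, str]]:
    """(src, dst) of every 'permit ip' ACE in the named ACL, in config order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            aces.append((src, _addr(t, i)[0]))
    return aces

def mirror_report(local, remote) -> Dict[str, List[Tuple[str, str]]]:
    """A local ACE (s, d) must appear on the peer as (d, s) and vice versa; 'any' is flagged."""
    lset, rset = set(local), set(remote)
    return {
        "unmirrored_local": sorted(a for a in lset if (a[1], a[0]) not in rset),
        "unmirrored_remote": sorted(a for a in rset if (a[1], a[0]) not in lset),
        "broad_local": sorted(a for a in lset if "any" in a),
        "broad_remote": sorted(a for a in rset if "any" in a),
    }

def interface_networks(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """nameif -> directly connected network, read from the interface stanzas."""
    nets, nameif = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["interface"]:
            nameif = None
        elif t[:1] == ["nameif"]:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
    return nets

def missing_nat_exempt(config: str, acl: str = "nonat") -> List[str]:
    """Interfaces hosting a source subnet of the exemption ACL but lacking 'nat (<if>) 0 access-list <acl>'."""
    exempt = set(re.findall(rf"^\s*nat \((\S+)\) 0 access-list {re.escape(acl)}\s*$", config, re.M))
    nets = interface_networks(config)
    needed = set()
    for src, _ in parse_acl(config, acl):
        if src != "any":
            net = ipaddress.ip_network(src, strict=False)
            needed.update(n for n, ifnet in nets.items() if ifnet == net)
    return sorted(needed - exempt)

if __name__ == "__main__":
    print(mirror_report(parse_acl(LOCAL, "110"), parse_acl(REMOTE, "120")))
    print(missing_nat_exempt(LOCAL), missing_nat_exempt(REMOTE))
```

Run against the posted configs, the mirror report lists every subnet-to-any entry on both sides as unmirrored and broad (only the permit ip any any lines match each other), and the NAT check names azt_voice and astara_voice as the interfaces still without a nat 0 line, which is exactly the two changes recommended above. Run against the corrected ACLs, the mirror report comes back empty.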
12-22-2009 12:54 AM
Issue is solved. I removed interface GigabitEthernet0/0.129 from the ASA, left only interface GigabitEthernet0/0.32 and used it as the default gateway.