softphone for remote user

1salvarez
Level 1

  We have a remote user that needs to use a softphone (shoretel). We've been asked to open ports for the user in the VPN. How can I check the allowed ports and how would we go about opening those.

14 Replies

Hi,

If the softphone goes through the VPN tunnel, by default all IP traffic is permitted so there's no need to open TCP/UDP ports.

If the phone uses SIP for example, the ASA will allow the traffic but will also inspect SIP by default.

Is the softphone not working?

Federico.

Right, it's not working. We have many users that use the softphone internally. It's when a remote user connects via VPN that it doesn't work. Maybe the subnet the user is on, once connected, is not allowed?

How can I make sure that indeed we're allowing all IP traffic via VPN?

If the problem is related to the subnet/routing try to PING through the tunnel from the client.

Does the softphone register and the problem is audio, or does it not register at all?

Federico.

How can I make sure that indeed we're allowing all IP traffic via VPN?

1. Check that you have the command ''sysopt connection permit-vpn'' under ''sh run all sysopt''

2. Check that there are no vpn-filters under the group-policy of the tunnel-group for the VPN clients.

3. Check that ''cry isa nat-t'' is configured to allow traffic to pass through the tunnel when coming behind a PAT device.

Federico.
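The three checks in the reply above can be run against a saved copy of ''sh run all'' instead of by eye. The script below is an added example written for this thread, not code from the original poster or from Cisco; the config text it parses is a constructed sample modelled on the fragments posted here (policy and tunnel-group names are made up), and it assumes ''show run all'' output, where every group-policy lists its vpn-filter explicitly and a disabled feature appears with a leading ''no''.

```python
import re
from typing import Dict, List

# Constructed sample of "show run all" fragments, modelled on this thread.
# Group-policy and tunnel-group names are invented for the example.
SAMPLE_SHOW_RUN_ALL = """\
sysopt connection tcpmss 1200
no sysopt nodnsalias inbound
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
crypto isakmp identity auto
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 vpn-filter none
 split-tunnel-policy tunnelall
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 default-group-policy RemoteUsers
"""


def parse_group_policies(config: str) -> Dict[str, List[str]]:
    """Return {group-policy name: [attribute lines]} from ASA config text.

    Attribute lines are the indented lines following
    'group-policy <name> attributes'; the block ends at the first
    non-indented line.
    """
    policies: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        if current is not None and line.startswith(" "):
            policies[current].append(line.strip())
        else:
            current = None
    return policies


def vpn_filter_of(attrs: List[str]) -> str:
    """'none', an ACL name ('vpn-filter value <acl>'), or 'inherited'."""
    for a in attrs:
        if a == "vpn-filter none":
            return "none"
        if a.startswith("vpn-filter value "):
            return a.split(None, 2)[2]
    return "inherited"  # not explicit: falls back to DfltGrpPolicy


def audit_vpn_passthrough(config: str) -> Dict[str, object]:
    """Apply the three checks from the thread to 'show run all' output."""
    lines = [l.strip() for l in config.splitlines()]
    findings: Dict[str, object] = {}

    # 1. Decrypted VPN traffic bypasses the interface ACLs only with this set.
    findings["permit_vpn"] = "sysopt connection permit-vpn" in lines

    # 2. Any vpn-filter other than 'none' applies an ACL to tunnel traffic.
    filters = {name: vpn_filter_of(attrs)
               for name, attrs in parse_group_policies(config).items()}
    findings["vpn_filters"] = filters
    findings["filters_ok"] = all(v == "none" for v in filters.values())

    # 3. 'no crypto isakmp nat-traversal' disables UDP/4500 encapsulation,
    #    which clients behind a PAT device need.
    findings["nat_t"] = any(l.startswith("crypto isakmp nat-traversal")
                            for l in lines)

    findings["all_ok"] = bool(findings["permit_vpn"]
                              and findings["filters_ok"]
                              and findings["nat_t"])
    return findings


if __name__ == "__main__":
    for key, value in audit_vpn_passthrough(SAMPLE_SHOW_RUN_ALL).items():
        print(f"{key}: {value}")
```

On the sample above the script reports ''permit_vpn'' and the vpn-filter as fine but ''nat_t'' as disabled, which matches the state the original poster pasted further down in this thread; rerunning it after ''crypto isakmp nat-traversal'' is enabled turns ''all_ok'' true.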

Below is what I have from "show run"

1. CP-ASAINT-P01# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1200
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

2. vpn-filter none

3. lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000

Appreciate your help.

I changed it to crypto isakmp nat-traversal. Still doesn't work.

From the computer where the softphone resides (connecting via VPN), can you PING through the tunnel?

I mean... the problem is only the ports required for the softphone or there's no IP connectivity at all?

Federico.

I can't ping the subnet where the Shoretel call manager resides.

Maybe there's no traffic going through the tunnel at all.

Are you establishing the VPN tunnel using an IPsec client from the remote computer or how?

Do you see the tunnel established on the VPN gateway (ASA/router)?

Federico.

Yes we've been using the cisco vpn client for a few years. We can see the users connected and the users can access the clients.

OK, but what I want to know is: from the PC (where the softphone is), can you PING the local LAN where the Call Manager is?

This remote PC has an IP address (received by the VPN client connection)... do you see the tunnel established on the VPN server? ''sh cry isa sa''

If the tunnel is up... do you see packets encrypted/decrypted ''sh cry ips sa''?

Federico.
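The encrypt/decrypt question above is usually answered by reading the ''#pkts encaps'' and ''#pkts decaps'' counters per peer and comparing them: decaps climbing while encaps stays at zero means the client's packets arrive and are decrypted but nothing is sent back, which points at the return path (routing or NAT on the inside) rather than at the tunnel itself. The script below is an added example for this thread, not the original poster's or Cisco's code; the ''show crypto ipsec sa'' text is a constructed sample laid out like the ASA's output, with invented addresses and usernames.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "show crypto ipsec sa" on an ASA.
# Addresses and usernames are invented for the example.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
      current_peer: 198.51.100.25, username: softphone-user
      dynamic allocated peer ip: 10.10.10.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1423, #pkts decrypt: 1423, #pkts verify: 1423
      #pkts compressed: 0, #pkts decompressed: 0

    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.6/255.255.255.255/0/0)
      current_peer: 198.51.100.77, username: other-user
      dynamic allocated peer ip: 10.10.10.6

      #pkts encaps: 5210, #pkts encrypt: 5210, #pkts digest: 5210
      #pkts decaps: 4877, #pkts decrypt: 4877, #pkts verify: 4877
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+?),?(?:\s+username:\s*(\S+))?\s*$")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(output: str) -> List[Dict[str, object]]:
    """One record per IPsec SA: peer, username, encaps and decaps counts.

    A new record starts at each 'current_peer:' line; the counter lines
    that follow belong to that peer until the next one appears.
    """
    sas: List[Dict[str, object]] = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1), "username": m.group(2) or "",
                       "encaps": 0, "decaps": 0}
            sas.append(current)
            continue
        if current is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return sas


def diagnose(sa: Dict[str, object]) -> str:
    """Classify traffic flow from the two counters.

    encaps = packets the ASA encrypted towards the client (replies);
    decaps = packets it decrypted from the client (requests).
    """
    encaps, decaps = int(sa["encaps"]), int(sa["decaps"])
    if encaps == 0 and decaps == 0:
        return "no-traffic"          # SA up, nothing sent either way
    if decaps > 0 and encaps == 0:
        return "inbound-only"        # client sends, nothing returns: check inside routing/NAT
    if encaps > 0 and decaps == 0:
        return "outbound-only"       # replies leave, client traffic never arrives: check NAT-T/path
    return "bidirectional"           # tunnel carries traffic both ways; look elsewhere (filters, inspection)


if __name__ == "__main__":
    for sa in parse_sa_counters(SAMPLE_IPSEC_SA):
        print(f"{sa['peer']} ({sa['username']}): encaps={sa['encaps']} "
              f"decaps={sa['decaps']} -> {diagnose(sa)}")
```

Run it twice a minute apart while the softphone user is trying to register; counters that do not move at all on the second run, with the SA still listed, mean the client's traffic is not entering the tunnel (split-tunnel or client-side routing), not that the ASA is dropping it.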

The 173.152.223.125 is the softphone user. See attached.

OK, so the tunnel is established and traffic is flowing through...

Can you provide the sanitized config from the VPN server (ASA)?

Federico.