12-02-2010 11:40 AM
We have a remote user that needs to use a softphone (ShoreTel). We've been asked to open ports for the user in the VPN. How can I check the allowed ports, and how would we go about opening those?
12-02-2010 11:53 AM
Hi,
If the softphone goes through the VPN tunnel, by default all IP traffic is permitted so there's no need to open TCP/UDP ports.
If the phone uses SIP for example, the ASA will allow the traffic but will also inspect SIP by default.
Is the softphone not working?
Federico.
12-02-2010 12:11 PM
Right, it's not working. We have many users that use the softphone internally. It's when a remote user connects via vpn that it doesn't work. Maybe the subnet the user is on, once connected is not allowed?
How can I make sure that indeed we're allowing all IP traffic via VPN?
12-02-2010 12:28 PM
If the problem is related to the subnet/routing try to PING through the tunnel from the client.
Does the softphone register and the problem is audio, or does it not register at all?
Federico.
12-02-2010 01:08 PM
How can I make sure that indeed we're allowing all IP traffic via VPN?
12-02-2010 01:10 PM
1. Check that you have the command ''sysopt connection permit-vpn'' under ''sh run all sysopt''
2. Check that there are no vpn-filters under the group-policy of the tunnel-group for the VPN clients.
3. Check that ''cry isa nat-t'' is configured to allow traffic to pass through the tunnel when coming behind a PAT device.
Federico.
12-03-2010 09:16 AM
Below is what I have from "show run"
1. CP-ASAINT-P01# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1200
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
2. vpn-filter none
3. lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
Appreciate your help.
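As an added example (not part of the thread, and not a Cisco tool), the three checks Federico lists can be run mechanically against pasted "show run" output. The parser below is hypothetical; it looks for the exact lines the thread discusses (sysopt connection permit-vpn, vpn-filter, crypto isakmp nat-traversal), and the sample config is constructed to match what the poster showed.

```python
# Constructed sample modelled on the poster's output (not a real device).
SAMPLE_CONFIG = """\
no sysopt connection timewait
sysopt connection tcpmss 1200
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
vpn-filter none
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
"""


def check_vpn_passthrough(config_text):
    """Return a dict of the three checks from the thread, True meaning 'OK'.

    permit_vpn     - 'sysopt connection permit-vpn' present (not negated)
    no_vpn_filter  - no 'vpn-filter value <ACL>' applied to the group-policy
    nat_traversal  - 'crypto isakmp nat-traversal' present and not 'no ...'
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # 1. permit-vpn: the negated form 'no sysopt connection permit-vpn'
    #    would not match this exact comparison, which is what we want.
    permit_vpn = "sysopt connection permit-vpn" in lines

    # 2. vpn-filter: 'vpn-filter none' is fine; 'vpn-filter value X' means
    #    an ACL is applied to the tunnel and may block the softphone traffic.
    applied_filters = [ln for ln in lines if ln.startswith("vpn-filter value ")]
    no_vpn_filter = not applied_filters

    # 3. NAT-T: only a non-negated line counts (e.g. 'crypto isakmp nat-traversal'
    #    or 'crypto isakmp nat-traversal 20' with a keepalive interval).
    nat_t_lines = [ln for ln in lines if "crypto isakmp nat-traversal" in ln]
    nat_traversal = any(not ln.startswith("no ") for ln in nat_t_lines)

    return {
        "permit_vpn": permit_vpn,
        "no_vpn_filter": no_vpn_filter,
        "nat_traversal": nat_traversal,
        "applied_filters": applied_filters,
    }


if __name__ == "__main__":
    for name, ok in check_vpn_passthrough(SAMPLE_CONFIG).items():
        print(f"{name}: {ok}")
```

Run against the thread's output, it flags only the disabled NAT-T, which is the setting the poster went on to change.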
12-10-2010 02:19 PM
I changed it to crypto isakmp nat-traversal. Still doesn't work.
12-10-2010 02:25 PM
From the computer where the softphone resides (connecting via VPN), can you PING through the tunnel?
I mean... is the problem only the ports required for the softphone, or is there no IP connectivity at all?
Federico.
12-10-2010 02:45 PM
I can't ping the subnet where the Shoretel call manager resides.
12-10-2010 03:09 PM
Maybe there's no traffic going through the tunnel at all.
Are you establishing the VPN tunnel using an IPsec client from the remote computer or how?
Do you see the tunnel established on the VPN gateway (ASA/router)?
Federico.
12-10-2010 03:15 PM
Yes, we've been using the Cisco VPN client for a few years. We can see the users connected and the users can access the clients.
12-10-2010 03:18 PM
Ok but what I want to know is if from the PC (where the softphone is) can you PING the local LAN where the Call Manager is?
This remote PC has an IP address (received by the VPN client connection)... do you see the tunnel established on the VPN server? ''sh cry isa sa''
If the tunnel is up... do you see packets encrypted/decrypted ''sh cry ips sa''?
Federico.
12-10-2010 03:33 PM
12-10-2010 03:36 PM
Ok so the tunnel is established and traffic is flowing through...
Can you provide the sanitized config from the VPN server (ASA)?
Federico.