09-09-2013 10:54 PM
Hi guys,
Kindly find the attached diagram, which can help you to understand what I'm looking for.
Recently I have deployed Cisco IP phones on site-A and site-B by giving them static IPs. The purpose is to make
them communicate with HO. Now they are able to communicate with HO, but somehow they are not able to
make calls between spokes.
I want to make them call between both sides.
Site-A and site-B are connected through site-to-site VPN. I tried to ping from site-A to the subnet of
site-B but was not able to. So in this case I need to do the needful configuration, but keep in mind I don't
want to allow complete subnets; I just want to allow the Cisco IP phones to call, meaning only IP phone traffic
should be allowed.
I'm also going to attach the configurations of the following.
1- Site-A router
2- Site-B router
3- HO-ASA
Kindly look into it and let me know what additional
config is required to fulfill my need.
ASA5520:-
VPN config on ASA5520 for site-A
object-group network site-A
network-object 10.3.0.0 255.255.0.0
network-object 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_104
network-object 10.1.0.0 255.255.0.0
network-object 192.6.14.0 255.255.255.0
access-list Outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A
crypto map Outside_map 7 match address Outside_7_cryptomap
crypto map Outside_map 7 set pfs
crypto map Outside_map 7 set peer 62.xx.xx.xx
crypto map Outside_map 7 set transform-set ESP-3DES
crypto map Outside_map 7 set transform-set ESP-3DES-SHA
crypto map Outside_map 7 set phase1-mode aggressive
group-policy siteA_HO internal
group-policy siteA_HO attributes
vpn-tunnel-protocol IPSec
tunnel-group 62.xx.xx.xx type ipsec-l2l
tunnel-group 62.xx.xx.xx general-attributes
default-group-policy siteA_HO
tunnel-group 62.xx.xx.xx ipsec-attributes
pre-shared-key ******
peer-id-validate nocheck
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A
access-list inside_nat0_outbound object-group DM_INLINE_NETWORK_104 object-group site-A
=========================================================================================================================================================
VPN config on ASA5520 for site-B:-
object-group network DM_INLINE_NETWORK_4
network-object 182.72.41.32 255.255.255.248
network-object 192.168.124.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 192.6.14.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list Outside_3_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_4
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer 182.xx.xx.xx
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 set phase1-mode aggressive
group-policy site-B internal
group-policy site-B attributes
vpn-tunnel-protocol IPSec
tunnel-group 182.xx.xx.xx type ipsec-l2l
tunnel-group 182.xx.xx.xx general-attributes
default-group-policy site-B
tunnel-group 182.xx.xx.xx ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
access-list Outside_nat0_outbound extended permit ip 192.168.124.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0
=============================================================================================================
Site-A router config:-
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address 83.xx.xx.xx
crypto ipsec transform-set ASA-IPSEC esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to83.xx.xx.xx
set peer 83.xx.xx.xx
set security-association lifetime seconds 28800
set transform-set ASA-IPSEC
set pfs group2
match address 100
interface FastEthernet4.1
encapsulation dot1Q 113
ip address 172.16.7.69 255.255.255.252 secondary
ip address 62.xx.xx.xx 255.255.255.252
ip virtual-reassembly in
crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 10.1.0.0 0.0.255.255
ip route 0.0.0.0 0.0.0.0 172.16.7.69
=============================================================================================================
Site-B router config:-
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ******* address 83.xx.xx.xx
!
!
crypto ipsec transform-set ASA-IPSEC esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to83.xx.xx.xxx
set peer 83.xx.xx.xx
set transform-set ASA-IPSEC
set pfs group2
match address 100
interface GigabitEthernet0/0
description "Connected to Internet"
ip address 182.xx.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.124.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.124.0 0.0.0.255 10.1.0.0 0.0.255.255
route-map nonat permit 10
match ip address 110
access-list 110 deny ip 192.168.124.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 192.168.124.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 192.168.124.0 0.0.0.255 any
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 182.xx.xx.xx
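As an added check (not from the original post or any reply), the script below models the crypto ACLs quoted above as (local, remote) pairs and reports at which hops a site-A to site-B flow is not "interesting traffic"; the phone addresses 10.3.1.10 and 192.168.124.10 are assumed placeholders.

```python
import ipaddress

def net(text):
    """Parse 'addr mask'; ipaddress accepts an IOS wildcard or an ASA netmask as the mask."""
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def aces(local_nets, remote_nets):
    """Expand object-group style local/remote lists into (local, remote) ACE pairs."""
    return [(l, r) for l in local_nets for r in remote_nets]

# Crypto domains transcribed from the configs in the post; HO nets are the hub side.
HO = [net("10.1.0.0 255.255.0.0"), net("192.6.14.0 255.255.255.0")]
SITE_A_RTR = aces([net("192.168.0.0 0.0.0.255"), net("10.3.0.0 0.0.255.255"),
                   net("192.168.147.0 0.0.0.255")], HO)
HO_ASA_MAP7 = aces(HO, [net("10.3.0.0 255.255.0.0"), net("192.168.0.0 255.255.255.0")])
HO_ASA_MAP3 = aces(HO, [net("182.72.41.32 255.255.255.248"), net("192.168.124.0 255.255.255.0")])
SITE_B_RTR = aces([net("192.168.124.0 0.0.0.255")], HO)

# Hops on which a site-A -> site-B packet must be "interesting traffic", in order.
SPOKE_TO_SPOKE = [("site-A router acl 100", SITE_A_RTR), ("HO-ASA crypto map 7", HO_ASA_MAP7),
                  ("HO-ASA crypto map 3", HO_ASA_MAP3), ("site-B router acl 100", SITE_B_RTR)]

def interesting(src, dst, acl):
    """True if any ACE covers the flow in either direction (peers must mirror each other)."""
    return any((src in l and dst in r) or (src in r and dst in l) for l, r in acl)

def blocked_hops(src, dst, path):
    """Names of the hops whose crypto ACL does not cover src -> dst; empty means end to end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, acl in path if not interesting(s, d, acl)]

def with_phone_pair(path, phone_a, phone_b):
    """Phone-only variant: one host-to-host ACE appended at every hop, subnets left untouched."""
    pair = (ipaddress.ip_network(phone_a), ipaddress.ip_network(phone_b))
    return [(name, acl + [pair]) for name, acl in path]

if __name__ == "__main__":
    # Placeholder phone addresses (assumed, not from the post).
    a_phone, b_phone = "10.3.1.10", "192.168.124.10"
    print("as posted  :", blocked_hops(a_phone, b_phone, SPOKE_TO_SPOKE))
    fixed = with_phone_pair(SPOKE_TO_SPOKE, a_phone, b_phone)
    print("phone pair :", blocked_hops(a_phone, b_phone, fixed))
    print("other host :", blocked_hops("10.3.1.11", b_phone, fixed))
```

The same check shows that 192.168.147.0/24 appears in site-A's ACL 100 but not in the ASA's site-A object-group, so that pair never forms a working SA. Even with mirrored host entries at all four hops, an ASA only hairpins spoke-to-spoke traffic on its Outside interface when same-security-traffic permit intra-interface is configured.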
09-12-2013 03:25 AM
Hi,
Can I get experts' opinion on the same?