Traffic between remote sites over Cisco Easy VPN

Kuldeep Saxena
Level 1

We have a Cisco 2921 router at the head office (Easy VPN Server) and have been deploying Cisco 887VA routers (Easy VPN remote - Network Extension) for remote offices using Easy VPN. We are allowing voice and data traffic over the VPN. Everything has been working great until this issue was discovered today:


When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in either direction.


Calls to/from head office and external mobiles/landlines are fine. Only calls between two remote sites are affected.

As there is no need for a data connection between remote offices, our only concern is voice support.


By the looks of it, I think "hair-pinning" of traffic over the VPN interface is needed, but I need some advice on the configuration (example configs etc.).


Thanks in advance.


Hi Kuldeep,

Please include a network topology and specific traffic flow.

Thanks.

Portu.

Please rate any helpful posts.

Please find the router config of our EasyVPN server (2912) attached; hopefully the network topology will be of some help.

Thanks for the update.

For this to work, you need network-extension mode (LAN-to-LAN) instead of client mode:

crypto isakmp client configuration group CliniEasyVPN

no pool SDM_POOL_1

This is because the phones need to register to the CUCM with their real IP address.

I can see that you have ZBF; since they all connect to the Virtual-Template, perhaps there is no need to adjust ZBF.

On the other hand, the remote networks cannot overlap.

For a better understanding of EzVPN in network-extension mode:

IOS Router: Easy VPN (EzVPN) with Network-Extension Mode (NEM) Configuration Example

Let me know.

Please rate any helpful posts

Hi Portu,

Thanks for taking time and replying.

I've configured all of my remote routers for network-extension mode and, as you have noted, I've taken care that none of my networks at remote sites overlap.

As for my EasyVPN server, you reckon all I need to do is turn off this SDM_POOL_1.

As of now, I am using group CliniEasyVPN for both site-to-site and remote users to VPN onto the network, and all remote users get assigned an IP from SDM_POOL_1.

Do you propose that I do the following:

1) Turn off SDM_POOL_1 on CliniEasyVPN and just use it for site-to-site; by doing so, will the phones start working, or do I need to make further changes?

2) Create a new EasyVPN Group for remote users with similar settings as of now.

Thanks for your prompt response.

I am sorry, I assumed the clients were configured in client mode.

No need to remove the SDM_POOL_1, since the clients already have NEM configured.

But add:

crypto isakmp client configuration group CliniEasyVPN

mode network-extension

Are you able to ping from one spoke to the other?

Please make this change:

ip access-list extended 105

 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

* Make sure to exempt this traffic from being translated on the spokes.

Let me know if you have any questions.

Thanks.

Portu.

Thanks Portu,

No, we are not able to ping from one remote network to another, but that's never been an issue as we do not want any direct connectivity.

I will make the changes during this weekend and run further tests.

Also, I will add "permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255" under ACL 105.

To exempt this traffic from being translated on the spoke, do you want me to modify the NAT ACL on the spoke router as below:

access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 115 permit ip 192.168.151.0 0.0.0.255 any

access-list 115 permit ip 192.168.152.0 0.0.0.255 any

ip nat inside source list 115 interface Dialer1 overload

Please find a copy of the spoke router config as an attachment. The config only contains the 192.168.151.0/24 network (not both 192.168.151.0/24 and 192.168.152.0/24 as per my topology diagram), but I believe it will give you insight into the EasyVPN configs.

Thanks again for the assistance.
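An added check, not from anyone in the thread: the wildcard-mask evaluator below runs the spoke NAT ACL 115 exactly as posted above against a constructed spoke-to-spoke flow, showing whether "ip nat inside source list 115" would translate it. A Cisco wildcard of 0.0.0.255 on 192.168.0.0 matches only 192.168.0.0/24, so the posted deny line does not cover the 192.168.151.0/24 and 192.168.152.0/24 spoke subnets; the same ACL with a 0.0.255.255 wildcard is evaluated alongside it for comparison. The phone addresses are constructed sample values.

```python
import ipaddress

# Added example (not from the thread): first-match evaluation of Cisco
# numbered ACLs with wildcard masks, applied to the spoke NAT ACL 115.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def _parse_net(tokens, i):
    """Return (base, wildcard, next_index) for 'any', 'host A' or 'A W'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def evaluate_acl(acl_lines, src, dst):
    """Return 'permit', 'deny' or 'implicit-deny' for an IP flow (first match wins)."""
    for line in acl_lines:
        t = line.split()
        # Format: "access-list <num> <action> ip <src> <dst>"
        action = t[2]
        s_base, s_wild, i = _parse_net(t, 4)
        d_base, d_wild, _ = _parse_net(t, i)
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "implicit-deny"

# ACL 115 exactly as posted in the thread.
NAT_ACL_AS_POSTED = [
    "access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 115 permit ip 192.168.151.0 0.0.0.255 any",
    "access-list 115 permit ip 192.168.152.0 0.0.0.255 any",
]
# Same ACL with a /16 wildcard on the deny line, covering 192.168.151.0 and .152.0.
NAT_ACL_SLASH16 = [
    "access-list 115 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
] + NAT_ACL_AS_POSTED[1:]

def is_translated(acl_lines, src, dst):
    """'ip nat inside source list 115 ...' translates only flows the ACL permits."""
    return evaluate_acl(acl_lines, src, dst) == "permit"
```

Calling is_translated(NAT_ACL_AS_POSTED, "192.168.151.10", "192.168.152.20") returns True (spoke-to-spoke RTP would be NATed), while the /16 variant returns False and still translates Internet-bound traffic.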