VOIP Traffic - Site to Site VPN Tunnel

abccisco2011
Level 1

Hello,

I am trying to install a VoIP solution between multiple sites. For a test I have two locations, Site A and Site B, with the following configuration:

Site A 

Cisco ASA 5520 - Software Version 8.2(5)

VLAN 8 - Data ( 10.1.8.0/22)

VLAN 7 - Voice ( 10.1.7.0/24)

Site B 

Cisco ASA 5506-X - Software Version 9.5

I do not have a VLAN configured here as currently I have only one network for that site (10.1.100.0/24). I researched and found out that we have to use router-on-a-stick for VLANs and cannot assign a physical interface to a particular VLAN.

Can someone guide me on the configuration of the 5506 so that I can have my voice VLAN 7 pass through the site-to-site VPN tunnel? Also, can I configure a Layer 2 VLAN, and I already have a default gateway for the voice VLAN configured on the Site A firewall?

Thanks in advance

--

Sushant

8 Replies

Philip D'Ath
VIP Alumni

Can you post your current configs?

What about putting the Voice and Data networks on the 5506 directly?  Just plug each of the interfaces into whatever you want to do the switch for them.

Philip,

It's in a testing phase right now. Here is the 5506 config. I dropped the plan for creating the VLANs and instead use a different port for voice and include it in the crypto map. That should work, right?

show run
ciscoasa# show running-config
: Saved

:
: Serial Number: JAD201301QT
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif voice
security-level 100
ip address 10.1.11.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
description inside_nw
object network voice_nw
host 10.1.11.0
description voice_nw
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username fwadmina password 9KI89.52eSQ4gKA4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:f996fb20a926539d295c6cc7abd6f214
: end

That's the idea.  Using different ports makes everything easy for you.

Yeah, learned that the hard way. The ASA 5505 was easy to configure; I don't know why Cisco decided to go this way.

Thanks for the help. I will let you know if it works.

I do not have a VLAN configured here as currently I have only one network for that site (10.1.100.0/24). I researched and found out that we have to use router-on-a-stick for VLANs and cannot assign a physical interface to a particular VLAN.

Not sure what you are getting at here.  The 5506 can be configured with subinterfaces which you can assign to VLAN 7 and give it an IP in that VLAN and perhaps set it to the default gateway for the VOICE network.

Then just add the VLAN 7 subnet to the crypto ACL that is configured for the site to site VPN.  Also remember to add the subnet to the remote VPN device crypto ACL as the destination.

--

Please remember to select a correct answer and rate helpful posts

Marius,

If I create a VLAN in the 5506, do I not have to assign an IP address for that VLAN?

Thanks,

Sushant

You have to assign an IP... it is not a switch.  But you can either configure that IP as the default gateway for the Voice VLAN or you can configure routing so that traffic going to the remote network over the VPN is sent to the ASA.

--

Please remember to select a correct answer and rate helpful posts

Marius,

What I did is connect 2 different interfaces for voice and data. I have 10.1.11.0/24 for voice at Site B now, which will talk to voice VLAN 7 at Site A through the crypto map. Hope this works.

ASA Version 9.5(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif voice
security-level 100
ip address 10.1.11.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
description inside_nw
object network voice_nw
host 10.1.11.0
description voice_nw
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username fwadmina password 9KI89.52eSQ4gKA4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:f996fb20a926539d295c6cc7abd6f214
: end

Thanks,

Sushant
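The two steps Marius gives above (add the new subnet to the local crypto ACL, then add the same pair, reversed, to the peer's crypto ACL) and the 10.1.11.0/24-to-10.1.7.0/24 pairing in the final post are exactly where site-to-site tunnels usually break: one side's ACL is not the mirror of the other's, or a network object is typed as "host 10.1.11.0" (as voice_nw is in the posted config), which matches a single address rather than the /24. The following is an added example, not from this thread or from Cisco: a small Python check that parses the "extended permit ip" crypto ACEs from both ASAs, reports entries that are not mirrored on the peer, flags host-sized network objects, and renders the missing ACE. The ACL names siteA_vpn and siteB_vpn and the ACL text are constructed for the example; the posted 5506 config has no crypto map or NAT exemption yet, so only the shape of the voice_nw object is taken from it.

```python
"""Cross-check the two ends of an ASA site-to-site tunnel before adding a voice subnet.

Added example, not part of the thread: parses 'access-list ... extended permit ip'
crypto ACEs from each ASA, reports entries that are not mirrored on the peer, flags
network objects typed as 'host A.B.C.0' instead of a subnet, and renders the missing
ACE. ACL names and the sample ACL text are constructed for this example.
"""
import ipaddress
import re

# Constructed sample crypto ACLs. Site A (ASA 5520, 8.2) protects 10.1.8.0/22 data and
# 10.1.7.0/24 voice; Site B (ASA 5506-X, 9.5) protects 192.168.1.0/24 and 10.1.11.0/24.
# The second Site B entry deliberately repeats the thread's mistake: 'host 10.1.11.0'.
SITE_A_ACL = """
access-list siteB_vpn extended permit ip 10.1.8.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list siteB_vpn extended permit ip 10.1.7.0 255.255.255.0 10.1.11.0 255.255.255.0
"""
SITE_B_ACL = """
access-list siteA_vpn extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.252.0
access-list siteA_vpn extended permit ip host 10.1.11.0 10.1.7.0 255.255.255.0
"""
# Constructed fragment in the shape of the posted 'object network voice_nw'.
SITE_B_OBJECTS = """
object network inside_nw
 subnet 192.168.1.0 255.255.255.0
object network voice_nw
 host 10.1.11.0
 description voice_nw
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted-decimal netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def crypto_acl_entries(config_text):
    """Return the set of (src, dst) network pairs permitted by the ACL text."""
    entries = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _parse_addr(m.group(2).split())
        dst, _ = _parse_addr(rest)
        entries.add((src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Return (local_only, remote_only): ACEs whose (dst, src) mirror is absent on the
    peer. A crypto ACL that is not mirrored is the classic reason one direction of a
    tunnel never comes up or only some subnets pass."""
    local_only = {(s, d) for (s, d) in local if (d, s) not in remote}
    remote_only = {(s, d) for (s, d) in remote if (d, s) not in local}
    return local_only, remote_only


def host_sized_network_objects(config_text):
    """Flag 'object network NAME' blocks defined as 'host A.B.C.0': almost always a
    subnet typed as a single address, which will never match the real hosts."""
    found = []
    current = None
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"] and len(t) == 3:
            current = t[2]
        elif current and t[:1] == ["host"] and len(t) == 2 and t[1].endswith(".0"):
            found.append((current, t[1]))
    return found


def suggested_ace(acl_name, local_net, remote_net):
    """Render the crypto ACE one side needs, in ASA 'extended permit ip' syntax."""
    return (f"access-list {acl_name} extended permit ip "
            f"{local_net.network_address} {local_net.netmask} "
            f"{remote_net.network_address} {remote_net.netmask}")


if __name__ == "__main__":
    a_entries = crypto_acl_entries(SITE_A_ACL)
    b_entries = crypto_acl_entries(SITE_B_ACL)
    a_only, b_only = mirror_mismatches(a_entries, b_entries)
    for src, dst in sorted(a_only, key=str):
        print(f"Site A protects {src} -> {dst}; Site B has no mirror. Add on Site B:")
        print("  " + suggested_ace("siteA_vpn", dst, src))
    for src, dst in sorted(b_only, key=str):
        print(f"Site B entry {src} -> {dst} has no mirror on Site A (check the mask).")
    for name, addr in host_sized_network_objects(SITE_B_OBJECTS):
        print(f"object network {name} is 'host {addr}': did you mean a subnet?")
```

Paste the access-list and object lines from each ASA's running configuration into the two constants (or read them from files) and run the script before bringing the tunnel up; the same mirror check applies to the NAT-exemption rules on each side, which must cover the same subnet pairs or the default "nat (any,outside) dynamic interface" in the posted config will PAT the voice traffic instead of sending it into the tunnel.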