07-20-2008 05:58 AM - edited 02-21-2020 03:50 PM
I have an L2L tunnel of IPSEC between an ASA and a PIX.
The ASA as an 8,0 OS version and the PIX a 7.2 OS version.
In that tunnel I what to pass data and voip.
The packets of data have no problem, but with voip I have some problems.
The thing is like this.
I can make a phone call between the phones in the PIX site and I can do a phone call to the public network, but when I tried to do a phone call between the PIX site and the ASA site I can't do it.
In the ASA site I have a Call Manager.
In the ASA site the phones numbers are like this: 20xx.
In the PIX site the phones numbers are like this: 90xx.
When I make a phone call between the tow sites the phone rings, but when I pickup the phone I can't hear nothing and in the other site they can't hear me too.
Can some one help me?
Please.
Thanks in advance,
Rui
07-20-2008 09:27 AM
show the configurations
07-21-2008 12:11 PM
07-21-2008 05:41 AM
Hello,
make sure:
1. routing is not an issues;
2. mtu size. try ping with different mtu size.
Thanks.
07-21-2008 12:16 PM
Routing I think is not an issue.
Because I can ping the phones in Lisboa when I am in Porto.
I can ping the L3 switch in Lisbon.
My colleague can do the same when he makes a ping from Lisboa to Porto.
07-21-2008 08:11 AM
first check the inspection of skinny is enabled
and try to add this command under the
inspect skinny
parameters
rtp-conformance
also check ur vpn ACLs for intersting traffic and for allowed traffic dose the skinny
sccp port and address allowed
check ur phones address not data adress
by the way the remote site phones regestered with asa site callmanager or deferent call control server they have
good luck and let me know if worked
Rate if helpful
07-21-2008 12:31 PM
Please, see the file with some configuration that I sanded earlier.
I can't see what you mean with
ââ¦check up phones addresses not data addressâ¦â
and, I can't see what you mean with
ââ¦by the way the remote site phones registered with asa site callmanager or deferent call control server they haveâ¦â
Can you explain⦠please?
Thanks,
Rui
07-21-2008 06:01 PM
i meant that
when permiting sccp port and making ur vpn interesting traffic u, put the ip addressing range of ur phone (voice) in addition to data
i asked u about ur phone behind the pix do they belong to ur callmanger behind the ASA or they belong to deffrent call control system?
also check this link
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml
rate if helpful
07-22-2008 05:06 AM
The phones behind the PIX belong (are registered) to the callmanager that are behind the ASA.
One question.
They must have the same extension plan (20xx) or they can be in different plans, i.e., they have to be in the 20xx plan or one can be in the 20xx plan and the other can be in the 90xx plan?
Thanks,
Rui
07-22-2008 05:12 AM
In the configuration that I sanded the vlan 27 is the voice vlan. It's only used for voice traffic. The others vlans are for data.
I don't know if this is what you mean with
ââ¦put the ip addressing range of ur phone (voice) in addition to dataâ¦â
Thanks,
Rui
07-22-2008 06:03 AM
First
Make and ACLs that allow http, https, TFTP and SCCP from the PIX voice lan to the ASA LAN and and especially to your callmanager ip address ( this will let the ip phones on the remote site to rigester with your callmanger)
This shoud be applied on the ouside interfaces of the ASA
Because this traffic for registration should be established from the PIX lan
U have to include the traffic(mentioned above) with ur VPN interesting traffic and also NOTNAT traffic at the PIX side
Now on the ASA include all traffic from ur voice network to the remote voice network in the vpn interesting traffic and NOTNAT
Also check the dhcp configuration for the remote site whither the client taking the right IPs and they do have the option 150 pointing to ur TFTP server which mostly the Callmanger server, also the they have the right gateway !!
And about ur other question about the phone numbers
Yes, u can assign what ever numbers u want not necessarily to be the in the same range
Check your config carefully
And let me know
Good luck
08-23-2008 06:24 AM
Hello,
I tried to had the ârtp-conformanceâ has a parameter in the âinspect skinnyâ command but I could not do it.
The âinspect skinnyâ did not had that parameterâ¦
That's a problem?
Thanks,
Rui Capao
08-23-2008 06:34 AM
if u look to achieve that then do the following
make ACL based on ur requirement source and sit to be refrenced in the sccp policy inspection such as:
access-list global_mpc_1 extended permit ip 10.1.3.0 255.255.255.0 host 10.1.4.2
than match this ACL through a class-map that will be called in the inspection
class-map sccp_class
match access-list global_mpc_1
creat the inspection policy:
policy-map type inspect skinny sccp_policy
parameters
enforce-registration
rtp-conformance
finally bring all together:
policy-map global_policy
class inspection_default
class sccp_class
inspect skinny sccp_policy
now will work:)
please, if helpful Rate
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide