Problems with Voip in IPSEC L2L tunnel

Jul 20th, 2008

I have an L2L tunnel of IPSEC between an ASA and a PIX.

The ASA has an 8.0 OS version and the PIX a 7.2 OS version.

In that tunnel I want to pass data and VoIP.

The packets of data have no problem, but with voip I have some problems.

The thing is like this.

I can make a phone call between the phones at the PIX site and I can make a phone call to the public network, but when I try to make a phone call between the PIX site and the ASA site I can't do it.

In the ASA site I have a Call Manager.

At the ASA site the phone numbers are like this: 20xx.

At the PIX site the phone numbers are like this: 90xx.

When I make a phone call between the two sites the phone rings, but when I pick up the phone I can't hear anything and at the other site they can't hear me either.


Can someone help me?

Please.


Thanks in advance,



Rui


bamnocadmin Mon, 07/21/2008 - 05:41

Hello,


Make sure of:

1. Routing is not an issue;

2. MTU size. Try ping with different MTU sizes.


Thanks.

rcapao Mon, 07/21/2008 - 12:16

Routing I think is not an issue.

Because I can ping the phones in Lisboa when I am in Porto.

I can ping the L3 switch in Lisbon.

My colleague can do the same when he makes a ping from Lisboa to Porto.


Marwan ALshawi Mon, 07/21/2008 - 08:11

First check that skinny inspection is enabled, and try to add this command under the inspect skinny parameters:

rtp-conformance


Also check your VPN ACLs for interesting traffic and for allowed traffic: are the skinny (SCCP) port and address allowed?

Check your phones' addresses, not the data addresses.

By the way, are the remote site phones registered with the ASA site CallManager, or do they have a different call control server?


good luck and let me know if worked


Rate if helpful

rcapao Mon, 07/21/2008 - 12:31

Please see the file with some configuration that I sent earlier.


I can't see what you mean with


“…check up phones addresses not data address…”


and, I can't see what you mean with



“…by the way the remote site phones registered with asa site callmanager or deferent call control server they have…”


Can you explain… please?


Thanks,


Rui


Marwan ALshawi Mon, 07/21/2008 - 18:01

I meant that when permitting the SCCP port and making your VPN interesting traffic, you put the IP addressing range of your phones (voice) in addition to data.


I asked you about your phones behind the PIX: do they belong to your CallManager behind the ASA, or do they belong to a different call control system?


also check this link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml

rate if helpful

rcapao Tue, 07/22/2008 - 05:06

The phones behind the PIX belong (are registered) to the CallManager that is behind the ASA.


One question.

They must have the same extension plan (20xx) or they can be in different plans, i.e., they have to be in the 20xx plan or one can be in the 20xx plan and the other can be in the 90xx plan?


Thanks,


Rui


rcapao Tue, 07/22/2008 - 05:12

In the configuration that I sent, VLAN 27 is the voice VLAN. It's only used for voice traffic. The other VLANs are for data.

I don't know if this is what you mean with


“…put the ip addressing range of ur phone (voice) in addition to data…”


Thanks,


Rui


Marwan ALshawi Tue, 07/22/2008 - 06:03

First,

make an ACL that allows HTTP, HTTPS, TFTP and SCCP from the PIX voice LAN to the ASA LAN, and especially to your CallManager IP address (this will let the IP phones on the remote site register with your CallManager).

This should be applied on the outside interfaces of the ASA,


because this traffic for registration should be established from the PIX LAN.

You have to include the traffic (mentioned above) in your VPN interesting traffic and also NOTNAT traffic on the PIX side.


Now on the ASA, include all traffic from your voice network to the remote voice network in the VPN interesting traffic and NOTNAT.


Also check the DHCP configuration for the remote site: whether the clients are taking the right IPs and have option 150 pointing to your TFTP server, which is mostly the CallManager server, and also that they have the right gateway!


And about your other question about the phone numbers:

Yes, you can assign whatever numbers you want; they do not necessarily have to be in the same range.


Check your config carefully

And let me know


Good luck
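
The interesting-traffic and NAT-exemption coverage described in the post above, as an added example that is not part of the original thread: a Python check that both peers' crypto and no-NAT ACLs cover voice-subnet-to-voice-subnet traffic (the phone-to-phone RTP path) and mirror each other. The ACL names VPN_L2L and NONAT, the subnets and the embedded configs are constructed assumptions; only `extended permit ip` entries are parsed.

```python
import ipaddress
import re

# Constructed sample configs: ACL names and subnets are assumptions, not the poster's.
ASA_CFG = """\
access-list VPN_L2L extended permit ip 10.1.3.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list VPN_L2L extended permit ip 10.1.27.0 255.255.255.0 10.2.27.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.2.3.0 255.255.255.0
"""
PIX_CFG = """\
access-list VPN_L2L extended permit ip 10.2.3.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list NONAT extended permit ip 10.2.3.0 255.255.255.0 10.1.3.0 255.255.255.0
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def _net(tokens):
    """Consume one address spec from the token list: 'any', 'host A' or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(cfg, name):
    """Return [(src, dst)] networks for the 'permit ip' entries of one ACL."""
    pairs = []
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            tokens = m.group(2).split()
            pairs.append((_net(tokens), _net(tokens)))
    return pairs

def covers(pairs, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def audit(asa_cfg, pix_cfg, asa_voice, pix_voice):
    """List gaps that would keep phone-to-phone RTP out of the tunnel."""
    av, pv = ipaddress.ip_network(asa_voice), ipaddress.ip_network(pix_voice)
    findings = []
    for side, cfg, src, dst in (("ASA", asa_cfg, av, pv), ("PIX", pix_cfg, pv, av)):
        for acl in ("VPN_L2L", "NONAT"):
            if not covers(parse_acl(cfg, acl), src, dst):
                findings.append(f"{side}: {acl} does not cover {src} -> {dst}")
    asa_vpn, pix_vpn = parse_acl(asa_cfg, "VPN_L2L"), parse_acl(pix_cfg, "VPN_L2L")
    # Crypto ACLs on the two peers should mirror each other entry for entry.
    findings += [f"PIX: no mirror of ASA entry {s} -> {d}" for s, d in asa_vpn if (d, s) not in pix_vpn]
    findings += [f"ASA: no mirror of PIX entry {s} -> {d}" for s, d in pix_vpn if (d, s) not in asa_vpn]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ASA_CFG, PIX_CFG, "10.1.27.0/24", "10.2.27.0/24")))
```

With the constructed configs, signalling between the data subnets is covered on both sides while the voice-to-voice path is missing from the PIX crypto ACL and from both no-NAT ACLs, which is the kind of gap the post asks to rule out.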




rcapao Sat, 08/23/2008 - 06:24

Hello,


I tried to add “rtp-conformance” as a parameter in the “inspect skinny” command but I could not do it.

The “inspect skinny” did not have that parameter…


Is that a problem?


Thanks,

Rui Capao


Marwan ALshawi Sat, 08/23/2008 - 06:34

If you want to achieve that, then do the following:


Make an ACL based on your required source and destination, to be referenced in the SCCP policy inspection, such as:

    access-list global_mpc_1 extended permit ip 10.1.3.0 255.255.255.0 host 10.1.4.2


Then match this ACL through a class-map that will be called in the inspection:

    class-map sccp_class
     match access-list global_mpc_1


Create the inspection policy:

    policy-map type inspect skinny sccp_policy
     parameters
      enforce-registration
      rtp-conformance


Finally, bring it all together:

    policy-map global_policy
     class inspection_default

     class sccp_class
      inspect skinny sccp_policy


Now it will work :)


please, if helpful Rate



