Problems with Voip in IPSEC L2L tunnel

Unanswered Question
Jul 20th, 2008

I have an L2L tunnel of IPSEC between an ASA and a PIX.

The ASA has an 8,0 OS version and the PIX a 7.2 OS version.

In that tunnel I want to pass data and voip.

The packets of data have no problem, but with voip I have some problems.

The thing is like this.

I can make a phone call between the phones in the PIX site and I can do a phone call to the public network, but when I tried to do a phone call between the PIX site and the ASA site I can't do it.

In the ASA site I have a Call Manager.

In the ASA site the phone numbers are like this: 20xx.

In the PIX site the phone numbers are like this: 90xx.

When I make a phone call between the two sites the phone rings, but when I pick up the phone I can't hear anything and at the other site they can't hear me either.

Can someone help me?


Thanks in advance,


bamnocadmin Mon, 07/21/2008 - 05:41


make sure:

1. routing is not an issue;

2. mtu size. try ping with different mtu size.


rcapao Mon, 07/21/2008 - 12:16

Routing I think is not an issue.

Because I can ping the phones in Lisboa when I am in Porto.

I can ping the L3 switch in Lisbon.

My colleague can do the same when he makes a ping from Lisboa to Porto.

Marwan ALshawi Mon, 07/21/2008 - 08:11

first check the inspection of skinny is enabled

and try to add this command under the

inspect skinny



also check ur vpn ACLs for interesting traffic and for allowed traffic: are the skinny sccp port and address allowed?

check ur phones address not data address

by the way, are the remote site phones registered with the asa site callmanager, or do they have a different call control server?

good luck and let me know if worked

Rate if helpful

rcapao Mon, 07/21/2008 - 12:31

Please see the file with some configuration that I sent earlier.

I can't see what you mean with

“…check up phones addresses not data address…”

and, I can't see what you mean with

“…by the way the remote site phones registered with asa site callmanager or different call control server they have…”

Can you explain… please?



Marwan ALshawi Mon, 07/21/2008 - 18:01

i meant that

when permitting the sccp port and making ur vpn interesting traffic, u put the ip addressing range of ur phone (voice) in addition to data

i asked u about ur phones behind the pix: do they belong to ur callmanager behind the ASA or do they belong to a different call control system?

also check this link

rate if helpful

rcapao Tue, 07/22/2008 - 05:06

The phones behind the PIX belong (are registered) to the callmanager that is behind the ASA.

One question.

They must have the same extension plan (20xx) or they can be in different plans, i.e., they have to be in the 20xx plan or one can be in the 20xx plan and the other can be in the 90xx plan?



rcapao Tue, 07/22/2008 - 05:12

In the configuration that I sent, vlan 27 is the voice vlan. It's only used for voice traffic. The other vlans are for data.

I don't know if this is what you mean with

“…put the ip addressing range of ur phone (voice) in addition to data…”



Marwan ALshawi Tue, 07/22/2008 - 06:03


Make an ACL that allows http, https, TFTP and SCCP from the PIX voice lan to the ASA LAN and especially to your callmanager ip address (this will let the ip phones on the remote site register with your callmanager)

This should be applied on the outside interface of the ASA

Because this traffic for registration should be established from the PIX lan

U have to include the traffic (mentioned above) with ur VPN interesting traffic and also NOTNAT traffic at the PIX side

Now on the ASA include all traffic from ur voice network to the remote voice network in the vpn interesting traffic and NOTNAT

Also check the dhcp configuration for the remote site, whether the clients are taking the right IPs and they do have the option 150 pointing to ur TFTP server, which is mostly the Callmanager server, also that they have the right gateway !!

And about ur other question about the phone numbers

Yes, u can assign whatever numbers u want, they do not necessarily have to be in the same range

Check your config carefully

And let me know

Good luck
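
The advice above (put the voice ranges into the VPN interesting traffic on both sides) can be checked offline, as in this added example, which is not part of the original thread and not any poster's code. It parses the crypto ACLs of both peers and reports whether phone-to-CallManager signalling and phone-to-phone media are each covered in both directions, and which entries have no mirrored twin on the other peer. All subnets, the CallManager address and the ACL name are constructed placeholders.

```python
import ipaddress

# Constructed sample crypto ACLs; every subnet is a placeholder, not from the thread.
ASA_ACL = """
access-list l2l extended permit ip 10.20.10.0 255.255.255.0 10.90.1.0 255.255.255.0
access-list l2l extended permit ip 10.20.10.0 255.255.255.0 10.90.27.0 255.255.255.0
"""
PIX_ACL = """
access-list l2l extended permit ip 10.90.1.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list l2l extended permit ip 10.90.27.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list l2l extended permit ip 10.90.27.0 255.255.255.0 10.20.27.0 255.255.255.0
"""
CALLMANAGER = ipaddress.ip_network("10.20.10.5/32")  # assumed, ASA site
ASA_VOICE = ipaddress.ip_network("10.20.27.0/24")    # assumed voice VLAN
PIX_VOICE = ipaddress.ip_network("10.90.27.0/24")    # assumed voice VLAN

def _take(tok, i):
    """Read one address spec (host A | any | net mask) starting at tok[i]."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2

def parse_acl(text):
    """Return {(src, dst)} for every 'permit ip' entry; other lines are skipped."""
    pairs = set()
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] != ["access-list"] or "permit" not in tok:
            continue
        i = tok.index("permit") + 1
        if tok[i] != "ip":
            continue
        src, i = _take(tok, i + 1)
        dst, _ = _take(tok, i)
        pairs.add((src, dst))
    return pairs

def unmirrored(local, remote):
    """Entries on one peer with no reversed twin on the other peer."""
    return {(s, d) for s, d in local if (d, s) not in remote}

def covers(pairs, src, dst):
    """True if some entry permits the whole src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def audit(asa_text, pix_text):
    asa, pix = parse_acl(asa_text), parse_acl(pix_text)
    return {
        "signalling": covers(pix, PIX_VOICE, CALLMANAGER) and covers(asa, CALLMANAGER, PIX_VOICE),
        "media": covers(pix, PIX_VOICE, ASA_VOICE) and covers(asa, ASA_VOICE, PIX_VOICE),
        "unmirrored": unmirrored(asa, pix) | unmirrored(pix, asa),
    }
```

With the constructed input, `audit(ASA_ACL, PIX_ACL)` reports signalling as covered and media as not covered, because the voice-to-voice entry exists only on the PIX side.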

rcapao Sat, 08/23/2008 - 06:24


I tried to add “rtp-conformance” as a parameter in the “inspect skinny” command but I could not do it.

The “inspect skinny” did not have that parameter…

Is that a problem?


Rui Capao

Marwan ALshawi Sat, 08/23/2008 - 06:34

if u look to achieve that then do the following

make an ACL based on ur requirement source and sit to be referenced in the sccp policy inspection such as:

access-list global_mpc_1 extended permit ip host

then match this ACL through a class-map that will be called in the inspection

class-map sccp_class
 match access-list global_mpc_1

create the inspection policy:

policy-map type inspect skinny sccp_policy




finally bring all together:

policy-map global_policy
 class inspection_default
 class sccp_class
  inspect skinny sccp_policy

now will work:)

please, if helpful Rate

