remote ip phone over VPN using CME 3.3

Answered Question
Sep 7th, 2008

Hi,

I'd like to ask for help configuring a 2811 router with CME 3.3. I am planning to have an IP phone on a remote site connected to this router over VPN. The IP phones on the remote site are in a different subnet from the IP phones on the other site. I need help configuring the router to see the IP phones on the remote site.

I have an ASA 5505 on the remote location and an ASA 5520 on the other site.

Thanks,

Cempuerto

Correct Answer by Marwan ALshawi, Sun, 09/07/2008 - 19:19

From what I understood!!

Your topology looks like:

CME---ASA---internet---ASA--remote ip phones

So, based on this topology and your requirements, you need to build a normal site-to-site VPN.

For example, let's say you have the following IP addressing:

192.168.1.0/24 (voice) CME .1--172.16.1.0/24--.2 ASA--internet--ASA--10.1.1.0/24

On the ASA connected to the CME you need to have a route to the inside, like:

route inside 192.168.1.0 255.255.255.0 172.16.1.1

Now on the same ASA (the main site) you need to have two important ACLs for the VPN: one for interesting traffic and one for NAT exemption (NAT 0) going from the CME/ASA to the remote LAN.

Based on our example:

Interesting traffic:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Now NAT exemption:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0

On the ASA you may have the following:

nat (inside) 1 0 0
global (outside) 1 interface

NAT exemption like:

nat (inside) 0 access-list 101

Also keep in mind that for the VPN you need to have SCCP, TFTP, and sometimes HTTP included in the interesting traffic.

Additionally, on both ASAs you can use the

sysopt connection permit-ipsec

command to allow all traffic through the VPN, or you can do packet filtering on the outside interface, but then you need to permit all required traffic for voice.

Also make sure you have Skinny inspection enabled on the default inspection policy.

On the remote site you need to apply the same idea, like:

access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0

and the same for NAT exemption.

Also, the client voice phones need option 150 set with the CME IP address that is configured as the source address under telephony-service, to let those phones register with the CME.

Have a look at the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml

Good luck

If helpful, rate

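The answer above hinges on two ACLs per ASA agreeing with each other (crypto ACL and NAT-exemption ACL) and on the remote ASA mirroring the main site. The checker below is an added example, not code from the thread or from Cisco: it parses ASA-style `access-list` and `nat (inside) 0` lines from constructed configs built on the answer's addressing plan (192.168.1.0/24, 172.16.1.0/24, 10.1.1.0/24) and reports the drift that would silently break the tunnel for one subnet. The ACL names, the sample configs and the deliberate gaps in them are assumptions.

```python
"""Consistency check for the crypto and NAT-exemption ACLs of a site-to-site VPN.

Added example (not from the thread). Rule encoded: on each ASA the interesting-traffic
ACL and the nat 0 ACL must cover the same local -> remote pairs, and the remote ASA's
crypto ACL must be the mirror image of the main site's.
"""
import ipaddress
import re

# ASA 7.x/8.x form: access-list NAME [extended] permit PROTO SRC MASK DST MASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)

# Constructed main-site config following the answer's addressing plan.
MAIN_ASA = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0 0
global (outside) 1 interface
"""

# Constructed drift: the voice VLAN's NAT-exemption line was never added, so its
# traffic to the remote site is PAT'd to the outside address and never enters the tunnel.
MAIN_ASA_DRIFT = MAIN_ASA.replace(
    "access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0\n", "")

# Constructed remote site: mirrors only the first line of the main site's crypto ACL.
REMOTE_ASA = """\
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
"""


def parse_acl(config, name):
    """Set of (protocol, src_net, dst_net) for every permit line of ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(5)}/{m.group(6)}", strict=False)
            pairs.add((m.group(2).lower(), src, dst))
    return pairs


def nat0_acl_name(config):
    """Name of the ACL referenced by 'nat (inside) 0 access-list NAME', or None."""
    m = re.search(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)", config, re.I | re.M)
    return m.group(1) if m else None


def check_site(config, crypto_acl):
    """Problems on one ASA: missing nat 0, or crypto ACL and nat 0 ACL disagreeing."""
    problems = []
    crypto = parse_acl(config, crypto_acl)
    nat0 = nat0_acl_name(config)
    if nat0 is None:
        return ["no 'nat (inside) 0 access-list' statement"]
    exempt = parse_acl(config, nat0)
    for _, src, dst in sorted(crypto - exempt, key=str):
        problems.append(f"{src} -> {dst} is interesting traffic but not NAT-exempt")
    for _, src, dst in sorted(exempt - crypto, key=str):
        problems.append(f"{src} -> {dst} is NAT-exempt but not in crypto ACL")
    return problems


def check_mirror(local_cfg, local_acl, remote_cfg, remote_acl):
    """Pairs the remote crypto ACL should carry (mirror of local) but does not."""
    local = parse_acl(local_cfg, local_acl)
    remote = parse_acl(remote_cfg, remote_acl)
    expected = {(proto, dst, src) for (proto, src, dst) in local}
    return sorted(f"{src} -> {dst}" for (_, src, dst) in expected - remote)


if __name__ == "__main__":
    print("main site:", check_site(MAIN_ASA, "100") or "ok")
    print("main site (drift):", check_site(MAIN_ASA_DRIFT, "100"))
    print("remote missing:", check_mirror(MAIN_ASA, "100", REMOTE_ASA, "100"))
```

Run against the constructed configs, the main site passes, the drifted copy flags the voice subnet as interesting but not NAT-exempt, and the mirror check names the second line the remote ASA still needs. Because ASA treats `nat 0` and the crypto ACL independently, this kind of one-sided drift is exactly what the answer warns about, and it is cheap to catch in a pre-change review.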
gogasca Sun, 09/07/2008 - 19:02

IP phones need only IP connectivity; you may post this request under the VPN forum for a better response.

cempuerto Sun, 09/07/2008 - 19:19

Thanks. I have a question. It's a must to have a subinterface for the voice VLAN, right?? What if my switch is an L3 switch and the voice VLAN interface is on the switch using inter-VLAN routing? Do I need to disable IP routing on the switch so that I can use a trunk line going to the router??

Marwan ALshawi Mon, 09/08/2008 - 04:58

If you have inter-VLAN routing you could do it this way.

Let's say your voice VLAN on the switch is VLAN 10 with IP subnet 10.1.1.0/24, and the data VLAN is VLAN 5 with IP network 192.168.1.1.

You should have already created an SVI for each VLAN:

interface vlan 10
 ip address 10.1.1.1 255.255.255.0
 no shut
interface vlan 5
 ip address 192.168.1.1 255.255.255.0
 no shut

Now make the port connected to the CME (which is the gateway at the same time) a layer 3 port, called a routed port. For example, let's say the LAN interface of the CME is 172.16.1.1/24. Make the switch port connected to the CME like:

interface fa0/24
 no switchport
 ip address 172.16.1.2 255.255.255.0
 no shut

Now make the default route point to the CME router's LAN address, like:

ip route 0.0.0.0 0.0.0.0 172.16.1.1

On the CME make two static routes pointing to each VLAN through the switch's routed interface, for example, on the CME:

ip route 10.1.1.0 255.255.255.0 172.16.1.2

and the same for data; this will help the ASA to reach the LAN networks!

In the CME you should have commands like:

telephony-service
 ip source-address 172.16.1.1

where this is the LAN interface IP of the CME.

On the switch you could configure DHCP for each VLAN like:

ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 192.168.1.1
ip dhcp pool voice_vlan10
 network 10.1.1.0 /24
 option 150 ip 172.16.1.1
 default-router 10.1.1.1
ip dhcp pool data_vlan5
 network 192.168.1.0 /24
 default-router 192.168.1.1

Don't forget to enable this command on each access port:

spanning-tree portfast

to avoid problems with getting an IP from DHCP.

Good luck

If helpful, rate
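The reply above ties three pieces of config together: the switch's DHCP pool must hand phones option 150 pointing at the CME's `ip source-address`, the pool's default-router must sit in the pool's subnet, and the CME must carry a static route back to each voice subnet through the switch's routed port. The script below is an added example, not code from the thread or from Cisco: it parses constructed IOS-style switch and CME configs built on the reply's addressing and reports each of those slips. The pool names, the sample configs and the deliberate mistakes in the "bad" pair are assumptions.

```python
"""Cross-check switch DHCP pools against the CME's telephony-service and static routes.

Added example (not from the thread). Finds: option 150 not matching the CME's
'ip source-address', a default-router outside the pool subnet, and a voice subnet
the CME has no specific static route to (a default route alone is not enough).
"""
import ipaddress
import re

POOL_KEYWORDS = ("network", "default-router", "option", "dns-server", "domain-name", "lease")

# Constructed switch config following the reply's addressing plan.
SWITCH_OK = """\
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 192.168.1.1
ip dhcp pool voice_vlan10
 network 10.1.1.0 /24
 option 150 ip 172.16.1.1
 default-router 10.1.1.1
ip dhcp pool data_vlan5
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
interface vlan 10
 ip address 10.1.1.1 255.255.255.0
"""
# Constructed CME config: source address on the LAN interface, routes back via the switch.
CME_OK = """\
telephony-service
 ip source-address 172.16.1.1 port 2000
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.1.1.0 255.255.255.0 172.16.1.2
ip route 192.168.1.0 255.255.255.0 172.16.1.2
"""
# Constructed mistakes: option 150 points at the switch's routed port instead of the
# CME, and the CME only has a default route, so it cannot reach the voice subnet.
SWITCH_BAD = SWITCH_OK.replace("option 150 ip 172.16.1.1", "option 150 ip 172.16.1.2")
CME_BAD = CME_OK.replace("ip route 10.1.1.0 255.255.255.0 172.16.1.2\n", "")


def _network(tokens):
    """'10.1.1.0 255.255.255.0' or '10.1.1.0 /24' (both valid IOS forms) -> IPv4Network."""
    addr, mask = tokens[0], tokens[1]
    cidr = f"{addr}{mask}" if mask.startswith("/") else f"{addr}/{mask}"
    return ipaddress.ip_network(cidr, strict=False)


def parse_dhcp_pools(config):
    """Map pool name -> {'network', 'default_router', 'option150'}; absent items stay None."""
    pools, current = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "dhcp", "pool"]:
            current = t[3]
            pools[current] = {"network": None, "default_router": None, "option150": None}
        elif current and t[0] in POOL_KEYWORDS:
            pool = pools[current]
            if t[0] == "network":
                pool["network"] = _network(t[1:])
            elif t[0] == "default-router":
                pool["default_router"] = ipaddress.ip_address(t[1])
            elif t[0] == "option" and t[1] == "150" and len(t) == 4 and t[2] == "ip":
                pool["option150"] = ipaddress.ip_address(t[3])  # 'option 150 ip A.B.C.D'
        else:
            current = None  # any other top-level line ends the pool block
    return pools


def cme_source_address(config):
    """Address phones register to: 'ip source-address' under telephony-service."""
    m = re.search(r"^\s*ip source-address\s+(\d+\.\d+\.\d+\.\d+)", config, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None


def static_routes(config):
    """(network, next_hop) for every 'ip route PREFIX MASK NEXTHOP' line."""
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3))
            for m in re.finditer(r"^\s*ip route\s+(\S+)\s+(\S+)\s+(\S+)", config, re.M)]


def check_voice_pools(switch_cfg, cme_cfg, voice_pools=("voice_vlan10",)):
    """Problems that leave a phone with a lease but no registration, one string each."""
    problems = []
    cme_ip = cme_source_address(cme_cfg)
    routes = static_routes(cme_cfg)
    pools = parse_dhcp_pools(switch_cfg)
    for name in voice_pools:
        pool = pools.get(name)
        if pool is None or pool["network"] is None:
            problems.append(f"{name}: pool or its network statement is missing")
            continue
        if cme_ip is None or pool["option150"] != cme_ip:
            problems.append(f"{name}: option 150 is {pool['option150']} "
                            f"but CME ip source-address is {cme_ip}")
        if pool["default_router"] is None or pool["default_router"] not in pool["network"]:
            problems.append(f"{name}: default-router {pool['default_router']} "
                            f"is not inside {pool['network']}")
        if not any(net.prefixlen > 0 and net.supernet_of(pool["network"]) for net, _ in routes):
            problems.append(f"{name}: CME has no static route covering {pool['network']}")
    return problems


if __name__ == "__main__":
    print("good pair:", check_voice_pools(SWITCH_OK, CME_OK) or "ok")
    print("bad pair:", check_voice_pools(SWITCH_BAD, CME_BAD))
```

The "good" pair passes; the "bad" pair reports both the wrong option 150 target and the missing CME route. The route check deliberately ignores the default route: a phone's registration reaches the CME through the switch either way, but the CME's reply and the ASA's inside route need a specific prefix pointing back at the switch's routed port, which is the point the reply makes.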

cempuerto Mon, 09/08/2008 - 05:20

I have this set up. The phones are getting the TFTP setting but there is no dial tone on the phones.

My CME IP address is 10.48.0.1 and it is attached to port 23 on the switch.

ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool phone
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 option 150 ip 10.48.0.1
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport access vlan 10
 duplex full
!
interface GigabitEthernet0/4
 switchport access vlan 10
!
interface GigabitEthernet0/5
 switchport access vlan 20
 speed 100
!
interface GigabitEthernet0/6
 switchport access vlan 20
!
interface GigabitEthernet0/7
 switchport access vlan 20
!
interface GigabitEthernet0/8
 switchport access vlan 20
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
 switchport access vlan 2
!
interface GigabitEthernet0/13
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/23
 spanning-tree portfast
!
interface GigabitEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/28
!
interface Vlan1
 description Management VLAN
 ip address 10.48.0.2 255.255.255.0
!
interface Vlan2
 ip address 10.48.1.3 255.255.255.0
 ip helper-address 10.48.0.100
 ip helper-address 10.48.1.4
!
interface Vlan3
 ip address 10.48.2.3 255.255.255.0
 ip helper-address 10.48.0.101
 ip helper-address 10.48.2.4
 ip policy route-map admin
!
interface Vlan10
 no ip address
!
interface Vlan20
 no ip address
!
interface Vlan100
 no ip address
!
interface Vlan400
 description voice vLAN
 ip address 10.10.10.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.0.1
ip http server
ip http secure-server
!
access-list 1 permit 10.48.1.0 0.0.0.255
access-list 2 permit 10.48.2.0 0.0.0.255
access-list 3 permit 10.48.0.0 0.0.0.255
route-map test permit 10
 match ip address 1
 set ip next-hop 10.48.0.1
!
route-map admin permit 20
 match ip address 2 3
 set ip next-hop 10.48.0.103

cempuerto Mon, 09/08/2008 - 05:26

Here's my router configuration:

no ip domain lookup
ip name-server 10.48.0.100
!
voice-card 0
 no dspfarm
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 h323
 sip
  registrar server expires max 3600 min 3600
!
voice class codec 1
 codec preference 1 g711ulaw
!
voice translation-rule 9
 rule 1 /^166$/ /166/
 rule 2 /^9\(.*\)/ /\1/
!
class-map match-all L3-to-L2_VoIP-Cntrl
 match ip dscp af31
class-map match-all L3-to-L2_VoIP-RTP
 match ip dscp ef
class-map match-all SIP
 match protocol sip
class-map match-all RTP
 match protocol rtp
!
policy-map EthOut
 class RTP
policy-map output-L3-to-L2
 class L3-to-L2_VoIP-RTP
  set cos 5
 class L3-to-L2_VoIP-Cntrl
  set cos 3
!
interface FastEthernet0/0
 ip address X.X.X.X X.X.X.X
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description UPRouter inside network$ETH-LAN$
 ip address 10.48.0.1 255.255.255.0
 ip access-group 160 in
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X permanent
ip route 10.10.10.0 255.255.255.0 FastEthernet0/1
ip route 10.48.1.0 255.255.255.0 10.48.0.2
ip route 10.48.2.0 255.255.255.0 10.48.0.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip http path flash:
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.48.0.102 80 X.X.X.X 80 extendable
!
tftp-server enable
tftp-server flash:CP7905060000SCCP050124A.sbin
!
telephony-service
 load 7905 CP7905060000SCCP050124A
 max-ephones 36
 max-dn 108
 ip source-address 10.48.0.1 port 2000
 calling-number initiator
 system message UpV
 time-zone 5
 date-format dd-mm-yy
 create cnf-files version-stamp 7960 Sep 06 2008 19:17:00
 max-conferences 8 gain -6
 call-forward pattern .T
 moh music-on-hold.au
 web admin system name cisco secret 5 $1$hQ1G$8UPiyi.2PAU/5/3LIK5Lr1
 dn-webedit
 time-webedit
 transfer-system full-consult dss
 transfer-pattern 9.T
 secondary-dialtone 9
!
ephone-dn 1
 number 201
 label 201
 description USER1
 name USER1
 corlist incoming user900-international
!
ephone-dn 2
 number 202
 label 202
 description USER2
 name USER2
 corlist incoming user900-international
!
ephone 1
 username "user1" password 201
 mac-address 001F.6C7E.D9E3
 type 7905
 button 1:1
!
ephone 2
 username "user2" password 202
 mac-address 001F.6C7E.DC18
 type 7905
 button 1:2
!
