Please Can Someone Help Me??????

Unanswered Question
Feb 9th, 2009

Please, I've been working on this for a few weeks now and have had to learn pretty much everything on my own, because no one seems able to give me an answer and help me. No one has even replied to three different posts about this subject, so I'm trying it here.


Here's the situation. I have two 1760 routers with DSPs, FXO and FXS cards. They both have the on-board Fa 0/0 interface. I'm tying two key systems together via VoIP trunks with these routers. I've completed the VoIP programming and it is working as expected. I'm now trying to implement a site-to-site VPN tunnel between these two routers for the VoIP traffic to go through.


I'm not sure if it can be done with just the on-board Fa 0/0 interface and no real LAN behind it. These routers will be on an existing network; however, they will each be obtaining a second (static) WAN IP to connect to the outside world, only for VoIP traffic between the two.


Please... I'm not a Cisco genius and I need some help. I've got probably 20 docs on configuring VPN, but I need some help and questions answered. I'll send my config if anyone needs to look at it.


Mark

Nicholas Matthews Mon, 02/09/2009 - 08:22

Hi Mark,


These are the generic requirements for voice with VPN:


-The voice endpoints do not care about the layer 3/ layer 2 topology. All that is required is connectivity.


-If you have multiple interfaces on the routers, you will want to use the appropriate bind command. For H.323 it is: h323-gateway voip bind srcaddr


-You will want to make sure that your VPN ACLs permit both signaling and voice traffic. Signaling will be between gateways/CUCM and voice will be directly between the endpoints. In this case, the gateways are stand alone, so they will be the only signaling IPs and audio IPs. If you're using H323, TCP port 1720 for signaling, and UDP 16384-32767 for audio.



hth,

nick

sandman420 Mon, 02/09/2009 - 09:02

Ah Nick... thank you for responding. Honestly, I don't understand a lot of what you're saying. But maybe seeing my config would help both of us. I honestly don't believe H.323 is being used. I think it's something more along the lines of a G.721 codec or something like that. These are just strictly dial-peers to each other. I've since added SSH access, but here it is:


SITE 1:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE 1
!
boot-start-marker
boot-end-marker
!
enable secret XXX
!
no aaa new-model
voice-card 2
!
voice-card 3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.254.30 255.255.255.0
 speed auto
 no shutdown
!
no ip http server
no ip http secure-server
!
control-plane
!
! Analog voice ports: each PLAR entry auto-dials a fixed number when the port goes active
voice-port 2/0
 connection plar opx 290
!
voice-port 2/1
 connection plar opx 291
!
voice-port 2/2
!
voice-port 2/3
!
voice-port 3/0
 connection plar 190
!
voice-port 3/1
 connection plar 191
!
voice-port 3/2
!
voice-port 3/3
!
! POTS dial-peers: 180 and 181 terminate locally on ports 2/0 and 2/1
dial-peer voice 180 pots
 destination-pattern 180
 port 2/0
!
dial-peer voice 181 pots
 destination-pattern 181
 port 2/1
!
! VoIP dial-peer: numbers starting with 19 are sent to site 2 (H.323, the default session protocol)
dial-peer voice 190 voip
 destination-pattern 19
 session target ipv4:192.168.254.40
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password xxx
 logging synchronous
 login
 transport input telnet
!
end




AND SITE 2:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE 2
!
boot-start-marker
boot-end-marker
!
enable secret XXX
!
no aaa new-model
voice-card 2
!
voice-card 3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.254.40 255.255.255.0
 speed auto
!
no ip http server
no ip http secure-server
!
control-plane
!
! Analog voice ports: each PLAR entry auto-dials a fixed number when the port goes active
voice-port 2/0
 connection plar opx 280
!
voice-port 2/1
 connection plar opx 281
!
voice-port 2/2
!
voice-port 2/3
!
voice-port 3/0
 connection plar 180
!
voice-port 3/1
 connection plar 181
!
voice-port 3/2
!
voice-port 3/3
!
! POTS dial-peers: 190 and 191 terminate locally on ports 2/0 and 2/1
dial-peer voice 190 pots
 destination-pattern 190
 port 2/0
!
dial-peer voice 191 pots
 destination-pattern 191
 port 2/1
!
! VoIP dial-peer: numbers starting with 18 are sent to site 1 (H.323, the default session protocol)
dial-peer voice 180 voip
 destination-pattern 18
 session target ipv4:192.168.254.30
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password xxx
 logging synchronous
 login
 transport input telnet
!
end


Thank you,

Mark


paolo bevilacqua Mon, 02/09/2009 - 09:13

Mark,


I do not want to sound patronizing, but why don't you hire someone knowledgeable for the job? You could then learn a lot from what he or she does. I personally would charge less than $100 for a professional configuration like the one you're asking for.

sandman420 Mon, 02/09/2009 - 09:19

True; however, I'm already paying more than I can afford for the Exploration classes at a local university. We haven't gotten that far yet, nor honestly do I believe I will with these CCNA courses, but I'm not the boss with the money, and I'm trying to learn this stuff from config guides and examples and from people on these forums who are supposed to be Cisco experts with CCIEs and all that.


I didn't think that a simple VPN would be this much of an issue for all the Cisco professionals on these forums, but it must be some kind of daunting task, as you are the only one who has replied to any of my posts about this subject in over a few weeks. I've deleted so many of my posts from my subscriptions because they were from so long ago; I had tried to go in every few days and make a reply to keep them current, but no one, until now, has responded to anything.

Nicholas Matthews Mon, 02/09/2009 - 09:24

It may be best to try reading up on some of the voice fundamentals. This will become much easier to troubleshoot once you have some basics. Maybe you can convince the boss-man to pay for a subscription to Safari Books Online. I think it's less than $50 for a year, and you can read any Cisco book published, plus much more.


For your previous comments - any time you do voice over IP you're running a protocol. The default is H323. By having voip dial peers, you are running H323 (unless you have a session protocol defined, or application).




hth,

nick

sandman420 Mon, 02/09/2009 - 09:37

The voice configuration is done as far as I'm concerned. It works for my purpose...I pick up a phone at site A and select a "co line" and get routed to site B and grab dial tone from the remote system, and vice-versa. That's all I want out of that.


So I'm done with the voice. I don't need any more voice programming right now. Now I'm trying to configure the VPN connection, a very simple site-to-site connection. I'm just a little confused about how it all works because, as I've said, I have no inside LAN that I'm trying to route or tunnel or whatever it is that happens when you set up a normal VPN connection; I have no normal inside LAN connection like the ones I've configured VPNs for in the past.


All I'm trying to figure out now is whether the very simple site-to-site VPN configuration, like the ones I've found in documents 43069 and 71462, among a dozen others, is what I need to base my configuration on. The only thing with these documents is that they are building the VPN for a LAN-to-LAN tunnel, and in my case I do not have any inside LANs. So I'm trying to figure out whether I need to delete some of the coding, add some, change some, or what.


Here's the documents I have (again, these are just two of the dozens):


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml


http://www.cisco.com/en/US/products/hw/routers/ps221/products_configuration_example09186a008073e078.shtml


paolo bevilacqua Mon, 02/09/2009 - 09:27

My apologies; since it is for educational purposes, I take my comment back. I thought it was for business use.


My recommendation, don't spend anything on cisco training but your own time, used equipment, and the cheapest smartnet you can buy for downloads.

If you're cut out for it, you will learn easily from the freely available documentation. You will also understand that this forum is best at answering specific questions rather than very generic ones.


Good luck!

sandman420 Mon, 02/09/2009 - 09:44

I just got done replying to your last post when i saw this one.


Just a couple of questions about this reply:


You have to buy smartnet for each piece of equipment?


Where do I find out how much it is, as I really don't have a lot of money for this kind of thing.


Does having smartnet mean I can call up cisco and ask for help on configuration like I'm trying to do in the forums?

paolo bevilacqua Mon, 02/09/2009 - 09:58

Mark, since you're doing that for educational purposes, all you need is the cheapest SmartNet for a single device that allows you to download IOS.


Depending on the level you purchase, you can be entitled to TAC access. Once you have located a support contract code, search the internet for an online reseller.


Regarding your VPN question, you do not necessarily need internal LANs. You could build the IPsec for loopbacks and tie your H.323 addresses to them.


A lot really depends where you're headed. If certification, do not try to be inventive, stick to the program, pass the test and move on.


If real networking, that's another story, in fact you may not need a VPN at all to do voice over the Internet.

sandman420 Mon, 02/09/2009 - 10:11

That's more along the lines of what I was thinking I was going to have to do: get a loopback interface to act like the internal side, but I didn't know if I even needed that.


At that point with the loopbacks, the addresses I assign (which can be anything?) would become what I use for making the VPN access lists, correct? I mean, I use the public IPs for the "peer" addresses, and in the access lists I would want to use the loopback interface addresses?


I wouldn't have to worry about anything for NAT with this configuration, right, since I only have the voice traffic? If I do need NAT, the Fa 0/0 would be ip nat outside and the loopback would be ip nat inside?


How exactly are you saying to tie the h.323 addresses to the loopbacks?


Now we're getting somewhere.


Thank you so much,

Mark
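Putting Nick's three requirements (bind the H.323 gateway to one address; make sure the crypto ACL carries both the TCP 1720 signaling and the UDP 16384-32767 RTP) together with Paolo's suggestion of building the IPsec tunnel between loopbacks, here is what the site 1 side could look like. This is an added example, not part of the original thread and not Mark's configuration. Everything site-specific in it is assumed for illustration: the WAN addresses 203.0.113.30 and 198.51.100.40 with next hops 203.0.113.1 and 198.51.100.1 (the thread's routers still carry 192.168.254.x on Fa0/0), the loopback addresses 10.255.1.1 and 10.255.2.1, the placeholder pre-shared key, and the names VOICE-TS, VOICE-VPN-ACL and VOICE-MAP.

```cisco
! Added example (not from the thread). SITE 1 side of a loopback-to-loopback
! IPsec tunnel carrying the H.323 trunk. Assumed (hypothetical) values:
!   Fa0/0 WAN address      203.0.113.30/24, next hop 203.0.113.1
!   site 2 WAN address     198.51.100.40   (IKE/IPsec peer)
!   Loopback0              10.255.1.1/32   (site 1 voice address)
!   site 2 Loopback0       10.255.2.1/32   (site 2 voice address)
!
! 1. Loopback that plays the role of the missing inside LAN. Binding the
!    H.323 gateway to it makes every call (TCP 1720 signaling and
!    UDP 16384-32767 RTP) originate from 10.255.1.1 instead of Fa0/0.
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.255.1.1
!
! 2. Point the VoIP dial-peer at the remote loopback, not the remote WAN
!    address, so the call traffic matches the crypto ACL below.
dial-peer voice 190 voip
 destination-pattern 19
 session target ipv4:10.255.2.1
!
! 3. IKE phase 1. The pre-shared key is tied to the peer's WAN address;
!    ReplaceThisPreSharedKey is a placeholder, not a real key.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ReplaceThisPreSharedKey address 198.51.100.40
!
! 4. IPsec phase 2: ESP with AES encryption and SHA-1 HMAC.
crypto ipsec transform-set VOICE-TS esp-aes esp-sha-hmac
!
! 5. Crypto ACL ("interesting traffic"): everything between the two
!    loopbacks. One line covers both signaling and media because both are
!    sourced from the bound loopback address.
ip access-list extended VOICE-VPN-ACL
 permit ip host 10.255.1.1 host 10.255.2.1
!
crypto map VOICE-MAP 10 ipsec-isakmp
 set peer 198.51.100.40
 set transform-set VOICE-TS
 match address VOICE-VPN-ACL
!
! 6. The crypto map goes on the WAN interface, the only physical interface
!    on the 1760; the loopback itself carries no crypto map.
interface FastEthernet0/0
 ip address 203.0.113.30 255.255.255.0
 crypto map VOICE-MAP
!
! 7. The remote loopback must be routed out Fa0/0 so the crypto map sees
!    the packets; a host route (or the default route) does it.
ip route 10.255.2.1 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! SITE 2 is the mirror image; only the lines that differ are shown.
interface Loopback0
 ip address 10.255.2.1 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.255.2.1
dial-peer voice 180 voip
 destination-pattern 18
 session target ipv4:10.255.1.1
crypto isakmp key ReplaceThisPreSharedKey address 203.0.113.30
ip access-list extended VOICE-VPN-ACL
 permit ip host 10.255.2.1 host 10.255.1.1
crypto map VOICE-MAP 10 ipsec-isakmp
 set peer 203.0.113.30
 set transform-set VOICE-TS
 match address VOICE-VPN-ACL
ip route 10.255.1.1 255.255.255.255 198.51.100.1
```

This answers the three questions in the post above: the loopback addresses (any addresses that do not collide with the existing network) are what goes in the crypto ACL, the public WAN addresses are the ISAKMP/crypto map peers, and no NAT is needed because the loopbacks are the only hosts in the ACL and nothing else is meant to cross the tunnel. To check it, place a test call and look at `show crypto isakmp sa` (the peer should be in state QM_IDLE) and `show crypto ipsec sa` (the #pkts encaps and #pkts decaps counters should climb for the duration of the call); `show call active voice brief` should list the loopback addresses as the call's IP endpoints. If the call works but the IPsec counters stay at zero, the bind did not take effect and the router is sourcing the call from the Fa0/0 address, which the loopback-only ACL does not match, so the voice is leaving in the clear. Two further caveats: IPsec requires a crypto-capable (k9) IOS image on the 1760, and the pre-shared key placeholder must be replaced with a long random secret on both routers.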

Chuck Reid Mon, 02/09/2009 - 10:11

Hi Sandman,


Purchasing SmartNet means purchasing a maintenance contract, which I am sure will cost at least a couple hundred dollars, and that entitles you to request Cisco TAC assistance with that particular piece of equipment only. It also enables you to download IOS images, download documents, etc. Also, Cisco TAC will not teach you anything; they will work with you to resolve an issue or provide install and configuration assistance, but they will expect that you have knowledge about the product to begin with. One thing I have found as a voice engineer is that people will take the time to help someone with an issue, but we really do not have the time to teach someone to install or configure something that is new to them. The amount of basic knowledge needed to teach someone about dial-peers, H.323 vs. SIP vs. MGCP is daunting. I personally spent thousands of dollars on my own training, attending boot camps, etc., and then started out at a low-pay job just to get my foot in the door. That's why people in general will not reply to posts that are not specific in nature. Engineers want to help other engineers who have already developed a certain amount of skills and who don't need to be "taught" about what they are doing, but "helped" with what they are doing.


Best Regards,

Chuck
