
'How to' Setup a VPN between a UC540 and a SR520 with remote IP extension

Jerry Collins
Level 1

Hi All,

I need some help setting up a link between a Head Office UC540 and a remote SR520 which I want to use a PC and an IP Phone from. This remote site is the first of several.

I've found several examples of site-to-site IPsec VPNs, but none with references to voice and data VLANs. Do I need to worry about this, or will the phone just work?

All Advice and suggestions gratefully accepted,

Jerry


Jennifer Halim
Cisco Employee

Are your data VLAN and phone VLAN in the same subnet? Site-to-site VPN is configured based on specifying interesting traffic to be encrypted, i.e. via access-list. If your data VLAN and phone VLAN are in different subnets, then you would need to configure the access-list accordingly in your crypto ACL.

Hi halijenn,

VLAN 1 is the data VLAN and is set up as 192.168.19.X class C; the voice VLAN is 100 and is set up as 10.1.1.0, also class C.

I'm using CCA to do the configuration work and this is, more or less, standard settings.

Could you give me an example of the access-list, please?

Jerry

Here is a LAN-to-LAN VPN sample configuration between 2 IOS routers:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

Assuming from your example:

VLAN 1 - data - 192.168.19.0/24

VLAN 100 - voice - 10.1.1.0/24

And on the other side:

VLAN 1 - data - 192.168.20.0/24

VLAN 100 - voice - 10.2.2.0/24

The crypto ACL would be:

access-list 150 permit ip 192.168.19.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 150 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Crypto ACL on the other side would be:

access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255

access-list 150 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
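
A check that the two crypto ACLs above are mirror images of each other, as an added example that is not part of the original thread or of Cisco's sample configuration: it parses both ACLs and reports any entry with no swapped source/destination counterpart on the peer, such as a missing voice-VLAN line. The function names and the data-only remote ACL are constructed for illustration.

```python
import ipaddress
import re

# Extended-ACL form used in the thread: permit ip <src> <wc> <dst> <wc>
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(addr, wildcard):
    """Convert an address plus contiguous IOS wildcard mask into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be one unbroken run of low-order 1s
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=True)

def parse_crypto_acl(text):
    """Return the set of (source, destination) network pairs in an ACL."""
    pairs = set()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, src_wc, dst, dst_wc = m.groups()
        pairs.add((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs

def mirror_mismatches(local_acl, remote_acl):
    """Compare two crypto ACLs; both result lists are in local (src, dst) order."""
    local = parse_crypto_acl(local_acl)
    remote_swapped = {(dst, src) for src, dst in parse_crypto_acl(remote_acl)}
    return {
        "missing_on_remote": sorted(local - remote_swapped),
        "missing_on_local": sorted(remote_swapped - local),
    }

# The two ACLs from the answer above (head office, then remote site).
HEAD_OFFICE = """
access-list 150 permit ip 192.168.19.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
REMOTE = """
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 150 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
# Constructed failure case: remote side written without the voice entry.
REMOTE_DATA_ONLY = """
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.19.0 0.0.0.255
"""

if __name__ == "__main__":
    print(mirror_mismatches(HEAD_OFFICE, REMOTE))
    print(mirror_mismatches(HEAD_OFFICE, REMOTE_DATA_ONLY))
```

With the data-only remote ACL, the voice pair 10.1.1.0/24 to 10.2.2.0/24 is listed under `missing_on_remote`: the head office would treat phone traffic as interesting while the remote peer has no matching entry for it.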

OK, thanks for that.
