Unanswered Question
Jul 14th, 2010

Hi all,

I have a PIX firewall and I configured an IPsec VPN for external users to use IP Communicator as their office phones outside the company.

When a user uses the communicator outside the company, he hears any voice call and the called party hears him, whether the user calls someone inside or outside the company.

But when the user is inside the company, uses the communicator and makes an external call, he can't hear the called party, but the called party hears him.

I think that this issue occurs because when the user accesses from outside, he is assigned to the VPN pool which is defined on the PIX, but when the user is inside the company, he is assigned to the data VLAN, which is NATted to a real IP for internet access. I tried to nat 0 this data VLAN and calls were heard both ways, but there was no internet access.

So, how to compromise between nat 0 and NAT to a public IP at the same time for the same inside data VLAN?

Kevin Redmon Wed, 07/14/2010 - 05:29

Oftentimes, a one-way voice issue is actually due to a routing issue.  If you are only experiencing an issue when the IPCommunicator user is inside the network, be sure to confirm all routes from the Voice Gateway (the device that is responsible for terminating outside calls) and the User who is experiencing the issue.  We know that the outbound route is correct as the remote user can hear the inside user.  Check along this path and confirm that there are also no ACLs that would block UDP traffic.

Let me know if this helps!

Best Regards,


Ahmed Yassin Wed, 07/14/2010 - 05:48

I confirmed that all routes are right and the issue arises from NATting, as the router sees the virtual inside LAN as a public IP. When I remove the global NATting and make it nat, calls are heard both ways normally. I tested it myself, but I can't leave it this way, as the inside virtual LAN must be NATted to a public IP to access the internet.

Nagaraja Thanthry Wed, 07/14/2010 - 06:41


Are these external callers internal to your company? Or are they part of the internet? If they are part of your own network, then you can configure an access-list to specify nat0 rules between your internal users to those external devices (which are also part of your network).

If the callers are internet users (anybody in the world including analog telephones), do you have another device along the path that is doing natting? If yes, then that could be the problem i.e. you are trying to NAT twice and the second nat device is having issues with already natted traffic.

Hope this helps.



Ahmed Yassin Wed, 07/14/2010 - 06:56

Sorry, maybe there is a misunderstanding; I mean the inside company employees' laptops.

When these employees access our network from outside through the VPN and open their IP Communicator, they make calls outside as if they were sitting inside the office, and the call is heard from both sides.

But when these employees come back to the office and open their laptops, which reside in the inside virtual data VLAN, and make an external call, it is heard from outside only and the employee can't hear anything.

I tried the scenario as I explained in my last reply.

Nagaraja Thanthry Wed, 07/14/2010 - 07:08


If the end users are your VPN clients, then you can try the following:

access-list inside_nat0_outbound permit ip <source-network> <mask> <destination-network> <mask>
nat (inside) 0 access-list inside_nat0_outbound

In this NAT configuration, the use of access-list enables you to selectively nonat certain traffic while all other traffic still goes via NAT rules.

Hope this helps.
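
An added configuration example, not part of the original thread, showing how the nat 0 access-list from the reply above can coexist with dynamic NAT for the same inside data VLAN. All addresses are constructed assumptions: 10.10.20.0/24 as the inside data VLAN, 10.10.50.0/24 as the voice network and 10.10.99.0/24 as the VPN pool; the interface names inside and outside and NAT ID 1 are also assumed.

```cisco
! Constructed sample addresses, replace with your own networks.
! Exempt only the voice-related flows from NAT. The PIX checks the
! nat 0 access-list before the dynamic NAT rule below, so traffic
! matching these entries keeps its real source address.
access-list inside_nat0_outbound permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.10.20.0 255.255.255.0 10.10.99.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Everything else from the data VLAN (for example internet browsing)
! does not match the access-list and is still translated to the
! outside interface address.
nat (inside) 1 10.10.20.0 255.255.255.0
global (outside) 1 interface
```

Keep the access-list as narrow as the voice flows require, since every entry in it bypasses translation. The hit counters in `show access-list inside_nat0_outbound` and the translation table in `show xlate` show which rule a given call actually used.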



