VoIP between IPSec VPN Sites issue

hisham683 · ‎11-21-2010

Hi, hoping for a little guidance on this issue

I am deploying several ASA 5505's for a home office project for remote users. It is an IPSec VPN to the corporate and each user is set up with an IP range starting in the 172.31.96.0 /27 subnet and moving up. The vlan 1 interface is the first IP in that subnet, the ASA assigns a DHCP address to any other connected device also within that subnet.

Basic configuration works fine and the VPN connection is successfully up, the wierd issue I'm facing is with IP phones behind the ASA's. Phones will power up and successfully register to Call manager. They are able to successfully make calls to another phone in the corporate network or to external phones. However, when a phone behind an ASA tries to dial another phone that is also behind an ASA, the call will successfully setup, but there is no audio whatsoever. Status messages on the phone show no audio packets traversing.

Is this a VPN issue or could this possibly be a routing issue?

Thanks

Federico Coto Fajardo · ‎11-21-2010

Hi,

When you need a remote phone to talk to another remote phone, the voice packets need to travel through the VPN tunnel to the corporate site and back to the other end.

I think the problem is that all remote sites work fine, but there's no communication between them.

i.e.

PC1 on remote site 1 cannot PING PC2 on remote site 2

To make this work, the ASA should be able to hairpin the traffic (send the traffic received from a VPN tunnel into another VPN tunnel).

You need:

same-security-traffic permit intra-interface

And also... include the remote networks in the interesting traffic.

Federico.