Cisco Jabber implementation with ASA 5510 ( one way voice issue ) HELP!!

Unanswered Question
Mar 7th, 2014

Hello,


I really need your help. I'm facing a one-way voice issue when I call my local IP phones from an iPhone 5 that is connected to an outside wireless network via Cisco AnyConnect through the ASA 5510. To make it worse, Android phone users can't hear even one way. This is really frustrating.

On the iPhone I can hear the voice from my colleagues but they can't hear mine (there is silent noise). Last week I upgraded the Cisco ASA to version 9.1 and configured AnyConnect VPN, so everything works fine (I can access the voice network and the data network, IP connectivity is fine), but when I call my local IP phones via Cisco Jabber there is a one-way voice issue. Also, I can establish external calls via Jabber.

I've read some articles about NAT but currently I'm a little bit confused about this problem and don't know what to do. Here is the configuration from the ASA and I'd be very grateful if you could help me.


Below are the topology and the ASA configuration. In our LAN we are using OSPF as the routing protocol. Also, the guys from the voice department say that CUCM is configured correctly.


We tried everything but no success.


Jabber Voice 9.1.6.21640

Cisco AnyConnect Secure Mobility Client Version 3.0.09231


network toplogy.jpg


asa5510PLUS# show run

: Saved

:

ASA Version 9.1(4)

!

hostname asa5510PLUS


xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNI5346546dI.2KYOU encrypted

names

ip local pool CiscoVPNClientPool 192.168.200.1-192.168.200.10 mask 255.255.255.0

ip local pool AnyConnectPool 10.10.10.1-10.10.10.254 mask 255.255.255.0

ip local pool VOIP 172.18.115.2-172.18.115.6 mask 255.255.255.0

!

interface Ethernet0/0

description Ziraat LAN

nameif inside

security-level 100

ip address 192.168.115.4 255.255.255.0

delay 10

!

interface Ethernet0/1

description INTERNET

duplex full

nameif outside

security-level 0

ip address 217.75.195.xxx 255.255.255.2xx

delay 10

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 172.16.100.1 255.255.255.0

!


boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone CET 1

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group DefaultDNS

name-server 217.xx.xx.10

name-server 217.xx.xx.11

name-server 192.168.115.xx

name-server 192.168.115.xx

domain-name xxxxx.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network lan-subnet

subnet 192.168.115.0 255.255.255.0

object network AnyconnectRange

range 10.10.10.1 10.10.10.50

description AnyconnectRange

object network NETWORK_OBJ_10.10.10.0_24

subnet 10.10.10.0 255.255.255.0

object network 241VLAN

subnet 192.168.241.0 255.255.255.0

description 241VLAN

object service RTP

service udp source range 16384 32766 destination range 16384 32766

description RTP

object service TEST

service udp source range 20000 50000 destination range 20000 50000

object network Voice-vlan

subnet 172.18.115.0 255.255.255.0

description Voice-vlan

object network Core

host 192.168.115.100

description core

object service MGCP

service udp source eq 2427 destination eq 2427

description MGCP

object service MGCP2

service udp source eq 2727 destination eq 2727

description MGCP2

object service h323udp

service udp source range 1718 1719 destination range 1718 1719

description h323/udp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object udp

service-object object RTP

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object udp

service-object object RTP

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_4

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object tcp destination eq h323

service-object object h323udp

object-group service DM_INLINE_SERVICE_5

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_6

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_7

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_8

service-object ip

service-object udp

service-object object RTP

service-object object MGCP

service-object object MGCP2

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_10

service-object object MGCP

service-object object MGCP2

service-object ip

service-object udp

service-object object RTP

service-object object h323udp

service-object tcp destination eq h323

object-group service DM_INLINE_SERVICE_9

service-object object MGCP

service-object object MGCP2

service-object ip

service-object udp

service-object object RTP

service-object object h323udp

service-object tcp destination eq h323

access-list AnyconnectAccess extended permit object-group DM_INLINE_PROTOCOL_1 user LOCAL\test object AnyconnectRange object lan-subnet

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object NETWORK_OBJ_10.10.10.0_24 object 241VLAN

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 192.168.115.0 255.255.255.0 object AnyconnectRange

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object 241VLAN object AnyconnectRange

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Voice-vlan any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 object NETWORK_OBJ_10.10.10.0_24 object Voice-vlan

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_6 object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_10.10.10.0_24

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 any any

access-list split-tunneling-Jabber standard permit 192.168.115.0 255.255.255.0

access-list split-tunneling-Jabber standard permit 192.168.241.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_9 any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 1048576

logging asdm-buffer-size 500

logging buffered warnings

logging trap notifications

logging asdm informational

logging from-address [email protected]

logging recipient-address [email protected] level errors

logging host inside 192.168.115.xx

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp deny any inside

icmp deny any outside

asdm image disk0:/asdm-715-100.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static AnyconnectRange AnyconnectRange

access-group inside_access_in in interface inside

access-group outside_access_in_1 in interface outside

access-group inside_access_in global

route outside 0.0.0.0 0.0.0.0 217.xx.xx.xxx 1

route inside 192.168.241.0 255.255.255.0 192.168.115.100 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.115.0 255.255.255.0 inside

http 217.75.xxx.xx 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto engine large-mod-accel

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.115.0 255.255.255.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 10

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcp-client client-id interface management

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 87.232.1.41 prefer

ntp server 78.46.108.116

ntp server 192.36.143.150

webvpn

enable inside

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1

anyconnect profiles AnyConnectProfile disk0:/anyconnectprofile.xml

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.115.xx 192.168.115.xx

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

group-policy GroupPolicy_Jabber internal

group-policy GroupPolicy_Jabber attributes

banner none

wins-server none

dns-server value 192.168.115.xx 192.168.115.xx

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunneling-Jabber

default-domain value ziraatbosnia.com

split-dns value 192.168.115.xx 192.168.115.xx

group-policy AnyconnectGroupPolicy internal

group-policy AnyconnectGroupPolicy attributes

banner value PRISTUP DOZVOLJEN SAMO OVLASTENIM LICIMA

banner value Ovaj sistem je vlasnistvo Ziraat Bank BH.

banner value Ukoliko niste ovlastena osoba odmah prekinite konekciju!

banner value Ovaj sistem je pod stalnim nadzorom i sve aktivnosti ce biti zapisane.

wins-server none

dns-server value 217.xx.xxx.10 217.xx.xxx.11

vpn-filter value AnyconnectAccess

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

split-tunnel-policy excludespecified

split-tunnel-network-list value split-tunneling-Jabber

default-domain value ziraatbosnia.com

split-dns none

address-pools value AnyConnectPool

webvpn

  anyconnect ssl dtls enable

  anyconnect ssl keepalive none

  anyconnect dpd-interval client 30

  anyconnect dpd-interval gateway none

  anyconnect profiles value AnyConnectProfile type user

  anyconnect ask enable default anyconnect timeout 15


vpn-group-policy GroupPolicy_Jabber


vpn-group-policy AnyconnectGroupPolicy

vpn-tunnel-protocol ssl-client

tunnel-group Jabber type remote-access

tunnel-group Jabber general-attributes

address-pool AnyConnectPool

default-group-policy GroupPolicy_Jabber

nat-assigned-to-public-ip outside

tunnel-group Jabber webvpn-attributes

group-alias Jabber enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect sip

  inspect h323 h225

  inspect h323 ras

class class-default

  user-statistics accounting

  inspect sip

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:1e26cc3bb55d9e9a64ddc57758b64691

: end

asa5510PLUS#
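
A consistency check over the configuration posted above, as an added example that is not part of the original post and not Cisco tooling: for each `object network` subnet it reports whether the named split-tunnel ACL sends it into the VPN and which interface the ASA's own routes select for it. The function names are hypothetical, the embedded lines are copied from the posted running-config, and the post does not say which subnet the IP phones use.

```python
import ipaddress
# Lines copied from the running-config in the post (only those this check reads).
CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.115.4 255.255.255.0
object network lan-subnet
 subnet 192.168.115.0 255.255.255.0
object network 241VLAN
 subnet 192.168.241.0 255.255.255.0
object network Voice-vlan
 subnet 172.18.115.0 255.255.255.0
access-list split-tunneling-Jabber standard permit 192.168.115.0 255.255.255.0
access-list split-tunneling-Jabber standard permit 192.168.241.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 217.xx.xx.xxx 1
route inside 192.168.241.0 255.255.255.0 192.168.115.100 1
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    objects, split, routes, name, nameif = {}, [], [], None, None
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["object", "network"]:
            name = w[2]
        elif w[:1] == ["subnet"] and name:
            objects[name] = net(w[1], w[2])
        elif w[:1] == ["interface"]:
            nameif = None
        elif w[:1] == ["nameif"]:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            routes.append((net(w[2], w[3]), nameif))  # connected network
        elif w[:1] == ["route"]:
            routes.append((net(w[2], w[3]), w[1]))    # static route
        elif w[:1] == ["access-list"] and w[2:4] == ["standard", "permit"]:
            split.append((w[1], net(w[4], w[5])))
    return objects, split, routes

def egress(routes, network):
    # Longest-prefix match: interface the ASA forwards this subnet out of.
    hits = [(n.prefixlen, ifc) for n, ifc in routes if network.subnet_of(n)]
    return max(hits)[1] if hits else None

def audit(config, split_acl):
    objects, split, routes = parse(config)
    tunneled = [n for acl, n in split if acl == split_acl]
    return {name: {"in_split_tunnel": any(n.subnet_of(t) for t in tunneled),
                   "asa_egress": egress(routes, n)} for name, n in objects.items()}
```

Calling `audit(CONFIG, "split-tunneling-Jabber")` on the excerpt shows `lan-subnet` and `241VLAN` tunneled and reached via `inside`, while `Voice-vlan` is absent from the split-tunnel list and matched only by the default route on `outside`.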
