Phones Behind 871 Router through VPN via ASA not registering
I have a VPN set up between an 871 router and an ASA 5505. The VPN tunnel is up and I can pass traffic between the LANs. I can hit the phone system from the remote site (behind 871) as well as the main site via the VPN tunnel. But none of the phones will register. While looking at the phone system, I can see them registering/unregistering - Yes. The VPN tunnel is up.
I am getting the following message in the log:
Deny TCP (no connection) from 192.168.14.4 [remote LAN]/51373 to 10.10.10.1 [phone system]/2000 flags PSH ACK on interface outside
This appears while the phones go through the register/unregister process. I have an ACL that permits all between the two sites, as well as all of the other NAT/no-NAT, etc.
Re: Phones Behind 871 Router through VPN via ASA not registering
Are you aware if the phones' registration requires a stateless TCP connection? Is there a 3-way handshake for the TCP connection? If there is not, then you need to use the STATE bypass feature (nailed) with the static NAT entry:
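An added example, not part of either post: a small Python triage of the "Deny TCP (no connection)" message quoted in the question. It groups denials by flow and labels them by TCP flags, which helps tell a handshake the firewall never saw from late packets on a closed connection. All sample lines except the first are constructed, and the category names are this example's own.

```python
import re
from collections import Counter

# First line is the message from the question (poster's annotations kept);
# the remaining lines are constructed for illustration.
SAMPLE_LOG = """\
Deny TCP (no connection) from 192.168.14.4 [remote LAN]/51373 to 10.10.10.1 [phone system]/2000 flags PSH ACK on interface outside
Deny TCP (no connection) from 192.168.14.4/51373 to 10.10.10.1/2000 flags ACK on interface outside
Deny TCP (no connection) from 10.10.10.1/2000 to 192.168.14.5/49822 flags SYN ACK on interface inside
Deny TCP (no connection) from 192.168.14.6/50010 to 10.10.10.1/2000 flags RST on interface outside
"""

# Optional "[...]" after an address tolerates hand-added annotations.
PATTERN = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)(?:\s*\[[^\]]*\])?/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)(?:\s*\[[^\]]*\])?/(?P<dport>\d+)"
    r" flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

def classify(flags):
    """Label a denied packet by its TCP flags (labels are this example's own)."""
    f = set(flags.split())
    if "SYN" in f and "ACK" in f:
        return "reply-without-request"  # SYN-ACK seen, the SYN was not
    if f & {"RST", "FIN"}:
        return "late-teardown"          # close packets after the entry is gone
    if "ACK" in f:
        return "mid-stream"             # data/ACK with no connection entry
    return "other"

def triage(log_text):
    """Return {(src, dst, dst_port, interface): Counter of labels}."""
    flows = {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["dport"]), m["ifc"])
        flows.setdefault(key, Counter())[classify(m["flags"])] += 1
    return flows

if __name__ == "__main__":
    for flow, labels in triage(SAMPLE_LOG).items():
        print(flow, dict(labels))
```

Repeated "mid-stream" or "reply-without-request" hits for the same flow mean the firewall is not seeing the whole conversation on one path, which is worth confirming before turning off state checking for that traffic.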