New Member

Phones Behind 871 Router through VPN via ASA not registering

I have a VPN set up between an 871 router and an ASA 5505. VPN tunnel is up and I can pass traffic between the LANs. I can hit the phone system from the remote site (behind 871) as well as the main site via VPN tunnel. But, none of the phones will register. While looking at the phone system, I can see them registering/unregistering - Yes. The VPN tunnel is up.

I am getting the following message in the log:

Deny TCP (no connection) from 192.168.14.4 [remote LAN]/51373 to 10.10.10.1 [phone system]/2000 flags PSH ACK on interface outside

While the phones go through the register/unregister process. I have an ACL that permits all between the two sites, as well as all of the other NAT/no-NAT rules, etc.

Any thoughts would be much appreciated.

3 REPLIES
Cisco Employee

Re: Phones Behind 871 Router through VPN via ASA not registering

Are you aware if the phones' registration requires a stateless TCP connection? Is there a 3-way handshake for the TCP connection? If there is not, then you need to use the STATE bypass feature (nailed) with the static NAT entry:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

New Member

Re: Phones Behind 871 Router through VPN via ASA not registering

Unfortunately, I am not using static NATs for either of the subnets...

My NAT:

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_11 192.168.14.0 255.255.255.0

The DM_INLINE_NETWORK_11 includes the phone network (10.10.10.x) and the LAN on the other side of the ASA.

Cisco Employee

Re: Phones Behind 871 Router through VPN via ASA not registering

First you need to check if you need it. If your phones use stateless TCP sessions, then you need to use static NAT and nailed.
