Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

asa phone proxy to ipsec vpn issue

Seeing if anyone can help with an issue. we have a Cisco 5510 with 8.2.1 and running both a phone proxy and ipsec site to site vpns. the asa sslphone proxy works fine for any lan and wan sites ( mpls) behind the asa. that is not an issue. and lan / wan phones can reach all pnoes at sites connected via the ipsec vpn's. no issue. the issue is that when an ssl phone proxy attached external phone attempts to call another ip phone at a remote site the call fails no VOICE. It appears as if the ASA does not hairpin or route traffic out from the ssl phone proxy back out the interface to the vpn tunnel. Note I am ponly using a single global media termination address which is external. ( not one where I can put one on each interface) If anyone has done an ssl phone proxy coming in and then hairpinning back out an ipsec site to site vpn tunnel connection please let me know and if you can share a sanitized sample config it would be appreciated. this one is frustrating me. Thank you.

New Member

Re: asa phone proxy to ipsec vpn issue

That's exactly the same issue I had before. The workaround was to make sure that the audio path was correct both ways. Although version 8.2.1 must have fix this issue (but be sure you have a internal and external for your MTA), I have to make a few static routes into my network devices.

check this out, maybe this could help:


New Member

Re: asa phone proxy to ipsec vpn issue


We are trying to create a similar configuration on as ASA5510 running 8.2(1)11.  We have the Phone Proxy configured and working we are trying to use the same ASA as the termination point for EZVPN connections from remote 871 routers.  We need to support a combination of remote phones connecting to the Call Manager / TFTP from private address blocks across IPSec VPN and remote phones connecting to the Phone Proxy interface.  Our issue is with the VPN connected phones; the are not able to receive the CTL and xml config files via TFTP from the Call Manager.  It appears the Phone Proxy function on the ASA intercepts all TFTP traffic and does not allow it to return across the tunnel.  We can ping, browse, and RDP to the Call Manager across the VPN, so the issue appears to be TFTP specific.  We see the TFTP request in the ASA log for the VPN attached phone, but configuration does not reach the phone.

Is there something specific (ACL, etc) required to enable the ASA to differentiate Phone Proxy traffic and VPN traffic for TFTP connections, and route appropriately?

Thank you in advance.