I am trying to set up an IP phone behind a PIX 501 with a site-to-site IPSEC tunnel to my corporate office. The tunnel is up and working, and I can pass traffic both ways successfully. However, when I plugged in the IP phone, I was able to get it registered, but when I make or receive a call, I don't hear anything. I can see the call progress on the screen and the other side can hear me fine, I just cannot hear them. I have tried this to multiple phones at the corporate office, as well as voicemail and PSTN, and get the same result.
I had read in the forums that I need to make sure the correct UDP ports are allowed through my PIX, but I was under the impression that a VPN tunnel passed all traffic that matched source and destination, so I didn't need to worry about additional access lists. I even went so far as to add access lists specifically permitting UDP any any between the corporate office and the local IP phone, but still no change.
I know lots of you are running IP phones behind PIX 501s, so how are you doing it?
These are the access lists from the PIX config. The first two are the IPSEC access lists that control NAT and tunnel access, the third is the one I added to permit udp.
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.254.1.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.253.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.254.1.0 255.255.255.252
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.253.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list outside_access_in permit udp 10.254.1.0 255.255.255.252 host 172.31.0.60
access-list outside_access_in permit udp 10.253.1.0 255.255.255.0 host 172.31.0.60
access-list outside_access_in permit udp 10.100.19.0 255.255.255.0 host 172.31.0.60
Any help would be greatly appreciated, thanks!
I think the problem is on the other side of the VPN. The device there is not letting UDP go toward the phone, hence no audio in that direction.
Here are the access lists on the inside going out to the PIX. I was under the impression that permit ip meant permit everything, but do I have to add entries to permit udp as well?
access-list 100 remark Chris_VPN
access-list 100 permit ip 10.254.1.0 0.0.0.3 172.31.0.0 0.0.0.255
access-list 100 permit ip 10.100.0.0 0.0.255.255 172.31.0.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.31.0.0 0.0.0.255
access-list 100 permit ip 10.253.1.0 0.0.0.255 172.31.0.0 0.0.0.255
Are you also classifying this traffic in nat 0 on the PIX to avoid having it nat'd?
No, if you permit ip, you're permitting everything above it.
Yes, those same subnets are listed in nat 0 on the PIX. That's why I'm confused. The tunnel works fine, and the phone registers, can browse directories, etc., but still I get the one-way audio while in a call.
I am perplexed. :)
From your voice vlan on one side, you would need to be able to ping the phone in the voice vlan on the other side. You can have phones registering from CCM/CCME over a VLAN without being able to call phones that are in another VLAN.
You could post full configs if you wanted, but I would say without a doubt it's just a matching interesting traffic or natting problem.
Another thing that I have run into with PIXes is routing. The subnets that your phones are in probably have had no reason in the past to pass through the PIX. Do you have static routes in the PIX pointing to the router necessary to get to the subnet in which the phones belong?
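As an added example (not from this thread, and not a Cisco tool), here is a small Python check of the point made above about matching interesting traffic and nat 0: it parses the PIX access-lists and the router's ACL 100 quoted earlier in the thread, normalizes PIX subnet masks and IOS wildcard masks to CIDR, and reports any crypto entry that has no mirror image on the far side or that is not exempted from NAT. The ACL text embedded below is copied from the posts above; the asymmetric case mentioned after the code is constructed.

```python
import ipaddress
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    name: str      # ACL name or number
    action: str    # permit / deny
    proto: str     # ip, udp, tcp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _address(tokens: List[str], wildcard: bool):
    """Consume one source/destination spec and return (network, remaining tokens).

    PIX ACLs use subnet masks (255.255.255.0); IOS numbered ACLs use
    wildcard masks (0.0.0.255), so the caller says which form to expect.
    """
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # Invert the wildcard bits to get a conventional netmask.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text: str, wildcard: bool = False) -> List[AclEntry]:
    """Parse 'access-list <name> permit|deny <proto> <src> <dst>' lines; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        name, action, proto = parts[1], parts[2], parts[3]
        src, rest = _address(parts[4:], wildcard)
        dst, _ = _address(rest, wildcard)   # trailing port qualifiers are ignored
        entries.append(AclEntry(name, action, proto, src, dst))
    return entries


def missing_mirrors(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Local permit entries whose reverse (dst -> src) is not covered by a remote permit.

    Crypto ACLs must be mirror images for the tunnel to carry traffic both
    ways; an entry returned here is a candidate cause of one-way traffic.
    """
    missing = []
    for e in local:
        if e.action != "permit":
            continue
        mirrored = any(
            r.action == "permit"
            and r.proto in ("ip", e.proto)
            and e.dst.subnet_of(r.src)
            and e.src.subnet_of(r.dst)
            for r in remote
        )
        if not mirrored:
            missing.append(e)
    return missing


def not_exempt_from_nat(crypto: List[AclEntry], nat0: List[AclEntry]) -> List[AclEntry]:
    """Crypto entries not also matched by the nat 0 ACL (they would be NATed before encryption)."""
    return [
        e for e in crypto
        if not any(e.src.subnet_of(n.src) and e.dst.subnet_of(n.dst) for n in nat0)
    ]


# ACL lines as quoted in the thread (PIX uses subnet masks).
PIX_ACLS = """\
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.254.1.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.253.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.31.0.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.254.1.0 255.255.255.252
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.253.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.31.0.0 255.255.255.0 10.100.0.0 255.255.0.0
"""

# ACL 100 on the 2821 as quoted in the thread (IOS uses wildcard masks).
ROUTER_ACL_100 = """\
access-list 100 remark Chris_VPN
access-list 100 permit ip 10.254.1.0 0.0.0.3 172.31.0.0 0.0.0.255
access-list 100 permit ip 10.100.0.0 0.0.255.255 172.31.0.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.31.0.0 0.0.0.255
access-list 100 permit ip 10.253.1.0 0.0.0.255 172.31.0.0 0.0.0.255
"""


def check_thread_config():
    """Run the mirror and nat 0 checks against the two ACL sets above."""
    pix = parse_acl(PIX_ACLS)
    crypto = [e for e in pix if e.name == "outside_cryptomap_20"]
    nat0 = [e for e in pix if e.name == "inside_outbound_nat0_acl"]
    router = parse_acl(ROUTER_ACL_100, wildcard=True)
    return {
        "crypto_without_mirror": missing_mirrors(crypto, router),
        "router_without_mirror": missing_mirrors(router, crypto),
        "crypto_not_in_nat0": not_exempt_from_nat(crypto, nat0),
    }


if __name__ == "__main__":
    for check, hits in check_thread_config().items():
        print(check, [f"{e.src} -> {e.dst}" for e in hits] or "OK")
```

Run against the lists as posted, every check comes back empty: the crypto ACL and ACL 100 are exact mirrors and nat 0 covers the same subnets, which is why the poster's tunnel carries pings both ways. Dropping two of the router's entries (a constructed asymmetry) makes `missing_mirrors` name exactly the two PIX crypto entries left without a reverse path, which is the kind of mismatch that shows up as one-way traffic.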
Couple of questions that might help to identify the issue:
What version PIX are you running?
What protocol for the phone to register to CCM?
What version of CCM?
What type of phone?
There are a couple of good documents on CCO regarding IP phones behind PIX firewalls.
Also, another thing to check is the phone load on the phone. There was one that contained a bug which sounds very similar to what you have: signaling okay, call progress seems okay, but only one-way audio. Easy check to see if you are hitting this bug: place a call, wait till the other site answers, then put the call on hold, hit resume and check if you have two-way voice (the bug was that incoming RTP packets were simply not processed by the phone).
Check the statistics on your phone to see if you are receiving RTP packets. Also debug the PIX on both the outside and inside interfaces to see if RTP packets are returning (from the outside you will only see the encrypted packets, of course).
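To illustrate the "check whether you are receiving RTP packets" advice, here is an added Python example (not from this thread and not a Cisco tool) that decodes RTP fixed headers from a small constructed capture of UDP payloads, counts voice packets in each direction for the phone, and classifies the result as two-way, one-way or no audio. The phone address is the one from the thread; the far-end address 10.100.19.25 and the packets themselves are constructed.

```python
import struct
from typing import Dict, Iterable, Optional, Tuple

RTP_VERSION = 2
# Static audio payload types from RFC 3551. RTCP (PT 200-204) and any other
# payload type are ignored, so only voice packets are counted.
AUDIO_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA", 18: "G729"}


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, payload: bytes = b"\xff" * 160) -> bytes:
    """Build a minimal RTP packet (constructed test data): V=2, no padding/extension, CC=0, M=0."""
    header = struct.pack("!BBHII", RTP_VERSION << 6, pt & 0x7F,
                         seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def parse_rtp(data: bytes) -> Optional[dict]:
    """Return the fixed-header fields of an RTP voice packet, or None if this is not one."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    pt = b1 & 0x7F
    if pt not in AUDIO_PAYLOAD_TYPES:
        return None
    return {"seq": seq, "ts": ts, "ssrc": ssrc,
            "codec": AUDIO_PAYLOAD_TYPES[pt], "marker": bool(b1 & 0x80)}


def audio_flow_summary(packets: Iterable[Tuple[str, str, bytes]], phone_ip: str) -> Dict[str, int]:
    """Count RTP voice packets the phone sent and received.

    packets: (src_ip, dst_ip, udp_payload) tuples, as you would pull them
    from a capture on the PIX inside interface or the phone's switch port.
    """
    sent = received = 0
    ssrcs = set()
    for src, dst, payload in packets:
        rtp = parse_rtp(payload)
        if rtp is None:
            continue
        ssrcs.add(rtp["ssrc"])
        if src == phone_ip:
            sent += 1
        elif dst == phone_ip:
            received += 1
    return {"sent": sent, "received": received, "streams": len(ssrcs)}


def classify(summary: Dict[str, int]) -> str:
    """Map the counters onto the symptom; the thread's case is 'rx-missing' (phone talks, hears nothing)."""
    if summary["sent"] and summary["received"]:
        return "two-way"
    if summary["sent"]:
        return "one-way: rx-missing"
    if summary["received"]:
        return "one-way: tx-missing"
    return "no-audio"


PHONE = "172.31.0.60"
FAR_PHONE = "10.100.19.25"   # constructed address in the 10.100.19.0/24 phone subnet from the thread


def constructed_capture(two_way: bool):
    """Five 20 ms PCMU frames from the phone; the return stream is present only if two_way."""
    pkts = [(PHONE, FAR_PHONE, build_rtp(100 + i, 160 * i, 0x1234ABCD)) for i in range(5)]
    if two_way:
        pkts += [(FAR_PHONE, PHONE, build_rtp(500 + i, 160 * i, 0x0BADF00D)) for i in range(5)]
    # Noise that must not be counted: an RTCP sender report (PT 200) and a non-RTP datagram.
    pkts.append((FAR_PHONE, PHONE, struct.pack("!BBHII", 0x80, 200, 6, 0x0BADF00D, 0) + b"\x00" * 20))
    pkts.append((FAR_PHONE, PHONE, b"not-rtp-at-all"))
    return pkts


if __name__ == "__main__":
    for two_way in (False, True):
        summary = audio_flow_summary(constructed_capture(two_way), PHONE)
        print(summary, classify(summary))
```

With the one-way capture the summary shows five packets sent and none received, which is exactly what the poster's phone statistics should show if the return RTP is being dropped somewhere on the path; the RTCP report and the non-RTP datagram are excluded so that control traffic does not mask a missing voice stream.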
Thanks for all the replies!
First off, I can ping the phone from the other side, I can even ping from the voicemail subnet and the IP phone subnets at the corporate office.
I believe that confirms that routing is correct, as I can ping both ways successfully. I am still unsure about routing, though, because the remote subnet is not listed in a "sh ip route" on the 2821, even though packets are successfully being delivered.
As far as versions go:
- PIX is a 501 running sw 6.3(5)
- Phone is registered as SCCP
- callmanager is CallManager Express 3.4 running on the 2821 router that is also the IPSEC endpoint
- Phone is a 7940 running phone load 8.0(5.0)
Configs are forthcoming as I am still stumped. This is the first IPSEC tunnel I have set up between Cisco devices, so I may have it wrong.
Thanks for all the help!
For background, here is the way the network is set up:
The phone is on the internal LAN of the PIX, along with a few other devices. Local LAN on the pix is 172.31.0.0/24.
PIX is connected to 2821 at corporate office via a site2site IPSEC tunnel.
2821 at corporate office is our main internet router, as well as CME and CUE system.
Subnets that are allowed through the tunnel:
172.31.0.0/24 > 10.254.1.0/30 (CCME address is in this net)
172.31.0.0/24 > 10.253.1.0/30 (CUE net)
172.31.0.0/24 > 10.100.0.0/16 (internal LAN - VVLANS are in this subnet)
172.31.0.0/24 > 192.168.100.0/24 (legacy device LAN)
10.254.1.0/30 > 172.31.0.0/24 (reverse path)
10.253.1.0/30 > 172.31.0.0/24 (reverse path)
10.100.0.0/16 > 172.31.0.0/24 (reverse path)
192.168.100.0/24 > 172.31.0.0/24 (reverse path)
IP phone is 172.31.0.60
CME is 10.254.1.1
CUE is 10.253.1.3
Other IP phones are on 10.100.19.0/24
Either check the access-list at the CME, or most probably you need to issue:
H323-gateway voip bind srcaddr 10.254.1.1 under G0/0
One way audio is either routing or routing :-)