03-07-2014 06:55 AM - edited 03-17-2019 04:00 PM
Hello,
I really need your help. I'm facing a one-way voice issue when I call my local IP phones from an iPhone 5 which is connected to an outside wireless network via Cisco AnyConnect through an ASA 5510. To make it worse, Android phone users can't hear even one way. This is really frustrating.
On the iPhone I can hear the voice from my colleagues but they can't hear mine (there is silent noise). Last week I upgraded the Cisco ASA to version 9.1 and configured AnyConnect VPN, so everything works fine (I can access the voice network and data network, IP connectivity is fine), but when I call my local IP phones via Cisco Jabber there is a one-way voice issue. Also, I can establish external calls via Jabber.
I've read some articles about NAT but currently I'm a little bit confused about this problem and don't know what to do. Here is the configuration from the ASA, and I'd be very grateful if you could help me.
Below is the topology and ASA configuration. In our LAN we are using OSPF as the routing protocol. Also, the guys from the voice department say that CUCM is configured correctly.
We tried everything but with no success.
Jabber Voice 9.1.6.21640
Cisco AnyConnect Secure Mobility Client Version 3.0.09231
asa5510PLUS# show run
: Saved
:
ASA Version 9.1(4)
!
hostname asa5510PLUS
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNI5346546dI.2KYOU encrypted
names
ip local pool CiscoVPNClientPool 192.168.200.1-192.168.200.10 mask 255.255.255.0
ip local pool AnyConnectPool 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool VOIP 172.18.115.2-172.18.115.6 mask 255.255.255.0
!
interface Ethernet0/0
description Ziraat LAN
nameif inside
security-level 100
ip address 192.168.115.4 255.255.255.0
delay 10
!
interface Ethernet0/1
description INTERNET
duplex full
nameif outside
security-level 0
ip address 217.75.195.xxx 255.255.255.2xx
delay 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.100.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 217.xx.xx.10
name-server 217.xx.xx.11
name-server 192.168.115.xx
name-server 192.168.115.xx
domain-name xxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network lan-subnet
subnet 192.168.115.0 255.255.255.0
object network AnyconnectRange
range 10.10.10.1 10.10.10.50
description AnyconnectRange
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network 241VLAN
subnet 192.168.241.0 255.255.255.0
description 241VLAN
object service RTP
service udp source range 16384 32766 destination range 16384 32766
description RTP
object service TEST
service udp source range 20000 50000 destination range 20000 50000
object network Voice-vlan
subnet 172.18.115.0 255.255.255.0
description Voice-vlan
object network Core
host 192.168.115.100
description core
object service MGCP
service udp source eq 2427 destination eq 2427
description MGCP
object service MGCP2
service udp source eq 2727 destination eq 2727
description MGCP2
object service h323udp
service udp source range 1718 1719 destination range 1718 1719
description h323/udp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object object RTP
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp
service-object object RTP
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object tcp destination eq h323
service-object object h323udp
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_8
service-object ip
service-object udp
service-object object RTP
service-object object MGCP
service-object object MGCP2
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_10
service-object object MGCP
service-object object MGCP2
service-object ip
service-object udp
service-object object RTP
service-object object h323udp
service-object tcp destination eq h323
object-group service DM_INLINE_SERVICE_9
service-object object MGCP
service-object object MGCP2
service-object ip
service-object udp
service-object object RTP
service-object object h323udp
service-object tcp destination eq h323
access-list AnyconnectAccess extended permit object-group DM_INLINE_PROTOCOL_1 user LOCAL\test object AnyconnectRange object lan-subnet
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object NETWORK_OBJ_10.10.10.0_24 object 241VLAN
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 192.168.115.0 255.255.255.0 object AnyconnectRange
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object 241VLAN object AnyconnectRange
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Voice-vlan any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 object NETWORK_OBJ_10.10.10.0_24 object Voice-vlan
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_6 object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_10.10.10.0_24
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 any any
access-list split-tunneling-Jabber standard permit 192.168.115.0 255.255.255.0
access-list split-tunneling-Jabber standard permit 192.168.241.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_9 any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging asdm-buffer-size 500
logging buffered warnings
logging trap notifications
logging asdm informational
logging from-address asa@xxxx.com
logging recipient-address ict@xxxx.ba level errors
logging host inside 192.168.115.xx
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any inside
icmp deny any outside
asdm image disk0:/asdm-715-100.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static AnyconnectRange AnyconnectRange
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
access-group inside_access_in global
route outside 0.0.0.0 0.0.0.0 217.xx.xx.xxx 1
route inside 192.168.241.0 255.255.255.0 192.168.115.100 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.115.0 255.255.255.0 inside
http 217.75.xxx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto engine large-mod-accel
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.115.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 87.232.1.41 prefer
ntp server 78.46.108.116
ntp server 192.36.143.150
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect profiles AnyConnectProfile disk0:/anyconnectprofile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.115.xx 192.168.115.xx
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_Jabber internal
group-policy GroupPolicy_Jabber attributes
banner none
wins-server none
dns-server value 192.168.115.xx 192.168.115.xx
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunneling-Jabber
default-domain value ziraatbosnia.com
split-dns value 192.168.115.xx 192.168.115.xx
group-policy AnyconnectGroupPolicy internal
group-policy AnyconnectGroupPolicy attributes
banner value PRISTUP DOZVOLJEN SAMO OVLASTENIM LICIMA
banner value Ovaj sistem je vlasnistvo Ziraat Bank BH.
banner value Ukoliko niste ovlastena osoba odmah prekinite konekciju!
banner value Ovaj sistem je pod stalnim nadzorom i sve aktivnosti ce biti zapisane.
wins-server none
dns-server value 217.xx.xxx.10 217.xx.xxx.11
vpn-filter value AnyconnectAccess
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value split-tunneling-Jabber
default-domain value ziraatbosnia.com
split-dns none
address-pools value AnyConnectPool
webvpn
anyconnect ssl dtls enable
anyconnect ssl keepalive none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway none
anyconnect profiles value AnyConnectProfile type user
anyconnect ask enable default anyconnect timeout 15
vpn-group-policy GroupPolicy_Jabber
vpn-group-policy AnyconnectGroupPolicy
vpn-tunnel-protocol ssl-client
tunnel-group Jabber type remote-access
tunnel-group Jabber general-attributes
address-pool AnyConnectPool
default-group-policy GroupPolicy_Jabber
nat-assigned-to-public-ip outside
tunnel-group Jabber webvpn-attributes
group-alias Jabber enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
inspect h323 h225
inspect h323 ras
class class-default
user-statistics accounting
inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1e26cc3bb55d9e9a64ddc57758b64691
: end
asa5510PLUS#
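Two address-coverage checks can be run against the configuration above: whether the pool handed to AnyConnect clients lies inside the object used by the identity NAT rule, and whether each internal network object appears in the split-tunnel list that GroupPolicy_Jabber uses with `tunnelspecified`. The following Python check is an added example, not part of the original post; it embeds lines copied from the configuration above, and the function names are hypothetical.

```python
import ipaddress as ip

# Lines copied from the configuration in the post above (indentation added).
CONFIG = """\
ip local pool AnyConnectPool 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network lan-subnet
 subnet 192.168.115.0 255.255.255.0
object network AnyconnectRange
 range 10.10.10.1 10.10.10.50
object network 241VLAN
 subnet 192.168.241.0 255.255.255.0
object network Voice-vlan
 subnet 172.18.115.0 255.255.255.0
access-list split-tunneling-Jabber standard permit 192.168.115.0 255.255.255.0
access-list split-tunneling-Jabber standard permit 192.168.241.0 255.255.255.0
nat (inside,outside) source static AnyconnectRange AnyconnectRange
"""

def span(first, last):
    """Inclusive address range as a pair of integers."""
    return int(ip.ip_address(first)), int(ip.ip_address(last))

def net_span(addr, mask):
    """Span covered by a network written as address plus dotted netmask."""
    net = ip.ip_network(f"{addr}/{mask}")
    return int(net.network_address), int(net.broadcast_address)

def parse(text):
    """Return ({pool or object name: span}, {standard ACL name: [spans]})."""
    ranges, acls, current = {}, {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:3] == ["ip", "local", "pool"]:
            ranges[w[3]] = span(*w[4].split("-"))
        elif w[:2] == ["object", "network"]:
            current = w[2]
        elif w[0] == "range" and current:
            ranges[current] = span(w[1], w[2])
        elif w[0] == "subnet" and current:
            ranges[current] = net_span(w[1], w[2])
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            acls.setdefault(w[1], []).append(net_span(w[4], w[5]))
    return ranges, acls

def uncovered_pool_addresses(ranges, pool, nat_object):
    """Count pool addresses that the NAT rule's object does not include."""
    (p_lo, p_hi), (o_lo, o_hi) = ranges[pool], ranges[nat_object]
    overlap = max(0, min(p_hi, o_hi) - max(p_lo, o_lo) + 1)
    return (p_hi - p_lo + 1) - overlap

def outside_split_tunnel(ranges, acls, acl, objects):
    """Objects whose range is not fully inside any entry of the ACL."""
    return [o for o in objects if not any(
        lo <= ranges[o][0] and ranges[o][1] <= hi for lo, hi in acls[acl])]
```

On the embedded lines, the NAT object leaves part of AnyConnectPool uncovered and Voice-vlan is absent from split-tunneling-Jabber; both are worth ruling out when media flows in only one direction.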