Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

connectivity Issue between ASA 5520 firewall and Cisco Call Manager

Recently i have installed ASA 5520 firewall, Below is the detail for my network

ASA 5520 inside ip: 10.12.10.2/24

Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice

Cisco Call Manager 3825 IP: 10.12.110.2/24

The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.

the Default Gateway for Data user is 10.12.10.2/24 and

for the voice users is 10.12.110.2/24

 

now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

 

  • LAN Switching and Routing
5 REPLIES
Hall of Fame Super Blue

Do you need to firewall

Do you need to firewall between the data and voice vlans ?

The simplest thing would be to make the default gateway for the data vlan the L3 switch SVI and not the ASA. Then you use a separate IP subnet to connect the L3 switch to the ASA and route between them.

If you do need to firewall between the data and voice vlans then obviously traffic needs to go in and come back out of the ASA inside interface so you would need to set that up correctly.

So if you want to firewall between the vlans can you post your ASA config ?

Jon

New Member

Actually i don't wana to

Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.

 

ASA Version 8.2(1)

name x.x.x.x Mobily

interface GigabitEthernet0/0
 nameif inside
 security-level 99
 ip address 10.12.10.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp eq ftp
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq ssh
 service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
<--- More --->              ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
 dns-server value 86.51.34.17 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN-Users
 default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end

Hall of Fame Super Blue

Actually i don't wana to

Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem

Actually the simple solution is to route both vlans off the L3 switch as that is what L3 switches are for. So traffic only goes to the ASA for internet and VPN access.

It would however mean readdressing the L3 switch to ASA inside interface and adding some routes to the ASA for the internal vlans.

So if you want to do it via the ASA then i'll have a look at the config but firstly you need to add this to your ASA -

same-secuirty-traffic permit intra-interface 

you may also need NAT statments but can you add the above and retry.

Jon

Hall of Fame Super Blue

The other issue you have with

The other issue you have with your current setup is traffic flow ie.

a data client sends it's traffic to the ASA to get to the call manager. The default gateway of the call manager is the L3 switch. When the return traffic gets to the L3 switch it then goes direct to the client because you have a L3 SVI for the data vlan on the L3 switch.

So traffic does not go back via the ASA which may create issues with state on the firewall although it may still work.

The way to solve this would be to remove the L3 SVI for the data vlan off the L3 switch but then you would need to add a route to the L3 switch for the data vlan via the ASA.

So either way you need to add a bit of configuration.

Jon

New Member

Sorry for delay, see i change

Sorry for delay, see i change my gateway from asa to l3 switch but still i am not able to ping the call manger 10.12.110.2.

Please give me advise if i configure a sub interface on ASA firewall the problem will be soled or not. please suggest

48
Views
0
Helpful
5
Replies