Cisco Support Community
Community Member

One Way Voice

Help. The problem is that when I VPN onto the PIX from home using ADSL and Cisco VPN Client 4.0.1, I get no voice at all; call setup is OK. I am using the "IP BLUE Softphone", which uses the Skinny protocol.

When I take out the loopback address on the gateway, I get one-way voice.

Look forward to your replies.

Here are my configs:

1. Pix Config

2. Gwy 2600 Config

3. Switch 3500 Config ( data network 192.168.1.0 voice 10.1.200.0 )

Pix config :

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd xxxxxxencrypted

hostname xxxxx

domain-name xxxxxxx

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

no fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside_outbound_nat0_acl permit ip any 192.168.5.0 255.255.255.224

access-list inside_access_in remark PA Test

access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x x.x.x.x

ip address inside 192.168.1.253 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool xxxxx 192.168.5.1-192.168.5.20

pdm location 192.168.1.51 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.0 inside

pdm location 192.168.5.0 255.255.255.224 outside

pdm location 10.1.200.0 255.255.255.0 inside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.1.200.0 255.255.255.0 192.168.1.254 1

route inside 10.254.254.254 255.255.255.255 192.168.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.51 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup drdvpn address-pool xxxxxx

vpngroup drdvpn dns-server 192.168.1.4

vpngroup drdvpn wins-server 192.168.1.4 192.168.1.1

vpngroup drdvpn default-domain xxxxxxx

vpngroup drdvpn idle-time 1800

vpngroup drdvpn password ********

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40

vpdn group PPTP-VPDN-GROUP client configuration address local xxxxxx

vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.4

vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.1

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username xxxx password *********

vpdn enable outside

dhcpd address 192.168.1.40-192.168.1.49 inside

dhcpd dns x.x.x.x x.x.x.x

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain xxxxxxxx

terminal width 80

Cryptochecksum:xxxxxx

: end

[OK]

Gateway config 2600:

Building configuration...

Current configuration : 2152 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xxxxx

enable secret

!

clock timezone gmt 0

clock summer-time bst recurring

voice-card 0

dspfarm

!

ip subnet-zero

!

!

no ip domain lookup

!

isdn switch-type primary-net5

!

voice call convert-discpi-to-prog

voice rtp send-recv

!

!

voice class h323 1

!

mta receive maximum-recipients 0

!

controller E1 0/0

pri-group timeslots 1-31

!

translation-rule 1

Rule 1 ^.% 9

!

interface Loopback0

ip address x.x.x.254 255.255.255.255

h323-gateway voip bind srcaddr 10.2.200.254

!

interface FastEthernet0/0

no ip address

duplex auto

speed 100

!

interface FastEthernet0/0.1

description connection to data vlan

encapsulation dot1Q 1 native

ip address 192.168.1.254 255.255.255.0

!

interface FastEthernet0/0.2

description connection to voice vlan

encapsulation dot1Q 200

ip address x.x.x.254 255.255.255.0

!

interface Serial0/0:15

no ip address

no logging event link-status

isdn switch-type primary-net5

isdn incoming-voice voice

no cdp enable

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.253

ip http server

!

call rsvp-sync

!

voice-port 0/0:15

cptone GB

!

voice-port 1/0/0

cptone GB

connection plar 1273

!

voice-port 1/0/1

cptone GB

!

!

mgcp profile default

!

dial-peer cor custom

!

dial-peer voice 10 voip

destination-pattern ....

progress_ind setup enable 3

translate-outgoing calling 1

voice-class h323 1

session target ipv4:10.1.200.200

dtmf-relay h245-alphanumeric

codec g711alaw

no vad

!

dial-peer voice 1 pots

destination-pattern 9

progress_ind alert enable 8

progress_ind progress enable 8

progress_ind connect enable 8

direct-inward-dial

port 1/0/0

forward-digits all

!

dial-peer voice 2 pots

destination-pattern 1300

port 1/0/1

!

!

call-manager-fallback

ip source-address x.x.x.254 port 2000

max-ephones 24

max-dn 48

!

line con 0

password xxxxx

line aux 0

line vty 0 4

password xxxxxx

login

!

!

end

Switch config (this has been shortened):

Data network = 192.168.1.0

Voice network = 10.1.200.0

Building configuration...

Current configuration : 4656 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname xxxxx

!

enable password xxxxx

!

clock timezone gmt 0

clock summer-time bst recurring

ip subnet-zero

no ip domain-lookup

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

interface FastEthernet0/1

description voice

switchport trunk encapsulation dot1q

switchport mode trunk

switchport voice vlan 200

no ip address

spanning-tree portfast

!

interface FastEthernet0/2

description voice

switchport trunk encapsulation dot1q

switchport mode trunk

switchport voice vlan 200

no ip address

spanning-tree portfast

!

(switch show run has been shortened!)

!

!

interface FastEthernet0/22

description Pix connection

no ip address

spanning-tree portfast

!

interface FastEthernet0/23

description Connection to CM-PUB-01 (callamanger)

switchport access vlan 200

no ip address

spanning-tree portfast

!

interface FastEthernet0/24

description connection to 2600 gateway

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

spanning-tree portfast

!

interface GigabitEthernet0/2

no ip address

!

interface Vlan1

ip address 192.168.1.252 255.255.255.0

!

ip default-gateway 192.168.1.254

ip classless

ip http server

!

!

!

line con 0

password xxxxx

login

line vty 0 4

password xxxxxx

login

line vty 5 15

login

!

end

If anyone can help, it would be most appreciated.

Look forward to your replies.

4 REPLIES
Community Member

Re: One Way Voice

You need to bypass NAT to the VPN client address. I use this topology in my company and all works fine.

Normally this problem is solved with the h323 bind; moreover, this command is for H.323 and you are using Skinny.

See this paper; it is very useful.

VoIP Traversal of NAT and Firewall

http://www.cisco.com/en/US/partner/tech/tk652/tk701/technologies_tech_note09186a00800f2853.shtml

Best Regards

Joao Medeiros

Community Member

Re: One Way Voice

What I have seen using a softphone over a software-based VPN device is that the softphone advertises the wrong address during call setup. For instance, if my home PC had a 10.10.10.10 behind my home router and the VPN client assigned me an address of 172.168.10.10, it is possible that the softphone client would, during call setup, tell the far end to send the RTP stream to 10.10.10.10, to which the far end cannot route and would cause one-way audio. In the Cisco softphone, the network settings can be configured to specify which address to bind. I don't know if the IP Blue product has something similar.
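
The reachability problem described in the reply above can be checked against the PIX routing posted in this thread. The following is an added example, not part of any post: it parses the `ip address`, `route` and `ip local pool` lines from the posted PIX config and reports where the PIX would forward RTP sent to each candidate media address. The function names and the sample pool address 192.168.5.3 are assumptions made for illustration.

```python
import ipaddress

# Lines copied from the PIX config posted in this thread. The default
# route's next hop is redacted on the page and is not parsed here.
PIX_CONFIG = """\
ip address inside 192.168.1.253 255.255.255.0
ip local pool xxxxx 192.168.5.1-192.168.5.20
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.1.200.0 255.255.255.0 192.168.1.254 1
route inside 10.254.254.254 255.255.255.255 192.168.1.254 1
"""


def parse_pix(config):
    """Return (routes, pool) from 'ip address', 'route' and 'ip local pool' lines."""
    routes, pool = [], None
    for line in config.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"]:      # connected network of an interface
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            routes.append((net, f[2]))
        elif f[:1] == ["route"]:            # route <if> <net> <mask> <gw> <metric>
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[1]))
        elif f[:3] == ["ip", "local", "pool"]:
            first, last = f[4].split("-")
            pool = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return routes, pool


def media_path(addr, routes, pool):
    """Where the PIX sends RTP addressed to addr: 'tunnel' or an interface name."""
    ip = ipaddress.ip_address(addr)
    if pool and pool[0] <= ip <= pool[1]:
        return "tunnel"                     # address handed out to a VPN client
    matches = [(net.prefixlen, ifc) for net, ifc in routes if ip in net]
    return max(matches)[1] if matches else None   # longest-prefix match


ROUTES, POOL = parse_pix(PIX_CONFIG)

# Addresses an endpoint might advertise for RTP during call setup.
CANDIDATES = {
    "192.168.5.3": "softphone bound to its VPN-assigned address (constructed)",
    "10.10.10.10": "softphone bound to its home LAN address (the reply's example)",
    "10.1.200.200": "dial-peer session target in the posted gateway config",
    "10.2.200.254": "h323-gateway voip bind srcaddr in the posted gateway config",
}

if __name__ == "__main__":
    for addr, what in CANDIDATES.items():
        print(f"{addr:<14} -> {str(media_path(addr, ROUTES, POOL)):<8} {what}")
```

A private address that resolves to `outside` only matches the default route, so RTP sent to it never reaches the other party; that is the one-way (or no) audio condition the reply describes.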

Community Member

Re: One Way Voice

Are you using Windows XP? If so, make sure the firewall is disabled (happened to me). Also, make sure in CM you have the correct PC associated with the softphone. Hope this helps!

Community Member

Re: One Way Voice

We have been able to successfully troubleshoot one-way voice using no fixup skinny on the firewall.
