Cisco Support Community

ISA570W Site to site vpn with ISA550

Hi everyone,

I need some help and guidance to allow several IP phones through the site-to-site VPN so that they can register with the PBX at the main site. The site-to-site VPN is working from a Windows point of view, since I can access servers and data without issue. I can also ping the PBX server. However, when the phones try to establish and register with the PBX, it fails. I'm wondering if this is a NAT issue?

I'm hoping someone can help me here. I've looked at the config on both ISA devices and not having much luck at finding a solution. Hoping someone has managed to do this and figured it out.

For info. Site A is 10.0.2.0/24 and Site B is 10.0.3.0/24

Thanks all

8 REPLIES

Re: ISA570W Site to site vpn with ISA550

So I'm assuming the phones are in the same VLAN as the computers?
At the site with the PBX server, is the PBX server in the same VLAN as the computers at that end?
How are the phones going to connect to the PBX server, SIP?
Is all the IP Address information preconfigured on the phones or are they getting DHCP information from the ISA?


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Re: ISA570W Site to site vpn with ISA550

Hi Shawn,

Appreciate the response.

All phones in both locations are in the same VLAN as the computers in their respective sites. I know it isn't recommended but we will move the phones to their own VLAN once we can hook the phones up.

Phones and computers in Site B have 20 users, and receive DHCP from the Cisco 550.

Phones and computers in Site A have 40 users, and receive DHCP from a server. This site is behind a Cisco 570.

PBX is in Site A and in the same VLAN.

Phones use SIP, I believe (I have emailed the phone people installing them).

I configured the site-to-site VPN on the Ciscos following the help information on the units, and didn't run into any issues. Once the config was completed and I hit connect, the VPN was established. Ping and server access work, so I'm a little confused why the phones are unable to register to the PBX from Site B. Site A works fine, but that was expected.

Thanks again Shawn for replying. I'm at a loss as to what to change and don't want to start randomly changing settings.

Re: ISA570W Site to site vpn with ISA550

Paul,

Happy to try to assist.  I believe I know where the issue is.  Please take a look at the DHCP configuration on the server at Site A.  Most likely there are additional DHCP options configured beyond the standard IP, DNS, Gateway.  Note the additional DHCP Options that are configured and ensure those same optional configurations exist on the ISA 550 at Site B.  The only things that should be different between Site A and Site B as it relates to DHCP are the IP Addresses and Gateway.  Depending on how you manage DNS, they may also be different or the same.  The optional DHCP settings should be the same.

When the phones at Site A connect to DHCP, the DHCP server should be giving them those additional options which tell the phones the IP Address of the PBX and possibly other settings.  If those options are not also configured on the ISA 550 at Site B then the phones will get IP Addresses, but they won't know the IP Address of the PBX at Site A and therefore will not register with it.

Shawn Eftink
CCNA/CCDA


Re: ISA570W Site to site vpn with ISA550

Hi Shawn,

I will check DHCP and get back to you.

I did receive a reply back from the phone people. Apparently SIP phones work without issue!! The phones in question are proprietary Panasonic IP phones. I'm wondering if the firewall in Site B needs to be adjusted?!?!? Or does the firewall not play a part with site-to-site VPNs? Sorry, probably a stupid question.

thanks

Paul

Re: ISA570W Site to site vpn with ISA550

There is one setting that may also be causing you some issues.  I would recommend turning off SIP Support under Firewall -> Application Level Gateway.  There are some issues that can come from unsupported ALG for SIP devices.

Shawn Eftink
CCNA/CCDA


Re: ISA570W Site to site vpn with ISA550

Sorry, I meant to respond to your question on tweaking the VPN.  If you're allowing Any Any, as you previously stated, then the VPN shouldn't be causing you any issues.

Shawn Eftink
CCNA/CCDA


Re: ISA570W Site to site vpn with ISA550

Actually Shawn, I created 2 Address Management entries as per the help.

Example

Montreal 10.0.2.0/255.255.255.0 Type Network

London 10.0.3.0/255.255.255.0 Type Network.

So on the IPSec Policies for Site to Site VPN, Local Network has Montreal selected and Remote Network has London selected. On the other end of the site-to-site, it is reversed.

Re: ISA570W Site to site vpn with ISA550

Correct, which is how it should be.  I just realized that my statement regarding you previously mentioning allowing Any Any was incorrect.  I got confused with another thread I was working on where someone else had stated it was set up Any Any.  Ultimately, if you set up the VPN following the help information then all of your configuration is most likely correct.

As you did previously state, the VPN came up, the phones and PCs are on the same network at each location, the PCs work fine, the phones at Site A work fine and the phones at Site B do not.  The most likely issue is the DHCP settings.  Once you see what Options are configured on the DHCP Server at Site A, then you'll know what to put into the DHCP scope of the ISA 550 at Site B.  To be perfectly candid, it will most likely be Option 66 and/or Option 150 and will contain the IP Address of the PBX server.  Once you get the information, go to Networking -> VLAN and Edit the appropriate VLAN.  Then select the DHCP Pool Settings tab, scroll to the bottom, and enter the appropriate information using the 3 applicable options boxes listed.  Save the config, reboot the phones so they get updated DHCP info, and you'll probably be up and running.

Shawn Eftink
CCNA/CCDA
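
One way to carry out the comparison recommended in the reply above, as an added example that is not part of the original thread: parse the options field of a DHCP offer captured at each site and list what the main site hands out that the remote site does not. The byte strings, the PBX address 10.0.2.50 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed options fields (the bytes after the DHCP magic cookie).
# 10.0.2.50 is an assumed PBX address; the thread does not give the real one.
SITE_A = (bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 3, 4, 10, 0, 2, 1,
                 6, 4, 10, 0, 2, 10, 66, 9]) + b"10.0.2.50"
          + bytes([150, 4, 10, 0, 2, 50, 255]))
SITE_B = bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 3, 4, 10, 0, 3, 1,
                6, 4, 10, 0, 3, 1, 255])

def parse_options(blob: bytes) -> dict:
    """Walk the code/length/value triples of a DHCP options field."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option code carries a continuation of the same value.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def decode(code: int, value: bytes) -> str:
    """Render the two options named in the thread; hex for anything else."""
    if code == 66:                 # TFTP server name, sent as text
        return value.decode("ascii", "replace")
    if code == 150 and value and len(value) % 4 == 0:   # list of IPv4 addresses
        return ",".join(str(ipaddress.IPv4Address(value[j:j + 4]))
                        for j in range(0, len(value), 4))
    return value.hex()

def missing_at_remote(main_site: bytes, remote_site: bytes) -> dict:
    """Options offered at the main site that the remote offer lacks entirely."""
    main, remote = parse_options(main_site), parse_options(remote_site)
    return {c: decode(c, v) for c, v in main.items() if c not in remote}

if __name__ == "__main__":
    for code, text in missing_at_remote(SITE_A, SITE_B).items():
        print(f"option {code} missing at remote site, main site sends: {text}")
```

Options present at both sites with different values (mask, gateway, DNS) are deliberately not reported, since those are expected to differ per site.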
