UC540 VPN to SA520

sweaver
Level 1

I need to VPN the UC540 to an SA520. I got the data VPN working through CCA, but the remote phones will not come up because the voice traffic is not passing. Anyone that could give me a step by step on how to do this would be appreciated.

Thanks,

16 Replies

janickle
Level 1

Hi,

I’m sorry that you have been having a hard time with the configuration of your VPN. I think that the issue you are running into is the interesting traffic crossing the VPN, or lack thereof. You should be able to edit the VPN traffic rules via CCA under the new ACL editor. But first you will need to identify which ACL goes with what. First, let's address the NAT on the UC. You will need to put in some deny statements to stop the traffic destined for the SA520 from being affected by NAT. The NAT rules are usually associated with a route map called SDM_RMAP. It will look something like this in the config:

route-map SDM_RMAP_1 permit 1
 match ip address 106

So based on this statement we are going to look at ACL 106.  Right now yours probably looks like this:

access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any

In order to stop the NAT across the VPN we will need to edit this ACL to look like this:

access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 deny   ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any

We are basically just adding the Voice and CUE networks to the ACL.

Next, it's time to allow the Voice and CUE to cross the tunnel. To find this ACL, look for the crypto map created by CCA. This should look similar to this in the configuration:

crypto map multisite 1 ipsec-isakmp
 description SA520
 set peer 65.0.0.0
 set transform-set ESP-3DES-SHA
 match address 105
 qos pre-classify

Here the crypto map is pointing to ACL 105.  So in the configuration we find the ACL 105 which should look something like this:

access-list 105 remark CryptoACL for SA520
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255

Now we just need to edit this rule to allow the Voice and CUE networks to pass to the SA520:

access-list 105 remark CryptoACL for SA520
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255

That’s it for the UC.

Next we just need to repeat the process on the SA520 under the IPSec Section of the VPN configuration.  I have included a picture for this portion.

You can see that the policies are all very similar. The only real difference from the original statement that you already have is the local network of the UC. Notice that the Voice and CUE VLAN information is now allowed across the tunnel. Inside, the configuration just references your original IKE policy.

Finally, on the SA520 make sure that you are passing your TFTP information via DHCP. This should be the 10.1.10.2 address and can be configured under the LAN settings on the SA520.

That should do it. Reboot your phones and watch them register. If you have any further questions please let me know.

Thank you,

Jason Nickle
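A way to verify the two UC540 ACL edits above before rebooting phones, added here as an example that is not part of Jason's reply or of any Cisco tool: it pulls the NAT-exemption ACL and the crypto ACL out of a saved IOS config and, for each local network, checks that the first matching NAT entry is a deny and the first matching crypto entry is a permit. IOS evaluates an ACL top-down, so a deny appended below an existing permit changes nothing, which is the case this flags. The sample config (with the CUE /30 deliberately left out) and the network list are constructed; ACL numbers 106 and 105 and the subnets are the ones from the reply.

```python
import ipaddress

# Constructed sample, modelled on the reply's ACLs; the CUE /30 is deliberately left out of both.
SAMPLE_CONFIG = """\
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
"""
LOCAL_NETS = ["192.168.10.0/24", "10.1.1.0/24", "10.1.10.0/30"]  # data, voice, CUE
REMOTE_NET = "192.168.75.0/24"                                  # SA520 LAN

def _take_net(tokens, i):
    """Consume one ACL address term, 'any' or 'A.B.C.D WILDCARD' ('host' not handled)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))  # contiguous IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def parse_acl(config, number):
    """Return the numbered ACL's 'ip' entries as (action, src_net, dst_net), in order."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[:2] == ["access-list", str(number)] and t[3] == "ip":
            src, i = _take_net(t, 4)
            dst, _ = _take_net(t, i)
            entries.append((t[2], src, dst))
    return entries

def first_match(entries, src, dst):
    """IOS evaluates an ACL top-down: first matching action wins, implicit deny otherwise."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def check_tunnel_path(config, nat_acl, crypto_acl, local_nets, remote_net):
    """List local networks still NATed, or not selected for the tunnel, on the way to remote_net."""
    nat, crypto = parse_acl(config, nat_acl), parse_acl(config, crypto_acl)
    remote = ipaddress.ip_network(remote_net)
    problems = []
    for net in map(ipaddress.ip_network, local_nets):
        if first_match(nat, net, remote) != "deny":
            problems.append(f"{net}: not exempted from NAT in ACL {nat_acl}")
        if first_match(crypto, net, remote) != "permit":
            problems.append(f"{net}: not in crypto ACL {crypto_acl}")
    return problems
```

Run it against the output of `show running-config` saved to a file; an empty list means every local network bypasses NAT and is selected for the tunnel.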

Thanks, Jason and John, for your help. Jason, your last reply is what got us up and running!!!!