Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4492
Views
0
Helpful
11
Replies

VoIP over VPN site-to-site

tinhnho123
Level 2
Level 2

‎07-18-2013 07:57 AM

Hello Everyone,

I currently have a VPN site to site from my branch office to my main office. The main office is using Cisco ASA 5520 and brand office is using Cisco C800 series router. The VPN tunnel is working fine, I can ping the client(s) when I'm at either side of the VPN. At main office, I have a NEC Voip system, below is how I assign a port on my switch for my NEC Voip phone at main office:

Int g0/1

  switchport access vlan 10

  switchport voice vlan 50

  spanning-tree portfast

My phone would pick up the extension right away and I can make a call in/out just in few seconds.

Here is how it looks for the current VPN site to site:

vLAN 1 -> Router -> Internet <- ASA <- vLAN10 and vLAN 50

vLAN1: 192.168.200.0/24 (DHCP)

vLAN10: 192.168.10.0/24 (DHCP)

vLAN50: 192.168.50.0/24

I brought my NEC Voip phone which is already setup and working at main office to my branch office. At branch office, I setup a port on the router:

int fa0/1

    switchport access vlan 1

    switchport voice vlan 50

     spanning-tree portfast

I plug my NEC Voip phone into that port and it keeps saying 'DHCP connecting....(VLAN)' for few minutes then says 'DHCP server not found'. On the router, vLAN 1 has DHCP scope. I'm trying to figure out why my VoIP phone can't connect to VoIP server thru the VPN but none of what I've seen which can help me to solve this issue. Any ideas would be appriciated. Thanks.

Labels:
0 Helpful
11 Replies 11

mvsheik123
Level 7
Level 7

‎07-18-2013 09:44 AM

Hi,

You may need to enable dhcp relay on ASA and some minor config may rquire on router end. Check the below doc. The example does not have router on the other end, but will give you some idea.

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel

hth

MS

0 Helpful

tinhnho123
Level 2
Level 2
In response to mvsheik123

‎07-20-2013 05:57 PM

Hi,

I'm able to get dhcp relay for my branch office, my main office is handing out dhcp to my branch office PCs now but I still can't get my voip phone working. At my branch  I can ping the VoIp vlan gateway and servers just fine. Am I missing any things? Thanks.

0 Helpful

mvsheik123
Level 7
Level 7
In response to tinhnho123

‎07-21-2013 02:21 AM

What is the error you are getting?  or phone regestered but no calls?

Thx

MS

0 Helpful

tinhnho123
Level 2
Level 2
In response to mvsheik123

‎07-22-2013 10:15 AM

Hi,

On the Voip phone's screen, I'm still getting 'DHCP connecting....(VLAN)' for few minutes then later says 'DHCP server not found'

0 Helpful

Ilya Shilov
Level 1
Level 1
In response to tinhnho123

‎07-22-2013 11:14 AM

Hi,

Show us 'sh int fa0/1 switchport' on branch site switch.

And 'sh runn int vlan 50' on branch site router.

0 Helpful

tinhnho123
Level 2
Level 2
In response to Ilya Shilov

‎07-22-2013 11:59 AM

mybranch#sh int fa01 switchport

Name: Fa1

Switchport: Enabled

Administrative Mode: dynamic access

Operational Mode: dynamic access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Disabled

Access Mode VLAN: 10 (VLAN0010)

Trunking Native Mode VLAN: 1 (default)

Trunking VLANs Enabled: ALL

Trunking VLANs Active: 10,50

Protected: false

Priority for untagged frames: 0

Override vlan tag priority: FALSE

Voice VLAN: 50

Appliance trust: none

mybranch#

----------------------

mybranch#sh run int vlan 50

                     ^

% Invalid input detected at '^' marker.

mybranch#

---------------------

mybranch#sh run int fa01

Building configuration...

Current configuration : 190 bytes

!

interface FastEthernet1

switchport access vlan 10

switchport voice vlan 50

no ip address

auto qos voip trust

spanning-tree portfast

service-policy output AutoQoS-Policy-Trust

end

-----------------------

mybranch#sh run int vlan 10

Building configuration...

Current configuration : 162 bytes

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip helper-address 192.168.200.200

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

end

Note: The ip address is 192.168.200.200 is the DHCP server at my main office. I posted some extras just in case.

Thanks.

0 Helpful

Ilya Shilov
Level 1
Level 1
In response to tinhnho123

‎07-22-2013 01:48 PM

Try to configure 'int vlan 50' with the same 'ip helper-address'.

If your NEC supports CDP, then it starts in VLAN50... but thereis no L3-interface for this VLAN on router.

0 Helpful

tinhnho123
Level 2
Level 2
In response to Ilya Shilov

‎07-22-2013 02:14 PM

Hi,

You mean on the main office site router?

0 Helpful

Ilya Shilov
Level 1
Level 1
In response to tinhnho123

‎07-22-2013 10:36 PM

You have this lines on mybranch config:

interface FastEthernet1

switchport voice vlan 50

so you must have L3-interface on branch site.

0 Helpful

tinhnho123
Level 2
Level 2
In response to Ilya Shilov

‎07-23-2013 10:15 AM

Hi,

I did a quick research for Layer 3 interface but not sure how to set it on my case for router at branch site. If you can shed some lights, I'd really appriciate it. Thanks.

0 Helpful

tinhnho123
Level 2
Level 2
In response to tinhnho123

‎07-25-2013 03:41 PM

Any ideas anyone? Thanks.

0 Helpful
Customers Also Viewed These Support Documents