Voice Vlan Question

galaga
Level 1

Could someone tell me where I am going wrong?

I keep getting this error from the router trying to communicate with call manager via IP phone

013849: *May  4 14:53:56.302 EST-5: ICMP: dst (192.168.225.223) administratively prohibited unreachable sent to 10.1.105.8

013850: *May  4 14:54:16.090 EST-5: ICMP: redirect sent to 10.1.105.8 for dest 192.168.225.224, use gw 10.1.105.3

I have an ACL error, not seeing where it is.

Thanks for any help

Router config:

dot11 syslog
ip source-route
!
ip dhcp excluded-address 172.24.105.1 192.168.105.10
ip dhcp excluded-address 10.1.105.1 10.1.105.5
!
ip dhcp pool data
   network 172.24.105.0 255.255.255.0
   option 150 ip 172.24.225.224 172.24.225.223
   dns-server 172.24.225.31
   default-router 172.24.105.2
!
ip dhcp pool voice
   network 10.1.105.0 255.255.255.0
   dns-server 172.24.225.31
   option 150 ip 172.24.225.224 172.24.225.223
   default-router 10.1.105.2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name
ip name-server 172.24.225.30
ip name-server 172.24.225.31
no ipv6 cef
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key vpntest123 address 12.164.100.105
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 1 ipsec-isakmp
set peer 207.264.100.105
set transform-set esp-3des-sha
match address ipsec-rule
!
!
!
!
archive
log config
  hidekeys
!
!
ip ssh version 1
!
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
!
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
    priority percent 70
class AutoQoS-VoIP-Control-Trust
    bandwidth percent 5
class class-default
    fair-queue
!
!
!
!
interface FastEthernet0
ip address 207.264.100.252 255.255.255.0
ip broadcast-address 0.0.0.0
ip access-group abc-in in
ip access-group abc-out out
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
crypto map ipsec-tunnel
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
description uplink to switch
switchport trunk native vlan 105
switchport mode trunk
auto qos voip trust
service-policy output AutoQoS-Policy-Trust
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.1.105.2 255.255.255.0
!
interface Vlan105
ip address 172.24.105.2 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
001159: *Apr 26 20:15:35.052 EST-5: RT: NET-RED
ip route 0.0.0.0 0.0.0.0 207.264.100.1
no ip http server
ip http secure-server
!
!
ip nat inside source list nat-out interface FastEthernet0 overload
!
ip access-list extended abc-in
permit udp host 12.164.100.105 eq isakmp host 12.164.100.252 eq isakmp
permit esp host 12.164.100.105 host 12.164.100.252
deny   ip any any
ip access-list extended abc-out
permit udp host 12.164.100.252 eq isakmp host 12.164.100.105 eq isakmp
permit esp host 12.164.100.252 host 12.164.100.105
deny   ip any any
ip access-list extended ipsec-rule
permit ip 172.24.105.0 0.0.0.255 any
deny   ip any any
ip access-list extended nat-out
deny   ip 172.24.105.0 0.0.0.255 any
deny   ip 10.1.105.0 0.0.0.255 any
permit ip any any

switch config:

Switch#sh run
Building configuration...

Current configuration : 3498 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
system mtu routing 1500
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 105
switchport trunk allowed vlan 10
switchport mode access
switchport voice vlan 10
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
auto qos trust
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description uplink to router
switchport trunk native vlan 105
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
auto qos trust
!
interface Vlan1
no ip address
!
interface Vlan105
ip address 172.24.105.10 255.255.255.0
!
ip default-gateway 172.24.105.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
line vty 5 15
!
end


Thanks for all of the advice. I am now able to get the phones to register with call manager, but there is no audio. I cannot hear anyone on the phone. I do hear a dial tone.

As always, thanks for any suggestions.

Hello

I believe my problem is I can not ping 10.1.105.10 from 192.168.229.0

Hello Jeff,

Now the phones can register with call manager and this is an improvement.

It would be kind if you could share a description of the changes you have done to achieve this.

I guess you have other IP phones somewhere for example on the HQ. I also think of subnet 192.168.229.0 as an IP subnet of IP phones.

However, this IP subnet is not listed in the ASA configuration you have posted.

Where is the IP subnet 192.168.229.0? On HQ or in another remote site?

>> I believe my problem is I can not ping 10.1.105.10 from 192.168.229.0

RTP audio streams are between IP phones directly; call manager is used for call setup only. The dial tone is controlled by call manager, which can talk with all phones, and is produced locally by the phone itself as a reaction to the off-hook state.

If the IP phones are in the central site you need to permit communication between 10.1.105.0/24 and all IP phone subnets in your network including 192.168.229.0

Up to now you have communication with call manager only.

Repeat all the steps you did between 10.1.105.0 and 192.168.229.0 on C1811 and on ASA

= add statements to all involved ACLs for traffic from 10.1.105.0 to 192.168.229.0 on C1811, from 192.168.229.0 to 10.1.105.0 on ASA

Hope to help

Giuseppe

Yes, IP phones on 10.1.105.0 are not communicating with 192.168.229.0

Ideally I would like 10.1.105.0 to communicate with 192.168.0.0


Hello Jeff,

I hope you have had a chance to implement changes.

Repeat all the steps you did between 10.1.105.0 and 172.24.255.0 now between 10.1.105.0 and 192.168.229.0 on C1811 and on ASA

= add statements to all involved ACLs for traffic from 10.1.105.0 to 192.168.229.0 on C1811, from 192.168.229.0 to 10.1.105.0 on ASA

Hope to help

Giuseppe
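
The ACL additions described in the replies above can be checked offline. This is an added example, not part of the original thread or the posters' configuration: it runs the posted `ipsec-rule` and `abc-out` lists through a first-match evaluator with IOS wildcard masks. Assumptions: a simplified model in which traffic not selected by the crypto ACL leaves FastEthernet0 in clear text and is filtered by `abc-out`, port qualifiers are ignored, and the `VOICE` entries and the address 192.168.229.10 are hypothetical.

```python
from ipaddress import IPv4Address

# Copied from the router config posted in the thread.
IPSEC_RULE = """permit ip 172.24.105.0 0.0.0.255 any
deny   ip any any"""
ABC_OUT = """permit udp host 12.164.100.252 eq isakmp host 12.164.100.105 eq isakmp
permit esp host 12.164.100.252 host 12.164.100.105
deny   ip any any"""
# Hypothetical crypto ACL entries for the voice VLAN (assumption, not from the thread).
VOICE = """permit ip 10.1.105.0 0.0.0.255 192.168.225.0 0.0.0.255
permit ip 10.1.105.0 0.0.0.255 192.168.229.0 0.0.0.255
"""

def parse_acl(text):
    """Return [(action, proto, (src_base, src_wildcard), (dst_base, dst_wildcard))]."""
    acl = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        nets = []
        while rest:
            if rest[0] == "eq":        # port qualifier: skipped in this model
                rest = rest[2:]
            elif rest[0] == "any":
                nets, rest = nets + [(0, 0xFFFFFFFF)], rest[1:]
            elif rest[0] == "host":
                nets, rest = nets + [(int(IPv4Address(rest[1])), 0)], rest[2:]
            else:                      # <address> <wildcard mask>
                nets, rest = nets + [(int(IPv4Address(rest[0])), int(IPv4Address(rest[1])))], rest[2:]
        acl.append((action, proto, nets[0], nets[1]))
    return acl

def hit(addr, net):
    base, wild = net                   # wildcard bits set to 1 are "don't care"
    return (int(IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0

def first_match(acl, proto, src, dst):
    for action, p, s, d in acl:
        if p in ("ip", proto) and hit(src, s) and hit(dst, d):
            return action
    return "deny"                      # implicit deny at the end of every ACL

def fate(proto, src, dst, crypto_acl, out_acl):
    """'tunnel' if the crypto ACL selects the flow, else clear text through out_acl."""
    if first_match(crypto_acl, proto, src, dst) == "permit":
        return "tunnel"
    return "clear-" + first_match(out_acl, proto, src, dst)

for dst in ("192.168.225.223", "192.168.229.10"):  # CUCM from the ICMP log; remote phone (constructed)
    for acl in (IPSEC_RULE, VOICE + IPSEC_RULE):    # posted crypto ACL, then with the voice entries
        print(dst, fate("udp", "10.1.105.8", dst, parse_acl(acl), parse_acl(ABC_OUT)))
```

With the posted lists the phone at 10.1.105.8 is never selected for the tunnel and falls to the final `deny` in `abc-out`; with the voice entries placed ahead of `deny ip any any` both destinations are selected. The far-end device needs the mirror-image entries, as the reply says for the ASA.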
