Cisco VPN :: 5505 VoIP Over VPN Traffic
Sep 26, 2012
I am tasked to connect my VoIP phones from remote site to my corp site. Basically all remote phones will be registering into a VoIP server in corp site. I have a site to site vpn tunnel established already from remote site to corp site. My hardware includes the following:
-Cisco ASA 5505
-Cisco small business POE switch SF300 24p
-Avaya 2015p VoIP phones
Successfully Register remote VoIP phones to corporate VoIP server 10.30.18.55.I have already configured vlan1 10.30.15.0/24(inside lan) and vlan2 public int(outside Internet) which my dmz only allows 2 per my basic asa licensing.When I connect my phones and register it states "subnet conflict" unable to register.
View 1 Replies
ADVERTISEMENT
Jun 26, 2012
I have a little weird request at work. One of our offices would like to split the VOIP traffic. At that office we have a 10MB primary and 3MB backup circuit. Currently the phones are routing over the 10MB circuit. The General Manager would like to use the 3MB backup circuit for VOIP traffic. For the 3MB we have two T1 lines bundled together in a multilink. Configuration is bellow if needed
3MB Circuit
View 19 Replies
View Related
May 30, 2011
I am facing a problem with transmitting of VoIP traffic through VPN.
I have a 1921 router in my end where two ISP's terminate and load balancing is done over the ISP'S. I also have a site-to-site IPSEC VPN connection to remote location. Also I am having to analog phones connected to the network through an ATA. My Call manager is in the peer end and has public IP assigned to it. The IP phones get registered when coonected to general inernet connection.
The loadbalancing and VPN is working fine. Now I need to transmit the VoIP traffic over the VPN. I have configured the same but seems not working. [code]
View 5 Replies
View Related
Apr 20, 2011
We are using an ASA 5510 as our gateway to our ISP. All of our VOIP traffic is sent to an Internet SIP provider for our outbound calls. Our pipe to the Internet is 100Mbps metro ethernet. I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VOIP traffic.From what I've been able to figure out so far I would use a combination of priority queues and traffic policing. However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to because it is the ISP device. I could police traffic on the inside interface of the ASA. However, lets say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection. I could police this incoming (from the Internet) traffic on my outside interface of the firewall. This would drop the packets but the bandwidth would have already been used by the time it reaches my firewall.Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped? Would this achieve my goal of guaranteeing available bandwidth for my VOIP traffic by not allowing other traffic to saturate the link?Most documents I find regarding this topic describe providing QoS for VOIP traffic traversing a VPN connection in which case you could configure both end devices.
View 1 Replies
View Related
Jan 2, 2012
I have a SF300 24 P and Iam trying to configure a voice vlan this is what I have done so far and it doesnt work.
1. create vlan 30 for voice traffic and enable it
2. Telephony OUI add my mac address for allworx phones
3. Port to VLAN add 30 has tagged, port to vlan 1 untagged
4. Vlan to port I try to add 30 and get this error (Port e15 is candidate in voice Vlan 30 and cant be configured as static member in the vlan.
5. Under Discovery LLDP, LLDP MED port Setting Enable MED status, then all other options to yes
In my LLDP neighbor information all my phones are there and says under port ID 0 ( my phones support LLDP and CDP)
View 1 Replies
View Related
Dec 28, 2011
I have a new VOIP implementation using 2960 switches. I want to prioritize voice traffic. After creating VLAN 2 I did the following:
Per Cisco, I did the following on my up-link ports:
switch port trunk allowed vlan 1,2
switch port mode trunk
switch port nonegotiate
priority-queue out
mls qos trust cos
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
priority-queue out
mls qos trust cos
spanning-tree port fast trunk
spanning-tree bpduguard enable
On my ports where a VOIP phone was plugged in, I did the following:
switch port trunk allowed v lan 1,2switchport mode trunk switch port no negotiate priority-queue outmls qos trust cos spanning-tree port fast trunk spanning-tree bpduguard enable
How can I verify that my voice traffic is being prioritized?
View 5 Replies
View Related
Mar 4, 2012
regarding QOS on Nexus 7000. Our Nexus 7000's form a collapsed distribution/core layer, our access layer switches are are a mixture of Cisco 3750 & Cisco 4507. 3750 switches will connect to Nexus switches via 1Gb uplink, 4507 switches will connect via 10Gb uplinks. Each Nexus will be connected via 20Gb port channel, all servers connect to the Nexus switches via 1Gb links. We're implementing a new telephone system soon which will be using VOIP so I need to configure the switches to perform QOS. The IP phones will mark the RTP traffic with DSCP value EF and call signaling traffic CS3. I'm fine configuring qos on the access layer switches, its just the Nexus switches which I'm not sure about.
Do I actually need to configure any QOS parameters on the Nexus switches so they will prioritise the VOIP traffic. If my understanding the Nexus switches will trust the DSCP values and assign the traffic to the relevent queues?
Just for information VOIP is the only traffic I will be marking QOS values
View 3 Replies
View Related
Mar 12, 2013
I have a customer who has a Zyxel USG50 security firewall on their network. They utilize a cloud hosted voip solution called Vocalocity that provides SIP voip service to their Cisco phones. They have about 8 phones in a small office.the problem they are having is that as it stands now, all VOIP phones in the office are dynamically assigned addresses internally. However, the VOIP phones are having a ton of issues that we believe may be related to the firewall blocking traffic somehow or not playing nicely with the service.
- Some calls are dropped altogether
- Some calls do not ring all phones
- Some phones keep ringing even after a call is picked up
While Vocalocity has admitted that they have the "ghost ringing" issue going on with other customers, the dropped calls and not all phones ringing could be firewall related. We are trying to pinpoint what may be going on.i did open up all of the ports that the VOIP provider claims are used by their service, 5060-5090. However, some 5060 packets still seem like they are being blocked in the firewall logs.How does everyone else out there setup their VOIP phones internally to have unfettered access to the internet? Do you recommend just using the DMZ functionality (which I can do on this USG device) or bypassing the firewall altogether somehow? We have some spare switches and another home level Netgear router we can use for testing.
View 8 Replies
View Related
May 5, 2013
I'm working on setting up a PBX server in our office, and I'm having trouble getting a port opened for SIP on my ASA 5505.I created static NAT rule for SIP traffic from internal server to the outside IP address.I created access rules on outside interface to forward port 5060 to internal PBX server (192.168.1.8)I also disabled sip packet inspection on the ASA.I'm still receiving a message from the PBX that the firewall is configured incorrectly.
[code]....
View 5 Replies
View Related
Sep 16, 2012
[URL] I am not savy configuring ASAs at all and I can't get it to work. We are switching to a SIP trunk phone system and I am in charge of setting up the ASA to not only make it work but also make sure that there's packet priority or QoS.I've never configured something like this and I was giving another set of instructions to make sure that this is working:
[URL]
Configuration:
My configuration is very basic:
3 interfaces - Outside/Inside/Guest
ASA Version: 7.2(3)
ASDM Version 5.2(3)
Firewall Mode: Routed
Solution: When I tried following the instructions on brian-kayser's blog I get an error when I'm sending the following command:
shape average
^ Invalid marker
service-policy PRIORITY-POLICY
^ Incomplete command
I think it's because my version of ASA doesn't have this functionality but I don't know.
View 5 Replies
View Related
Jun 6, 2013
I have still been assigned the task of building a site to site vpn tunnel to our remote site (this will be with two ASA 5505's) which I think I can do. My question is how can I distribute our voip vlan to assign IP's to the phones on the remote switch if the router won't pass this info? Or at least get our phones to register from the remote site through our tunnel?
Our current voip is a hosted vendor, but we have it pushing to vlan200. Any phone connected to this vlan will get an auto assigned ip and the phone will sync. If i setup dhcp on the remote firewall then i will see duplicate ip's being assigned to the phones.
View 9 Replies
View Related
Apr 18, 2012
For some reason my ASA is preventing my traffic from going out. I've added some crumby access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.
!
interface Vlan1
nameif inside
security-level 100
[Code].....
View 2 Replies
View Related
Dec 5, 2012
I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work. Error message from the Syslog deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in".I try a couple of ways to fix it but no luck.A partial config of my ASA 5505. [code]
View 4 Replies
View Related
Sep 7, 2011
I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor will the internal server (or the ASA for that matter) can't talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users).
[Code] .....
View 9 Replies
View Related
Apr 9, 2013
I have a client with an ASA 5505 who has several networks he's trying to get communicating over a VPN tunnel with a remote office. One of the networks is not working because it's also in use on the management interface of the other side of the tunnel and neither side seems willing to re-IP their internal space.
Their proposed solution is to NAT the conflicting network on the firewall on this side to a different subnet before passing it across the tunnel. How do I implement a NAT that only the VPN tunnel uses while keeping the rest of the traffic that comes across this device un-NATted?The network in question is 192.168.0.0/24. Their desired NAT target is 172.16.0.0/24. ASA config is attached.
View 11 Replies
View Related
Jul 24, 2011
We have a BT Infinity broadband circuit which terminates at a vdsl modem, I've plugged an ASA 5505 into the back of this modem and gone through the ADSM quick setup wizard (yes I'm that much of a beginner!) The config that's been generated is pasted below, the symptomns I'm seeing are;
The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no repsonses.
The ASA can ping it's external IP, the client machines can ping it's internal, however nothing appears to be able to get out.
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
[Code].....
View 15 Replies
View Related
Jun 27, 2011
I have ASA 5505 that has two inside security level 100 interfaces and an outside interface.On the inside interface we have corporate domain subnet with DC and 30 hosts. On the inside2 interface I have few servers that runs specific application important for our business needs, and dumb terminals that are connected to them.I have a laptop user that periodically needs access from our corporate vlan1 to one of the servers on inside 2 vlan via remote desktop or some other remote viewer client,so he can view reports etc.I have enabled same-security-traffic intra-interface command and added nat exempt command pointing specific laptop host machine to that specific server.
Now my main concern is regarding security. This user carries his laptop home, browses the web, puts USB memory, and you can imagine how this machine is susceptible to all kind of malicious software. Inside2 vlan is very important and until now it has been a very secure environment.This is no longer the case since all traffic between this inside sec level 100 vlan host and corresponding inside2 sec level 100 server is now allowed because of the enabled same level interface traffic and nat exemption rule. Do I have another solution that would allow communication based on just a tcp port number for this host? Something like port forwarding from outside to inside Vlan interface?
View 10 Replies
View Related
Dec 5, 2010
I've a asa 5510 on the main site and different ASA 5505 on secundary sites for VPN tunneling between the sites. The problem is that the tunnels are acomplished but no traffic is going over them. What am i doing wrong? For the moment there is a ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
View 5 Replies
View Related
Apr 11, 2012
We have 110mbps internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at?As an aside, we used to have 50mbps wich worked fine, then the ISP upgraded to 60mbps and the through put dropped to 30mbps (It always seems to be half)
View 2 Replies
View Related
Jun 25, 2012
My understanding is for insight to outside we need global and NAT, and for outside to inside we need static and ACL? Traffic goes to high to low, I'm just start working with 5505 recently.
View 2 Replies
View Related
Feb 1, 2011
So I have an asa 5505 running ipsec and anyconnect and it has been working great for months. I have not made any changes to the config, but suddenly all of my anyconnect traffic is being dropped. The vpn uses the same subnet as the LAN. I tried putting a rule in to allow all traffic from the LAN subnet on the outside interface. Now I just get the WEBVPN-SVC Action-Drop in packet tracer.
View 1 Replies
View Related
Feb 4, 2013
Two 5505 ASA's for a customer main site and a local office. I have the tunnel up. But I'm unable to pass traffic across it.
Main Site:
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
View 7 Replies
View Related
May 26, 2012
I've configured an ASA5505 to be Lan to Lan VPN tunnel endpoint, peering with a linux box. The ASA is full licensed so that side isn't an issue.PROBLEM:When the tunnel is initialised from the linux box everything comes up okay except the ASA isn't encapsulation any packets. It is decrypted the packets received from the Linux box okay but no return traffic is being encrypted.When the tunnel is initialised from the ASA, nothing happens.After some troubleshooting I've found that the ACL defining interesting traffic nor the ACL defining NO_NAT aren't being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
[code]....
I've checked with the administrator of the linux box and the definition for interesting traffic is exactly the same (except in reverse as should be the case).The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no natting in between.The main parts of the config are attached, i've deleted things that should have a bearing on this however if you think it necessary i can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however they're not and I'm unsure why.At this time i'm not seeing anything at all when doing an debug cry ipsec or debug cry isa. The ACL's aren't being hit so i'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
View 4 Replies
View Related
Mar 19, 2011
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
"show isakmp sa" seems ok (says "State : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).
View 1 Replies
View Related
Oct 27, 2011
I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
View 8 Replies
View Related
Aug 15, 2011
I have a Cisco ASA 5505 that I have configured. The outside interface is vlan 2 and the inside interface is vlan 1. Port 0 of the ASA is configured to be in vlan 2 and is connected to the ISP provided subnet. Port 1 is connected to my private LAN subnet. I have an additional router connected to Port 2 for guest connectivity. Port 2 is configured to be a member of VLAN 2 so that it can access the ISP provided subnet. From the device connected to port 2 I can ping the vlan 2 interface address of the ASA and from the ASA I can ping the Default gateway of the ISP provided subnet. For some reason the router on port 2 cannot ping the default gateway of the ISP provided subnet. If the vlan were working the same as a vlan in a switch, I would expect to be able to do this. why it is not working or what I can do to get it working?
View 4 Replies
View Related
May 24, 2011
I'm trying to allow SSH traffic from the Internet to my DMZ. I gave my remote guy my ip and he can see the ASA 5505 but not get into the DMZ. The outside is 70.165.19.137. The DMZ server is 192.168.60.2. I have the inside talking to the DMZ fine. [code]
View 9 Replies
View Related
Jun 13, 2012
I am fairly new to configuring ASA's. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to eachother but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviosly this may not be the case.
View 14 Replies
View Related
Jun 4, 2013
We have 10MB dedicated Internet BW and want to run VC device and due to heavy traffic and BW high utilization at peak hours, VC performance is not sufficient. We would like to reserve 2MB for VC device. How much possible to fix up this configuration in ASA5505 version disk0:/asa724-k8.bin [URL]
View 5 Replies
View Related
Jul 31, 2012
I have a Cisco 5505 with a 12Mbps feed. I want to reserve 2Mbps for RTP traffic. I followed the QoS guide here: url... The goal would be that any traffic destined for port 5000 through 5100 UDP or TCP from any IP to any IP on any interface.should always have 2Mbps available to it.
View 5 Replies
View Related
Oct 19, 2011
Is there any difference with traffic shaping capability on the 5510 as opposed to the 5505? is there anything the 5510 can do that the 5505 cant? with regards to TShaping?
View 4 Replies
View Related
Mar 17, 2011
We have a VPN setup and here's the configuration on the Cisco ASA 5505: [code] The problem is that i'm able to ping the otherside of the tunnel i.e. 192.168.23.14 from the dmz IP 172.16.1.2 but i'm unable to ping from the hosts behind the ASA.Also the other side is able to ping 172.16.1.2 IP but no IP's behind the ASA.
View 9 Replies
View Related
Mar 15, 2012
I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]
View 7 Replies
View Related