Cisco VPN :: 5540 - VoIP Over VPN
May 21, 2013
I have a Cisco ASA 5540 running 8.2(5). When I dial a phone on the other of the the VPN the first time I get a blank after it rings(i.e when the voice mail get activated if someone picks the phone up), however works the second and consequent times i dial.
A little background. Two sites A and B connected via IPsec Tunnel. No problems in communication except for the VoIP issue. A Phone in on site A(172.17.168.x) and other on site B(192.168.103.x). Site A and Site B is connected via an IPsec tunnel on the Cisco ASA. First call fails. Second call works. Result of a packet trace is also the same. The UDP packet get drops when tried for the first time but subsequent ones pass.
First time
ASA5520# packet-tracer input inside udp 172.17.168.95 10000 192.168.3.103 10000
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
[code].......
View 0 Replies
ADVERTISEMENT
Dec 3, 2012
Can I bind SSL license key from 1 ASA to another , we recently got 5540 and i want to use my SSL 5510 license on the new firewall
View 1 Replies
View Related
Apr 4, 2012
I have a site to site vpn to set up between an asa 5540 and an 800 router
i only want the vpn to be initiated from the asa with the remote 800 listening for inbound connections
i know i can set the connection type on the asa as originate-only but i can find a command equivalent to answer-only for the remote 800
Is it sufficient to simply configure the asa as originate-only for this crypto map
View 3 Replies
View Related
Jan 17, 2012
I have 4 remote sites that are using a ASA as thir firewall / router. I'm setting up a full mesh VPN between all the sites. One of the sites have a UC500 and the other sites access that UC over the VPN tunnels. I would like to set up some basic QoS for the VOIP traffic
The site that has the UC will have multiple vpn tunnles coming in from the remote sites. How will I do QoS with voice traffic on that site?
View 11 Replies
View Related
Mar 17, 2011
We have ASA 5540. After setting up one-to-one nat, do I need to do anything else? static (Inside,Outside) public ip address private ip address netmask 255.255.255.255.
View 4 Replies
View Related
Jul 14, 2012
I have a ASA 5540 on which VPN is configured (Both SSL through Browser and Anyconnect) , everything was working fine but suddenly the webpage has stopped working and gives the page cannot be displayed error , moreover anyconnect client also fails to connect to the ip.
View 7 Replies
View Related
Feb 11, 2013
I have 2 ASA 5540 in our network. I want to upgrade it from 8.0.4 to 8.4.3. I want assistance in the configuration because I know that there is a change a configuration while migrating from 8.0.4 to 8.4.3.Is there any tool available on Internet that facilitates me to convert the current configuration computable to 8.4.3.
View 2 Replies
View Related
Apr 29, 2012
I am a little new to Cisco ASA's but we bought two new 5540's to use as a new VPN solution for our company. We want to implement Cisco Anyconnect full client and Clientless based solutions for our end users. I am having problems working with setting up access lists based on groups. I simply want to create access-lists to certain IP's based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory Groups allowing access to back end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL on a group.
View 2 Replies
View Related
Mar 21, 2011
We setup both site-to-site VPN and Remote Access VPN client on VPN 3005 Concentrator. We want to migrate all the configs to the new ASA 5540. Do you recommend that we migrate all the configurations for VPN client first before setting up the site-to-site VPN on the ASA or it does not make any difference?
View 5 Replies
View Related
Aug 14, 2012
Any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time? For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box. We are trying to determine current license capacity of the device.
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.
View 1 Replies
View Related
Jul 19, 2011
We have two ASA's 5540, running IOS 8.2(4). Is there a command to find out the password that we setup for VPN Load balancing? I recall there was a command that you type under CLI and it will display all passwords.
View 3 Replies
View Related
Jul 16, 2012
i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2 --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
[URL]
I need to use this feature for only three or maximum four users in company then would i really need to do memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
ASA-ISB-HQ# sh version
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
[Code].....
View 2 Replies
View Related
Feb 28, 2011
We're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.
View 5 Replies
View Related
Nov 24, 2011
I've configured in an ASA5540 (8.4) access to a server in my LAN using telnet with webVPN. I've installed the ssh/telnet plug-in in the ASA and SSH access to the servers works fine but when I try telnet access I always get this error:
Could not connect to: "ip server" 23
Reason: java.io.IOException: Connection failed
It happen with any server I try. I'm not trying to access to the ASA, just servers inside my LAN that I can access with anyconnect correctly. There is a Cisco bug (CSCsq89467) saying that not configuring any Web-acl in the ASA solve the problem. Telnet always show the same error.
View 1 Replies
View Related
Jun 6, 2011
I have a problem with one of our IPSec site-to-site vpns.
-we use ASA5540 and the remote site uses a software based FW (steelgate borderware). -there are some old ACLs on our FW that have the remote site's IP address as an incoming node having TCP.... access to some servers on our LAN (why they didn't use static/dynamic NAT for clients of both end to have TCP connection???)
-when I try to set up the vpn the name entry of the remote site (which is optional) changes with IP address of the peer in vpn profile and it confuses the vpn, so the IKE phase1 won't establish. the name entry is because of those ACLs that have been entered in the past.
Q- How to stop ASA creating names via ASDM when adding ACLs?
Imagine the other site's network people are the most inflexible IT guys to do any changes in terms of using static or dynamic nat for their clients to have access to ours, so I can replace their FW IP address in ACL with other NAT addresses.
View 1 Replies
View Related
May 9, 2012
I have one established IPSec tunnel between the host at the far end. When they try to eatablise a second IPSec tunnel to our seconf IP we get this error
May 9 18:51:51 odc-np-gw %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47995CC7, sequence number= 0xCF) from 23.24.138.185 (user= 23.24.138.185) to 205.144.144.4. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 205.144.158.29, its source as 23.24.138.189, and its protocol as icmp. The SA specifies its local proxy as 205.144.158.30/255.255.255.255/ip/0 and its remote_proxy as 23.24.138.189/255.255.255.255/ip/0.
23.24.138.185 is the far end peer
205.144.144.4 is the local peer
23.24.138.189 is the remote configured protected host
205.144.158.29 is the local configured protected host
205.144.158.30 is the working local configured protected host
we have a Cisco 5540 on the far end also.
View 8 Replies
View Related
Nov 19, 2011
ASA5540# sh run nat-control
no nat-control
this means higher security can talk to lower security without NAT rules
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
global (inside) 1 interface
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
And do I have to have a global statement for NAT 0 ...like below?
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-
View 2 Replies
View Related
Jul 2, 2012
How can I do a VoIP Install/Repair?
View 3 Replies
View Related
Sep 9, 2012
having some issues. My basic VOIP network I can get to work no problem uner Vlan 1. But when I try tomake multiple basic networks to connect and put them in to diffrent Vlans such as Vlan 2, 3, 4 and conect them the phones now say configuering IP.
View 1 Replies
View Related
Mar 26, 2012
We just purchased cisco 2960 for our VoIP needs and we are using polycom phones, and Phone and Computer will use same port. Since Polycom phones are capable working with CDP protocol and we are hoping to get another switch to expand VoIP network. I found easiest way of setting up each port is as following (from the cisco tutorial)
Switch#configure terminal
Switch(config)#mls qos
Switch(config)#interface fastethernet 0/1
Switch(config-if)#mls qos trust cos
Switch(config-if)#switchport voice vlan dot1p
Switch(config-if)#switchport voice vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
My first question,when we are using switchport voice vlan dot1p ,I thought we instruct the switch port to use 802.1P priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic.Do I still need to create a Vlan 20 for data and Vlan 10 for voice ?
Secondly,same tutorial adds these commands as well,Do you think for our set up, using those commands are feasible ?
Switch(config-if)#switchport priority extend trust
Switch(config-if)#priority-queue out
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Thirdly,when we get another switch and do the same configuration for the second switch, can I use any port on Switch 1 as uplink without doing any configuration ?
View 6 Replies
View Related
Aug 15, 2011
my config and all the show's ive run sofar tryign to figure this out, but the policy map isnt matching the traffic for some reason
View 9 Replies
View Related
Jun 26, 2012
I have a little weird request at work. One of our offices would like to split the VOIP traffic. At that office we have a 10MB primary and 3MB backup circuit. Currently the phones are routing over the 10MB circuit. The General Manager would like to use the 3MB backup circuit for VOIP traffic. For the 3MB we have two T1 lines bundled together in a multilink. Configuration is bellow if needed
3MB Circuit
View 19 Replies
View Related
Dec 16, 2011
I have a 887 setup as a EasyVPN server, and a 861 as an EasyVPN remote - network extension mode with split tunnelling.This works fine - I can ping and connect to machines across the tunnel.However if I setup a VOIP handset to connect across the tunnel it registers and calls work, but drop after 30secs....I know this is normally a firewall or nat problem, are easyvpns firewalled or natted?
View 9 Replies
View Related
Oct 25, 2012
I am fairly new to Cisco, but am trying to configure a 1921 router to give higher priority to SIP/VoIP traffic (Port 5060) than everything else.The connection is only 4Mb and is getting hit hard by video streaming, I don't want to block this, just make a lower priority.Any ideas where I am going wrong?My current config is as below.The IP addresses have been changed for security reasons, but in reality are both in the same range, i.e. are both external IPs, so I am not sure if this is causing the problem. Do I need NAT for QoS to work?
View 6 Replies
View Related
Sep 26, 2012
I am tasked to connect my VoIP phones from remote site to my corp site. Basically all remote phones will be registering into a VoIP server in corp site. I have a site to site vpn tunnel established already from remote site to corp site. My hardware includes the following:
-Cisco ASA 5505
-Cisco small business POE switch SF300 24p
-Avaya 2015p VoIP phones
Successfully Register remote VoIP phones to corporate VoIP server 10.30.18.55.I have already configured vlan1 10.30.15.0/24(inside lan) and vlan2 public int(outside Internet) which my dmz only allows 2 per my basic asa licensing.When I connect my phones and register it states "subnet conflict" unable to register.
View 1 Replies
View Related
Dec 27, 2012
I am trying to get QoS for my VoIP system setup on several SGE2000p switches and have got a question...How do I define the ACL for RTP? As far as I can tell it will not let me enter a UDP port range for the RTP traffic... And I cant imagine creating rules for each port would be very effective either. So, how can I define an ACL to cover the RTP traffic so I can classify it?
View 4 Replies
View Related
Jun 10, 2012
I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"
View 2 Replies
View Related
May 11, 2008
I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?
View 2 Replies
View Related
Jun 26, 2011
I designing a new network for the company.
-Core layer is Cat6509 with VSS
-FW Lauer: Cisco ASA 5540
-Switches: L2 Cisco 2960
What is the best plan to make this redundant to the Firewalls?
View 1 Replies
View Related
Apr 26, 2011
Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
View 6 Replies
View Related
Jan 5, 2012
To test the VPN performance of ASA 5540, I will have to build at least 1000 VPN tunnels. It is time-consuming works if I put all of commands line by line manually. It looked like a bundle of VPN tunnels won't be created by ASDM. I am wonder if there is any generator tool for this. I just tried to google it. I found a software is named as VPN Configure Generator, but it is not free.
View 6 Replies
View Related
Apr 25, 2013
I have a Cisco 5540 that terminates one end of a L2L tunnel, the remote end is a Sonicwall TZ100. The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in .cap file using Wireshark 1.8.5. How to go about getting the session keys from either device?
View 3 Replies
View Related
Apr 29, 2012
I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?
View 4 Replies
View Related
