2 Replies Latest reply on Apr 14, 2014 1:55 PM by jayh

    Peer to Peer voip on 2 different subnet issue - no audio

    dlazure New Member

      Hi

      I have 17 IP phones connected to a 3448. The 3448 is connected via VPN to another 3448 which connects to the VoIP system. Of the 17 IP phones, 4 are connected on a different subnet because the office did not have 2 data cables. The voice network is 172.17.0.0 255.255.0.0 and the data network is 10.10.201.0 255.255.255.0.

      If an IP phone from the data network calls a phone on the voice network internally there is no audio; RTP packets can't get through.

      Here is a copy of the config:

      !
      !
      ! ADTRAN, Inc. OS version R10.11.0.E
      ! Boot ROM version 13.03.00.SB
      ! Platform: NetVanta 3448, part number 1200821E1
      ! Serial number LBADTN1311AF102
      !
      !
      hostname "Payette_St-Lambert"
      enable password
      !
      clock timezone -5-Eastern-Time
      !
      ip subnet-zero
      ip classless
      ip default-gateway xx.xx.xxx.xx
      ip routing
      ipv6 unicast-routing
      !
      !
      domain-name "payette.xx.xx
      domain-proxy
      name-server 8.8.8.8 4.2.2.1
      !
      !
      no auto-config
      !
      event-history on
      no logging forwarding
      logging forwarding priority-level info
      no logging email
      !
      !
      !
      banner motd #

                      ****** Important Banner Message ******

      Enable and Telnet passwords are configured to "password".
      HTTP and HTTPS default username is "admin" and password is "password".
      Please change them immediately.
      The switchport interfaces are enabled with an address of 10.10.10.1
      Telnet, HTTP, and HTTPS access are also enabled.
      To remove this message, while in configuration mode type "no banner motd".

                      ****** Important Banner Message ******

      #
      !
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      no dot11ap access-point-control
      !
      !
      !
      !
      !
      !
      !
      ip dhcp database local
      !
      ip dhcp pool "lan"
        network 10.10.201.0 255.255.255.0
        dns-server 207.164.234.129 207.164.234.193
        default-router 10.10.201.1
      !
      !
      !
      !
      !
      !
      !
      ip crypto
      !
      crypto ike policy 100
        initiate main
        respond anymode
        local-id address `xx.xxx.xxx.x
        peer xx.xx.xx.xx
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share
      !
      crypto ike remote-id address xx.xx.xx.xx preshared-key xxxxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
      !
      !
      ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel
      !
      ip crypto map VPN 10 ipsec-ike
        description VPN TO LONGEUIL
        match address ip VPN-10-vpn-selectors1
        set peer xx.xx.xx.xx
        set transform-set esp-3des-esp-md5-hmac
        set pfs group1
        ike-policy 100
      !
      qos map VOIP 1
        match precedence 7
        priority percent 40
      !
      !
      !
      !
      vlan 1
        name "Default"
      !
      vlan 2
        name "Voice"
      !
      !
      !
      no ethernet cfm
      !
      interface eth 0/1
        description Internet connection
        no ip address
        traffic-shape rate 26214000
        qos-policy out VOIP
        no shutdown
      !
      !
      interface eth 0/2
        no ip address
        shutdown
      !
      !
      !
      interface switchport 0/1
        no shutdown
      !
      interface switchport 0/2
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/3
        no shutdown
      !
      interface switchport 0/4
        no shutdown
      !
      interface switchport 0/5
        no shutdown
      !
      interface switchport 0/6
        no shutdown
      !
      interface switchport 0/7
        no shutdown
      !
      interface switchport 0/8
        no shutdown
      !
      !
      !
      interface vlan 1
        ip address  10.10.201.1  255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        qos-policy out VOIP
        no shutdown
      !
      interface vlan 2
        description Voice
        ip address  172.17.0.1  255.255.0.0
        ip mtu 1500
        ip access-policy Voice
        no rtp quality-monitoring
        media-gateway ip primary
        qos-policy out VOIP
        no awcp
        no shutdown
      !
      interface ppp 1
        description Internet connection
        ip address negotiated no-default
        ip mtu 1500
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip primary
        no fair-queue
        ppp pap sent-username
        no shutdown
        cross-connect 1 eth 0/1 ppp 1
      !
      !
      !
      !
      !
      !
      !
      ip access-list extended VPN-10-vpn-selectors1
        permit ip 10.10.201.0 0.0.0.255  10.10.200.0 0.0.0.255
        permit ip 172.17.0.0 0.0.255.255  10.10.200.0 0.0.0.255
        permit ip 172.17.0.0 0.0.255.255  172.16.0.0 0.0.255.255
        permit ip 10.10.201.0 0.0.0.255  172.16.0.0 0.0.255.255
      !
      ip access-list extended web-acl-1
        remark Traffic to netVanta
        permit ip any  any     log
      !
      ip access-list extended web-acl-10
        remark port 21
        permit tcp any  any eq ftp   log
      !
      ip access-list extended web-acl-11
        remark Admin access
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
        permit icmp any  any  echo   log
      !
      ip access-list extended web-acl-12
        remark port 3283
        permit tcp any  any eq 3283   log
        permit tcp any  any eq 5900   log
        permit tcp any  any eq www   log
      !
      ip access-list extended web-acl-2
        remark NAT
        permit ip any  any     log
      !
      ip access-list extended web-acl-3
        remark NAT
        permit ip any  any     log
      !
      ip access-list extended web-acl-4
        remark Traffic to netVanta
        permit ip any  any     log
      !
      ip access-list extended web-acl-5
        remark InterVlan
        permit ip 172.17.0.0 0.0.255.255  10.10.201.0 0.0.0.255
      !
      ip access-list extended web-acl-6
        remark InterVlan
        permit ip 10.10.201.0 0.0.0.255  172.17.0.0 0.0.255.255
      !
      ip access-list extended web-acl-9
        remark FTP
        permit tcp any  any eq 548   log
      !
      !
      !
      !
      ip policy-class Private
        allow list VPN-10-vpn-selectors1 stateless
        allow list web-acl-1 self stateless
        allow list web-acl-5 stateless
        nat source list web-acl-2 interface ppp 1 overload
      !
      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors1 stateless
        allow list web-acl-11 self
        nat destination list web-acl-9 address 10.10.201.30
        nat destination list web-acl-10 address 10.10.201.30
        nat destination list web-acl-12 address 10.10.201.30
      !
      ip policy-class Voice
        allow list VPN-10-vpn-selectors1 stateless
        allow list web-acl-4 self stateless
        allow list web-acl-6 stateless
        nat source list web-acl-3 interface ppp 1 overload
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 ppp 1
      ip route 10.10.200.0 255.255.255.0 ppp 1
      ip route 70.28.46.198 255.255.255.255 64.230.199.1
      ip route 172.16.0.0 255.255.0.0 ppp 1
      !
      no tftp server
      no tftp server overwrite
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      !
      !
      !
      !
      !
      !
      !
      !
      sip udp 5060
      sip tcp 5060
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
        login
      !
      line telnet 0 4
        login
        password password
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      !
      !
      !
      !
      !
      !
      end

        • Re: Peer to Peer voip on 2 different subnet issue - no audio
          jayh Hall_of_Fame

          It looks like your allow policy ACLs are backwards.

          Try moving

          allow list web-acl-5 stateless

          to the

          ip policy-class Voice

          and

          allow list web-acl-6 stateless

          to the

          ip policy-class Private

          I'd put these at the top of the policy.

          Also, now that you've posted here you might want to...

          service password-encryption
          no user admin

          change the enable password
          change the password for user Adm1n
          change the telnet password or shut down telnet completely.

          Just sayin...

          • Re: Peer to Peer voip on 2 different subnet issue - no audio
            jayh Hall_of_Fame

            Another consideration which will be cleaner and avoid the issue completely:

            Most IP phones have the capability of trunking two VLANs where one is used for the internal VoIP usage of the phone itself and a second passes through data to the PC port on the back of the phone. On your switchports for those, configure:

            interface switchport 0/[whatever]
              no shutdown
              switchport mode trunk
              switchport trunk allowed vlan 1-2
              switchport trunk native vlan 1  ! < This is default, change if data not on vlan 1
              switchport voice vlan 2

            The phone should learn its voice VLAN via LLDP, if not you can manually configure it on the phone. The data VLAN 1 will appear untagged on the pass-through port on the phone to the desk PC.
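To see why jayh's first reply calls the allow ACLs backwards, here is an added Python model (not from the thread and not ADTRAN code) that parses the posted ACL lines and walks a phone-to-phone RTP packet through the Private and Voice policy-classes in first-match order, before and after the suggested swap. It assumes a simplified policy-class semantics (first matching entry wins, `self` entries ignored, implicit discard at the end) and uses constructed phone addresses 10.10.201.50 and 172.17.0.20.

```python
import ipaddress
def wildcard_network(addr, wildcard):
    """Turn an AOS 'address wildcard' pair (e.g. 10.10.201.0 0.0.0.255) into a network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Parse 'permit ip <src> <wc> <dst> <wc> [log]' lines; 'any' means 0.0.0.0/0."""
    def take(tokens):  # consume 'any' or an address/wildcard pair
        if tokens[0] == "any":
            return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
        return wildcard_network(tokens[0], tokens[1]), tokens[2:]
    entries = []
    for tokens in (line.split() for line in text.strip().splitlines()):
        if tokens[:2] == ["permit", "ip"]:
            src, rest = take(tokens[2:])
            entries.append((src, take(rest)[0]))
    return entries

# ACL entries copied from the posted config (only the lists phone-to-phone traffic can hit).
ACLS = {
    "VPN-10-vpn-selectors1": parse_acl("""
        permit ip 10.10.201.0 0.0.0.255  10.10.200.0 0.0.0.255
        permit ip 172.17.0.0 0.0.255.255  10.10.200.0 0.0.0.255
        permit ip 172.17.0.0 0.0.255.255  172.16.0.0 0.0.255.255
        permit ip 10.10.201.0 0.0.0.255  172.16.0.0 0.0.255.255"""),
    "web-acl-2": parse_acl("permit ip any  any     log"),
    "web-acl-3": parse_acl("permit ip any  any     log"),
    "web-acl-5": parse_acl("permit ip 172.17.0.0 0.0.255.255  10.10.201.0 0.0.0.255"),
    "web-acl-6": parse_acl("permit ip 10.10.201.0 0.0.0.255  172.17.0.0 0.0.255.255"),
}
# Policy-class entries in posted order ('self' entries omitted: phone-to-phone RTP never targets the router).
ORIGINAL = {
    "Private": [("allow", "VPN-10-vpn-selectors1"), ("allow", "web-acl-5"), ("nat", "web-acl-2")],
    "Voice":   [("allow", "VPN-10-vpn-selectors1"), ("allow", "web-acl-6"), ("nat", "web-acl-3")],
}
FIXED = {  # jayh's suggestion: swap the InterVlan lists and put them at the top
    "Private": [("allow", "web-acl-6"), ("allow", "VPN-10-vpn-selectors1"), ("nat", "web-acl-2")],
    "Voice":   [("allow", "web-acl-5"), ("allow", "VPN-10-vpn-selectors1"), ("nat", "web-acl-3")],
}

def rtp_verdict(policies, src, dst):
    """First-match model: the ingress policy-class follows the source VLAN (172.17/16 = Voice,
    else Private); return the first matching entry's action, or 'discard' (implicit deny)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ingress = "Voice" if s in ipaddress.IPv4Network("172.17.0.0/16") else "Private"
    for action, acl in policies[ingress]:
        if any(s in sn and d in dn for sn, dn in ACLS[acl]):
            return action
    return "discard"
```

With the posted order, a packet from the data-VLAN phone to a voice-VLAN phone (and the reverse) falls through to the any/any NAT entry instead of an inter-VLAN allow, while after the swap both directions hit the allow and VPN-bound traffic is unchanged. The model checks only entry order and direction, not the firewall's stateful session handling.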