Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP


  • Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP

    I have two sites, each with their own Cisco 1811 routers (IOS 12.4) and Windows 2003 SP2 domain controllers. I am able to tie the two sites together with an IPSEC VPN tunnel. When I use the command:

    show crypto ipsec sa

    It comes up as running. The problem is the remote site has VoIP phones and they were not working after the new router was installed. I also do not want to push these packets unnecessarily through the VPN, mostly because the two sites are several thousand miles apart. I had to revert to the old setup for the phones to come up. I do not have access to the old router.

    Do I need to separate the VoIP phones to their own VLAN? They are SIP phones, so I assume they use UDP on port 5060; is this just for incoming (listening)? I was also told by our VoIP provider to open ports 16384 through 32767, which I think are used to dynamically get out.

    Also, I am not sure if I have the proper ports opened for my domain controllers to communicate, but that might be a question for another section.

    Thanks in advance.
    Last edited by eschatoncometh; 26th June 2008, 22:17.

  • #2
    Re: Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP

    Can you post a config?
    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+

    • #3
      Re: Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP

      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      !
      hostname blank1
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      !
      aaa new-model
      !
      !
      !
      aaa session-id common
      !
      resource policy
      !
      !
      !
      ip cef
      !
      !
      ip domain name blank.com
      ip ssh time-out 60
      ip ssh authentication-retries 2
      ip ssh version 2
      ip inspect max-incomplete high 9000
      ip inspect max-incomplete low 9000
      ip inspect one-minute high 9000
      ip inspect one-minute low 9000
      ip inspect tcp max-incomplete host 300 block-time 0
      ip inspect name FA0 icmp alert on audit-trail on timeout 120
      ip inspect name FA0 tcp alert on audit-trail on
      ip inspect name FA0 udp alert on audit-trail on
      ip inspect name FA0 cuseeme
      ip inspect name FA0 ftp
      ip inspect name FA0 h323
      ip inspect name FA0 rcmd
      ip inspect name FA0 realaudio
      ip inspect name FA0 streamworks
      ip inspect name FA0 vdolive
      ip inspect name FA0 sqlnet
      ip inspect name FA0 tftp
      !
      !
      !
      !
      crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
      crypto isakmp key ******* address 209.*.*.*
      !
      crypto isakmp client configuration group remoteusers
      key *******
      dns 192.168.17.6 192.168.16.5
      domain blank.com
      pool REMOTEVPN
      acl REMOTELIST
      !
      crypto ipsec security-association lifetime seconds 86400
      !
      crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
      !
      !
      !
      crypto map VPN-Map-1 10 ipsec-isakmp
      set peer 209.*.*.*
      set transform-set vpn1
      set pfs group2
      match address Crypto-list
      !
      !
      !
      !
      !
      interface FastEthernet0
      description Outside
      ip address 66.*.*.* 255.255.255.0
      ip access-group INCOMING in
      ip nat outside
      ip inspect FA0 out
      ip virtual-reassembly
      duplex auto
      speed auto
      crypto map VPN-Map-1
      !
      interface FastEthernet1
      no ip address
      ip broadcast-address 0.0.0.0
      shutdown
      duplex auto
      speed auto
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface FastEthernet4
      !
      interface FastEthernet5
      !
      interface FastEthernet6
      !
      interface FastEthernet7
      !
      interface FastEthernet8
      !
      interface FastEthernet9
      !
      interface Vlan1
      description
      ip address 192.168.17.1 255.255.255.0
      ip access-group 101 in
      ip nat inside
      ip virtual-reassembly
      !
      interface Async1
      no ip address
      ip broadcast-address 0.0.0.0
      encapsulation slip
      !
      ip local pool REMOTEVPN 192.168.17.10 192.168.17.40
      ip route 0.0.0.0 0.0.0.0 66.*.*.*
      !
      !
      ip http server
      ip http access-class 23
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat pool EXTERNAL 66.*.*.* 66.*.*.* netmask 255.255.255.248
      ip nat inside source list FOR_NAT pool EXTERNAL overload
      ip nat inside source static tcp 192.168.17.6 1723 interface FastEthernet0 1723
      ip nat inside source static tcp 192.168.17.6 21 66.*.*.* 21 route-map NONAT extendable
      ip nat inside source static tcp 192.168.17.6 25 66.*.*.* 25 route-map NONAT extendable
      ip nat inside source static tcp 192.168.17.6 80 66.*.*.* 80 route-map NONAT extendable
      ip nat inside source static tcp 192.168.17.6 443 66.*.*.* 443 route-map NONAT extendable
      ip nat inside source static tcp 192.168.17.6 3389 66.*.*.* 3389 route-map NONAT extendable
      !
      ip access-list extended Crypto-list
      permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
      ip access-list extended FOR_NAT
      permit ip 192.168.16.0 0.0.0.255 any
      ip access-list extended INCOMING
      permit icmp any any
      permit tcp any any eq smtp
      permit tcp any any eq 22
      permit tcp any any eq 443
      remark The 2 and 3 lines allow ICMP and SMTP for troubleshooting
      permit tcp any any eq 3389
      permit tcp any any eq pop3
      permit tcp any any eq www
      permit tcp any any established
      permit udp any any eq isakmp
      permit esp any any
      permit gre any any
      permit ahp any any
      permit udp any any eq non500-isakmp
      permit icmp any any unreachable
      permit icmp any any echo-reply
      permit icmp any any packet-too-big
      permit icmp any any time-exceeded
      permit icmp any any traceroute
      permit icmp any any administratively-prohibited
      permit icmp any any echo
      deny icmp any any
      permit udp host 209.*.*.* any eq isakmp
      permit esp host 209.*.*.* any
      !
      access-list 100 permit tcp any any eq 22
      access-list 100 permit tcp any any eq smtp
      access-list 100 permit tcp any any eq www
      access-list 100 permit tcp any any eq 443
      access-list 100 permit tcp any any eq ftp
      access-list 100 permit tcp any any eq 1723
      access-list 101 permit ip any any
      access-list 102 permit ip any any
      access-list 110 permit ip any any
      no cdp run
      !
      !
      !
      route-map NONAT permit 10
      match ip address 110
      !
      !
      !
      !
      control-plane
      !
      !
      line con 0
      line 1
      modem InOut
      stopbits 1
      speed 115200
      flowcontrol hardware
      line aux 0
      line vty 0 4
      access-class 23 in
      privilege level 15
      transport input telnet ssh
      line vty 5 15
      access-class 23 in
      privilege level 15
      transport input telnet ssh
      !
      !
      webvpn context Default_context
      ssl authenticate verify all
      !
      no inservice
      !
      end

      • #4
        Re: Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP

        version 12.4
        service timestamps debug datetime msec
        service timestamps log datetime msec
        no service password-encryption
        !
        hostname blank2
        !
        boot-start-marker
        boot-end-marker
        !
        logging buffered 51200 warnings
        !
        aaa new-model
        !
        !
        !
        aaa session-id common
        !
        resource policy
        !
        !
        !
        ip cef
        !
        !
        no ip domain lookup
        ip domain name blank.com
        ip ssh time-out 60
        ip ssh authentication-retries 2
        ip ssh version 2
        ip inspect max-incomplete high 9000
        ip inspect max-incomplete low 9000
        ip inspect one-minute high 9000
        ip inspect one-minute low 9000
        ip inspect tcp max-incomplete host 300 block-time 0
        ip inspect name FA0 icmp alert on audit-trail on timeout 120
        ip inspect name FA0 tcp alert on audit-trail on
        ip inspect name FA0 udp alert on audit-trail on
        ip inspect name FA0 cuseeme
        ip inspect name FA0 ftp
        ip inspect name FA0 h323
        ip inspect name FA0 rcmd
        ip inspect name FA0 realaudio
        ip inspect name FA0 streamworks
        ip inspect name FA0 vdolive
        ip inspect name FA0 sqlnet
        ip inspect name FA0 tftp
        !
        password encryption aes
        !
        !
        !
        !
        crypto isakmp policy 1
        encr 3des
        authentication pre-share
        group 2
        crypto isakmp key ******* address 66.*.*.*
        !
        crypto ipsec security-association lifetime seconds 86400
        !
        crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
        !
        !
        !
        crypto map VPN-Map-1 10 ipsec-isakmp
        set peer 66.*.*.*
        set transform-set vpn1
        set pfs group2
        match address Crypto-list
        !
        !
        !
        !
        interface FastEthernet0
        description Outside
        ip address 209.*.*.* 255.255.255.0
        ip access-group INCOMING in
        ip nat outside
        ip inspect FA0 out
        ip virtual-reassembly
        duplex auto
        speed auto
        crypto map VPN-Map-1
        !
        interface FastEthernet1
        no ip address
        ip broadcast-address 0.0.0.0
        shutdown
        duplex auto
        speed auto
        !
        interface FastEthernet2
        !
        interface FastEthernet3
        !
        interface FastEthernet4
        !
        interface FastEthernet5
        !
        interface FastEthernet6
        !
        interface FastEthernet7
        !
        interface FastEthernet8
        !
        interface FastEthernet9
        !
        interface Vlan1
        ip address 192.168.16.1 255.255.255.0
        ip access-group 101 in
        ip nat inside
        ip virtual-reassembly
        !
        interface Async1
        no ip address
        ip broadcast-address 0.0.0.0
        encapsulation slip
        !
        ip route 0.0.0.0 0.0.0.0 209.*.*.*
        !
        !
        ip http server
        ip http access-class 23
        ip http authentication local
        ip http secure-server
        ip http timeout-policy idle 60 life 86400 requests 10000
        ip nat pool EXTERNAL 209.*.*.* 209.*.*.* netmask 255.255.255.248
        ip nat inside source list FOR_NAT pool EXTERNAL overload
        ip nat inside source static tcp 192.168.16.5 1723 interface FastEthernet0 1723
        ip nat inside source static tcp 192.168.16.10 21 209.*.*.* 21 route-map NONAT extendable
        ip nat inside source static tcp 192.168.16.10 25 209.*.*.* 25 route-map NONAT extendable
        ip nat inside source static tcp 192.168.16.10 80 209.*.*.* 80 route-map NONAT extendable
        ip nat inside source static tcp 192.168.16.10 443 209.*.*.* 443 route-map NONAT extendable
        ip nat inside source static tcp 192.168.16.5 3389 209.*.*.* 3389 route-map NONAT extendable
        !
        ip access-list extended Crypto-list
        permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
        ip access-list extended FOR_NAT
        permit ip 192.168.16.0 0.0.0.255 any
        ip access-list extended INCOMING
        permit icmp any any
        permit tcp any any eq smtp
        permit tcp any any eq 22
        permit tcp any any eq 443
        remark The 2 and 3 lines allow ICMP and SMTP for troubleshooting
        permit tcp any any eq 3389
        permit tcp any any eq pop3
        permit tcp any any eq www
        permit tcp any any established
        permit udp any any eq isakmp
        permit esp any any
        permit gre any any
        permit ahp any any
        permit udp any any eq non500-isakmp
        permit icmp any any unreachable
        permit icmp any any echo-reply
        permit icmp any any packet-too-big
        permit icmp any any time-exceeded
        permit icmp any any traceroute
        permit icmp any any administratively-prohibited
        permit icmp any any echo
        deny icmp any any
        permit ip any any
        permit udp host 66.*.*.* any eq isakmp
        permit esp host 66.*.*.* any
        !
        access-list 23 permit any
        access-list 100 permit tcp any any eq 22
        access-list 100 permit tcp any any eq smtp
        access-list 100 permit tcp any any eq www
        access-list 100 permit tcp any any eq 443
        access-list 100 permit tcp any any eq ftp
        access-list 100 permit tcp any any eq 1723
        access-list 101 permit ip any any
        access-list 102 permit ip any any
        access-list 110 permit ip any any
        no cdp run
        !
        !
        !
        route-map NONAT permit 10
        match ip address 110
        !
        !
        !
        !
        control-plane
        !
        !
        line con 0
        line 1
        modem InOut
        stopbits 1
        speed 115200
        flowcontrol hardware
        line aux 0
        line vty 0 4
        access-class 23 in
        privilege level 15
        transport input telnet ssh
        line vty 5 15
        access-class 23 in
        privilege level 15
        transport input telnet ssh
        !
        !
        webvpn context Default_context
        ssl authenticate verify all
        !
        no inservice
        !
        end

        • #5
          Re: Cisco 1811 Site-to-Site IPSEC VPN Setup with Windows 2003 Server and VoIP

          Those are my configs between the two 1811 routers. There might be some different settings as of now because I was playing with the new router config remotely before I had to have the older router reinstalled so my users could use their phones.

          To reiterate, should I just separate my VoIP to another VLAN? What ports does Windows 2003 Server need opened (DNS, DHCP, Exchange, WINS, DFS)?

          Any ideas?
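Whether the provider's SIP signalling (UDP 5060) and RTP media (UDP 16384-32767) can reach the phones at all is decided by the INCOMING list on FastEthernet0, and whether that traffic is encrypted is decided by Crypto-list, not by the VLAN. The evaluator below is an added example, not code from the thread: it reads IOS extended ACL entries the way the router does (first match wins, implicit deny at the end) and checks phone traffic against a trimmed copy of site 1's INCOMING list, against the same list with site 2's `permit ip any any` appended, and against Crypto-list; 198.51.100.1, 203.0.113.1, 203.0.113.10 and 192.168.17.50 are constructed stand-ins for the masked outside address, the VPN peer, the VoIP provider and a phone.

```python
import ipaddress
# Added example, not from the thread: INCOMING is a trimmed copy of site 1's list; public addresses are constructed stand-ins.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "isakmp": 500, "non500-isakmp": 4500}

_port = lambda tok: PORT_NAMES.get(tok) or int(tok)

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' (ipaddress reads the IOS wildcard as a hostmask)
    if t[i] == "any": return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host": return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):  # one IOS extended ACL entry -> dict; remarks and blank lines yield None
    t = line.split()
    if not t or t[0] == "remark": return None
    src, i = _addr(t, 2)
    sport = dport = None
    if i < len(t) and t[i] == "eq": sport, i = _port(t[i + 1]), i + 2
    dst, i = _addr(t, i)
    if i < len(t) and t[i] == "eq": dport, i = _port(t[i + 1]), i + 2
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport, opts=set(t[i:]))

def _matches(a, p):
    if a["proto"] not in ("ip", p["proto"]): return False
    if ipaddress.ip_address(p["src"]) not in a["src"] or ipaddress.ip_address(p["dst"]) not in a["dst"]: return False
    if a["sport"] not in (None, p.get("sport")) or a["dport"] not in (None, p.get("dport")): return False
    if "established" in a["opts"] and not p.get("established"): return False  # replies to inside-initiated TCP only
    icmp_types = a["opts"] - {"established"}
    return not icmp_types or p.get("icmp_type") in icmp_types

def evaluate(acl_text, pkt):  # first match wins; no match falls to the implicit deny at the end
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if _matches(ace, pkt): return ace["action"]
    return "deny"

INCOMING = """permit tcp any any eq smtp
permit tcp any any established
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit icmp any any echo
deny icmp any any"""
CRYPTO_LIST = "permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255"
OUTSIDE, PEER, PROVIDER, PHONE = "198.51.100.1", "203.0.113.1", "203.0.113.10", "192.168.17.50"
def inbound(proto, dport, src=PROVIDER, **extra):  # packet arriving on FastEthernet0 from the internet, before NAT
    return dict(proto=proto, src=src, dst=OUTSIDE, dport=dport, **extra)
def tunnel_allowed():     return evaluate(INCOMING, inbound("udp", 500, src=PEER, sport=500)) == "permit"
def sip_allowed():        return evaluate(INCOMING, inbound("udp", 5060, sport=5060)) == "permit"  # 5060 never listed
def rtp_allowed():        return evaluate(INCOMING, inbound("udp", 20000)) == "permit"             # 16384-32767 never listed
def site2_sip_allowed():  return evaluate(INCOMING + "\npermit ip any any", inbound("udp", 5060)) == "permit"
def voip_encrypted():     return evaluate(CRYPTO_LIST, dict(proto="udp", src=PHONE, dst=PROVIDER, dport=5060)) == "permit"
```

On site 1 the ISAKMP packet from the peer is permitted but unsolicited SIP and RTP from the provider hit the implicit deny, while site 2's `permit ip any any` admits everything from anyone; phone-to-provider traffic never matches Crypto-list, so it leaves through NAT in the clear rather than the tunnel regardless of VLAN.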
