I recently setup a S2S VPN network between my MX67 and one of my Z3 Gateways. The MX 67 is sitting behind a NAT'ed Fortigate firewall. My Test Z3 is at my home office. Through my Z3, I can get to all of my corporate resources, files, servers etc. I can also connect Jabber and my test Cisco IP Phone. It's with the Jabber and Phone that I am stumped on. I am not able to receive incoming calls to Jabber or the phone but can call out to my cell phone as a test. I understand how traffic should be flowing and I understand that NAT may have to do with signaling going South, but maybe some help from the community will steer me in the right direction on where to look for the block/packet drop. Note: I can ping all of my internal resources from my Z3 to the corporate net, but I am not able to ping or RDP say to my test laptop that is connected to my test Z3. Thanks - JM
MX: Set to Route mode, and is the VPN Hub
Z3: Set to Route Mode, and is a Spoke using the MX67 Hub
These two devices can ping each other all day......
@ctx505 : Check this put the NAT rule to allow the incoming calls
@ctx505 do you have an on-site CUCM server? We run exactly your setup (except the enterprise edge firewalls are a different brand) and Cisco SIP desk phones work just fine connected to an MX/Z3 in a user's home.
@cmr, no the CUCM servers are on an external VLAN that is hosted with a third party. Our core switch routes VOIP to their servers through a VLAN. We do have internal routes on our switch and Firewall for the VOIP traffic and all phones on the corporate LAN can receive calls just fine.
@ctx505 just thinking out loud here, so play along and see if there is something that makes sense (or not).
If you can make an outbound call then your phone is registered, and signaling from your Jabber/phone is working. Did the audio channels also come up successfully? So the traffic is going from your Z3 over the AutoVPN to the MX64 then out the MX64 LAN interface to the core switch then off to the CUCM hosted environment.
If inbound calls can't be setup, but all the routing is working (since the above worked), then my thought is that there is likely a stateful firewall somewhere which is blocking traffic. The above path potentially works as you are on the 'trusted' side of the firewall, and so state is established, thus allowing return traffic. In the other direction (i.e. an inbound call) maybe there is a firewall rule that is blocking the path?
Do you have any rules for the Site-to-Site Outbound Firewall for the AutoVPN? Are there any other firewalls in the path, between your network and the CUCM hosted environment for instance?
I like the thought experiment here, and it is correct. I do have a Fortigate sitting in between the MX and Z3 and the external VLAN for VOIP. I do not have any firewall rules at the moment that speak to the inbound/outbound traffic to the MX/Z3. I am dedicating today to testing some of these theories and hopefully coming to a solution. I will post my results here, thanks all for you help 🙂