HI guys. I hope for ur help . i have such diagram : IPOffice500(LAN:172.16.2.220, WAN:192.168.15.110/24)<->Cisco881(WAN:192.168.15.1, interface vlan20 : 192.168.20.1)<-> IP phone 192.168.20.2 .
the problem is ip phone cannot discover IPOffice. I put PC instead of ipphone with static ip 192.168.20.9/24 and able to ping 192.168.20.1, 192.168.15.1 but can not 192.168.15.110 and 172.16.2.220. then I put PC to lan port of IP office500 with 172.16.2.9/24 and able to ping 192.168.20.1, 192.168.15.1 but can not ping 192.168.20.2 or .20.10 , tracert go till .15.1 ; it's look like there is not route between .15.0 net and .20.0 network but I have configured interfaces in router and they are directly connected . Also IPOffice has route to 192.168.20.0 /28 trough 192.168.15.1 , and configured LAN& WAN interfaces. here are configs on cisco:
Current configuration : 5626 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 16:49:09 UTC Tue Jul 31 2012 by cisco
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote_r
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3874039267
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3874039267
revocation-check none
rsakeypair TP-self-signed-3874039267
!
!

ip source-route
!
!
!
ip dhcp pool voice20
network 192.168.20.0 255.255.255.240
default-router 192.168.20.1
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
ip dhcp pool data30
network 192.168.30.0 255.255.255.240
default-router 192.168.30.1
option 176 ascii "MCIPADD=172.16.2.220, 192.168.15.110,TFTPSRVR=172.16.2.220,MCPORT=1719,L2QVLAN=20,VLANTEST=600"
lease 8
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX162683CE
!
!
username admin privilege 15 secret 5 $1$bEaR$C/W2WAirkkytWbYHQinNf0
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
!
interface FastEthernet4
description WAN
ip address 192.168.15.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan20
ip address 192.168.20.1 255.255.255.240
!
interface Vlan30
ip address 192.168.30.1 255.255.255.240
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 172.16.2.0 255.255.255.0 192.168.15.110
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 24 permit 192.168.1.2
no cdp run

!
!
!
!
!
control-plane
!

^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 24 in
privilege level 15
password sana1723
logging synchronous
login local
transport input telnet
!
scheduler max-task-time 5000
end

show ip route
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.2.0 [1/0] via 192.168.15.110
192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.15.0/24 is directly connected, FastEthernet4
L 192.168.15.1/32 is directly connected, FastEthernet4
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/28 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20

sho vlan-sw

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0, Fa1, Fa3
10 VLAN0010 active
20 voice active Fa2
30 data active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0

I presume that you meant to say the IPOffice500 has a static route for 192.168.20.0/24. Also, look at the routing table on the IPOffice500 to ensure that it has taken the static route. If it indeed does have one, is there any kind of firewall or ACL on it that may be blocking this?

--Richard

_________________
http://justnetworked.wordpress.com

thank you for ur reply , yes, IPO has taken that staitc route otherwise I'd not be able from PC connected to LAN port of IPO and with IP 172.16.2.9 make a ping to 192.168.15.1 and 192.168.20.1 ; somehow there is not route between interface vlan 20 and fa4 ... there is not ACL and Firewall has not been activated ...
show version : cisco ios , c880data-universalk9-m, version15.0

My apologies, I overlooked the portion of putting a PC on the LAN side of the IPOffice and I see that the network is indeed a /28. However, you did mention that you were able to ping 192.168.20.1 (the SVI IP address for VLAN 20) from the PC on this segment. This would indicate that routing is working properly from the perspective of the IPOffice and 881.

When you mentioned you couldn't ping 192.168.20.10 did you mean the IP of the pc 192.168.20.9? Or did you really try to ping 192.168.20.10? How does the IPOffice deal with traffic coming into the WAN interface? Does it block it by default and only allow through what you have configured? Is there anyway you can post its config?

--Richard

_________________
http://justnetworked.wordpress.com

so, on the router configured dhcp for 192.168.20.0 /28 scope (voice net) and when i put iphone to the port fa2 of the router the iphone get ip 192.168.20.2 or 192.168.20.10 or ... , so it was ip phone ip (1 time i tested with pc second time with ipphone) . IPO has 2 net interfaces lan and wan (172.16.2.220 and 192.168.15.110) and ip route table , so when the traffic is coming from the proper subnet it allow it, there is not configured any policy yet. i can not understand why when i connected behind of IPOffice on the lan interface with ip from ip office network 17216.2.9 /24 and i can ping router interfaces, on the other side of IP office, moreover i can ping SVI 192.168.20.1 BUT I can't ping phone 192.168.20.2 or 20.10 connected to fa2 (switchport access vlan 20) .... why ? help me please , guys .

I resolved it myself so now my vpn is up and my ipphones are registered . The solution is one need to create ACLs to deny NATing then route-map to exclude voice net from Nating and let traffic go trough NAT outside .