Cisco 2911 ISR Firewall

Hi everyone,
I would like to inquire about how to deploy Cisco 2911 ISR routers to act as firewalls to protect segments of my network. We have more than 10 units of the said router at our branch and I would like to ask how I can make it a firewall; it is running IOS with the sec/k9 license.
Hope that anyone can help me with my problem.
Thank you very much in advance
Best Regards,
Jayson Cruz

Hi Julio,
Good day, it's me again. My apologies for bothering you again. May I ask for your advice regarding the setup of my IOS Zone-Based Firewall on 2911 routers?
I have two 2911 branch routers with BGP peering on WAN links to reach the branch. On the LAN interfaces of the said branch routers are the LAN segments, configured via the subinterface command and running HSRP with the other branch router.
How would I implement Zone-Based Firewall with HA without having drops because of asymmetric routing? I'm sorry, since the configuration guide that you sent me has so many options and configurations that I tend to get confused about which one is another option and which one is part of the previous procedure. I hope you can help me with this one as I need to implement it within this week.
Thank you very much and I'm sorry for bothering you.
Thank you very much!
Jayson

Similar Messages

  • Configure SPA 525G with 2911 ISR Routers

    Hey hi.
    I have 10 SPA525G phones with me, for which I have bought a Cisco 2911 ISR, but after configuring it, the router says it does not support old model phones such as the 525G.
    Any idea on how to install? Please help.
    I see discussions where people have already installed similar modules, hence the question. Called up Cisco, but they were helpless and asked me to buy new phones.

    I have it working now. Thank you very much to both Dragan and Cyril for your help and guidance. It turned out the problem was a communication error between the ISP and me. We have two connections supplied by the same ISP, one for internet, one for telephony. When talking to their support we were mistakenly talking about different connections — the PPPoE credentials I was given related to the telephony connection, whereas I was trying to configure the internet connection. Once the confusion was identified I was given the correct connection info (which is not PPPoE after all), and I've got basic connectivity up and running quite quickly after that...
    My sincere apologies for the wild goose chase on these forums — and again, many thanks for those who tried to help. I have learned lots from you regardless.
    Cheers,
    Kevin

  • 2911 ISR G2 as a core switch in campus network?

    Hello experts,
    Just wondering whether a Cisco 2911 ISR G2 router with a Cisco SM-X Layer 2/3 EtherSwitch Service Module (16 port) can be used as a core switch in a campus network. Possible? Our goal is to find a way to simplify our company's network infrastructure by re-using/re-assigning/upgrading some of our existing Cisco network devices in order to reduce cost.
    Kindly advise.
    Regards,
    Alex

    1Gbps backbone between the switch and router? Where can I find the information?
    Go HERE.  
    The interface communication between router-to-module may be 1 Gbps but you won't be able to push 1 Gbps.  

  • Hardware Needed for Cisco 2911 as a console server

    Hi,
    We need to set up a Cisco 2911 router as a console server for OOB (out-of-band) connectivity to the console of each DC device (up to 20 devices). Could someone please respond to the following questions we had:
    1. What interface module can we install on the 2911 ISR for this purpose?
    2. What cable (part number please) will go to that 2911 ISR interface slot, so that we can connect the console ports of our network devices to that cable?
    It needs to be something similar to the cisco octal cable which I know we used for Cisco 2500 series for console purposes to other devices. But not sure about Cisco 2911.
    I would highly appreciate your information and help.
    Thanks
    Lovleen

    You would need an interface providing asynchronous serial ports. Something like the HWIC-8A or the HWIC-16A. Needing 20 ports you will most likely use one of each type (having then 24 ports).
    The cable to connect to the HWIC is the CAB-HD8-ASYNC. If you attach routers and switches console ports directly to the RJ45 plugs everything is fine. If you have other types of serial ports to serve (DB-9 or DB-25) then you need the according adapters. I don't know if they have product numbers...
    Or to have it all on one single PDF follow this link
    BR
    Björn

  • IP SLA Monitor on Cisco 2911

    Dear all,
    I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is  c2900-universalk9-mz.SPA.151-2.T1.bin. Please help tell me how I can configure IP SLA on my router.
    Any assistance will be highly appreciated.

    The Data Technology Package License part number SL-29-DATA-K9 was changed to the AppX Technology Package License that includes DATA and WAAS features with part number SL-29-APP-K9.
    SL-29-APP-K9 (AppX License for Cisco 2900 Series) - USD 1,000.00
    Please check the Change in Product Part Number Announcement for the Cisco 2900 Series Integrated Services Routers Data Technology Package Licenses link below for your reference(s): 
    http://www.cisco.com/c/en/us/products/collateral/routers/2900-series-integrated-services-routers-isr/eos-eol-notice-c51-730946.html

  • Cisco 2911 SFP Question

    Hello,
    Have what I hope is a simple question for you. How best to connect my 250 Mbit/s internet circuit to a newly arrived Cisco 2911? We're changing over our internet circuit from being managed by AT&T (includes router) to an unmanaged one (we provide router). The existing demarc extension terminates in a multi-mode LC connector and connects to an SFP module in the managed AT&T router.
    Was sent a 2911 with no additional modules or cards.  I have some GLC-SX-MM= SFP modules, but did not see any SFP slots in the 2911. Do I have to go with a higher router, like the 2921? Or are there SFP carrier cards or other modules we can use from Cisco?  Thanks.
    Scott

    For the ISR G2, like the 2900, you should be looking for the EHWIC-1GE-SFP-CU.
    How best to connect my 250 Mbit/s internet circuit to a newly arrived Cisco 2911?
    However, the main question is this:  Can a 2911 handle 250 Mbps bandwidth?  The answer is no.  The 2911 can handle 180.73 Mbps of traffic.  This value is expressed in HALF duplex and without any encryption.
    I believe a 3925E can support 250 Mbps of traffic (full duplex, full encryption).

  • Need help with troubleshooting VPN between Cisco 2911 and Dell Sonicwall 4060

    Hello all,
    I am trying to set up a VPN Tunnel between the devices mentioned above.  The tunnel appears to be established, but I've encountered some issues along the way.  I can ping from the Cisco 2911 to a server behind the Sonicwall, but I cannot ping from that server to the Cisco router unless the router is pinging the server at the same time.  What should I do to fix this problem?
    UPDATE:  The tunnel is no longer working between the two devices.  The end result I am looking for is to have a VPN tunnel between these two devices which does NAT and allows me to ping across without having to constantly ping to keep the session open.  Before the tunnel went down, I was able to ping that server behind the sonicwall using a port on the inside of the firewall as a source port for the ping, and at one point I was able to ping back to the router from the server, but was unable to ping beyond that interface.  I think the problem that I am running into has to do with the zone-based firewall configurations that are already on the router.  I don't want to mess with those configurations already in place, but I am not sure how to get this tunnel working.  I'm fairly certain I need to start from the beginning in regards to this tunnel, but I cannot figure out how to configure this the right way. 
    Thanks in advance for any help
    Michael

    Finally the testing is successful on Sonicwall NSA 240 as well with Cisco ASA. Actually, somehow the Sonicwall firewall was discovering my VPN box's public leg (private IP (10.10.50.10)) as well, which was behind a live peer IP (203.124.x.x). As per security policies it shouldn't have been discovered on the remote end. I will bring this to Cisco TAC's notice.
    Logs of the Sonicwall were showing ASA local IKE ID as "203.124.x.x" and ASA remote IKE ID as "10.10.50.10".
    Sonicwall sets these two parameters with PSK (local IKE ID and remote IKE ID). This is in addition to setting the peer IP. I asked my client to add my ASA's actual and NAT IPs in these two parameters and the VPN came up.

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
    On 8.4 for interface defining use below mentioned example :
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.
    If you're still not able to reach it, paste your entire config and the version that you are using on the ASA.

  • I need help!!! Configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
    Also the bolded lines are the modifications I made but that aren't working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.
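
A check for the two points this thread turns on, as an added example that is not part of the original posts: it flags static PAT lines that spell out an interface's own address instead of using the `interface` keyword (the form the reply says is required), and ACL permits that open port 3389 to `any` although the poster wants RDP limited to three ranges. The sample config is constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in ASA 7.2 syntax. Addresses are documentation ranges,
# not the poster's; 203.0.113.10 is the outside interface address.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
object-group service rdp tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.11 object-group rdp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group rdp
static (inside,outside) tcp 203.0.113.11 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 3389 192.168.6.2 3389 netmask 255.255.255.255
"""

NAMEIF_RE = re.compile(r"^nameif (\S+)")
IPADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) ")
STATIC_PAT_RE = re.compile(
    r"^static \(([^,\s]+),([^)\s]+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^object-group service (\S+) tcp")
ACL_ANY_RE = re.compile(r"^access-list \S+ extended permit tcp any (.+)$")


def _lines(config):
    # Pasted configs often lose their indentation, so match on stripped lines.
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def interface_addresses(config):
    """Return {nameif: ip} taken from the interface stanzas."""
    addrs, nameif = {}, None
    for ln in _lines(config):
        if ln.startswith("interface "):
            nameif = None
        elif (m := NAMEIF_RE.match(ln)):
            nameif = m.group(1)
        elif nameif and (m := IPADDR_RE.match(ln)):
            addrs[nameif] = m.group(1)
            nameif = None  # one address per stanza
    return addrs


def rdp_groups(config):
    """Names of tcp service object-groups that contain port 3389."""
    groups, current = set(), None
    for ln in _lines(config):
        if ln.startswith("object-group "):
            m = GROUP_RE.match(ln)
            current = m.group(1) if m else None
        elif current and ln == "port-object eq 3389":
            groups.add(current)
    return groups


def static_pat_on_interface_ip(config):
    """Static PAT lines whose mapped address is the mapped interface's own IP
    written out literally rather than as the 'interface' keyword."""
    addrs = interface_addresses(config)
    hits = []
    for ln in _lines(config):
        m = STATIC_PAT_RE.match(ln)
        if m and m.group(3) != "interface" and addrs.get(m.group(2)) == m.group(3):
            hits.append(ln)
    return hits


def rdp_permitted_from_any(config):
    """ACL permits with source 'any' and port 3389, given directly or through
    a service object-group."""
    groups = rdp_groups(config)
    hits = []
    for ln in _lines(config):
        m = ACL_ANY_RE.match(ln)
        if not m:
            continue
        tail = m.group(1).split()[-2:]
        if tail == ["eq", "3389"] or (
                len(tail) == 2 and tail[0] == "object-group" and tail[1] in groups):
            hits.append(ln)
    return hits


if __name__ == "__main__":
    for ln in static_pat_on_interface_ip(SAMPLE_CONFIG):
        print("use 'interface' keyword:", ln)
    for ln in rdp_permitted_from_any(SAMPLE_CONFIG):
        print("RDP open to any source:", ln)
```
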

  • TS2709 I have AppleTV and Ipad2 running VJay app to my TV over a private cisco router disabled firewall but I keep losing the video on my TV after a few minutes what can I do?

    I have AppleTV and Ipad2 running VJay app to my TV over a private cisco router disabled firewall but I keep losing the video on my TV after a few minutes. What can I do?

    I also get this problem on my iPad, so probably not related to the AppleTV. On the iPad I restarted Airport Extreme this time, and then the iPad saw my Home Sharing.
    So to recap, restarting the router or Airport Express allowed the iPad and AppleTV to see Home Sharing. Restarting AppleTV also allows AppleTV to see Home Sharing.
    So does anyone have any idea?
    Thanks

  • CME B-ACD on Cisco 2911 with IOS 15.2(4)M5 not working

    Hi Folks,
    I am currently setting up CME version 9.1 with B-ACD (app-b-acd-aa-3.0.0.2.tcl & app-b-acd-3.0.0.2.tcl), running on
    Cisco 2911 with IOS ver 15.2(4)M5, this is for lab purposes.
    Below is my CME & B-ACD configuration :
    voice service voip
    ip address trusted list
      ipv4 0.0.0.0 0.0.0.0
    allow-connections h323 to h323
    allow-connections h323 to sip
    allow-connections sip to h323
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    h323
      h225 listen-port 1820
      no call service stop
    sip
      bind control source-interface Vlan400
      bind media source-interface Vlan400
      registrar server expires max 600 min 60
    voice register global
    mode cme
    source-address 172.25.202.1 port 5060
    max-dn 2
    max-pool 2
    load 9971 sip9971.9-2-2SR1-9
    authenticate register
    timezone 28
    time-format 24
    date-format D/M/Y
    tftp-path flash:
    create profile sync 0004714411607756
    voice register dn  1
    number 3005
    name br2phn2
    voice register dn  2
    number 3006
    name br2phn4
    voice register template  1
    dialplan 1
    voice register dialplan 1
    type 7940-7960-others
    pattern 1 3...
    pattern 2 999
    voice register pool  1
    id mac 1C1D.86C4.0D6D
    type 9971
    number 1 dn 1
    template 1
    dtmf-relay rtp-nte
    username 3005 password cisco
    description 3214-3005
    codec g711ulaw
    voice register pool  2
    id mac 1C1D.86C4.A574
    type 9971
    number 1 dn 2
    template 1
    dtmf-relay rtp-nte
    username 3006 password cisco
    description 3214-3006
    codec g711ulaw
    voice hunt-group 1 parallel
    list 3002,3006
    pilot 3210
    application
    service aa flash:/app-b-acd-aa-3.0.0.2.tcl
      paramspace english index 1
      param number-of-hunt-grps 2
      param handoff-string aa
      paramspace english language en
      param max-time-vm-retry 2
      param aa-pilot 3500
      paramspace english location flash://
      param second-greeting-time 60
      param welcome-prompt _bacd_welcome.au
      param call-retry-timer 15
      param voice-mail 3001
      param max-time-call-retry 90
      param service-name queue
    service aa-drop flash:/app-b-acd-aa-3.0.0.2.tcl
      paramspace english index 1
      param service-name queue
      param drop-through-option 2
      param second-greeting-time 60
      paramspace english language en
      param max-time-vm-retry 2
      param max-time-call-retry 90
      param voice-mail 3001
      paramspace english location flash://
      param aa-pilot 3501
      param number-of-hunt-grps 1
      param handoff-string aa-drop
      param call-retry-timer 15
    service queue flash:/app-b-acd-3.0.0.2.tcl
      param queue-len 15
      param aa-hunt10 3006
      param queue-manager-debugs 1
      param number-of-hunt-grps 2
      param aa-hunt2 3210
    interface Loopback0
    ip address 172.25.110.3 255.255.255.255
    ip ospf network point-to-point
    h323-gateway voip interface
    h323-gateway voip id Spain ipaddr 172.25.110.1 1719
    h323-gateway voip h323-id BR2-RTR
    h323-gateway voip tech-prefix 1#
    h323-gateway voip bind srcaddr 172.25.110.3
    interface Vlan400
    ip address 172.25.202.1 255.255.255.0
    ip pim dense-mode
    dial-peer voice 3500 voip
    service aa
    destination-pattern 3500
    session target ipv4:172.25.110.3
    incoming called-number 3500
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    dial-peer voice 3501 voip
    service aa-drop
    destination-pattern 3501
    session target ipv4:172.25.110.3
    incoming called-number 3501
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    telephony-service
    no auto-reg-ephone
    max-ephones 2
    max-dn 2 no-reg both
    ip source-address 172.25.110.3 port 2000
    cnf-file location flash:
    load 7965 term65.default.loads
    time-zone 28
    time-format 24
    date-format dd-mm-yy
    max-conferences 8 gain -6
    moh "music-on-hold.au"
    web admin system name admin password cisco
    dn-webedit
    transfer-system full-consult
    create cnf-files version-stamp 7960 Feb 14 2014 05:54:44
    ephone-template  1
    softkeys connected  Endcall Hold Park Trnsfer Acct Flash
    ephone-dn  1  octo-line
    number 3001 no-reg both
    description 3214-3001
    name br2phn1
    ephone-dn  2  octo-line
    number 3002 no-reg both
    description 3214-3002
    name br2phn3
    ephone  1
    device-security-mode none
    mac-address 189C.5DB6.D303
    ephone-template 1
    max-calls-per-button 5
    busy-trigger-per-button 3
    type 7965
    button  1:1
    ephone  2
    device-security-mode none
    description 3214-3002
    mac-address 984B.E194.FDDD
    ephone-template 1
    max-calls-per-button 5
    busy-trigger-per-button 3
    type 7960
    button  1:2
    Problem :
    1. When I test call from CME Phone both SIP and SCCP Phone by dial 3500 or 3501, I get the busy tone.
    2. Debug voip dial-peer, match with dial-peer voice 3500 for (aa service) & 3501 for (aa-drop service).
    3. Debug voice application script, show nothing.
    Is there something wrong with my configuration ?
    Rgds
    Novri

    Hi Novriadi,
    In your configuration
    service aa flash:/app-b-acd-aa-3.0.0.2.tcl
    service queue flash:/app-b-acd-3.0.0.2.tcl
    paramspace english location flash://
    Remove "/" and "//" from the configuration
    Then use the call application voice load command in privileged EXEC mode to reload the scripts.
    Router# call application voice load aa
    Router# call application voice load queue
    Router# call application voice load aa-drop
    You can refer to following document as well for more info
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/bacd/configuration/guide/cme40tcl/40bacd.html#wp1018270
    Please find the sample configuration that is required to configure b-acd in CME for reference.
    telephony-service
    moh music-on-hold.au
    multicast moh 239.1.1.1 port 2000
    application
    service queue flash:app-b-acd-2.1.0.0.tcl
      param number-of-hunt-grps 2
      param aa-hunt2 1111
      param aa-hunt3 1222
      param queue-len 15
      param queue-manager-debugs 1
    service aa flash:app-b-acd-aa-2.1.0.0.tcl
      paramspace english index 1
      paramspace english language en
      paramspace english location flash:
      param service-name queue
      param handoff-string aa
      param aa-pilot 8005550123
      param welcome-prompt _bacd_welcome.au
      param number-of-hunt-grps 2
      param dial-by-extension-option 1
      param second-greeting-time 60
      param call-retry-timer 15
      param max-time-call-retry 700
      param max-time-vm-retry 2
      param voice-mail 5003
    dial-peer voice 222 voip
    service aa
    destination-pattern 8005550123
    session target ipv4:192.168.1.1
    incoming called-number 8005550123
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    Thanks & Regards,
    Mudit Mathur

  • Cisco Prime Infrastructure deployment through Cisco 3945 ISR

    Dears,
    I have a Cisco 3945 ISR that includes a module for Cisco Prime Infrastructure.
    I need to deploy Prime, but when I connected a monitor to the module I saw that it is looking for DHCP only.
    Please can anyone support me with the procedure to install Prime?
    Should I install ESXi on this module by making it boot from an external device (USB or CD drive)?
    Your support is highly appreciated,
    Regards,

    Duplicate post. 
    Go HERE.

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh config
    Using 3763 out of 262136 bytes
    ! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    141Kerioth#do wr mem
                  ^
    % Invalid input detected at '^' marker.
    141Kerioth#wr mem
    Building configuration...
    [OK]
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end

    Why do you have following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?
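
The reply's question about where an access-list or route-map is used can be answered mechanically. The following is an added example, not part of the original posts: it cross-checks numbered ACL references against ACL definitions, using lines copied from the 881 configuration posted above. The function name `audit_acl_references` and the pattern table are assumptions of this example.

```python
import re

# Constructed sample: ACL-related lines copied from the 881 configuration in the post.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address 115
ip http access-class 23
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 199 permit ip a.a.a.a 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
line vty 0 4
 access-class 1 in
"""

# Where a numbered ACL can be referenced in this configuration (not an exhaustive IOS list).
REFERENCE_PATTERNS = {
    "crypto map": re.compile(r"^\s+match address (\d+)\s*$"),
    "route-map": re.compile(r"^\s+match ip address (\d+)\s*$"),
    "nat": re.compile(r"^ip nat inside source list (\d+) "),
    "http access-class": re.compile(r"^ip http access-class (\d+)\s*$"),
    "vty access-class": re.compile(r"^\s+access-class (\d+) (?:in|out)\s*$"),
}
DEFINITION = re.compile(r"^access-list (\d+) ")


def audit_acl_references(config):
    """Return (undefined, unused): ACLs referenced but not defined, and defined but not referenced."""
    defined, referenced = set(), {}
    for line in config.splitlines():
        m = DEFINITION.match(line)
        if m:
            defined.add(int(m.group(1)))
            continue
        for kind, pattern in REFERENCE_PATTERNS.items():
            m = pattern.match(line)
            if m:
                referenced.setdefault(int(m.group(1)), set()).add(kind)
    undefined = {n: sorted(k) for n, k in referenced.items() if n not in defined}
    return undefined, sorted(defined - set(referenced))


if __name__ == "__main__":
    print(audit_acl_references(SAMPLE_CONFIG))
```

On the posted configuration this reports that `route-map nonat` matches ACL 100 while the ACLs actually defined are 110, 115, 144 and 199, and that ACLs 1 and 23 used by the `access-class` lines are not defined in the output shown.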

  • DSP hardware in Cisco 2911?

    I have a Cisco 2911 router that needs to do T1 PRI with 32 voice DSPs.
    I think I need UC license and VWIC3-1MFT-T1/E1=. I don't see any onboard DSP in "show inv" or "show diag" so is it correct I need to purchase a PVDM2-32? Should this be installed onboard or does this require a NM-HDV2 to house it?

    Hi,
    You need one PVDM3-32. You don't need NM.
    Regards,
    - Adrian.

  • Can't establish a Voice gateway (cisco 2911) using SIP with CUCM 9.1

    I have configured a Cisco 2911 as a Voice Gateway using SIP (the configuration is attached), but unfortunately can't establish a test call to a phone (CUPC 8.6 SCCP) using csim start. I have logged the ccsip and ccapi debugs and attached them. Could anyone help me to solve this problem?

    I just did some research on my end and csim is not supported for SIP. The Invite will never be created and sent to the CUCM to initiate the call. It disconnects in the router itself with normal cause.
    *Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/sipSPIOutgoingCallSDP: 
     Could not create source SDP for Outgoing Call
    *Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/sipSPICreateOutboundSDP: 
     Error in creating an SDP for the outbound call - Check for supported codecs
    *Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/preprocessSetup: 
     Error during outbound SDP creation
    *Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Info/sipSPIInitiateDisconnect: Initiate call disconnect(16) for outgoing call
    Please use an actual call to test your dial-peer and integration with call manager. csim will not work.
    Hantale
    Sree
