Cisco 2911 ISR Firewall
Hi everyone,
I would like to inquire on how to deploy Cisco 2911 ISR routers to act as Firewall to protect segments of my network. We have more than 10 units of the said router on our branch and i would like to ask on how i can make it a Firewall, it is running on IOS with sec/k9 license.
Hope that anyone can help me with my problem.
Thank you very much in advance
Best Regards,
Jayson Cruz
Hi Julio,
A good day its me again. My apologies to bother you again. May i ask for your advice regarding the set-up of my IOS Zone-Based Firewall via 2911 routers.
I have 2 2911 beanch routers with bgp peering on a WAN links to reach the branch. On the LAN interface of the said Branch Routers are the LAN segments configured via subinterface command and running HSRP with the other branch router.
How would i implement Zone-Based Firewall with HA without having drops because of asymetric routing. Im sorry since the configuration guide that you have sent me as so many options and configurations that i tend to be confusing on which one is another option and which one is prt of the previous procedure. I hope you could help me with this one as i need to implement it within this week.
Thanks you very much and I'm sorry for bothering you.
Thank you very much!
Jayson
Sent from Cisco Technical Support Android App
Similar Messages
-
Configure SPA 525G with 2911 ISR Routers
Hey hi.
I have 10 SPA525G phones with me for which I have bought a CISCO 2911 ISR, But after configuring it up, the router says it does not support old model phones such as the 525G.
Any idea on how to install. Please help
I see discussion where people have already installed similar modules. And hence the question. Called up cisco, but they were helpless and asked me to buy new phones.I have it working now. Thank you very much to both Dragan and Cyril for your help and guidance. It turned out the problem was a communication error between the ISP and me. We have two connections supplied by the same ISP, one for internet, one for telephony. When talking to their support we were mistakenly talking about different connections — the PPPoE credentials I was given related to the telephony connection, whereas I was trying to configure the internet connection. Once the confusion was identified I was given the correct connection info (which is not PPPoE after all), and I've got basic connectivity up and running quite quickly after that...
My sincere apologies for the wild goose chase on these forums — and again, many thanks for those who tried to help. I have learned lots from you regardless.
Cheers,
Kevin -
2911 ISR G2 as a core switch in campus network?
Hello experts,
Just wonder about having a Cisco 2911 ISR G2 router with Cisco SM-X Layer 2/3 EtherSwitch Service Module (16 port) can be used as a core switch in a campus network. Possible? Our goal is to find a way to simplify our company's network infrastructure by re-using/re-assigning/upgrade some of our existing Cisco network devices in order to reduce cost.
Kindly advice.
Regards,
Alex1Gbps backbone between the switch and router? Where can I find the information?
Go HERE.
The interface communication between router-to-module may be 1 Gbps but you won't be able to push 1 Gbps. -
Hardware Needed for Cisco 2911 as a console server
Hi,
We need to setup Cisco 2911 router as a console server for OOB (Out of band) connectivity to console of each DC device (upto 20 devices) Could someone please respond to the following questions we had:
1. What interface module can we install on the 2911 ISR for this purpose?
2. What cable (part number please) will go to the that 2911-ISR interface slot and then we can connect the consoel ports of out network devices to that cable.
It needs to be something similar to the cisco octal cable which I know we used for Cisco 2500 series for console purposes to other devices. But not sure about Cisco 2911.
I would highly appreciate your information and help.
Thanks
LovleenYou would need an interface providing asynchronous serial ports. Something like the HWIC-8A or the HWIC-16A. Needing 20 ports you will most likely use one of each type (having then 24 ports).
The cable to connect to the HWIC is the CAB-HD8-ASYNC. If you attach routers and switches console ports directly to the RJ45 plugs everything is fine. If you have other types of serial ports to serve (DB-9 or DB-25) then you need the according adapters. I don't know if they have product numbers...
Or to have it all on one single PDF follow this link
BR
Björn -
Dear all,
I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is c2900-universalk9-mz.SPA.151-2.T1.bin. Please help tell me how I can configure IP SLA on my router.
Any assistance will be highly appreciated.The Data Technology Package License part number SL-29-DATA-K9 was changed to the AppX Technology Package License that includes DATA and WAAS features with part number SL-29-APP-K9.
SL-29-APP-K9 (AppX License for Cisco 2900 Series) - USD 1,000.00
Please check the Change in Product Part Number Announcement for the Cisco 2900 Series Integrated Services Routers Data Technology Package Licenses link below for your reference(s):
http://www.cisco.com/c/en/us/products/collateral/routers/2900-series-integrated-services-routers-isr/eos-eol-notice-c51-730946.html -
Hello,
Have what I hope is a simple question for you. How best to connect my 250 Mbit/s internet circuit to a newly arrived Cisco 2911? We're changing over our internet circuit from being managed by AT&T (includes router) to an unmanaged one (we provide router). The existing demarc extension terminates in a mult-mode LC connector and connects to a SFP module in the managed AT&T router.
Was sent a 2911 with no additional modules or cards. I have some GLC-SX-MM= SFP modules, but did not see any SFP slots in the 2911. Do I have to go with a higher router, like the 2921? Or are there SFP carrier cards or other modules we can use from Cisco? Thanks.
ScottFor the ISR G2, like the 2900, you should be looking for the EHWIC-1GE-SFP-CU.
How best to connect my 250 Mbit/s internet circuit to a newly arrived Cisco 2911?
However, the main question is this: Can a 2911 handle 250 Mbps bandwidth? The answer is no. The 2911 can handle 180.73 Mbps of traffic. This value is express in HALF duplex and without any encryption.
I believe a 3925E can support 250 Mbps of traffic (full dupex, full encryption). -
Need help with troubleshooting VPN betwen Cisco 2911 and Dell Sonicwall 4060
Hello all,
I am trying to set up a VPN Tunnel between the devices mentioned above. The tunnel appears to be established, but I've encountered some issues along the way. I can ping from the Cisco 2911 to a server behind the Sonicwall, but I cannot ping from that server to the Cisco router unless the router is pinging the server at the same time. What should I do to fix this problem?
UPDATE: The tunnel is no longer working between the two devices. The end result I am looking for is to have a VPN tunnel between these two devices which does NAT and allows me to ping across without having to constantly ping to keep the session open. Before the tunnel went down, I was able to ping that server behind the sonicwall using a port on the inside of the firewall as a source port for the ping, and at one point I was able to ping back to the router from the server, but was unable to ping beyond that interface. I think the problem that I am running into has to do with the zone-based firewall configurations that are already on the router. I don't want to mess with those configurations already in place, but I am not sure how to get this tunnel working. I'm fairly certain I need to start from the beginning in regards to this tunnel, but I cannot figure out how to configure this the right way.
Thanks in advance for any help
Michael
Message was edited by: Michael SotalinFinally the testing is successful on Sonicwall NSA 240 as well with Cisco ASA. Actually somehow Sonicwall firewall was discovering my VPN Box's Public leg (Private IP (10.10.50.10)) as well, which was behind a Live Peer IP (203.124.x.x). As per security policies it shouldnt have been discovered on the remote end. i will bring this in Cisco TAC notice.
Logs of Sonicwall were showing ASA local ike id as "203.124.x.x" & ASA Remote ike id "10.10.50.10".
Sonicwall sets these two parameters with PSK (local ike id & remote ike id). This is other than setting the Peer IP. i asked my client to add my ASA actual and NAT IP in these two parameters and the VPN got UP. -
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq wwwHey Craig,
Based on your commands I think you were using 6.3 version on PIX and now you must be moving to ASA ver 8.2.x.
On 8.4 for interface defining use below mentioned example :
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
If you're still not able to reach.Paste your entire config and version that you are using on ASA. -
I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that arent working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#Unclear what did not work. In your original post you include said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
I have AppleTV and Ipad2 running VJay app to my TV over a private cisco router disabled firewall but I keep loosing the video on my TV after a few minutes what can I do?
I also get this problem on my iPad, so probably not related to the AppleTV. On the iPad I restarted Airport Extreme this time, and then the iPad saw my Home Sharing.
So to recap, restarting the router or Airport Express allowed the iPad and AppleTV to see Home Sharing. Restarting AppleTV also allows AppleTV to see Home Sharing.
So does anyone have any idea?
Thanks -
CME B-ACD on Cisco 2911 with IOS 15.2(4)M5 not working
Hi Folks,
I am currently setting up CME version 9.1 with B-ACD (app-b-acd-aa-3.0.0.2.tcl & app-b-acd-3.0.0.2.tcl), running on
Cisco 2911 with IOS ver 15.2(4)M5, this is for lab purposes.
Below is my CME & B-ACD configuration :
voice service voip
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
h323
h225 listen-port 1820
no call service stop
sip
bind control source-interface Vlan400
bind media source-interface Vlan400
registrar server expires max 600 min 60
voice register global
mode cme
source-address 172.25.202.1 port 5060
max-dn 2
max-pool 2
load 9971 sip9971.9-2-2SR1-9
authenticate register
timezone 28
time-format 24
date-format D/M/Y
tftp-path flash:
create profile sync 0004714411607756
voice register dn 1
number 3005
name br2phn2
voice register dn 2
number 3006
name br2phn4
voice register template 1
dialplan 1
voice register dialplan 1
type 7940-7960-others
pattern 1 3...
pattern 2 999
voice register pool 1
id mac 1C1D.86C4.0D6D
type 9971
number 1 dn 1
template 1
dtmf-relay rtp-nte
username 3005 password cisco
description 3214-3005
codec g711ulaw
voice register pool 2
id mac 1C1D.86C4.A574
type 9971
number 1 dn 2
template 1
dtmf-relay rtp-nte
username 3006 password cisco
description 3214-3006
codec g711ulaw
voice hunt-group 1 parallel
list 3002,3006
pilot 3210
application
service aa flash:/app-b-acd-aa-3.0.0.2.tcl
paramspace english index 1
param number-of-hunt-grps 2
param handoff-string aa
paramspace english language en
param max-time-vm-retry 2
param aa-pilot 3500
paramspace english location flash://
param second-greeting-time 60
param welcome-prompt _bacd_welcome.au
param call-retry-timer 15
param voice-mail 3001
param max-time-call-retry 90
param service-name queue
service aa-drop flash:/app-b-acd-aa-3.0.0.2.tcl
paramspace english index 1
param service-name queue
param drop-through-option 2
param second-greeting-time 60
paramspace english language en
param max-time-vm-retry 2
param max-time-call-retry 90
param voice-mail 3001
paramspace english location flash://
param aa-pilot 3501
param number-of-hunt-grps 1
param handoff-string aa-drop
param call-retry-timer 15
service queue flash:/app-b-acd-3.0.0.2.tcl
param queue-len 15
param aa-hunt10 3006
param queue-manager-debugs 1
param number-of-hunt-grps 2
param aa-hunt2 3210
interface Loopback0
ip address 172.25.110.3 255.255.255.255
ip ospf network point-to-point
h323-gateway voip interface
h323-gateway voip id Spain ipaddr 172.25.110.1 1719
h323-gateway voip h323-id BR2-RTR
h323-gateway voip tech-prefix 1#
h323-gateway voip bind srcaddr 172.25.110.3
interface Vlan400
ip address 172.25.202.1 255.255.255.0
ip pim dense-mode
dial-peer voice 3500 voip
service aa
destination-pattern 3500
session target ipv4:172.25.110.3
incoming called-number 3500
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad
dial-peer voice 3501 voip
service aa-drop
destination-pattern 3501
session target ipv4:172.25.110.3
incoming called-number 3501
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad
telephony-service
no auto-reg-ephone
max-ephones 2
max-dn 2 no-reg both
ip source-address 172.25.110.3 port 2000
cnf-file location flash:
load 7965 term65.default.loads
time-zone 28
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
moh "music-on-hold.au"
web admin system name admin password cisco
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Feb 14 2014 05:54:44
ephone-template 1
softkeys connected Endcall Hold Park Trnsfer Acct Flash
ephone-dn 1 octo-line
number 3001 no-reg both
description 3214-3001
name br2phn1
ephone-dn 2 octo-line
number 3002 no-reg both
description 3214-3002
name br2phn3
ephone 1
device-security-mode none
mac-address 189C.5DB6.D303
ephone-template 1
max-calls-per-button 5
busy-trigger-per-button 3
type 7965
button 1:1
ephone 2
device-security-mode none
description 3214-3002
mac-address 984B.E194.FDDD
ephone-template 1
max-calls-per-button 5
busy-trigger-per-button 3
type 7960
button 1:2
Problem :
1. When I test call from CME Phone both SIP and SCCP Phone by dial 3500 or 3501, I get the busy tone.
2. Debug voip dial-peer, match with dial-peer voice 3500 for (aa service) & 3501 for (aa-drop service).
3. Debug voice application script, show nothing.
Is there something wrong with my configuration ?
Rgds
NovriHi Novriadi,
In your configuration
service aa flash:/app-b-acd-aa-3.0.0.2.tcl
service queue flash:/app-b-acd-3.0.0.2.tcl
paramspace english location flash://
Remove "/" and "//" from the configuration
Then use the call application voice load command in privileged EXEC mode to reload the scripts.
Router# call application voice load aa
Router# call application voice load queue
Router# call application voice load aa-drop
You can refer to following document as well for more info
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/bacd/configuration/guide/cme40tcl/40bacd.html#wp1018270
Please find the sample configuration that is required to configure b-acd in CME for reference.
telephony-service
moh music-on-hold.au
multicast moh 239.1.1.1 port 2000
application
service queue flash:app-b-acd-2.1.0.0.tcl
param number-of-hunt-grps 2
param aa-hunt2 1111
param aa-hunt3 1222
param queue-len 15
param queue-manager-debugs 1
service aa flash:app-b-acd-aa-2.1.0.0.tcl
paramspace english index 1
paramspace english language en
paramspace english location flash:
param service-name queue
param handoff-string aa
param aa-pilot 8005550123
param welcome-prompt _bacd_welcome.au
param number-of-hunt-grps 2
param dial-by-extension-option 1
param second-greeting-time 60
param call-retry-timer 15
param max-time-call-retry 700
param max-time-vm-retry 2
param voice-mail 5003
dial-peer voice 222 voip
service aa
destination-pattern 8005550123
session target ipv4:192.168.1.1
incoming called-number 8005550123
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad
Thanks & Regards,
Mudit Mathur -
Cisco Prime Infrastructure deployment through Cisco 3945 ISR
Dears,
I have Cisco 3945 ISR include module for the Cisco prime infrastructure.
I need to deploy the prime but when I connected monitor on the module I saw that it is looking for DHCP only.
Please can anyone support me with procedure to install the prime?
Should I install the ESXi on this module by make it boot from external device (USB, or CD drive)?
Your support is highly appreciated,
Regards,Duplicate post.
Go HERE. -
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
endWhy do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ? -
DSP hardware in Cisco 2911?
I have a Cisco 2911 router that needs to do T1 PRI with 32 voice DSPs.
I think I need UC license and VWIC3-1MFT-T1/E1=. I don't see any onboard DSP in "show inv" or "show diag" so is it correct I need to purchase a PVDM2-32? Should this be installed onboard or does this require a NM-HDV2 to house it?Hi,
You need one PVDM3-32. You don't need NM.
Regards,
- Adrian. -
Can't establish a Voice gateway (cisco 2911) using SIP with CUCM 9.1
I have configured a Cisco 2911 as a Voice Gateway using SIP (the configuration is attached), but unfortunately can't establish a test call to a phone (CUPC 8.6 SCCP) using csim start. I have done logging the ccsip debug and ccapi debug and attached them. Could anyone help me to solve this problem?
I just did some research on my end and csim is not supported for SIP. The Invite will never be created and sent to the CUCM to initate the call. It disconnects in the router itself with normal cause.
*Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/sipSPIOutgoingCallSDP:
Could not create source SDP for Outgoing Call
*Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/sipSPICreateOutboundSDP:
Error in creating an SDP for the outbound call - Check for supported codecs
*Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Error/preprocessSetup:
Error during outbound SDP creation
*Apr 18 08:58:48.086: //40/7D08458F8077/SIP/Info/sipSPIInitiateDisconnect: Initiate call disconnect(16) for outgoing call
Please use an actual call to test your dial-peer and integration with call manager. csim will not work.
Hantale
Sree
Maybe you are looking for
-
Why READ_IMAGE_FILE is not working in Linux Appln Server?
Hello! I have a form with a new_form_instance Trigger I wrote the read_image_file trigger to read a GIF file in an image item.It works fine on windows XP(development machine).I copied the GIF file to the same location where my fmx files are there in
-
HT1386 ipod touch not being found by itunes
just downloaded the larest version of i Tunes and now my iPod touch wont sync and id not being recognised by iTunes!!!!"!!!!!!
-
Time Machine Backup turns on the display
After using the Sleep Display script in Tiger from Dockables, it was a pretty welcome relief to see that you could put your display to sleep with a hot corner = D. However, I can't get the display to stay sleeping consistently. Whenever Time Machine
-
Acrobat Pro 9.4.5 crashes when I open PDF file - How can I fix it ??
Dear Fellow Mac Users, I have a MacPro4,1 with a 2 X 2.226 Ghz Quad-Core Intel Xeon Processor and 16 GB 1066 MHz DDR3 Memory. On my MacPro4,1, I have Adobe CS4 Suite installed. I now have Adobe Acrobat version 9.4.5. Whenever I open a PDF file, regua
-
Hi Experts, I've created Loyalty Campaign/Porgram and R R and released all. Using Loaylty IC Agent role I'm not able to see the Loyalty Campaigns. Can any one pls let me know how to display all the loyalty campaigns which are released as part of Loya