Cisco 2921 destination NAT for transparent proxy
Hi All,
I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
In iptables it's easy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am, however, trying to work out a way to do this without the need for a Linux box, but it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here whether this is actually the case.
So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Cheers,
Jordan.
Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it, and it will also verify that the remote proxy server is available.
ip sla monitor 1
 type echo protocol ipIcmpEcho <ip address of your proxy server>
 timeout 3000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
interface FastEthernet0/1
 ip address <x.x.x.x x.x.x.x>
 ip policy route-map REDIRECT-TO-PROXY
ip access-list extended webtraffic
 ! Deny traffic from your proxy server from being redirected
 deny tcp host <ip address of your proxy server> any eq www
 deny tcp host <ip address of your proxy server> any eq https
 permit tcp <your ip network> <subnet mask> any eq www
 permit tcp <your ip network> <subnet mask> any eq https
route-map REDIRECT-TO-PROXY permit 10
 match ip address webtraffic
 set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:
Here is how my router is configured.
interface FastEthernet0/0
 ip address dhcp hostname home-rtr-1
 ip nat outside
interface FastEthernet0/1
 ip address 10.235.x.x 255.255.255.252
 ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>
HTH
Similar Messages
-
Cisco device supporting NAT for SCTP
Hello,
I can't think of a more proper category for posting this one. I'd like to know if there is a Cisco router (or other device for that matter) which may offer a NAT service for packets using the SCTP protocol, i.e. translate the IP address and SCTP port contained in the packet (source or destination) into those configured on the device by the user.
Packet received by Device: Source IP a1.b1.c1.d1 Source SCTP port: X1 Dest IP w1.x1.y1.z1 Dest SCTP port: Y1
Packet exiting Device: Source IP a2.b2.c2.d2 Source SCTP port: X2 Dest IP w2.x2.y2.z2 Dest SCTP port: Y2
... translate the Destination IP and Port of SCTP packets sent from PCU to IP and Port set on Windows PC and vice versa.
I thank you in advance for your responses. -
Cisco 800 outbound redirect for Cloud Proxy
Hey,
I want to know if it's possible to redirect all outbound HTTP/HTTPS traffic to an external service on a custom port? Example below.
Client points their browser to google.com (port 80) and the router should redirect this request to ExternalProxy:1234.
Thanks for any help. -
Cisco ASA 8.2. Destination NAT (network - network)
Hi Guys,
Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
For example, will destination NAT like this work:
static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
I need that when a packet from the Internet goes to 8.2.2.X, its destination IP address will change to 10.10.8.X.
So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
Etc.
Thanks.
Hello,
Yes, that is possible. In fact, that is the way it works.
Regards,
Julio -
Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP
Hello Dears,
I'm trying to implement Cache loadbalancing through Cisco ACE Module.
I have 2 Bluecoat cache proxies. When I configure the transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing of the client IP (reflect client IP address), clients are not able to access the Internet, although they are going to the cache servers; I can see their sessions.
I'm afraid that I have a problem in the returned traffic PBR.
Can anyone help please?
Thanks
Hi Ibrahim
I have reviewed the config. The ACE config is all good, but I do see some issue on the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should match the client IP address. However, what you matched is the IP address range between the ACE and MSFC. Try to configure the test client IP address into the below access-list.
msfc---vlan 265---ACE--vlan 264----CE farm
interface vlan 265
description Interface_With_MSFC_SUBS_2_INTERNET
ip address 168.168.1.52 255.255.255.248
access-group input PERMIT_ALL
service-policy input L3L4_PM
no shutdown
ip route 0.0.0.0 0.0.0.0 168.168.1.50
ip access-list extended HSDPA_2_CACHE
permit tcp 168.168.0.0 0.0.255.255 any eq www <<<-- wrong
ip access-list extended Internet_2_CACHE
permit tcp any eq www 168.168.0.0 0.0.255.255 <<<---wrong
interface Vlan 265
description Interface_With_ACE
ip address 168.168.1.50 255.255.255.248
route-map INTERNET_2_HSDPA permit 10
description "PBR for Response HTTP Traffic"
match ip address Internet_2_CACHE
set ip next-hop 168.168.1.52
route-map HSDPA_2_INTERNET permit 10
match ip address HSDPA_2_CACHE
set ip next-hop 168.168.1.52
regards
Andrew -
Cisco asa traffic flow with destination nat
Hi Folks,
Can anybody comment on the below.
1. In source NATting (inside users accessing the Internet), first the NAT will happen, then the routing will happen. I agree with this.
2. In destination NATting (outside users accessing an inside server on a public IP), what will happen first, NATting or routing? I am looking forward to hearing an explanation.
regards
Rajesh
The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from. On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
The short answer:
The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.
If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
The longer answer:
For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
-or-
Step 2 check B: Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the NAT translation. You can actually see the NAT divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
Now let's refer to the specific example you outlined in your post; you said:
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
nat (LAN,ISP-1) after-auto source dynamic any interface
nat (LAN,ISP-2) after-auto source dynamic any interface
Now let's say that there is a connection coming from behind the LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before the L3 route lookup?
The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
Message was edited by: Jay Johnston -
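As an added illustration (not Cisco code and not from the thread), the following Python models the Step 2 divert checks A and B and the routing-table fallback described in the reply above, using the thread's two after-auto rules and two default routes plus a constructed DMZ static rule and a constructed LAN identity rule with an explicit destination; the interface names DMZ/WAN-side and the 10.20.0.0/16 and 203.0.113.10 addresses are assumptions.

```python
"""Model of ASA egress-interface selection for the first packet of a flow:
Step 2's NAT-divert checks A and B, then the global routing table.

Added example, not Cisco code. The after-auto rules and the two routes are
the ones quoted in the thread; the DMZ static rule, the LAN identity rule
and the 10.20.0.0/16 / 203.0.113.10 addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    """One line of the NAT table: nat (real_if,mapped_if) ..."""
    real_if: str                              # local ("real") interface
    mapped_if: str                            # global ("mapped") interface
    mapped_net: Optional[IPv4Network] = None  # mapped addresses reachable via mapped_if
    dest_net: Optional[IPv4Network] = None    # set only if the rule explicitly translates destinations


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    egress_if: str
    next_hop: str
    metric: int


def divert_check(ingress_if, dst, rules):
    """Step 2: walk the NAT table in order; the first matching divert entry wins.

    Dynamic PAT rules carry neither mapped_net nor dest_net, which mirrors their
    divert-table entries showing ignore=yes in 'show nat divert-table'.
    """
    for rule in rules:
        # Check A: packet arrived on the mapped interface and hits a mapped address.
        if ingress_if == rule.mapped_if and rule.mapped_net is not None and dst in rule.mapped_net:
            return rule.real_if, "divert (check A: inbound on mapped interface)"
        # Check B: packet arrived on the real interface and the rule explicitly
        # translates this destination (e.g. a NAT-exempt / identity rule).
        if ingress_if == rule.real_if and rule.dest_net is not None and dst in rule.dest_net:
            return rule.mapped_if, "divert (check B: explicit destination translation)"
    return None, "no divert entry; global routing table decides"


def route_lookup(dst, routes):
    """Longest prefix match; the lowest metric breaks ties."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def select_egress(ingress_if, dst_ip, rules, routes):
    """Return (egress interface, reason) for a new flow entering on ingress_if."""
    dst = ip_address(dst_ip)
    egress, reason = divert_check(ingress_if, dst, rules)
    if egress is None:
        route = route_lookup(dst, routes)
        egress = route.egress_if if route else None
    return egress, reason


# NAT table in configuration order (the divert walk is order-sensitive).
RULES = [
    # constructed: static NAT publishing a DMZ host on ISP-1 -> check A case
    NatRule("DMZ", "ISP-1", mapped_net=ip_network("203.0.113.10/32")),
    # constructed: identity NAT for a peer network reached via ISP-2, with the
    # destination stated explicitly -> check B case
    NatRule("LAN", "ISP-2", dest_net=ip_network("10.20.0.0/16")),
    # nat (LAN,ISP-1) after-auto source dynamic any interface   (from the thread)
    NatRule("LAN", "ISP-1"),
    # nat (LAN,ISP-2) after-auto source dynamic any interface   (from the thread)
    NatRule("LAN", "ISP-2"),
]

# route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1 / route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
ROUTES = [
    Route(ip_network("0.0.0.0/0"), "ISP-1", "1.1.1.1", 1),
    Route(ip_network("0.0.0.0/0"), "ISP-2", "2.2.2.1", 254),
]


if __name__ == "__main__":
    for ingress, dst in [("LAN", "8.8.8.8"), ("LAN", "10.20.5.5"), ("ISP-1", "203.0.113.10")]:
        egress, reason = select_egress(ingress, dst, RULES, ROUTES)
        print(f"{ingress} -> {dst}: egress {egress} [{reason}]")
```

The thread's 10.10.10.10 -> 8.8.8.8 packet from LAN matches neither check and leaves via ISP-1 by metric, while the same source going to 10.20.5.5 is pulled to ISP-2 by check B despite the better route on ISP-1.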
Bypass NAT for single printer IP
Hi all,
I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)
We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.
Is this possible and how would i go about doing it?
Many thanks
Jamie
Yeah, it's really frustrating that we can't solve it.
Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443), but it still doesn't seem to communicate. Apparently that IP in the config is the source, but I wouldn't mind opening those ports globally for all IPs.
Here is the current config.
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.100.104.2 255.255.248.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.29.8.1 255.255.248.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa845-k8.bin
ftp mode passive
object network any-inside
subnet 0.0.0.0 0.0.0.0
object network TSTC-Printing
host 172.29.8.20
object service tcp_9100
service tcp source eq 9100 destination eq 9100
object network TCSC-Printing
object network PRINTER
host 10.100.104.20
object network Portico
host 172.29.8.46
object network Eportal
host 172.29.8.36
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 52221
port-object eq 52222
port-object eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
access-list outside_access_in extended permit ip any object TSTC-Printing
access-list outside_access_in extended permit ip any object Portico
access-list outside_access_in extended permit ip any object Eportal
access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any
access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 172.29.10.226 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
object network any-inside
nat (inside,outside) dynamic interface
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20
object network Portico
nat (inside,outside) static 10.100.104.5
object network Eportal
nat (inside,outside) static 10.100.104.4
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable 1234
http 192.168.1.0 255.255.255.0 management
http 172.29.8.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.29.8.0 255.255.248.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.10-192.168.1.20 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username password encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
Many thanks -
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Hi!
I have already searched for this but didn't get the exact answer I'm looking for, so I'll try asking it again (even if the same question exists).
I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels were being torn down because the proxy they request doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
The remote peer said they did not change the proxy ID on their side, so possibly the old platform just did not set up the SA without tearing down the tunnel, while the ASA on the new platform tears the tunnel down if there is any mismatch.
Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration related to this issue? i.e. just bring up the SAs with matched addresses and ignore the others, instead of tearing down the tunnel.
Thanks!!
//Cody -
Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Are you trying to send traffic destined for the Internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the Internet?
If so, this end also needs to be configured with "any" as well --> the crypto ACL needs to be a mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface; otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP and won't be able to reach the Internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
NAT overload is not working when i configure Double NAT for VPN
I have Cisco 2921 router with OS version 15.1(4)M1.
The router is configured for NAT overload and is working fine; I have a site-to-site VPN tunnel with a peer using normal NAT translation. Now we need to configure double NAT on the VPN tunnel, as we need to free the subnet on the peer network. For double NAT I use the 3.2.21.x - 3.2.23.x /24 networks and apply the following commands:
Double NAT translation
ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
ip nat inside source static network 192.168.20.0 3.2.22.0/24 no-alias
ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
Nonat
access-list 101 deny ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
VPN encrypted traffic over the tunnel
access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
Problem:
As soon as I apply the double NAT translation commands, NAT overload stops working and clients cannot reach the Internet.
The router's partial configuration is as below:
REACH-R01(config)#do sh run
Building configuration...
Current configuration : 19233 bytes
! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname REACH-R01
boot-start-marker
boot-end-marker
card type t1 0 0
logging buffered 51200 warnings
no aaa new-model
clock timezone MST -7 0
clock summer-time MST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.250 192.168.20.255
ip dhcp pool CISCO_PHONES
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
option 150 ip 192.168.20.254
no ip domain lookup
ip domain name reach.local
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
multilink bundle-name authenticated
isdn switch-type primary-ni
trunk group PRI
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3180627716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3180627716
revocation-check none
rsakeypair TP-self-signed-3180627716
voice-card 0
dsp services dspfarm
voice service voip
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
voice translation-rule 1
rule 5 /^7804981231/ /401/
voice translation-rule 2
rule 5 // /7804981231/
voice translation-profile DID_INBOUND
translate called 1
voice translation-profile DID_OUTBOUND
translate calling 2
license udi pid CISCO2911/K9 sn FGL1540114P
license accept end user agreement
license boot module c2900 technology-package securityk9
hw-module ism 0
hw-module pvdm 0/0
username test test
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-6,24
no ip ftp passive
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
description COMPUGEN
set peer 33.33.33.33
set transform-set ESP-AES256-SHA
match address 115
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Outside Interface To the Internet
ip address dhcp
ip access-group outside_access_in in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN-TUNNEL
interface ISM0/0
ip unnumbered GigabitEthernet0/1.20
service-module ip address 192.168.20.2 255.255.255.0
!Application: CUE Running on ISM
service-module ip default-gateway 192.168.20.254
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.10
description VLAN 10 DATA VLAN
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip inspect ethernetin in
ip virtual-reassembly in
interface GigabitEthernet0/1.20
description VLAN 20 VOICE VLAN
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.30
description VLAN 30 WIRELESS VLAN
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip inspect ethernetin in
ip virtual-reassembly in
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
no ip address
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
trunk-group PRI
no cdp enable
interface Vlan1
no ip address
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:CME8.6/GUI
ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
ip route 192.168.20.2 255.255.255.255 ISM0/0
ip access-list extended outside_access_in
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any host 22.22.22.22 eq 1723
permit tcp any host 22.22.22.22 eq 3389
permit tcp any host 22.22.22.22 eq smtp
permit tcp any host 22.22.22.22 eq 443
permit tcp any host 22.22.22.22 eq domain
permit udp any host 22.22.22.22 eq domain
permit tcp any host 22.22.22.22 eq 123
permit icmp any host 22.22.22.22 unreachable
permit icmp any host 22.22.22.22 echo-reply
permit icmp any host 22.22.22.22 packet-too-big
permit icmp any host 22.22.22.22 time-exceeded
permit icmp any host 22.22.22.22 traceroute
permit icmp any host 22.22.22.22 administratively-prohibited
permit icmp any host 22.22.22.22 echo
permit tcp any host 22.22.22.22 eq 987
permit tcp any host 22.22.22.22 eq 47
permit gre any host 22.22.22.22
permit udp any host 22.22.22.22 eq isakmp
permit esp any host 22.22.22.22
access-list 23 permit any
access-list 101 deny ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
-
IPhoto '08 Book upload errors with squid transparent proxy - tip
Hi folks
I've just "solved" a problem I was having with iPhoto Book uploads. The solution may apply to other publishing products from iPhoto and possibly iDisk uploads too.
My firewall & proxy setup is basically Linux iptables redirecting all outbound http (port 80) connections to a dansguardian filter, which in turn is passed onto a squid instance running as a transparent proxy (oh, and there's a privoxy in this all too!). Yeah, OK, I know, slightly paranoid, but I don't want my children accidentally browsing stuff I don't think they are old enough for yet!
Now I had the problem before with iPhoto '06 as well, but at the time just didn't have the time or inclination to figure out what the problem was, and just did the book order and upload from the office, where it went through without a problem. This time I decided to dig a bit and see what was happening. The clue that triggered off the solution was watching the part of the order process where the book data is uploaded. In my default setup, the upload bar would scream through to 100%, and then sit there for ages, before coming back with a connection error. Watching the network flashy lights on the NIC on the firewall though, it suddenly dawned on me that what was happening was that the upload was screaming through to the squid (as there was no outbound network activity from the firewall while this was happening) and then sitting there waiting for squid to pass it on to the Apple site (as shown by the outbound NIC activity light suddenly going bonkers once the upload bar hit 100%).
So clearly there's a problem sending book orders via a squid proxy setup as a transparent proxy. It might also very well be dansguardian interfering and wanting to take the entire upload and checking it before passing it on to squid. I already have site exceptions set up for all apple.com URLs though in dansguardian, so didn't think it would be that. I thought about dicking around with the squid ACLs but didn't have the enthusiasm to spend half the day getting that working.
So what I did in the end was tail the squid logs to see what was being proxied whilst the book order was going on, and then dropped in 3 new rules in my iptables setup just before the redirect rule. Tried ordering the book again, and voila!
The three rules I inserted were:
$IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d mercury.apple.com -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d configuration.apple.com -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d publish.mac.com -j ACCEPT
The "-s ! 10.1.1.1" bit is obviously particular to my setup, as I wouldn't want connections from the router itself being proxied, so that may need to either be customised or left out altogether. These three rules are then immediately followed by the redirect:
$IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp --dport 80 -j REDIRECT --to-port 8081
Hope that is of some help to someone out there!
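One way to do the log-tailing step above and turn what it finds into the bypass rules, as an added example that is not the poster's code: it parses squid's default native access.log format, the log lines are constructed samples, the router address 10.1.1.1 is taken from the post, and the emitted rules use iptables' extrapositioned `! -s` spelling of the same negation.

```python
"""Find which destination hosts a client reached through a transparent squid,
so you can decide which to exempt from the REDIRECT rule (as the post did).

Added example, not the original poster's code. SAMPLE_LOG holds constructed
lines in squid's default native access.log format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# squid native format: ts elapsed client action/code bytes method url user hier/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

SAMPLE_LOG = """\
1205412301.104    210 10.1.1.50 TCP_MISS/200 4215 GET http://www.apple.com/iphoto/ - DIRECT/17.149.160.10 text/html
1205412302.220     95 10.1.1.50 TCP_HIT/200 8812 GET http://images.apple.com/iphoto/hero.png - NONE/- image/png
1205412310.511  48210 10.1.1.50 TCP_MISS/504 1206 POST http://mercury.apple.com/WebObjects/MZFinance.woa/wa/bookOrder - DIRECT/17.149.160.20 text/html
1205412320.002    330 10.1.1.50 TCP_MISS/200 512 POST http://configuration.apple.com/configurations/internetservices/iphoto/config.xml - DIRECT/17.149.160.30 text/xml
1205412321.900    140 10.1.1.77 TCP_MISS/200 2048 GET http://mercury.apple.com/favicon.ico - DIRECT/17.149.160.20 image/x-icon
"""


def host_of(url):
    """Destination host of a request URL; CONNECT requests log a bare host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_lines(text):
    """Yield one dict per well-formed native-format line; other lines are skipped."""
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:  # lines in another logformat, or cut by rotation, do not match
            d = m.groupdict()
            yield {**d, "elapsed": int(d["elapsed"]), "size": int(d["size"]),
                   "status": int(d["status"]), "host": host_of(d["url"])}


def summarize(text, client):
    """Per destination host for one client: request count, methods, worst elapsed, 5xx/0 errors."""
    stats = defaultdict(lambda: {"requests": 0, "methods": set(), "max_elapsed_ms": 0, "errors": 0})
    for rec in parse_lines(text):
        if rec["client"] != client:
            continue
        s = stats[rec["host"]]
        s["requests"] += 1
        s["methods"].add(rec["method"])
        s["max_elapsed_ms"] = max(s["max_elapsed_ms"], rec["elapsed"])
        if rec["status"] >= 500 or rec["status"] == 0:
            s["errors"] += 1
    return dict(stats)


def bypass_candidates(text, client):
    """Hosts the client uploaded to (POST/PUT): the ones worth exempting from the proxy."""
    return sorted(h for h, s in summarize(text, client).items() if s["methods"] & {"POST", "PUT"})


def bypass_rules(hosts, router_ip="10.1.1.1", chain="PREROUTING"):
    """Emit the ACCEPT rules the post inserts ahead of its REDIRECT rule.
    Caveat: iptables resolves a hostname given to -d when the rule is loaded, so the
    rule pins whatever address(es) DNS returned at that moment; reload if they change."""
    return [f"iptables -t nat -A {chain} ! -s {router_ip} -p tcp -d {h} -j ACCEPT" for h in hosts]


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOG, "10.1.1.50").items():
        print(host, s["requests"], sorted(s["methods"]), s["max_elapsed_ms"], s["errors"])
    print("\n".join(bypass_rules(bypass_candidates(SAMPLE_LOG, "10.1.1.50"))))
```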
-
Problem with Cisco 2921 + EVM-HD-8FXS/DID with CUCM
Hello everyone.
I have the following problem that I am not able to resolve. I defined a new BRI connection.
I can make calls seamlessly between the Cisco Unified Communications Manager (version: 8.5.1.10000-26) and the Cisco 2921 (CISCO2921-V/K9).
But when calls come in from the BRI, the Cisco receives the call but the Cisco Unified Communications Manager does not transfer it to the extension.
And I can not understand why. The other BRI interfaces do not have this problem.
This is the configuration I'm using.
Current configuration : 17238 bytes
! Last configuration change at 18:02:34 PORT Mon Apr 2 2012 by admin
! NVRAM config last updated at 18:02:56 PORT Mon Apr 2 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname <<omitted>>
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 <<omitted>>
aaa new-model
aaa authentication login default none
aaa authentication login <<omitted>>
aaa accounting connection h323 start-stop group radius
aaa session-id common
clock timezone PORT 0 0
clock summer-time PORT recurring last Sun Mar 1:00 last Sun Oct 1:00
network-clock-participate slot 1
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-participate wic 2
network-clock-participate wic 3
network-clock-select 1 BRI0/0/0
network-clock-select 2 BRI0/1/0
network-clock-select 3 BRI0/2/0
network-clock-select 4 BRI0/3/0
no ipv6 cef
ip source-route
ip cef
no ip domain lookup
ip domain name <<omitted>>
multilink bundle-name authenticated
isdn switch-type basic-net3
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed- <<omitted>>
enrollment selfsigned
subject-name cn= <<omitted>>
revocation-check none
rsakeypair TP-self-signed- <<omitted>>
crypto pki certificate chain <<omitted>>
<<omitted>>
quit
voice-card 0
dsp services dspfarm
voice call send-alert
voice call disc-pi-off
voice call carrier capacity active
voice rtp send-recv
voice service voip
no ip address trusted authenticate
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
h323
modem passthrough nse codec g711ulaw
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
voice class h323 1
h225 timeout tcp establish 5
voice translation-rule 1
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 2
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
rule 4 /^21 <<omitted>>/ /21 <<omitted>>/
rule 5 /^21 <<omitted>>/ /21 <<omitted>>/
rule 6 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 3
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 4
rule 1 /^0/ /400/
rule 2 /^/ /21 <<omitted>>/
voice translation-rule 5
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 11
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 12
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /.*/ /21 <<omitted>>/
voice translation-rule 13
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 14
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 15
rule 1 /.*/ /21<<omitted>>/
voice translation-rule 21
rule 1 /^./ /0&/
voice translation-rule 22
rule 1 /^./ /0&/
voice translation-rule 25
rule 1 /^./ /0&/
voice translation-rule 23
rule 1 /^./ /0&/
voice translation-rule 24
rule 1 /^./ /0&/
voice translation-rule 32
rule 1 /^212104974/ /21 <<omitted>>/
rule 2 /.*/ /212104975/
voice translation-profile INLINE_EMPA
translate calling 22
translate called 2
voice translation-profile INLINE_EMPB
translate calling 23
translate called 3
voice translation-profile INLINE_EMPC
translate calling 25
translate called 5
voice translation-profile INLINE_EMPE
translate calling 24
translate called 4
voice translation-profile INLINE_EMPD
translate calling 21
translate called 1
voice translation-profile OUTLINE_EMPA
translate calling 12
voice translation-profile OUTLINE_EMPA_NT_FAX
translate calling 32
voice translation-profile OUTLINE_EMPB
translate calling 13
voice translation-profile OUTLINE_EMPC
translate calling 15
voice translation-profile OUTLINE_EMPE
translate calling 14
voice translation-profile OUTLINE_EMPD
translate calling 11
license udi pid CISCO2921/K9 sn <<omitted>>
hw-module pvdm 0/0
hw-module sm 1
username admin privilege 15 password 0 <<omitted>>
redundancy
ip ssh time-out 60
ip ssh authentication-retries 2
class-map match-all Voz
match access-group 100
policy-map QoS
class Voz
priority 200
set precedence 5
class class-default
fair-queue
gw-accounting aaa
attribute acct-session-id overloaded
acct-template callhistory-detail
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address <<omitted>> 255.255.0.0
ip access-group BLOCK in
load-interval 30
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip bind srcaddr <<omitted>>
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
interface BRI0/0/0
description EMPD N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/0/1
description Ecotel EMPD N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/1/0
description EMPA N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation first-call
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/1/1
description EMPA N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/2/0
description EMPB N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/2/1
description Ecotel EMPB N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI0/3/0
description EMPE N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/3/1
description Ecotel EMPA N
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/0
description B EMPC N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI1/1
description Ecotel EMPE N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/2
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/3
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/4
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/5
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/6
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/7
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip rtcp report interval 500
ip access-list extended BLOCK
deny ip any host <<omitted>>
deny ip any host <<omitted>>
deny ip any host <<omitted>>
deny ip any host <<omitted>>
permit ip any any
ip radius source-interface GigabitEthernet0/0
radius-server host <<omitted>> auth-port 1647
radius-server host <<omitted>> acct-port 1647
radius-server key <<omitted>>
radius-server vsa send accounting
control-plane
voice-port 0/0/0
translation-profile incoming INLINE_EMPD
translation-profile outgoing OUTLINE_EMPD
compand-type a-law
cptone PT
voice-port 0/0/1
compand-type a-law
cptone PT
voice-port 0/1/0
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA
compand-type a-law
cptone PT
voice-port 0/1/1
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA_NT_FAX
compand-type a-law
cptone PT
voice-port 0/2/0
translation-profile incoming INLINE_EMPB
translation-profile outgoing OUTLINE_EMPB
compand-type a-law
cptone PT
voice-port 0/2/1
translation-profile incoming INLINE_EMPB
translation-profile outgoing OUTLINE_EMPB
compand-type a-law
cptone PT
description Ligacao Acesso GSM
bearer-cap Speech
voice-port 0/3/0
translation-profile incoming INLINE_EMPE
translation-profile outgoing OUTLINE_EMPE
compand-type a-law
cptone PT
voice-port 0/3/1
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA
compand-type a-law
cptone PT
description Ligacao Acesso GSM
bearer-cap Speech
voice-port 1/0/0
compand-type a-law
cptone PT
voice-port 1/0/1
compand-type a-law
cptone PT
voice-port 1/0/2
compand-type a-law
cptone PT
voice-port 1/0/3
compand-type a-law
cptone PT
voice-port 1/0/4
compand-type a-law
cptone PT
voice-port 1/0/5
compand-type a-law
cptone PT
voice-port 1/0/6
compand-type a-law
cptone PT
voice-port 1/0/7
compand-type a-law
cptone PT
voice-port 1/0/8
translation-profile incoming INLINE_EMPC
translation-profile outgoing OUTLINE_EMPC
compand-type a-law
cptone PT
voice-port 1/0/9
compand-type a-law
cptone PT
voice-port 1/0/10
compand-type a-law
cptone PT
voice-port 1/0/11
compand-type a-law
cptone PT
voice-port 1/0/16
compand-type a-law
cptone PT
voice-port 1/0/17
compand-type a-law
cptone PT
voice-port 1/0/18
compand-type a-law
cptone PT
voice-port 1/0/19
compand-type a-law
cptone PT
ccm-manager music-on-hold
no mgcp package-capability res-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp profile default
dial-peer voice 1 pots
description +++++ Dial-peer +++++
incoming called-number .
direct-inward-dial
port 0/0/0
dial-peer voice 10 pots
description touchwise
destination-pattern 1T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/0
dial-peer voice 20 pots
description globalmove
preference 1
shutdown
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 30 pots
description globaltemp
shutdown
destination-pattern 3T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 40 pots
description EMPE
destination-pattern 4T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/3/0
dial-peer voice 100 voip
preference 1
destination-pattern .
session target ipv4:10.35.2.1
voice-class codec 1
no vad
dial-peer voice 21 pots
description globalmove
preference 2
shutdown
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 101 voip
preference 2
destination-pattern .
session target ipv4:10.35.2.2
voice-class codec 1
no vad
dial-peer voice 24 pots
description globalmove
preference 1
destination-pattern 59[1236].......
port 0/3/1
forward-digits 9
dial-peer voice 25 pots
description globalmove
preference 1
destination-pattern 500T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 26 pots
description globalmove
preference 2
destination-pattern 500T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 27 pots
description globalmove
preference 1
destination-pattern 5[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 28 pots
description globalmove
preference 2
destination-pattern 5[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 34 pots
description globalTemp
preference 1
destination-pattern 39[1236].......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/1
forward-digits 9
dial-peer voice 35 pots
description globalTemp
preference 1
destination-pattern 300T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 37 pots
description globalTemp
preference 1
destination-pattern 3[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 14 pots
description empd
preference 1
destination-pattern 19386648.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 15 pots
description empd
preference 1
destination-pattern 19365483.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 16 pots
description empd
preference 1
destination-pattern 19341347.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 50 pots
description EMPC
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 1/0/8
gateway
timer receive-rtp 1200
gatekeeper
shutdown
call-manager-fallback
max-conferences 4 gain -6
transfer-system full-consult
ip source-address 10.35.2.250 port 2000
max-ephones 100
max-dn 300
transfer-pattern 09........
transfer-pattern 02........
transfer-pattern 0.........
transfer-pattern 000T
transfer-pattern 4...
keepalive 10
time-format 24
date-format dd-mm-yy
shutdown
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login authentication touchwise
transport input ssh
line vty 5 15
login authentication touchwise
transport input ssh
scheduler allocate 20000 1000
ntp master 5
end
If in "Translation Pattern Configuration" I switch to another existing or internal "Partition", it works.
If I change back to the new one I created, it does not work.
So there must be some flaw I made in Cisco Unified CM. -
Can someone provide some information on how you would setup 2 servers to proxy out as the VIP address?
On the CSS I know you can accomplish this through the use of a group rule
Ex:
group Outbound_Proxy
vip address 192.168.1.x
add service web1
add service web2
active
What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration however, I am not too sure how to set that up.
Can someone please provide some advice?
Thank you in advance!
Thank you for your response Gilles! Glad to know that my configuration should work.
The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I would initiate a connection to the .163 VIP where it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 91
service-policy: NAT-POLICY
class: DNS-NAT-Servers
nat:
nat dynamic 2 vlan 695
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
This is the reason I have not yet performed a packet capture.
I notice the connection establish just fine and the ACE forward/balance my connection to the correct destination server. However, looking at the me-stats for the connection ID I noticed it is not dynamically NAT'ing the response out.
ACE-12539-187036/spam# sho conn | i 64.39.0.40
150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
Connection ID:seq: 34566[0x8706].5
Other ConnID : 150536[0x24c08].10
Proxy ConnID : 0[0x0].0
Next Q : 0[0x0]
192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 0
Interface Match : Yes
Interface MatchID: 13
EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
MSS : 1380 TOS Stamp : 0
Repeat mode : No ARP Lookup : No
TOS Stamp : No TCP Window Check: No
ACE ID : 12898 NAT Policy ID : 0
Post NAT hop : 0
Packet Count : 1 Byte Count : 44
TCP Information: (State = 3)
Window size : 16384 Window scale : 0
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 5b40000 Last seq : 79e90c16
timestamp_delta: 0 Last ack : 1
No Trigger : 0 Trigger Status : 0
Timestamp : 6279495f
TCP options negotiated:
Sack:Clear TS:Clear Windowscale: Clear
Reserved: Allow Exceed MSS: Deny Window var: Allow
Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply to only outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can setup dynamic NAT for a specific serverfarm. Do you think I should try that instead?
Thank you in advance!
- Jason -
Cache engine http transparent proxy and caching
Hi..
My customer has some GPRS users for whom they can't control the proxy setting of the web browser.
Is it possible to configure a cache engine such that when these users access the Internet, they will be intercepted by the cache engine? The cache engine then forwards the request to a proxy server and out to the Internet?
Rgds
Eng Wee
It is possible to configure the cache engine to provide access to the users. The following URL shows an example on how to configure the Cisco Cache Engine for transparent caching using the Web Cache Coordination Protocol (WCCP).
http://www.cisco.com/warp/public/117/cache_engine/transparentconfig.html
This scenario is pretty similar to your requirement. Hope this helps. -
We want destination NAT to work. We have 6509 series switches running HSRP. We have 2 locations. At these locations proxy servers do the job of filtering and sending the web traffic. What we want is: if the proxy server at location 1 goes down, we should be able to NAT the incoming traffic for the proxy server from the user VLAN to the proxy server of location B. The IOS version is IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(4)E3. What commands do we need to run?
Thanks
Your problem is not going to be so much the NAT as how you figure out when the proxy goes down.
The only thing I have seen that can take action based on an external server is to use object tracking and policy routing. I don't think NAT has any ability to do this.
Another solution that you may want to consider if your switches support it is to use server load balancing (SLB) to do this.
There are a number of ways to configure this but it will depend on where your servers are located in relation to the switch. Since this is designed for load balancing first and redundancy second it may not end up being efficient.
Now if you really want to use NAT you could use the policy routing with the object track options and route the traffic to either another router or to loopback interfaces. This would be a variation of NAT on a stick. In effect you would be rerouting your traffic through NAT interfaces based on availability. Both the policy routing track options and NAT on a stick are not the most simple things to configure. The policy routing with track option is fairly new and I don't know if they have put it in the switch versions of the IOS yet.