Cisco 2921 destination NAT for transparent proxy

Hi All,
I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
In iptables it's easy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am, however, trying to work out a way to do this without the need for a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Cheers,
Jordan.

Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it which will also verify the remote proxy server is available as well.
ip sla monitor 1
 type echo protocol ipIcmpEcho <ip address of your proxy server>
 timeout 3000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
interface FastEthernet0/1
 ip address <x.x.x.x x.x.x.x>
 ip policy route-map REDIRECT-TO-PROXY
ip access-list extended webtraffic
 ! Deny traffic from your proxy server from being redirected
 deny tcp host <ip address of your proxy server> any eq www
 deny tcp host <ip address of your proxy server> any eq https
 permit tcp <your ip network> <subnet mask> any eq www
 permit tcp <your ip network> <subnet mask> any eq https
route-map REDIRECT-TO-PROXY permit 10
 match ip address webtraffic
 set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:
Here is how my router is configured.
interface FastEthernet0/0
 ip address dhcp hostname home-rtr-1
 ip nat outside
interface FastEthernet0/1
 ip address 10.235.x.x 255.255.255.252
 ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>
HTH
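To see what the route-map above does and does not do, here is an added Python model of that configuration (not part of the original reply and not Cisco code); the LAN, proxy and default-gateway addresses are assumed. It shows three things a practitioner should expect from it: the proxy's own port 80/443 traffic is excluded by the deny entries, so it is never redirected back to itself; traffic the ACL does not match takes the normal route; and when track 123 goes down the set clause is skipped and web traffic is routed normally, i.e. the redirect fails open and clients reach the internet directly, which may or may not be what you want. Note also that PBR only changes the next hop; the destination address is untouched, so the proxy itself has to intercept transparently (the part the original poster's iptables DNAT did on the Linux box), and "set ip next-hop" expects an adjacent next hop (IOS has "set ip next-hop recursive" for a proxy several hops away).

```python
# Added example (not from the original reply): a model of the
# webtraffic ACL + REDIRECT-TO-PROXY route-map with a tracked next hop.
# LAN, PROXY and DEFAULT_GW are assumed addresses.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("10.235.0.0/24")          # assumed inside network
PROXY = ip_address("10.235.0.250")         # assumed proxy, on the LAN segment
DEFAULT_GW = ip_address("198.51.100.1")    # assumed normal next hop (routing table)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL, reduced to the fields used here."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # CIDR; a host is /32
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# ip access-list extended webtraffic: the proxy's own outbound web
# traffic is denied first so it is never redirected back to itself,
# then the LAN's port 80/443 traffic is permitted.
WEBTRAFFIC = [
    Ace("deny", "tcp", f"{PROXY}/32", "0.0.0.0/0", 80),
    Ace("deny", "tcp", f"{PROXY}/32", "0.0.0.0/0", 443),
    Ace("permit", "tcp", str(LAN), "0.0.0.0/0", 80),
    Ace("permit", "tcp", str(LAN), "0.0.0.0/0", 443),
]


def acl_permits(acl, p: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def select_next_hop(p: Packet, track_up: bool):
    """route-map REDIRECT-TO-PROXY permit 10 with
    'set ip next-hop verify-availability <proxy> 1 track 123'.
    If the tracked object is down, the set clause is skipped and the
    packet is routed normally: the redirect fails open."""
    if acl_permits(WEBTRAFFIC, p) and track_up:
        return PROXY
    return DEFAULT_GW


if __name__ == "__main__":
    client_web = Packet("10.235.0.5", "93.184.216.34", "tcp", 80)
    proxy_web = Packet(str(PROXY), "93.184.216.34", "tcp", 80)
    client_ssh = Packet("10.235.0.5", "93.184.216.34", "tcp", 22)
    print("client :80, proxy up   ->", select_next_hop(client_web, True))
    print("proxy  :80, proxy up   ->", select_next_hop(proxy_web, True))
    print("client :22, proxy up   ->", select_next_hop(client_ssh, True))
    print("client :80, proxy DOWN ->", select_next_hop(client_web, False))
```

Run it with python3; the three constants at the top are the only things to change for your own addressing.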

Similar Messages

  • Cisco device supporting NAT for SCTP

    Hello,
    I can't think of a more proper category for posting this one. I'd like to know if there is a Cisco router (or other device for that matter) which may offer NAT service for packets using the SCTP protocol, i.e. translate the IP address and SCTP port contained in the packet (source or destination) into those configured on the device by the user.
    Packet received by Device: Source IP a1.b1.c1.d1 Source SCTP port: X1 Dest IP w1.x1.y1.z1 Dest SCTP port: Y1
    Packet exiting Device: Source IP a2.b2.c2.d2 Source SCTP port: X2 Dest IP w2.x2.y2.z2 Dest SCTP port: Y2
    Translate the Destination IP and Port of SCTP packets sent from the PCU to the IP and Port set on a Windows PC, and vice versa.
    I thank you in advance for your responses.

  • Cisco 800 outbound redirect for Cloud Proxy

    Hey,
    I want to know if it's possible to redirect all outbound HTTP/HTTPS traffic to an external service on a custom port? Example below.
    Client points their browser to google.com (port 80) and the router should redirect this request to ExternalProxy:1234.
    Thanks for any help.

    Sounds like you need a route-map to change the next IP hop?
    This would be the best way to do it which will also verify the remote proxy server is available as well.
    ip sla monitor 1
     type echo protocol ipIcmpEcho <ip address of your proxy server>
     timeout 3000
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    track 123 rtr 1 reachability
    interface FastEthernet0/1
     ip address <x.x.x.x x.x.x.x>
     ip policy route-map REDIRECT-TO-PROXY
    ip access-list extended webtraffic
     ! Deny traffic from your proxy server from being redirected
     deny tcp host <ip address of your proxy server> any eq www
     deny tcp host <ip address of your proxy server> any eq https
     permit tcp <your ip network> <subnet mask> any eq www
     permit tcp <your ip network> <subnet mask> any eq https
    route-map REDIRECT-TO-PROXY permit 10
     match ip address webtraffic
     set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
    If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:
    Here is how my router is configured.
    interface FastEthernet0/0
     ip address dhcp hostname home-rtr-1
     ip nat outside
    interface FastEthernet0/1
     ip address 10.235.x.x 255.255.255.252
     ip nat inside
    ip nat inside source list 10 interface FastEthernet0/0 overload
    access-list 10 permit <your ip network> <your ip subnet>
    HTH

  • Cisco ASA 8.2. Destination NAT (network - network)

    Hi Guys,
    Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
    For example, will destination NAT like this work:
    static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
    I need that when a packet from Internet go to 8.2.2.X it's destination IP address will change to 10.10.8.X.
    So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
    If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
    Etc.
    Thanks.

    Hello,
    Yes, that is possible.. In fact that is the way it works.
    Regards,
    Julio

  • Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

    Hello Dears,
    I'm trying to implement Cache loadbalancing through Cisco ACE Module.
    I have 2 Bluecoat cache proxies. When I configure transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing of the client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.
    I'm afraid that I have a problem in the returned traffic PBR.
    can anyone help please.
    Thanks

    Hi Ibrahim
    I have reviewed the config. The ACE config is all good but I do see some issue with the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should be the client IP address. However, what you did is the IP address between the ACE and MSFC. Try to configure the test client IP address into the below access-list.
    msfc---vlan 265---ACE--vlan 264----CE farm
    interface vlan 265
      description Interface_With_MSFC_SUBS_2_INTERNET
      ip address 168.168.1.52 255.255.255.248
      access-group input PERMIT_ALL
      service-policy input L3L4_PM
      no shutdown
    ip route 0.0.0.0 0.0.0.0 168.168.1.50
    ip access-list extended HSDPA_2_CACHE
    permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong
    ip access-list extended Internet_2_CACHE
    permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong
    interface Vlan 265
    description Interface_With_ACE
    ip address 168.168.1.50 255.255.255.248
    route-map INTERNET_2_HSDPA permit 10
    description "PBR for Response HTTP Traffic"
    match ip address Internet_2_CACHE
    set ip next-hop 168.168.1.52
    route-map HSDPA_2_INTERNET permit 10
    match ip address HSDPA_2_CACHE
    set ip next-hop 168.168.1.52
    regards
    Andrew

  • Cisco asa traffic flow with destination nat

    Hi Folks,
                       Can anybody comment on the below.
    1. In source NATting (inside users accessing the internet), first the NAT happens, then the routing. I agree with this.
    2. In destination NATting (outside users accessing an inside server on a public IP), what happens first, NATting or routing? I am looking forward to hearing an explanation.
    regards
    Rajesh

    The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
    The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
    That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
    The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
    The short answer:
    The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
         If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
         If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
    The longer answer:
    For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
    Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
         Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
    Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
         Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
       -or-
         Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
         If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
    Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the NAT translation. You can actually see the NAT divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
    Now let's refer to the specific example you outlined in your post; you said:
    route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
    route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
    nat (LAN,ISP-1) after-auto source dynamic any interface
    nat (LAN,ISP-2) after-auto source dynamic any interface
    Now let's say that there is a connection coming from behind the LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before the L3 route lookup?
    The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
    It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
    It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
    Message was edited by: Jay Johnston
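    The two divert checks described in the answer above, as an added Python model (not Cisco code and not from the original thread). It reuses the two routes and the two dynamic NAT lines quoted in the post, and adds two assumed NAT lines, marked as such in the code, to show each divert case: a static rule with explicit destination translation (identity NAT of the kind used for VPN traffic) pulling LAN traffic to another interface even though the routing table points at ISP-1, and an inbound packet on ISP-1 addressed to a mapped address being pulled to the real interface. The interface names WAN and DMZ and the addresses in those two lines are assumptions.

```python
# Added example (not from the original reply): egress-interface selection
# with the NAT divert check run before the global routing table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str
    gateway: str
    metric: int


@dataclass(frozen=True)
class NatRule:
    """nat (real_if,mapped_if) source {static|dynamic} real mapped
    [destination static dst_mapped dst_real], reduced to what the
    divert check needs."""
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str                   # "interface" means PAT to the interface address
    static: bool
    dst_real: Optional[str] = None    # set only when destination translation is explicit
    dst_mapped: Optional[str] = None


def nat_divert(ingress: str, src: str, dst: str, rules) -> Optional[str]:
    """Step 2 of the reply: return the egress interface forced by a
    NAT divert entry, or None if the routing table decides."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        # Check A: arrived on the mapped interface, destined to a mapped
        # address. Dynamic/PAT rules have no usable inbound mapping
        # (the divert table carries them with ignore=yes), so only
        # static source translations count.
        if (ingress == r.mapped_if and r.static
                and r.mapped_src != "interface"
                and d in ip_network(r.mapped_src)):
            return r.real_if
        # Check B: arrived on the real interface and the rule explicitly
        # translates the destination, e.g. identity NAT for VPN traffic.
        if (ingress == r.real_if and r.dst_real is not None
                and s in ip_network(r.real_src)
                and d in ip_network(r.dst_real)):
            return r.mapped_if
    return None


def route_lookup(dst: str, routes) -> Optional[Route]:
    """Global routing table: longest prefix, then lowest metric."""
    d = ip_address(dst)
    candidates = [r for r in routes if d in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))


def egress_interface(ingress, src, dst, rules, routes) -> Optional[str]:
    """Divert check first; only if nothing diverts, consult the routing table."""
    diverted = nat_divert(ingress, src, dst, rules)
    if diverted is not None:
        return diverted
    route = route_lookup(dst, routes)
    return route.iface if route else None


# Routes and NAT lines quoted in the thread.
ROUTES = [
    Route("ISP-1", "0.0.0.0/0", "1.1.1.1", 1),
    Route("ISP-2", "0.0.0.0/0", "2.2.2.1", 254),
]
RULES = [
    # nat (LAN,ISP-1) after-auto source dynamic any interface
    NatRule("LAN", "ISP-1", "0.0.0.0/0", "interface", static=False),
    # nat (LAN,ISP-2) after-auto source dynamic any interface
    NatRule("LAN", "ISP-2", "0.0.0.0/0", "interface", static=False),
    # Assumed addition, not in the thread:
    # nat (LAN,WAN) source static LAN-NET LAN-NET destination static REMOTE REMOTE
    NatRule("LAN", "WAN", "10.10.10.0/24", "10.10.10.0/24", static=True,
            dst_real="192.168.50.0/24", dst_mapped="192.168.50.0/24"),
    # Assumed addition, not in the thread:
    # nat (DMZ,ISP-1) source static SRV 1.1.1.10
    NatRule("DMZ", "ISP-1", "172.16.0.10/32", "1.1.1.10/32", static=True),
]

if __name__ == "__main__":
    # The case from the thread: no divert entry matches, routing wins.
    print(egress_interface("LAN", "10.10.10.10", "8.8.8.8", RULES, ROUTES))       # ISP-1
    # Check B: explicit destination translation pulls the packet to WAN.
    print(egress_interface("LAN", "10.10.10.10", "192.168.50.7", RULES, ROUTES))  # WAN
    # Check A: inbound to a mapped address on ISP-1 is pulled to DMZ.
    print(egress_interface("ISP-1", "203.0.113.5", "1.1.1.10", RULES, ROUTES))    # DMZ
```

    The second case is the one that surprises people: the routing table has only default routes via ISP-1 and ISP-2, yet the packet leaves via WAN because the identity NAT with a destination clause is a divert entry. The same logic is why a carelessly broad "destination static" line can steal traffic from the interface the routing table intended.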

  • Bypass NAT for single printer IP

    Hi all,
    I posted a while ago that we were having problems translating an IP for a printer (located here https://supportforums.cisco.com/message/4099013#4099013)
    We still haven't been able to get it working and thought about another approach which is to leave the printer IP as a 10.100.x.x IP and instead set up the ASA to bypass the NAT for this IP so it doesn't get translated.
    Is this possible and how would i go about doing it?
    Many thanks
    Jamie

    Yeah its really frustrating that we can't solve it.
    Regarding the ports, we have a piece of software that apparently needs to communicate on 52221, 52222 and HTTPS (443) but it still doesn't seem to communicate. Apparently that IP in the config is the source, but I wouldn't mind opening those ports globally for all IPs.
    Here is the current config.
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.100.104.2 255.255.248.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.29.8.1 255.255.248.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa845-k8.bin
    ftp mode passive
    object network any-inside
    subnet 0.0.0.0 0.0.0.0
    object network TSTC-Printing
    host 172.29.8.20
    object service tcp_9100
    service tcp source eq 9100 destination eq 9100
    object network TCSC-Printing
    object network PRINTER
    host 10.100.104.20
    object network Portico
    host 172.29.8.46
    object network Eportal
    host 172.29.8.36
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 52221
    port-object eq 52222
    port-object eq https
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
    access-list outside_access_in remark Form Pearson Exam Software
    access-list outside_access_in extended permit tcp host 212.62.15.118 any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit object tcp_9100 any host 10.100.104.20
    access-list outside_access_in extended permit ip any object TSTC-Printing
    access-list outside_access_in extended permit ip any object Portico
    access-list outside_access_in extended permit ip any object Eportal
    access-list PRINTER-CAPTURE extended permit ip host 10.100.104.20 any
    access-list PRINTER-CAPTURE extended permit ip any host 10.100.104.20
    pager lines 24
    logging enable
    logging timestamp
    logging monitor informational
    logging buffered informational
    logging trap informational
    logging asdm informational
    logging host inside 172.29.10.226 format emblem
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    object network any-inside
    nat (inside,outside) dynamic interface
    object network TSTC-Printing
    nat (inside,outside) static 10.100.104.20
    object network Portico
    nat (inside,outside) static 10.100.104.5
    object network Eportal
    nat (inside,outside) static 10.100.104.4
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.100.104.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 1234
    http 192.168.1.0 255.255.255.0 management
    http 172.29.8.0 255.255.248.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 172.29.8.0 255.255.248.0 inside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.10-192.168.1.20 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username password encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    Many thanks

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

    Hi!
    I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
    I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels were being torn down since they request a proxy that doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
    The remote peer said they did not change the proxy ID on their side, so possibly the old platform just didn't set up the SA without tearing down the tunnel, while the ASA on the new platform tears it down if there is any mismatch.
    Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration that is related to this issue? i.e. just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
    Thanks!!
    //Cody

    Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
    If so, this end also needs to be configured with "any" --> the crypto ACLs need to be mirror images.
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

    Hi,
    I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
    Any ideas?
    Thanks Steve
    https://supportforums.cisco.com/thread/255085
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
    5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
    4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
    3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
    6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
    6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

    Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
    If so, this end also needs to be configured with "any" --> the crypto ACLs need to be mirror images.
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0
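    Both threads above show the same %ASA-3-713061 rejection, and both replies come down to the crypto ACLs having to be mirror images. As an added example (not Cisco code and not from either thread), here is a small Python checker that pulls the peer's proposed proxy identities out of those log lines (the addr/mask/protocol/port fields) and compares them with the local crypto ACL, reporting whether a mirror entry exists, whether the peer is merely proposing something narrower than your entry, or nothing matches at all. The ACL lines in the block are constructed for illustration; the log lines are the ones quoted above with their prefixes trimmed. "subset" is the case to look at when the remote side insists it changed nothing: it tells you which side is narrower.

```python
# Added example (not Cisco code): parse %ASA-3-713061 proxy-ID rejections
# and compare the peer's proposal with the local crypto ACL.
import re
from ipaddress import ip_network

PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)


def parse_713061(line):
    """Return (local_net, remote_net) as proposed by the peer, or None if the
    line is not a 713061 rejection. 'local' is our side of the tunnel."""
    if "713061" not in line:
        return None
    m = PROXY_RE.search(line)
    if not m:
        return None
    local = ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
    remote = ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
    return local, remote


def _net(tokens):
    """Consume one ASA ACL address spec: 'any', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(f"{tokens.pop(0)}/32")
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(lines, name):
    """Return [(local_net, remote_net)] for the 'permit ip' ACEs of the named
    crypto ACL. In an ASA crypto ACL the source is the local side and the
    destination is the remote side."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        local = _net(rest)
        remote = _net(rest)
        aces.append((local, remote))
    return aces


def classify(proposal, aces):
    """'exact' if a mirror-image ACE exists, 'subset' if the proposal only
    falls inside a broader ACE, 'none' otherwise."""
    local, remote = proposal
    best = "none"
    for acl_local, acl_remote in aces:
        if acl_local == local and acl_remote == remote:
            return "exact"
        if local.subnet_of(acl_local) and remote.subnet_of(acl_remote):
            best = "subset"
    return best


def analyse(log_lines, acl_lines, name="outside_1_cryptomap"):
    """For every 713061 line, report (local, remote, verdict)."""
    aces = parse_crypto_acl(acl_lines, name)
    results = []
    for line in log_lines:
        proposal = parse_713061(line)
        if proposal:
            results.append((str(proposal[0]), str(proposal[1]), classify(proposal, aces)))
    return results


# Log lines quoted in the two threads (syslog prefixes trimmed).
LOG_LINES = [
    "%ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 "
    "local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside",
    "713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 "
    "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
    "%ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error",
]

# Constructed local crypto ACL (not from the threads): the first entry is
# broader than the peer's /32-to-/32 proposal; the second is the mirror-image
# entry the reply suggests for the 172.16.0.0/20 case.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip 10.10.9.0 255.255.255.0 host 192.168.1.226",
    "access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0",
]

if __name__ == "__main__":
    for local, remote, verdict in analyse(LOG_LINES, CRYPTO_ACL):
        print(f"local {local:<18} remote {remote:<18} -> {verdict}")
```

    Feed it your own syslog export and the "access-list ... extended permit ip" lines of the crypto ACL bound to the crypto map; anything that comes back "none" or "subset" is a selector the other side is proposing that you have not mirrored.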

  • NAT overload is not working when i configure Double NAT for VPN

    I have Cisco 2921 router with OS version 15.1(4)M1.
    The router is configured for NAT overload and working fine. I have a site-to-site VPN tunnel with a peer, with normal NAT translation. Now we need to configure double NAT on the VPN tunnel as we need to free the subnet on the peer network. For double NAT I use the 3.2.21.x - 3.2.23.x /24 networks and apply the following commands:
    Double NAT translation
    ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
    ip nat inside source static network 192.168.20.0 3.2.22.0 /24 no-alias
    ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
    Nonat
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    VPN encrypted traffic over the tunnel
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Problem:
    As soon as I apply the double NAT translation commands, the NAT overload stops working and clients cannot reach the internet.
    the router partial configuration is as below
    REACH-R01(config)#do sh run
    Building configuration...
    Current configuration : 19233 bytes
    ! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname REACH-R01
    boot-start-marker
    boot-end-marker
    card type t1 0 0
    logging buffered 51200 warnings
    no aaa new-model
    clock timezone MST -7 0
    clock summer-time MST recurring
    network-clock-participate wic 0
    network-clock-select 1 T1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    ip dhcp excluded-address 192.168.20.250 192.168.20.255
    ip dhcp pool CISCO_PHONES
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.254
    option 150 ip 192.168.20.254
    no ip domain lookup
    ip domain name reach.local
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    multilink bundle-name authenticated
    isdn switch-type primary-ni
    trunk group PRI
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3180627716
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3180627716
    revocation-check none
    rsakeypair TP-self-signed-3180627716
    voice-card 0
    dsp services dspfarm
    voice service voip
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    sip
    voice translation-rule 1
    rule 5 /^7804981231/ /401/
    voice translation-rule 2
    rule 5 // /7804981231/
    voice translation-profile DID_INBOUND
    translate called 1
    voice translation-profile DID_OUTBOUND
    translate calling 2
    license udi pid CISCO2911/K9 sn FGL1540114P
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module ism 0
    hw-module pvdm 0/0
    username test test
    redundancy
    controller T1 0/0/0
    cablelength long 0db
    pri-group timeslots 1-6,24
    no ip ftp passive
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
    description COMPUGEN
    set peer 33.33.33.33
    set transform-set ESP-AES256-SHA
    match address 115
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Outside Interface To the Internet
    ip address dhcp
    ip access-group outside_access_in in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN-TUNNEL
    interface ISM0/0
    ip unnumbered GigabitEthernet0/1.20
    service-module ip address 192.168.20.2 255.255.255.0
    !Application: CUE Running on ISM
    service-module ip default-gateway 192.168.20.254
    interface GigabitEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.10
    description VLAN 10 DATA VLAN
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/1.20
    description VLAN 20 VOICE VLAN
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet0/1.30
    description VLAN 30 WIRELESS VLAN
    encapsulation dot1Q 30
    ip address 192.168.30.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ISM0/1
    description Internal switch interface connected to Internal Service Module
    no ip address
    interface Serial0/0/0:23
    no ip address
    encapsulation hdlc
    isdn switch-type primary-ni
    isdn incoming-voice voice
    trunk-group PRI
    no cdp enable
    interface Vlan1
    no ip address
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip http path flash:CME8.6/GUI
    ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
    ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
    ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
    ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
    ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
    ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
    ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
    ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
    ip route 192.168.20.2 255.255.255.255 ISM0/0
    ip access-list extended outside_access_in
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit tcp any host 22.22.22.22 eq 1723
    permit tcp any host 22.22.22.22 eq 3389
    permit tcp any host 22.22.22.22 eq smtp
    permit tcp any host 22.22.22.22 eq 443
    permit tcp any host 22.22.22.22 eq domain
    permit udp any host 22.22.22.22 eq domain
    permit tcp any host 22.22.22.22 eq 123
    permit icmp any host 22.22.22.22 unreachable
    permit icmp any host 22.22.22.22 echo-reply
    permit icmp any host 22.22.22.22 packet-too-big
    permit icmp any host 22.22.22.22 time-exceeded
    permit icmp any host 22.22.22.22 traceroute
    permit icmp any host 22.22.22.22 administratively-prohibited
    permit icmp any host 22.22.22.22 echo
    permit tcp any host 22.22.22.22 eq 987
    permit tcp any host 22.22.22.22 eq 47
    permit gre any host 22.22.22.22
    permit udp any host 22.22.22.22 eq isakmp
    permit esp any host 22.22.22.22
    access-list 23 permit any
    access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    access-list 101 permit ip 192.168.30.0 0.0.0.255 any
    access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255

    I have the same problem also.  Restarting isn't helping and the auto lock/unlock button is on.  Plus a couple of times when I turn it on it is asking if I want to power off.  That is when I push the button on the front to wake it up.  Not the power button on top.  I have an iPad 2. Worked fine before the update.

  • IPhoto '08 Book upload errors with squid transparent proxy - tip

    Hi folks
    I've just "solved" a problem I was having with iPhoto Book uploads. The solution may apply to other publishing products from iPhoto and possibly iDisk uploads too.
    My firewall & proxy setup is basically Linux iptables redirecting all outbound http (port 80) connections to a dansguardian filter, which in turn is passed onto a squid instance running as a transparent proxy (oh, and there's a privoxy in this all too!). Yeah, OK, I know, slightly paranoid, but I don't want my children accidentally browsing stuff I don't think they are old enough for yet!
    Now I had the problem before with iPhoto '06 as well, but at the time just didn't have the time or inclination to figure out what the problem was, and just did the book order and upload from the office, where it went through without a problem. This time I decided to dig a bit and see what was happening. The clue that triggered off the solution was watching the part of the order process where the book data is uploaded. In my default setup, the upload bar would scream through to 100%, and then sit there for ages, before coming back with a connection error. Watching the network flashy lights on the NIC on the firewall though, it suddenly dawned on me that what was happening was that the upload was screaming through to the squid (as there was no outbound network activity from the firewall while this was happening) and then sitting there waiting for squid to pass it on to the Apple site (as shown by the outbound NIC activity light suddenly going bonkers once the upload bar hit 100%).
    So clearly there's a problem sending book orders via a squid proxy setup as a transparent proxy. It might also very well be dansguardian interfering and wanting to take the entire upload and checking it before passing it on to squid. I already have a site exception set up for all apple.com URLs in dansguardian though, so didn't think it would be that. I thought about dicking around with the squid ACLs but didn't have the enthusiasm to spend half the day getting that working.
    So what I did in the end was tail the squid logs to see what was being proxied whilst the book order was going on, and then dropped in 3 new rules in my iptables setup just before the redirect rule. Tried ordering the book again, and voila!
    The three rules I inserted were:
    $IPTABLES -t nat -A PREROUTING ! -s 10.1.1.1 -p tcp -d mercury.apple.com -j ACCEPT
    $IPTABLES -t nat -A PREROUTING ! -s 10.1.1.1 -p tcp -d configuration.apple.com -j ACCEPT
    $IPTABLES -t nat -A PREROUTING ! -s 10.1.1.1 -p tcp -d publish.mac.com -j ACCEPT
    The "! -s 10.1.1.1" bit is obviously particular to my setup, as I wouldn't want connections from the router itself being proxied, so that may need to either be customised or left out altogether. These three rules are then immediately followed by the redirect:
    $IPTABLES -t nat -A PREROUTING ! -s 10.1.1.1 -p tcp --dport 80 -j REDIRECT --to-port 8081
    Hope that is of some help to someone out there!
    K
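The post above derived its bypass list by tailing the squid log during the upload. The script below is an added example (not the poster's code) that mechanises that step: it parses squid's native access.log format, lists the hosts one client reached inside a time window, and emits iptables bypass rules to be inserted ahead of the REDIRECT rule. The log lines are constructed samples; the router address 10.1.1.1, the client 10.1.1.50 and the added `--dport 80` match are assumptions.

```python
"""Derive transparent-proxy bypass rules from squid access.log lines.

Added example, not from the original post. Assumptions: 10.1.1.1 is the
router/firewall itself (excluded from redirection, as in the post),
10.1.1.50 is the Mac doing the upload, and the log is in squid's native
format. All log lines below are constructed samples.
"""
import re
from urllib.parse import urlsplit

# squid native format:
#   time elapsed client action/code size method url user hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: one client ordering a book, plus unrelated traffic
# from another host that must not end up in the bypass list.
SAMPLE_LOG = """\
1330000000.101    120 10.1.1.50 TCP_MISS/200 845 GET http://www.apple.com/ - DIRECT/17.0.0.1 text/html
1330000005.212 612000 10.1.1.50 TCP_MISS/502 0 POST http://mercury.apple.com/WebObjects/Mercury.woa/wa/upload - DIRECT/17.0.0.2 -
1330000006.303    231 10.1.1.50 TCP_MISS/200 2210 GET http://configuration.apple.com/configurations/iphoto/book.xml - DIRECT/17.0.0.3 application/xml
1330000007.404    199 10.1.1.51 TCP_HIT/200 4120 GET http://www.example.org/news - NONE/- text/html
1330000008.505    300 10.1.1.50 TCP_MISS/200 980 POST http://publish.mac.com/publish - DIRECT/17.0.0.4 text/plain
"""


def parse_native(line):
    """Return (timestamp, client, method, host), or None if the line does not parse."""
    m = NATIVE_RE.match(line)
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname
    if host is None:
        # CONNECT requests log "host:port" rather than a full URL
        host = m.group("url").rsplit(":", 1)[0]
    return float(m.group("ts")), m.group("client"), m.group("method"), host


def hosts_for_client(log_text, client, start, end):
    """Distinct destination hosts one client reached inside [start, end], in first-seen order."""
    hosts = []
    for line in log_text.splitlines():
        rec = parse_native(line)
        if rec is None:
            continue
        ts, src, _method, host = rec
        if src == client and start <= ts <= end and host not in hosts:
            hosts.append(host)
    return hosts


def bypass_rules(hosts, skip_src="10.1.1.1", port=80, chain="PREROUTING"):
    """iptables nat rules that exempt the given hosts from a later REDIRECT.

    Uses the extrapositioned negation (! -s) and -I with an explicit position,
    so the ACCEPT rules land in front of an already installed REDIRECT rule
    and keep the order in which the hosts were seen. Hostnames given with -d
    are resolved by iptables when the rule is inserted, not per packet.
    """
    rules = []
    for pos, host in enumerate(hosts, start=1):
        rules.append(
            f"iptables -t nat -I {chain} {pos} ! -s {skip_src} -p tcp "
            f"-d {host} --dport {port} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Window covering the upload attempt (seconds since the epoch, as squid logs them)
    seen = hosts_for_client(SAMPLE_LOG, "10.1.1.50", 1330000005.0, 1330000009.0)
    for rule in bypass_rules(seen):
        print(rule)
```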

    Tony,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at
    http://support.novell.com.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://support.novell.com/forums)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Problem whit cisco 2921 + EVM-HD-8FXS/DID whit CUCM

    Hello everyone.
    I have the following problem that I am not able to resolve. I defined a new BRI connection.
    I can make calls seamlessly between the Cisco Unified Communications Manager (version: 8.5.1.10000-26) and Cisco 2921 (CISCO2921-V/K9).
    But when calls come in from the BRI, the Cisco receives the call but the Cisco Unified Communications Manager does not transfer it to the extension.
    And I can not understand why. Other BRI interfaces do not have this problem.
    This is the configuration I'm using.
    Current configuration : 17238 bytes
    ! Last configuration change at 18:02:34 PORT Mon Apr 2 2012 by admin
    ! NVRAM config last updated at 18:02:56 PORT Mon Apr 2 2012 by admin
    ! NVRAM config last updated at 18:02:56 PORT Mon Apr 2 2012 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname  <<omitted>>
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5  <<omitted>>
    aaa new-model
    aaa authentication login default none
    aaa authentication login <<omitted>>
    aaa accounting connection h323 start-stop group radius
    aaa session-id common
    clock timezone PORT 0 0
    clock summer-time PORT recurring last Sun Mar 1:00 last Sun Oct 1:00
    network-clock-participate slot 1
    network-clock-participate wic 0
    network-clock-participate wic 1
    network-clock-participate wic 2
    network-clock-participate wic 3
    network-clock-select 1 BRI0/0/0
    network-clock-select 2 BRI0/1/0
    network-clock-select 3 BRI0/2/0
    network-clock-select 4 BRI0/3/0
    no ipv6 cef
    ip source-route
    ip cef
    no ip domain lookup
    ip domain name  <<omitted>>
    multilink bundle-name authenticated
    isdn switch-type basic-net3
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed- <<omitted>>
    enrollment selfsigned
    subject-name cn= <<omitted>>
    revocation-check none
    rsakeypair TP-self-signed- <<omitted>>
    crypto pki certificate chain  <<omitted>>
    <<omitted>>
          quit
    voice-card 0
    dsp services dspfarm
    voice call send-alert
    voice call disc-pi-off
    voice call carrier capacity active
    voice rtp send-recv
    voice service voip
    no ip address trusted authenticate
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
    h323
    modem passthrough nse codec g711ulaw
    voice class codec 1
    codec preference 1 g711ulaw
    codec preference 2 g711alaw
    codec preference 3 g729r8
    voice class h323 1
      h225 timeout tcp establish 5
    voice translation-rule 1
    rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
    voice translation-rule 2
    rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 4 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 5 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 6 /^21 <<omitted>>/ /21 <<omitted>>/
    voice translation-rule 3
    rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
    voice translation-rule 4
    rule 1 /^0/ /400/
    rule 2 /^/ /21 <<omitted>>/
    voice translation-rule 5
    rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
    voice translation-rule 11
    rule 1 /.*/ /21 <<omitted>>/
    voice translation-rule 12
    rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
    rule 2 /.*/ /21 <<omitted>>/
    voice translation-rule 13
    rule 1 /.*/ /21 <<omitted>>/
    voice translation-rule 14
    rule 1 /.*/ /21 <<omitted>>/
    voice translation-rule 15
    rule 1 /.*/ /21<<omitted>>/
    voice translation-rule 21
    rule 1 /^./ /0&/
    voice translation-rule 22
    rule 1 /^./ /0&/
    voice translation-rule 25
    rule 1 /^./ /0&/
    voice translation-rule 23
    rule 1 /^./ /0&/
    voice translation-rule 24
    rule 1 /^./ /0&/
    voice translation-rule 32
    rule 1 /^212104974/ /21 <<omitted>>/
    rule 2 /.*/ /212104975/
    voice translation-profile INLINE_EMPA
    translate calling 22
    translate called 2
    voice translation-profile INLINE_EMPB
    translate calling 23
    translate called 3
    voice translation-profile INLINE_EMPC
    translate calling 25
    translate called 5
    voice translation-profile INLINE_EMPE
    translate calling 24
    translate called 4
    voice translation-profile INLINE_EMPD
    translate calling 21
    translate called 1
    voice translation-profile OUTLINE_EMPA
    translate calling 12
    voice translation-profile OUTLINE_EMPA_NT_FAX
    translate calling 32
    voice translation-profile OUTLINE_EMPB
    translate calling 13
    voice translation-profile OUTLINE_EMPC
    translate calling 15
    voice translation-profile OUTLINE_EMPE
    translate calling 14
    voice translation-profile OUTLINE_EMPD
    translate calling 11
    license udi pid CISCO2921/K9 sn  <<omitted>>
    hw-module pvdm 0/0
    hw-module sm 1
    username admin privilege 15 password 0  <<omitted>>
    redundancy
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map match-all Voz
    match access-group 100
    policy-map QoS
    class Voz
      priority 200
      set precedence 5
    class class-default
      fair-queue
    gw-accounting aaa
    attribute acct-session-id overloaded
    acct-template callhistory-detail
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address  <<omitted>> 255.255.0.0
    ip access-group BLOCK in
    load-interval 30
    duplex auto
    speed auto
    h323-gateway voip interface
    h323-gateway voip bind srcaddr  <<omitted>>
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description $ES_LAN$
    no ip address
    shutdown
    duplex auto
    speed auto
    interface BRI0/0/0
    description  EMPD N:
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/0/1
    description Ecotel EMPD N:
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/1/0
    description  EMPA N:
    no ip address
    isdn switch-type basic-net3
    isdn tei-negotiation first-call
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/1/1
    description  EMPA N:
    no ip address
    isdn switch-type basic-net3
    isdn tei-negotiation preserve
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/2/0
    description  EMPB N:
    no ip address
    isdn switch-type basic-net3
    isdn tei-negotiation preserve
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/2/1
    description  Ecotel EMPB N:
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI0/3/0
    description  EMPE N:
    no ip address
    isdn switch-type basic-net3
    isdn tei-negotiation preserve
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI0/3/1
    description  Ecotel EMPA N
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/0
    description B EMPC N:
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn static-tei 0
    interface BRI1/1
    description  Ecotel EMPE N:
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/2
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/3
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/4
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/5
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/6
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    interface BRI1/7
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn send-alerting
    isdn sending-complete
    isdn static-tei 0
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip rtcp report interval 500
    ip access-list extended BLOCK
    deny   ip any host <<omitted>>
    deny   ip any host <<omitted>>
    deny   ip any host <<omitted>>
    deny   ip any host <<omitted>>
    permit ip any any
    ip radius source-interface GigabitEthernet0/0
    radius-server host <<omitted>> auth-port 1647
    radius-server host <<omitted>> acct-port 1647
    radius-server key <<omitted>>
    radius-server vsa send accounting
    control-plane
    voice-port 0/0/0
    translation-profile incoming INLINE_EMPD
    translation-profile outgoing OUTLINE_EMPD
    compand-type a-law
    cptone PT
    voice-port 0/0/1
    compand-type a-law
    cptone PT
    voice-port 0/1/0
    translation-profile incoming INLINE_EMPA
    translation-profile outgoing OUTLINE_EMPA
    compand-type a-law
    cptone PT
    voice-port 0/1/1
    translation-profile incoming INLINE_EMPA
    translation-profile outgoing OUTLINE_EMPA_NT_FAX
    compand-type a-law
    cptone PT
    voice-port 0/2/0
    translation-profile incoming INLINE_EMPB
    translation-profile outgoing OUTLINE_EMPB
    compand-type a-law
    cptone PT
    voice-port 0/2/1
    translation-profile incoming INLINE_EMPB
    translation-profile outgoing OUTLINE_EMPB
    compand-type a-law
    cptone PT
    description Ligacao Acesso GSM
    bearer-cap Speech
    voice-port 0/3/0
    translation-profile incoming INLINE_EMPE
    translation-profile outgoing OUTLINE_EMPE
    compand-type a-law
    cptone PT
    voice-port 0/3/1
    translation-profile incoming INLINE_EMPA
    translation-profile outgoing OUTLINE_EMPA
    compand-type a-law
    cptone PT
    description Ligacao Acesso GSM
    bearer-cap Speech
    voice-port 1/0/0
    compand-type a-law
    cptone PT
    voice-port 1/0/1
    compand-type a-law
    cptone PT
    voice-port 1/0/2
    compand-type a-law
    cptone PT
    voice-port 1/0/3
    compand-type a-law
    cptone PT
    voice-port 1/0/4
    compand-type a-law
    cptone PT
    voice-port 1/0/5
    compand-type a-law
    cptone PT
    voice-port 1/0/6
    compand-type a-law
    cptone PT
    voice-port 1/0/7
    compand-type a-law
    cptone PT
    voice-port 1/0/8
    translation-profile incoming INLINE_EMPC
    translation-profile outgoing OUTLINE_EMPC
    compand-type a-law
    cptone PT
    voice-port 1/0/9
    compand-type a-law
    cptone PT
    voice-port 1/0/10
    compand-type a-law
    cptone PT
    voice-port 1/0/11
    compand-type a-law
    cptone PT
    voice-port 1/0/16
    compand-type a-law
    cptone PT
    voice-port 1/0/17
    compand-type a-law
    cptone PT
    voice-port 1/0/18
    compand-type a-law
    cptone PT
    voice-port 1/0/19
    compand-type a-law
    cptone PT
    ccm-manager music-on-hold
    no mgcp package-capability res-package
    no mgcp package-capability fxr-package
    no mgcp timer receive-rtcp
    mgcp profile default
    dial-peer voice 1 pots
    description +++++ Dial-peer +++++
    incoming called-number .
    direct-inward-dial
    port 0/0/0
    dial-peer voice 10 pots
    description touchwise
    destination-pattern 1T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/0/0
    dial-peer voice 20 pots
    description globalmove
    preference 1
    shutdown
    destination-pattern 5T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/0
    dial-peer voice 30 pots
    description globaltemp
    shutdown
    destination-pattern 3T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/2/0
    dial-peer voice 40 pots
    description EMPE
    destination-pattern 4T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/3/0
    dial-peer voice 100 voip
    preference 1
    destination-pattern .
    session target ipv4:10.35.2.1
    voice-class codec 1 
    no vad
    dial-peer voice 21 pots
    description globalmove
    preference 2
    shutdown
    destination-pattern 5T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/1
    dial-peer voice 101 voip
    preference 2
    destination-pattern .
    session target ipv4:10.35.2.2
    voice-class codec 1 
    no vad
    dial-peer voice 24 pots
    description globalmove
    preference 1
    destination-pattern 59[1236].......
    port 0/3/1
    forward-digits 9
    dial-peer voice 25 pots
    description globalmove
    preference 1
    destination-pattern 500T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/0
    dial-peer voice 26 pots
    description globalmove
    preference 2
    destination-pattern 500T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/1
    dial-peer voice 27 pots
    description globalmove
    preference 1
    destination-pattern 5[123678]T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/0
    dial-peer voice 28 pots
    description globalmove
    preference 2
    destination-pattern 5[123678]T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/1/1
    dial-peer voice 34 pots
    description globalTemp
    preference 1
    destination-pattern 39[1236].......
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/2/1
    forward-digits 9
    dial-peer voice 35 pots
    description globalTemp
    preference 1
    destination-pattern 300T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/2/0
    dial-peer voice 37 pots
    description globalTemp
    preference 1
    destination-pattern 3[123678]T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/2/0
    dial-peer voice 14 pots
    description empd
    preference 1
    destination-pattern 19386648.......
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/0/1
    forward-digits 9
    dial-peer voice 15 pots
    description empd
    preference 1
    destination-pattern 19365483.......
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/0/1
    forward-digits 9
    dial-peer voice 16 pots
    description empd
    preference 1
    destination-pattern 19341347.......
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 0/0/1
    forward-digits 9
    dial-peer voice 50 pots
    description EMPC
    destination-pattern 5T
    progress_ind alert enable 8
    progress_ind progress enable 8
    progress_ind connect enable 8
    port 1/0/8
    gateway
    timer receive-rtp 1200
    gatekeeper
    shutdown
    call-manager-fallback
    max-conferences 4 gain -6
    transfer-system full-consult
    ip source-address 10.35.2.250 port 2000
    max-ephones 100
    max-dn 300
    transfer-pattern 09........
    transfer-pattern 02........
    transfer-pattern 0.........
    transfer-pattern 000T
    transfer-pattern 4...
    keepalive 10
    time-format 24
    date-format dd-mm-yy
    shutdown
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login authentication touchwise
    transport input ssh
    line vty 5 15
    login authentication touchwise
    transport input ssh
    scheduler allocate 20000 1000
    ntp master 5
    end

    If in "Translation Pattern Configuration" I switch to another existing or internal "Partition", it works.
    If I change back to the new one I created, it does not work.
    So it must be some flaw I made in Cisco Unified CM.

  • Destination NAT ACE

    Can someone provide some information on how you would setup 2 servers to proxy out as the VIP address?
    On the CSS I know you can accomplish this through the use of a group rule
    Ex:
    group Outbound_Proxy
    vip address 192.168.1.x
    add service web1
    add service web2
    active
    What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration; however, I am not too sure how to set that up.
    Can someone please provide some advice?
    Thank you in advance!

    Thank you for your response Gilles! Glad to know that my configuration should work.
    The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I initiate a connection to the .163 VIP, where it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.
    Status : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 91
    service-policy: NAT-POLICY
    class: DNS-NAT-Servers
    nat:
    nat dynamic 2 vlan 695
    curr conns : 0 , hit count : 0
    dropped conns : 0
    client pkt count : 0 , client byte count: 0
    server pkt count : 0 , server byte count: 0
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    This is the reason I have not yet performed a packet capture.
    I notice the connection establish just fine and the ACE forward/balance my connection to the correct destination server. However, looking at the me-stats for the connection ID I noticed it is not dynamically NAT'ing the response out.
    ACE-12539-187036/spam# sho conn | i 64.39.0.40
    150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
    34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
    Connection ID:seq: 34566[0x8706].5
    Other ConnID : 150536[0x24c08].10
    Proxy ConnID : 0[0x0].0
    Next Q : 0[0x0]
    192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
    Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
    L3 Protocol : IPv4 L4 Protocol : 6
    Inbound Flag : 0
    Interface Match : Yes
    Interface MatchID: 13
    EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
    MSS : 1380 TOS Stamp : 0
    Repeat mode : No ARP Lookup : No
    TOS Stamp : No TCP Window Check: No
    ACE ID : 12898 NAT Policy ID : 0
    Post NAT hop : 0
    Packet Count : 1 Byte Count : 44
    TCP Information: (State = 3)
    Window size : 16384 Window scale : 0
    FIN seen : No FIN/ACK seen : No
    FIN/ACK exp : No Close initiator : No
    FIN/ACK expval: 5b40000 Last seq : 79e90c16
    timestamp_delta: 0 Last ack : 1
    No Trigger : 0 Trigger Status : 0
    Timestamp : 6279495f
    TCP options negotiated:
    Sack:Clear TS:Clear Windowscale: Clear
    Reserved: Allow Exceed MSS: Deny Window var: Allow
    Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply to only outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can setup dynamic NAT for a specific serverfarm. Do you think I should try that instead?
    Thank you in advance!
    - Jason

  • Cache engine http transparent proxy and caching

    Hi..
    My customer has some GPRS users for whom the proxy setting of the web browser can't be controlled.
    Is it possible to configure a cache engine such that when these users access the Internet, they will be intercepted by the cache engine? The cache engine then forwards the request to a proxy server and out to the Internet?
    Rgds
    Eng Wee

    It is possible to configure the cache engine to provide access to the users. The following URL shows an example on how to configure the Cisco Cache Engine for transparent caching using the Web Cache Coordination Protocol (WCCP).
    http://www.cisco.com/warp/public/117/cache_engine/transparentconfig.html
    This scenario is pretty similar to your requirement. Hope this helps.

  • Destination nat on switches

    We want destination NAT to work. We have 6509 series switches running HSRP. We have 2 locations. At these locations proxy servers do the job of filtering and sending the web traffic. What we want is: if the proxy server at location 1 goes down, we should be able to NAT the incoming traffic for the proxy server from the user VLAN to the proxy server of location b. The IOS version is IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(4)E3. What commands do we need to run?
    thanks

    Your problem is not going to be so much the NAT as how you figure out when the proxy goes down.
    The only thing I have seen that can take action based on an external server is to use object tracking and policy routing. I don't think NAT has any ability to do this.
    Another solution that you may want to consider, if your switches support it, is to use server load balancing (SLB) to do this.
    There are a number of ways to configure this but it will depend on where your servers are located in relation to the switch. Since this is designed for load balancing first and redundancy second it may not end up being efficient.
    Now if you really want to use NAT you could use the policy routing with the object track options and route the traffic to either another router or to loopback interfaces. This would be a variation of NAT on a stick. In effect you would be rerouting your traffic through NAT interfaces based on availability. Both the policy routing track options and NAT on a stick are not the most simple things to configure. The policy routing with track option is fairly new and I don't know if they have put it in the switch versions of the IOS yet.
