Cisco Unity 4.2 to Cisco Unity Connection 8.x
Hi All,
My company wants to upgrade from our current version of Cisco Unity 4.2 to the newest version of Cisco Unity Connection. I've read that the process can be somewhat complicated. I get the basics: I need to back up our Unity server, then install Unity Connection, then restore the backup after the Unity Connection install.
The bad part is that I have to use the same server, so I have to do a backup of Unity, then wipe out that server, then install Unity Connection and then apply the backup of Unity. In a perfect world I could use a second server.
Does anyone have any advice about this process? Any helpful hints and advice would be appreciated.
Thanks,
Dan
Have a look at the videos at the bottom of the page linked to below:
http://www.ciscounitytools.com/Applications/General/COBRAS/COBRAS.html
Similar Messages
-
Unity 4.0(4) to Unity Connection 8.5 Licensing
I've contacted TAC regarding how to do this upgrade in regards to licensing and I was told to email them the old (Unity 4.0) license MAC and the new server (Unity Connection 8.5) license MAC and they'll generate a new license for me.
How do I get the license MAC from the old Windows based 4.0 server?
Hi "G",
Looks like you are moving along nicely here
They are just looking for the MAC of the Unity server (current)
To Get the MAC Address of the Cisco Unity Computer
Step 1 On the computer on which Cisco Unity will be installed, do one of the following:
• If the server contains a dual NIC that has been configured for fault tolerance, run the NIC-configuration utility provided by the manufacturer, and write down the MAC address (excluding hyphens) that is shared by the two NICs. Then skip the rest of this procedure.
• If the server does not contain a dual NIC or if the server contains a dual NIC that is not configured for fault tolerance, on the Windows Start menu, click Programs > Accessories > Command Prompt.
Step 2 In the Command Prompt window, enter ipconfig /all, and press Enter.
Step 3 Write down the value of Physical Address, excluding the hyphens, or save it to a file that you can access during online registration. (For example, if the physical address is 00-A1-B2-C3-D4-E5, record 00A1B2C3D4E5.)
If the server contains a dual NIC, two values will appear. Write down the value for the NIC that you will use to connect the Cisco Unity server to the network.
Step 4 Close the Command Prompt window.
http://www.cisco.com/en/US/docs/voice_ip_comm/unity/white/paper/culicenses.html
Cheers!
Rob -
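The Cisco procedure above comes down to: read the Physical Address of the NIC the server actually uses, drop the hyphens, and keep twelve hex digits. As an added example, not from the thread or from Cisco's documentation, this Python script does that over a constructed ipconfig /all capture and refuses to guess when more than one adapter carries an address, which is the dual-NIC case Step 3 warns about. The adapter names, addresses and host name in the sample are invented. A teamed, fault-tolerant NIC (the first bullet in Step 1) may not expose the shared address through ipconfig at all, so the vendor utility stays the authority there.

```python
"""Pull the license MAC (Physical Address without hyphens) out of `ipconfig /all`.

Added example. SAMPLE_IPCONFIG is a constructed capture in the Windows 2003
format; adapter names, addresses and host name are invented.
"""
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : UNITY01

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-A1-B2-C3-D4-E5
   IP Address. . . . . . . . . . . . : 10.1.5.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-A1-B2-C3-D4-E6
   Media State . . . . . . . . . . . : Media disconnected
"""

# "   Key . . . . : value" lines inside an adapter section.
_KV = re.compile(r"^\s+([A-Za-z0-9 ]+?)[ .]*: (.*)$")


def parse_adapters(ipconfig_output: str) -> list[dict]:
    """Return one dict per adapter section: name, mac (hyphens stripped, upper case), ip."""
    adapters: list[dict] = []
    current = None
    for line in ipconfig_output.splitlines():
        # Section headers are unindented, e.g. "Ethernet adapter Local Area Connection:".
        if line and not line[0].isspace() and "adapter" in line and line.rstrip().endswith(":"):
            current = {"name": line.split("adapter", 1)[1].strip().rstrip(":"),
                       "mac": None, "ip": None}
            adapters.append(current)
            continue
        m = _KV.match(line)
        if not (m and current):
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Physical Address":
            current["mac"] = value.replace("-", "").upper()
        elif key in ("IP Address", "IPv4 Address"):      # XP/2003 vs. Vista+ wording
            current["ip"] = value.split("(")[0].strip()  # drop "(Preferred)" on newer Windows
    return adapters


def live_adapters(ipconfig_output: str) -> list[dict]:
    """Adapters that have both a MAC and an IP address, i.e. the ones actually on the network."""
    return [a for a in parse_adapters(ipconfig_output) if a["mac"] and a["ip"]]


def license_mac(ipconfig_output: str) -> str:
    """The value to register (Step 3). Raises if zero or several adapters qualify,
    so a dual-NIC box is never guessed at; pick the adapter by name in that case."""
    live = live_adapters(ipconfig_output)
    if len(live) != 1:
        raise ValueError("ambiguous, choose the NIC by hand: %r"
                         % [(a["name"], a["mac"]) for a in live])
    mac = live[0]["mac"]
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        raise ValueError(f"unexpected Physical Address format: {mac}")
    return mac


if __name__ == "__main__":
    # On the Unity server itself, replace SAMPLE_IPCONFIG with
    # subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    print(license_mac(SAMPLE_IPCONFIG))
```

The script deliberately errors out rather than picking the first adapter: registering the MAC of the disconnected port is the mistake the dual-NIC note in Step 3 exists to prevent, and a license cut for the wrong address costs a round trip with licensing.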
Cisco should include Linux in Cisco Connect Software
I'm a fan of Windows, Mac OS X and Linux. I know Cisco took time adopting Mac to "Network Connect Pro", which is now Cisco Connect. I feel the time has come to include major Linux distros in Cisco Connect, so that all my computers are afforded the same secure platform for networking.
Does anyone know if Cisco has plans to implement Linux? I'd certainly like to hear opinions, regarding this scenario!
Regards,
John C
Since there are so many flavors of Linux, it is tough to make a "Linux" implementation of anything. And since the market is divided, it is hard to pick the distributions. Worse, you have to decide if it will use KDE, GNOME, or some other WM look-and-feel.
Have you tried running Cisco Connect in an emulator like WINE? (I haven't. I'm just wondering)
You should also post this suggestion in the Cisco Home Community, http://homecommunity.cisco.com -
Ask the Cisco VIP: Troubleshooting SIP in Cisco Unified communications
Troubleshooting SIP in Cisco Unified communications deployments with Cisco VIP Ayodeji Okanlawon
This is a Q&A Ask the Expert Session continuation from the Live Webcast
Ask your questions on Session Initiation Protocol (SIP) and how it is redefining our UC world.
The Session Initiation Protocol (SIP) is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.
Featured Expert
Ayodeji Okanlawon, a Cisco Designated VIP, is the Lead Consultant Engineer for Global Solutions Design and Engineering at Verizon Business. In his past, he has worked at Intact IS, NCS Global, and Schlumberger Information Solutions. His experience includes development of design and deployment of large scale IP telephony projects on Cisco Call Manager platforms, Cisco Voice gateways, Cisco Jabber cloud and on premise solution. His expertise includes SIP solutions, CUBE design and Deployment, Troubleshooting: Voice gateways, CUCM, Unity connection, CUPS. Deji has been awarded the Cisco Designated VIP in 2013 and 2014. Deji holds a Bachelor of Science (BS), Electrical and Electronics Engineering, Second Class Upper from Obafemi Awolowo University.
According to Deji, “If you want to advance your career, if you’re serious about your skill sets, you’ve got to be in the forums.” (Read the Interview >>)
We look forward to your participation. This event is open to all, including partners.
* * Remember to use the rating system to let Deji know if you have received an adequate response. * *
Deji might not be able to answer each question due to the high volume expected during this event. This event runs January 13 through January 23, 2015. Visit this forum often to view responses to your questions and the questions of other community members.
Derrick,
RFC 3261 defines ways to provide increased security for a SIP session.
The following describes the areas in SIP that provide security for the protocol:
1. Authenticating users.
We need to authenticate a user to ensure that the sender of the message is who he claims to be.
To achieve this, SIP uses digest authentication between a UAC, proxy and a UAS. This provides the most basic level of authentication challenge between a client, proxy and a server.
2. Secure SIP signalling
The next area we can secure is SIP signalling itself. For this we use SSL/TLS. This is similar to using HTTPS in web browsers. With TLS, before any signalling is exchanged, X.509 certificates are used to create a secure TLS channel. All our SIP messages are then transported within the secure channel.
NB: The digest authentication mentioned above for authenticating a user agent is just authentication. The messages are not protected from reading or modification, hence it is recommended that these messages are carried inside a secure TLS channel for better security.
3. Privacy and Identification
Additional security features in SIP provide a means by which any user can choose to either reveal or conceal his identity.
4. Secure RTP
SIP also provides the ability to secure the media channel. It is not enough to secure signalling while anyone can listen to the media. RFC3830 discusses how the encryption should be done.
5. S/MIME
S/MIME encapsulation is used to protect SIP headers, making it impossible for anyone in between the sender and receiver to modify the SIP headers.
Regards -
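Point 1 and the NB under point 2, as an added worked example rather than code from the thread: a UAC answering a 401 challenge with an RFC 2617 digest (qop=auth) on a REGISTER, a registrar verifying it, and a check of what an on-path attacker can still change. Realm, user, password, nonces and addresses are constructed; storing HA1 on the registrar instead of the clear password is an added design choice, not something the post states.

```python
"""SIP digest authentication (RFC 3261 s.22.4 / RFC 2617, qop=auth) end to end.

Added example, not from the thread: it computes the UAC response, checks it
registrar-side, and shows which tampering the digest does and does not catch.
Realm, credentials, nonces and URIs are constructed for the demo.
"""
import hashlib
import hmac
import re

REALM = "example.com"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a registrar can store this instead of the password."""
    return md5hex(f"{user}:{realm}:{password}")


# Registrar credential store: username -> HA1 (constructed).
CREDENTIALS = {"alice": make_ha1("alice", REALM, "correct horse battery")}


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:digest-uri).

    Only the method, the Request-URI and the challenge values are covered;
    From/To/Contact, Via and any SDP body are not.
    """
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_register(user: str, password: str, nonce: str, cnonce: str,
                   request_uri: str = "sip:example.com", nc: str = "00000001") -> str:
    """UAC side: the REGISTER re-sent after a 401, with the Authorization header filled in."""
    response = digest_response(make_ha1(user, REALM, password), "REGISTER",
                               request_uri, nonce, nc, cnonce)
    auth = (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{request_uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}", algorithm=MD5')
    return "\r\n".join([
        f"REGISTER {request_uri} SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{user}@{REALM}>;tag=1928301774",
        f"To: <sip:{user}@{REALM}>",
        "Call-ID: a84b4c76e66710@192.0.2.4",
        "CSeq: 2 REGISTER",
        f"Contact: <sip:{user}@192.0.2.4:5060>",
        f"Authorization: {auth}",
        "Content-Length: 0",
        "", ""])


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(msg: str) -> dict:
    for line in msg.split("\r\n"):
        if line.lower().startswith("authorization:"):
            value = line.split(":", 1)[1].strip()
            if value.startswith("Digest "):
                return {k: (q or u) for k, q, u in _PARAM.findall(value[len("Digest "):])}
    return {}


def server_verify(msg: str, issued_nonce: str) -> bool:
    """Registrar side. True only if the response proves the password for this nonce,
    method and Request-URI; the final comparison is constant-time."""
    method, uri, _version = msg.split("\r\n", 1)[0].split(" ")
    auth = parse_authorization(msg)
    ha1 = CREDENTIALS.get(auth.get("username", ""))
    if ha1 is None or auth.get("realm") != REALM:
        return False
    if auth.get("nonce") != issued_nonce or auth.get("qop") != "auth":
        return False                    # replayed nonce or downgraded qop
    if auth.get("uri") != uri:
        return False                    # digest-uri must equal the Request-URI
    expected = digest_response(ha1, method, uri, issued_nonce,
                               auth.get("nc", ""), auth.get("cnonce", ""))
    return hmac.compare_digest(expected, auth.get("response", ""))


def demo() -> dict:
    """Which manipulations the digest catches (False) and which it cannot (True)."""
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"   # constructed
    good = build_register("alice", "correct horse battery", nonce, cnonce)
    bad_password = build_register("alice", "wrong", nonce, cnonce)
    # On-path attacker rewrites a header the digest does not cover.
    spoofed_from = good.replace(f"From: <sip:alice@{REALM}>", "From: <sip:mallory@attacker.example>")
    # On-path attacker rewrites the Request-URI, which HA2 does cover.
    rerouted = good.replace("REGISTER sip:example.com SIP/2.0",
                            "REGISTER sip:attacker.example SIP/2.0", 1)
    return {
        "valid": server_verify(good, nonce),
        "wrong password": server_verify(bad_password, nonce),
        "From header spoofed": server_verify(spoofed_from, nonce),
        "Request-URI changed": server_verify(rerouted, nonce),
        "replayed after nonce rotation": server_verify(good, "f3a1" + nonce),
    }
```

demo() returns True for the untouched request and False for a wrong password, a changed Request-URI or a stale nonce, but True again when only the From header was rewritten: the response covers the method, the digest-uri and the challenge values and nothing else, which is exactly why the post recommends carrying these messages inside TLS.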
No Audio on either end Cisco Jabber for Windows over Cisco AnyConnect
Our telephony staff is replacing our aging/unsupported VoIP system with a Cisco system and as the network tech, I'm trying to get Jabber for Windows to work over our AnyConnect VPN client. Jabber to Cisco phone and Jabber to Jabber calls work fine within our LAN.
However, when I take a laptop to a separate internet connection and connect to the network via the VPN, I can't get any audio to pass across the system, in either direction. If I call a phone on our LAN using the Jabber client (via AnyConnect), the phone rings and when I answer it, it's just dead air on both ends. If I reverse the process, calling from the phone to the Jabber client, the same thing, Jabber client rings, but dead air both ways once I answer.
Things I can do from the laptop over the VPN connection:
I'm able to get to the phone's web interface using that same laptop.
I can ping the phone as well. In fact, the VPN profile I'm using has full access to the entire VoIP Vlan including all IP traffic (all ~65,000 ports).
Searching the address book also works fine. I can search for staff and it's pulling directly from our Active Directory environment.
Are there any special settings on the firewall that I need to set up to allow the voice traffic (which I assume is RTP traffic)? I tried to add a service policy for RTP traffic, but that didn't seem to work... unless I built it wrong.
Jabber for Windows - 10.6.0
Cisco Anyconnect - 3.1.06079
Cisco 5515-X ASA - 9.2
I was able to resolve this on my own. I thought that SIP traffic needed to be inspected via the global inspection policy in order for it to pass through the firewall. I ran into the same issue with ICMP traffic from an AnyConnect client to LAN devices. I had to enable ICMP in that policy for us to be able to ping LAN devices over the VPN tunnel. So when I saw that SIP was already being inspected by this policy, I moved on looking for other solutions. Then I stumbled deep within a Google search (almost hit the end of the Internet doing so) where someone mentioned that SIP shouldn't be inspected by that policy. So I unchecked it and bam! Voice is now working over the AnyConnect client to phones on the LAN.
-
Trying to get home sharing working on a corporate wireless network. Cisco wireless.
WLC5508 controller
Cisco 3502 access points
All apple devices on same WLAN - security WPA2-PSK
ITunes account up to date
All devices latest software.
Can ping Apple TV from laptop
Can ping Apple TV from iPad
Can ping iPad from laptop
Can ping laptop from iPad.
Apple tv never sees any other device.
Any ideas?
Fascinating just reading about your setup. I have a WRT350N and have noticed that it will drop its speed, sometimes down to 1Mbps. It seems to do so at about the same time every day, but usually comes back to speed in about 5 minutes. In my experience, the Apple TV will disconnect if the speed falls this low. Try monitoring the Linksys with Netstumbler, Vistumbler, or just in the Windows Network utility.
Check the "lease obtained" and "lease expired" times for your router to see if that is when the network fails. I've just finished reading an angry thread over at the Linksys forum about the WRT330N where someone mentioned that the router wasn't renewing its lease.
"I cannot set it run off automatic DHCP from the WRT330N, the router will not assign it an IP every time the lease expires, causing me to have to manually set an IP on the Print server. That's annoying. Having the router drop IP's to individual machines after 12-48 hours...very annoying."
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&thread.id=67412
If that is the problem, then I would consider setting up a Static IP address for your Apple TV. You can do that through the user interface -> Settings -> Network -> Configure ... (Quite intuitive as you only have change IP address and the subsequent details remain the same.)
My router assigns IP Addresses in the ranges of 192.168.1.100 ->149. The idea here is to choose an address outside of that range but is not greater than 192.168.1.253 (and should not end in the number 1). You shouldn't have to change the linksys router as long as 50 clients are assigned in that range. You'll have to figure that out by accessing your router webpage at browser address 192.168.1.1 -> the default password is "admin" (without the quotes).
Good luck. -
Want to playback archived webcast recorded using Cisco webex recording. Downloaded Cisco webex meeting software from apple download page but still cannot play recording
You will probably find better support about the features of the Webex app on their support page here: http://www.webex.com/products/web-conferencing/mobile-iphone-ipad-faq.html
Doesn't look like it's listed as a feature of the iPad app. -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators", you should configure in the TACACS settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Says my unity player needs updated but unity website says up to date
There may be an issue with the Firefox plugin checker.
Please do the following:
1. Close Firefox
2. Open the application data folder and locate the Firefox data
3. Locate and open your profile from the folder
4. Rename the pluginreg.dat file
5. Open Firefox
Does this fix the issue?
If not, you can restore the old pluginreg.dat file by deleting the newly created file and renaming the old file back to pluginreg.dat -
Cisco Works NCM Driver for Cisco IPS/IDS
Hi,
Does anybody happen to know if there are drivers for the Cisco Works NCM that support Cisco IDS/IPS devices?
Thanks!!
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html
Your vendor is on crack.
You can do anything you want... but it depends how many ports you have on the IPS.
If you get an IPS 4215 w/ 4 FastEthernet ports you can do any combination -
Cisco MCS or HP Hardware for Unity/CCM
I am looking at purchasing several new Unity servers, and am trying to understand what benefit there is in purchasing the Cisco version.
For what reason would I purchase a more expensive Cisco MCS rather than the identical HP?
Thanks.
Good question,
Looking from a h/w maintenance perspective, you will have a single telephone number to reach.
This doesn't limit you from buying an approved HP or IBM server. You definitely can, but if you have a failed hard drive or server, you have to call HP instead of IBM. Of course maintenance is not free; there is a per-year tag for the same.
You can find the specs of MCS servers here and order an identical one if you want to go that route.
http://www.cisco.com/en/US/products/hw/voiceapp/ps378/index.html -
CIsco DRS Backup Error on Cisco unified collaboration products (UCCX, Unity UCM)
ERROR: Backup failed due to an interruption during file copy to backup media, Backup Completed
The backup completes with all the .tar files, but fails to write the .xml file.
It works if I run it on freeFTPd on my Windows 7 box but is failing on our Linux SFTP box, and it was working before. The only thing we changed was upgrading from 8.6.
UCM: 10.5.2.10000-5
Unity: 10.5.2.10000-5
UCCX: 10.5.1.11001-49
Hi Chris - Does the directory on the Linux server where you are trying to back up have old backups? If yes, try changing the backups to a different directory or move the old backups to an archive.
-Terry -
Cisco Jabber for Windows in Extend and Connect mode and making outbound calls
Hi guys,
I've set up Cisco Jabber for Windows to use Extend and Connect to control a remote PBX endpoint. I've configured the required CTI-RD device, remote destinations, associated the users to the line and added the devices to end-user controlled device. The extend and connect part is working flawlessly without any issues. I'm able to receive inbound calls on the remote PBX endpoint and control the call (hold, resume, transfer etc.) using the Jabber call window that pops up.
However, I'm unable to make any outbound calls via the Jabber client when in Extend and Connect mode. Reading the Extend and Connect guide, I need to configure Dial via Office (DVO) Reverse. So when the user initiates a Dial-via-Office Reverse call, CUCM calls and connects to the Extend and Connect device (CTI-RD). CUCM then calls and connects to the number the user dialled and finally connects the two call legs.
After attempting to configure DVO-R for Jabber for Windows in Extend and Connect mode following the CUCM feature services guide, I'm unable to get any outbound calls working. From RTMT, I am receiving the following Termination Cause Code: (27) Destination out of order. What I also notice is that there is no calling number for that trace either. I would've thought that the calling party would've been the Enterprise Feature Access (EFA) number.
Has anyone got this working or can provide some guidance?
Thanks. -
Cisco ASA 5505 doesn't forward incoming connection to LAN
Hello everybody.
I just got a Cisco ASA 5505 with the following OS and ASDM info:
ASA 5505 OS 8.4(3) ASDM 6.47
I configured and entered all rules to allow incoming traffic to the LAN but it's not working. Also, I have one host inside that is configured on a second IP and I created the rule to allow traffic to it, but it doesn't work either.
Problem 1
I have VNC running on port 5900 TCP and I want to connect from the Internet using port 6001, and this has to forward the connection to the real VNC port. In the configuration I have a few hosts with the same configuration, but I use a different outside port to get to each one.
Problem 2.
I have a second IP with services SMTP, HTTP, HTTPS and port 444, all TCP, forwarding to a server in the LAN.
Facts:
SMTP.
Every time that I telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection go through, and the LOGGING screen doesn't show that connection.
PORT 6001 (outside)
This port is configured to work with the IP on the outside interface and it is supposed to send the incoming connection to a host inside on the real port 5900.
Can anyone check my configuration to see if I'm missing anything? For sure I am, but I didn't find it. Below is the configuration; I masked the public IPs and just left the last number of each IP. I also left the LAN network in so you can see the configuration better.
I will appreciate any help.
Thanks a lot..
CONFIGURATION.
: Saved
ASA Version 8.4(3)
hostname saturn1
domain-name mydominio.com
enable password SOMEPASS encrypted
passwd SOMEPASS encrypted
names
name 192.168.250.11 CAPITOLA-LAN
name 192.168.250.15 OBIi110-LAN
name 192.168.250.21 DRP1260-LAN
name 192.168.250.22 HPOJ8500-LAN
name 192.168.250.30 AP-W77-NG-LAN
name 192.168.250.97 AJ-DTOP-PC-LAN
name 192.168.250.96 SWEETHEART-PC-LAN
name 192.168.250.94 KIDS-PC-LAN
name XX.YY.ZZ.250 EXTERNALIP
name XX.YY.ZZ.251 EXTERNALIP2
name XX.YY.ZZ.1 GTWAY
dns-guard
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address EXTERNALIP 255.255.255.0
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name mydominio.com
object network CAPITOLA-LAN
host 192.168.250.11
object network EXTERNALIP
host XX.YY.ZZ.250
description Created during name migration
object network CAPITOLA-PUBLIC
host XX.YY.ZZ.251
object network capitola-int
host 192.168.250.11
object network capitola-int-vnc
host 192.168.250.11
object network aj-dtop-int-vnc
host 192.168.250.97
object network sweetheart-int-vnc
host 192.168.250.96
object network kids-int-vnc
host 192.168.250.94
object network VPNNetwork
subnet 10.10.20.0 255.255.255.0
object network InsideNetwork
subnet 192.168.250.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network capitola-int-smtp
host 192.168.250.11
object-group service capitola-int-smtp-service tcp
port-object eq smtp
object-group service capitola-int-services tcp
port-object eq smtp
port-object eq https
port-object eq www
port-object eq 444
object-group service capitola-int-vnc-service tcp
port-object eq 6001
object-group service aj-dtop-int-vnc-service tcp
port-object eq 6002
object-group service sweetheart-int-vnc-service tcp
port-object eq 6003
object-group service kids-int-vnc-service tcp
port-object eq 6004
access-list incoming extended permit icmp any any
access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object VPNNetwork
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
object network capitola-int
nat (any,any) static XX.YY.ZZ.251
object network capitola-int-vnc
nat (inside,outside) static interface service tcp 5900 6001
object network aj-dtop-int-vnc
nat (inside,outside) static interface service tcp 5900 6002
object network sweetheart-int-vnc
nat (inside,outside) static interface service tcp 5900 6003
object network kids-int-vnc
nat (inside,outside) static interface service tcp 5900 6004
object network obj_any
nat (inside,outside) dynamic interface
object network capitola-int-smtp
nat (any,outside) static interface service tcp smtp smtp
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 GTWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 2
http server session-timeout 1
http 192.168.1.0 255.255.255.0 inside
http CAPITOLA-LAN 255.255.255.255 inside
http AJ-DTOP-PC-LAN 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh CAPITOLA-LAN 255.255.255.255 inside
ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
ssh timeout 15
console timeout 0
vpn-addr-assign local reuse-delay 2
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password SOMEPASS encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
: end
asdm image disk0:/asdm-647.bin
no asdm history enable
Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice versa: the inbound VNC request can be on ports 6001-6004? -
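One thing worth checking in the posted config, independent of the replies above: on ASA 8.3 and later, an interface ACL is evaluated against the real (untranslated) address and port, so for an object NAT of the form nat (inside,outside) static interface service tcp 5900 6001 the ACE has to permit port 5900 on the inside host, not the mapped port 6001 that capitola-int-vnc-service and its siblings carry. The ACE the reply suggests (eq 5900) is in that form. As an added example, not code from the thread, this Python lint reads a config excerpt in that shape and flags two things: ACEs whose ports cover the mapped but not the real port of a static PAT, and permit ... any any entries with no port restriction, the point the reply raises. The excerpt is constructed, modelled on the posted config with invented names and RFC 5737 addresses; only eq and object-group port specs and a handful of port keywords are handled.

```python
"""Lint an ASA 8.3+ running-config excerpt for two outside-ACL mistakes that
show up in port-forwarding threads like this one.

Added example, not from the thread. SAMPLE_CONFIG is a constructed excerpt in
the same shape as the posted config (object NAT with service translation,
service object-groups, an "incoming" ACL); names and addresses are invented.
PORT_NAMES covers only the keywords needed here.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
object network vnc-host
 host 192.0.2.11
 nat (inside,outside) static interface service tcp 5900 6001
object network web-host
 host 192.0.2.12
 nat (inside,outside) static interface service tcp www 8080
object-group service vnc-mapped tcp
 port-object eq 6001
object-group service web-real tcp
 port-object eq www
access-list incoming extended permit tcp any object vnc-host object-group vnc-mapped
access-list incoming extended permit tcp any object web-host object-group web-real
access-list incoming extended permit ip any any
access-group incoming in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21}


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text: str):
    """Collect static service NATs per object, ports per service group, and permit ACEs."""
    nats = {}                      # object name -> {"real": port, "mapped": port}
    groups = defaultdict(set)      # service group name -> set of ports
    aces = []
    section = None                 # ("object", name) | ("group", name) | None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = None         # any unindented line closes the current block
        if m := re.match(r"object network (\S+)$", line):
            section = ("object", m.group(1))
        elif m := re.match(r"object-group service (\S+) (?:tcp|udp)$", line):
            section = ("group", m.group(1))
            groups[m.group(1)]     # register the group even if it ends up empty
        elif (m := re.match(r"\s+nat \(\S+\) static \S+ service (?:tcp|udp) (\S+) (\S+)$", line)) \
                and section and section[0] == "object":
            nats[section[1]] = {"real": port_number(m.group(1)), "mapped": port_number(m.group(2))}
        elif (m := re.match(r"\s+port-object eq (\S+)$", line)) and section and section[0] == "group":
            groups[section[1]].add(port_number(m.group(1)))
        elif m := re.match(r"access-list (\S+) extended permit (\S+) (\S+) (.+)$", line):
            aces.append({"acl": m.group(1), "proto": m.group(2), "src": m.group(3),
                         "dst_and_ports": m.group(4).split(), "text": line})
    return nats, groups, aces


def audit(text: str) -> list[str]:
    """Findings for the permit ACEs. An empty list means nothing was flagged."""
    nats, groups, aces = parse_config(text)
    findings = []
    for ace in aces:
        tokens = ace["dst_and_ports"]
        if tokens[0] in ("object", "host"):
            dst, rest = tokens[1], tokens[2:]
        else:
            dst, rest = tokens[0], tokens[1:]
        ports = set()
        if rest[:1] == ["eq"]:
            ports = {port_number(rest[1])}
        elif rest[:1] == ["object-group"]:
            ports = set(groups.get(rest[1], ()))
        if ace["src"] == "any" and dst == "any" and not ports:
            findings.append(f"overly broad, no destination or port restriction: {ace['text']}")
        nat = nats.get(dst)
        if nat and ports and nat["mapped"] in ports and nat["real"] not in ports:
            findings.append(
                f"{ace['text']} permits mapped port {nat['mapped']}, but on 8.3+ the ACL "
                f"is evaluated against the real port {nat['real']} of {dst}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the vnc-host ACE (6001 where 5900 is needed) and the permit ip any any line, and passes the web-host ACE, which already names the real port. Feeding it a real show running-config works as long as the object NAT lines use the service tcp|udp real mapped form; range specs and named objects other than those defined in the excerpt are ignored rather than guessed at.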
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config; any pointers or tips are appreciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable
Hi Conor,
What is your local net? I see only one default route, for the outside network. Don't you need a route inside for your local network?
Regards,
Umair
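Beyond the routing question, a config dump like the one above is worth a quick automated pass for weak settings before it goes live. The script below is an added example, not code from this thread or from Cisco: it walks an ASA 8.x-style configuration and flags the kinds of things a reviewer would raise about the posted config, namely the DMZ rule that permits all IP to any destination, the DES and MD5-HMAC transform sets, PFS group1 and an ISAKMP policy using DES, and management access opened on the outside interface. The sample input is a constructed excerpt modelled on the posted lines, and the severity rules are the author's assumptions rather than any official Cisco check.

```python
"""Static review of a Cisco ASA 8.x-style configuration for weak settings.

Added example, not code from the original thread or from Cisco. The rule set
is an assumption about what a firewall reviewer would flag in a config like the
one posted above; it is not an official Cisco check.
"""

# Constructed sample: a short excerpt modelled on the posted config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list public_access_in extended permit object-group public_wifi_group any any
http 59.159.40.188 255.255.255.255 outside
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

WEAK_ESP_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}   # DES/3DES ciphers, MD5 HMAC
WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}                                # 768/1024-bit MODP
UNTRUSTED_IFACES = {"outside", "public"}
ISAKMP_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def audit_asa_config(text):
    """Return a list of (severity, message) findings for an ASA config text."""
    findings = []
    policy = None                    # number of the isakmp policy being parsed
    for raw in text.splitlines():
        t = raw.strip().split()      # sub-commands may or may not be indented
        if not t:
            continue
        # "crypto isakmp policy N" opens a block of sub-commands
        if t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
            continue
        if policy is not None and t[0] in ISAKMP_SUBCMDS and len(t) > 1:
            if t[0] == "encryption" and t[1] in WEAK_IKE_ENC:
                findings.append(("high", f"isakmp policy {policy}: weak encryption {t[1]}"))
            elif t[0] == "hash" and t[1] in WEAK_IKE_HASH:
                findings.append(("medium", f"isakmp policy {policy}: weak hash {t[1]}"))
            elif t[0] == "group" and t[1] in WEAK_DH_GROUPS:
                findings.append(("medium", f"isakmp policy {policy}: small DH group {t[1]}"))
            continue
        policy = None                # any other top-level command ends the block

        if t[0] == "access-list" and len(t) > 5 and t[2:4] == ["extended", "permit"]:
            proto = t[4]             # "ip", "tcp", ... or "object-group" (unresolved)
            if proto == "ip" and t[-1] == "any":
                findings.append(("high", f"{t[1]}: permits all IP from {t[5]} to any destination"))
            elif t[-2:] == ["any", "any"]:
                findings.append(("medium", f"{t[1]}: permits any source to any destination"))
        elif t[0] in ("http", "ssh", "telnet") and len(t) == 4 and t[3] in UNTRUSTED_IFACES:
            # management plane reachable from an untrusted interface; a 0.0.0.0 mask is wide open
            sev = "high" if t[2] == "0.0.0.0" else "low"
            findings.append((sev, f"{t[0]} management from {t[1]}/{t[2]} on {t[3]}"))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [a for a in t[4:] if a in WEAK_ESP_ALGS]
            if weak:
                findings.append(("high", f"transform-set {t[3]} uses {', '.join(weak)}"))
        elif t[:2] == ["crypto", "dynamic-map"] and "pfs" in t:
            i = t.index("pfs")
            grp = t[i + 1] if i + 1 < len(t) else "group2"   # ASA default when no group is given
            if grp.replace("group", "") in WEAK_DH_GROUPS:
                findings.append(("medium", f"dynamic-map {t[2]}: PFS {grp} is too small"))
        elif t[:3] == ["crypto", "isakmp", "enable"] and len(t) > 3 and t[3] not in UNTRUSTED_IFACES:
            findings.append(("low", f"ISAKMP enabled on internal interface {t[3]}"))
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit_asa_config(SAMPLE_CONFIG)
    for sev, msg in results:
        print(f"[{sev:6}] {msg}")
    print(summarize(results))
```

Run it against a full `show running-config` saved to a file by passing the file's contents to `audit_asa_config`. The parser deliberately tolerates the stripped indentation seen in the pasted config, since ASA sub-commands lose their leading space when copied through a forum.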