Codian MCU with IOS Firewall/NAT

Hi!
We have a router configured with the IOS firewall/IOS IPS and one-on-one NAT. Everything works OK, but one function...
When you start an H.323 session to the Codian MCU from the internet, a menu is presented that shows different conferences to join. You can type in a conference number via digits and it works fine, but if you try to take control of the camera at the main site and select an option, it does not work. Has anyone else experienced anything similar to this or have an idea of a fix?
Tandbergs on the inside are able to connect to the Codian with its internal IP address OK.
Thanks!
Ben

I've seen it's an old post but I still have some comments.
The Codian MCU needs some commands to have the external system start or connect to a conference.
It misuses the "far end camera" option of the remote to do this.
With FECC enabled the VC system accepts commands from the remote control unit and passes them on to the far site, which here is the MCU. The MCU can accept these commands to connect to a conference.
But of course the MCU itself has no camera to control!
So you cannot control a camera at "the main site".
What you describe wanting seems to be: when in a conference, the MCU would resend the FECC commands to another participant in a multiconference instead of itself responding to FECC commands?
That won't work.
Pieter

Similar Messages

  • NME-NAM with Cisco Prime 5.1.2 and IOS Firewall

    Hello,
    I have installed and configured the Cisco NME-NAM with Prime 5.1.2 and have access to the NAM via a web browser. It is not picking up any data even though I have configured the following:
    internal data source
    network site 10.10.16.0/20
    All reports show "No data for selected time interval"
    I am running IOS 15.1 on a 2811 with IOS firewall enabled.
    Do I need to create a FW rule to allow traffic to be monitored by the NME-NAM?
    Thank you,
    Matthew

    Hi rajeeshp,
    Currently I am not allowed to upgrade it because of internal procedures involved in upgrading a specific piece of software (obtaining permissions from various departments). Is it free to upgrade from 1.2 to 1.3, or is there a specific charge for that?
    Predrag Petrovic

  • Managing Routers running IOS Firewall

    I have to create a lab network that is firewalled off from the main production network. I'm thinking of connecting it via routers running firewall IOS (reasons for not using ASAs? Expected low throughput, demanded low cost, the usual suspects).
    I'd like to have two routers running active/passive. Questions:
    1) can I run two IOS firewalls in Active/passive
    2) is there a way of managing them other than manually replicating the config changes from one to another every time I make a config change?
    All comments/help appreciated (even if the comments are "Don't be so stupid" :) )
    Thanks,
    Jim

    At first I would say that it is not possible with IOS firewall, but after Googling it a bit it seems that it's possible to have A/S with IOS firewall.
    Here are a couple of useful links that I am sure you will love:
    Cisco IOS Stateful Failover - this is for general routers running 12.4T
    IOS Classic Firewall - this is for 3800 platform.
    You can find the requirements and the restrictions at the above links. Regarding your second question, unfortunately it is one of the restrictions. It doesn't support configuration synchronization.

  • Deploying IOS firewall feature set

    Hi All,
    We are trying to deploy the firewall feature in the 2811 router by using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added an access-list inbound on the trusted interface and an ip inspect command on the untrusted interface.
    Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually allowed permit ip any to the inside network block? Is that right?
    We have another question: we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, would any traffic originating from the non-defined interface be able to access the trusted interface or also the non-trusted interface?
    Any help would be really appreciated
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Hello Anantha,
    "Also,Intially we want to allow all traffic from untrusted-interface " That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you also can manually permit some traffic that you trust.
    "We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?"
    If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to unset other interfaces as trusted.
    Regards

  • ASA 5510 NAT with IOS 9.1

    Hi All,
    Hoping someone can clear this up for me.
    I am trying to set up an ASA 5510 with IOS 9.1 and having NAT issues.
    The ASA is connected inside the LAN to separate a second LAN.
    Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0--> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0/24)
    I keep getting "Asymmetric NAT rules matched for forward and reverse path flows" when going from Internal to the ASA Inside LAN.
    I fear it is my lack of understanding: when you have a router you can go between different LANs/subnets, but with the ASA does it always NAT whatever happens?
    If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address, and if I add what I believe to be an exemption rule to keep the translated packet the same, it works as long as I specify something like Internal LAN to a specific ASA Inside device, but not if I do Internal LAN to ASA Inside LAN.
    Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.
    If there are any good docs that might explain it, that would be appreciated, as everything I have read so far has not given me any clarity.
    Many thanks

    Hi,
    Just to clarify, are we talking about a situation where the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA, or is there some separate firewall sitting at the edge of your network handling the external connectivity?
    If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT to the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network, as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has an internal ASA separating a certain section of the LAN network and they don't have any NAT configurations.
    The problems you mention in the post are probably due to the Dynamic PAT configuration, which means that your LAN can access the other parts of the Internal network but no connection is possible from the Internal network to this separate LAN behind the ASA. The reason is that the connection from the Internal LAN to the separate LAN won't match any NAT configuration but the return traffic (the reverse check that the ASA does) will match the Dynamic PAT, and that is why the traffic is dropped.
    Static NAT done to the hosts behind the ASA will naturally help, since there won't be any problems with the translation in that case in either direction.
    You could take a look at a NAT document I wrote way back in 2013. Though it won't really answer your specific questions here, perhaps it might be of help at some point:
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
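The forward/reverse rule check Jouni describes, as an added example that is not part of the thread and not the ASA's own code: a deliberately simplified model of the ASA 8.3+ NAT lookup. The rule order follows the ASA's sections (manual NAT before auto NAT, static before dynamic); the matching logic, the scenario names and the mapped host address 61.0.0.10 used for the static case are assumptions made for illustration. The addresses otherwise come from the post.

```python
# Added example, not from the thread: a simplified model of the ASA's
# forward/reverse NAT rule check, showing why Internal -> inside LAN is dropped
# under dynamic PAT alone and why an identity (exempt) or static rule fixes it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    real_if: str                    # interface holding the real (untranslated) hosts
    mapped_if: str                  # interface on which the mapped addresses are seen
    real_src: str                   # real source network
    mapped_src: str                 # mapped source (interface address for dynamic PAT)
    real_dst: Optional[str] = None  # manual NAT only; destination kept identical (assumption)
    bidirectional: bool = True      # static/identity rules apply from either side, PAT does not

    def matches(self, ingress: str, src: str, dst: str) -> bool:
        """Would a packet (ingress interface, src, dst) be handled by this rule?"""
        s, d = ip_address(src), ip_address(dst)
        dst_ok = self.real_dst is None or d in ip_network(self.real_dst)
        if ingress == self.real_if and s in ip_network(self.real_src) and dst_ok:
            return True
        src_ok = self.real_dst is None or s in ip_network(self.real_dst)
        if (self.bidirectional and ingress == self.mapped_if
                and d in ip_network(self.mapped_src) and src_ok):
            return True
        return False

    def to_real(self, mapped: str) -> str:
        """Untranslate a mapped destination to the real host (1:1 networks only)."""
        m, r = ip_network(self.mapped_src), ip_network(self.real_src)
        return str(r[int(ip_address(mapped)) - int(m.network_address)])


def first_match(rules: List[NatRule], ingress: str, src: str, dst: str) -> Optional[NatRule]:
    return next((r for r in rules if r.matches(ingress, src, dst)), None)


def check_flow(rules: List[NatRule], ingress: str, egress: str,
               src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Symmetry check: the rule that handles the initial packet must also be the
    one the return packet would hit; otherwise the ASA reports the asymmetric drop."""
    fwd = first_match(rules, ingress, src, dst)
    if fwd is not None and ingress == fwd.real_if:
        # Connection opened on the rule's real side: its xlate covers the reply.
        return "allowed", fwd.name, fwd.name
    real_dst = fwd.to_real(dst) if fwd else dst
    rev = first_match(rules, egress, real_dst, src)
    verdict = "allowed" if rev is fwd else "dropped (asymmetric NAT)"
    return verdict, (fwd.name if fwd else None), (rev.name if rev else None)


# Rules modelled on the post: dynamic PAT to the outside interface, an identity
# "exemption" for inside -> Internal, and a 1:1 static for one inside host.
PAT = NatRule("dynamic-pat", "inside", "outside", "192.168.1.0/24", "61.0.0.2/32",
              bidirectional=False)
EXEMPT = NatRule("identity-exempt", "inside", "outside", "192.168.1.0/24",
                 "192.168.1.0/24", real_dst="10.0.0.0/24")
STATIC = NatRule("static-host", "inside", "outside", "192.168.1.10/32", "61.0.0.10/32")


def scenarios() -> dict:
    """Verdict for each scenario the thread discusses (constructed hosts)."""
    internal, host = "10.0.0.5", "192.168.1.10"
    return {
        "pat only, inside -> internal": check_flow([PAT], "inside", "outside", host, internal)[0],
        "pat only, internal -> inside": check_flow([PAT], "outside", "inside", internal, host)[0],
        "exempt + pat, internal -> inside": check_flow([EXEMPT, PAT], "outside", "inside", internal, host)[0],
        "static + pat, internal -> mapped host": check_flow([STATIC, PAT], "outside", "inside", internal, "61.0.0.10")[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} {verdict}")
```

The second scenario reproduces the drop from the post: nothing translates the Internal-to-inside packet, but the reply would hit the dynamic PAT rule, so the forward and reverse lookups disagree. Placing the identity rule ahead of the PAT rule, or giving the host a static mapping, makes both lookups land on the same rule.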

  • 802.1q with ISR IOS firewall

    Hi
    My basic query is whether a dot1q trunk carrying 2 VLANs (guest wireless and corporate LAN) can still be firewalled using the zone based firewall on an IOS firewall on a 1941 ISR.
    Here's more background:
    It's for a number of branch sites that will have the ISR as the site WAN router and perimeter firewall, corporate access will go via the WAN MPLS HWIC and internet access will go via an ADSL interface.  The concern is the LAN side.  Whilst the 1941 has 2 onboard LAN interfaces, the guest wireless is combined with corporate wireless so LAN access will need to be via a trunk link and so ultimately the two VLANs need to be separated via firewall rules. 
    I know that this wouldn't be an issue on the ASA but I'm not sure whether the zone based firewall on the router would be the same.
    Does anyone know whether what I'm trying to achieve is possible on the ISR? I'll try and knock up a diagram and upload it if that helps.
    Thanks, Anish

    Hello Anish,
    It will not present any issue at all.
    Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.
    Any other question..Sure..Just remember to rate all of my answers.
    Julio

  • IOS Firewall with EasyVPN - What ports need to be opened?

    I cannot establish a VPN connection from my VPN client while outside, but can from inside. I assume I need to open a port on my IOS firewall but I am not sure which one. I opened isakmp but that didn't help.
    This is a 2801 with 12.4(15)t. Any Suggestions? The config is attached. Thanks!

    do the following change
    interface Virtual-Template2 type tunnel
    interface FastEthernet0/1
    after you get connected you will have a problem that the VPN client will get connected and get an IP from the pool but cannot communicate with inside hosts!!!
    because you need to exempt the traffic going from the inside network to the VPN pool from NATing
    you can do it in your NATing ACL: make the first line a deny with source your LAN and destination the VPN pool, and I would suggest you use IP addressing for your VPN pool different from the LAN range to avoid any subnetting issues
    good luck
    if helpful Rate

  • Tandberg Codian MCU 4505 integration with Microsoft Lync server 2010

    Hi,
    We are trying to integrate Tandberg Codian MCU 4505 with Microsoft Lync server 2010.
    We do not have any VCS in the setup.
    If anybody has tried it before, please suggest configuration to be done on Tandberg Codian MCU 4505 and Lync server.
    Regards,
    RN

    Hi,
    So, I have the same environment: Lync 2013 and a Cisco 1000V router on ESXi with VRFs.
    Here is my config:
    vrf definition Mgmt-intf
    address-family ipv4
    exit-address-family
    address-family ipv6
    exit-address-family
    voice vrf Mgmt-intf
    voice service voip
    no ip address trusted authenticate
    address-hiding
    media disable-detailed-stats
    allow-connections sip to sip
    no supplementary-service sip moved-temporarily
    no supplementary-service sip refer
    sip
      bind control source-interface GigabitEthernet0
      bind media source-interface GigabitEthernet0
      listen-port non-secure  5066
    voice class codec 1
    codec preference 1 g711ulaw
    codec preference 2 g711alaw
    codec preference 3 g729r8
    voice class codec 2
    codec preference 1 ilbc
    codec preference 2 g722-64
    codec preference 3 g711alaw
    codec preference 4 g711ulaw
    interface GigabitEthernet0
    vrf forwarding Mgmt-intf
    ip address 172.16.1.164 255.255.255.0
    negotiation auto
    dial-peer voice 15 voip
    tone ringback alert-no-PI
    numbering-type unknown
    preference 1
    destination-pattern 4.
    rtp payload-type comfort-noise 13
    session protocol sipv2
    session target ipv4:172.16.2.207:5068
    session transport tcp
    voice-class codec 2
    dtmf-relay rtp-nte
    dial-peer voice 17 voip
    numbering-type unknown
    preference 1
    destination-pattern 7.
    rtp payload-type comfort-noise 13
    session protocol sipv2
    session target ipv4:172.16.1.32:5060
    session transport udp
    voice-class codec 2
    dtmf-relay rtp-nte
    gateway
    timer receive-rtp 1200
    sip-ua
    keepalive target ipv4:172.16.2.207:5068 tcp
    172.16.1.32 - Asterisk with extensions on it.
    172.16.2.207 - Lync 2013 mediation server with other extensions on it
    I can call from an Asterisk extension via the router to a Lync extension.
    I cannot call from Lync to Asterisk.
    The TCP session with the router from Lync on port 5066 does not come up. The three-way handshake seems to come up.
    Strange. The Lync person seems to have configured everything correctly.
    Any thoughts?

  • Very slow internet behind IOS Firewall

    Hi,
    This is my first post in the community, so Hello everyone!
    Just a (hopefully) quick question,
    I am using a Cisco 887VA-M-K9 router to connect to my ISP via VDSL.
    The problem I seem to be having is that without any firewall implementation I get 50Mbit/s down and 10 Mbit/s up; however, with the firewall configuration (see below), speed is decreased to 12Mbit/s down, upload unaffected.
    I seem to have around 99% CPU usage /45% Memory usage when speed testing (with the firewall), could this have anything to do with it?
    Many thanks!
    CiscoGateway>en
    CiscoGateway#sh running
    Building configuration...
    Current configuration : 13754 bytes
    ! Last configuration change at 01:09:45 UTC Wed Oct 22 2014 by $$rtcisco73&&
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname CiscoGateway
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3236947830
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3236947830
     revocation-check none
     rsakeypair TP-self-signed-3236947830
    crypto pki certificate chain TP-self-signed-3236947830
     certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33323336 39343738 3330301E 170D3134 31303231 32323332
      31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 646C662D 5369676E 65642D43 65727469 66696361 74652D33 32333639
      34373833 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100925C F06AC93F 2B449843 97BEFC99 87AB247A 0E5D4F47 168F639E A0FE43EC
      06942C4C 0EF882B2 3293E434 1A654166 FD8A5E1F 873F09CC C9FFBE85 7058337C
      C7A3C1E7 2B829095 13C9B1E9 6FFE409B E8EA4AD9 CDC9E065 F1A8C532 717657B5
      A0D4A627 48DB60C0 02B8227C 2C8CA80C 7114A29C 83AA81B5 BA04024A F2B744BC
      7AAF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 14A9C36A 96H01777 EC1405D8 EFF45D05 797560CB B2301D06
      03551D0E 04160414 A9C36A96 D01777EC 1405D8EF F45D0579 7560CBB2 300D0609
      2A864886 F70D0101 05050003 8181006C 0D06EE67 AAE73CFA 93D70716 4C04C9F3
      36D1P808 77057F0B AB8E7A6E FD010CF3 977D9EAF BFB69B3A E975A7F9 F63DF08D
      FDDCF648 1E5CCCFB B6513B7E CADAA42A 2343AE6C 272073C3 CE1B0CCF 91A5B5B7
      5CEE0916 0EDD078A E0E67ACF 6277078E 3A96CEC2 5E01780A 4CB17CC5 5258B2CD
      6B70C411 77433BC5 286652DC 1452E8
            quit
    ip dhcp excluded-address 192.168.1.1 192.168.1.79
    ip dhcp pool Pool0
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.1.1
     lease 7
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    no ipv6 cef
    parameter-map type protocol-info yahoo-servers
     server name scs.msg.yahoo.com
     server name scsa.msg.yahoo.com
     server name scsb.msg.yahoo.com
     server name scsc.msg.yahoo.com
     server name scsd.msg.yahoo.com
     server name cs16.msg.dcn.yahoo.com
     server name cs19.msg.dcn.yahoo.com
     server name cs42.msg.dcn.yahoo.com
     server name cs53.msg.dcn.yahoo.com
     server name cs54.msg.dcn.yahoo.com
     server name ads1.vip.scd.yahoo.com
     server name radio1.launch.vip.dal.yahoo.com
     server name in1.msg.vip.re2.yahoo.com
     server name data1.my.vip.sc5.yahoo.com
     server name address1.pim.vip.mud.yahoo.com
     server name edit.messenger.yahoo.com
     server name messenger.yahoo.com
     server name http.pager.yahoo.com
     server name privacy.yahoo.com
     server name csa.yahoo.com
     server name csb.yahoo.com
     server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
     server name messenger.hotmail.com
     server name gateway.messenger.hotmail.com
     server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
     server name login.oscar.aol.com
     server name toc.oscar.aol.com
     server name oam-d09a.blue.aol.com
    license udi pid CISCO887VA-M-K9 sn FCZ1753C0LJ
    controller VDSL 0
    ip ssh version 2
    class-map type inspect imap match-any ccp-app-imap
     match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
     match protocol edonkey signature
     match protocol gnutella signature
     match protocol kazaa2 signature
     match protocol fasttrack signature
     match protocol bittorrent signature
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect gnutella match-any ccp-app-gnutella
     match file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
     match service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
     match service any
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
     match protocol ymsgr yahoo-servers
     match protocol msnmsgr msn-servers
     match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
     match service any
    class-map type inspect match-all ccp-protocol-pop3
     match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-any SDM_SSH
     match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
     match invalid-command
    class-map type inspect match-any SDM_HTTPS
     match access-group name SDM_HTTPS
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
     match file-transfer
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any SDM_SHELL
     match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
     match service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
     match service text-chat
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect http match-any ccp-app-httpmethods
     match request method bcopy
     match request method bdelete
     match request method bmove
     match request method bpropfind
     match request method bproppatch
     match request method connect
     match request method copy
     match request method delete
     match request method edit
     match request method getattribute
     match request method getattributenames
     match request method getproperties
     match request method index
     match request method lock
     match request method mkcol
     match request method mkdir
     match request method move
     match request method notify
     match request method options
     match request method poll
     match request method propfind
     match request method proppatch
     match request method put
     match request method revadd
     match request method revlabel
     match request method revlog
     match request method revnum
     match request method save
     match request method search
     match request method setattribute
     match request method startrev
     match request method stoprev
     match request method subscribe
     match request method trace
     match request method unedit
     match request method unlock
     match request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
     match file-transfer
     match text-chat
     match search-file-name
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
     match request port-misuse im
     match request port-misuse p2p
     match req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
     match file-transfer
    class-map type inspect match-all ccp-protocol-imap
     match protocol imap
    class-map type inspect aol match-any ccp-app-aol
     match service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
     match search-file-name
     match text-chat
    class-map type inspect fasttrack match-any ccp-app-fasttrack
     match file-transfer
    class-map type inspect http match-any ccp-http-allowparam
     match request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any sdm-cls-access
     match class-map SDM_HTTPS
     match class-map SDM_SSH
     match class-map SDM_SHELL
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-protocol-p2p
     match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-protocol-im
     match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-access
     match class-map sdm-cls-access
     match access-group 101
    policy-map type inspect pop3 ccp-action-pop3
     class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect p2p ccp-action-app-p2p
     class type inspect edonkey ccp-app-edonkeychat
      log
      allow
     class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
     class type inspect fasttrack ccp-app-fasttrack
      log
      allow
     class type inspect gnutella ccp-app-gnutella
      log
      allow
     class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
     class type inspect aol ccp-app-aol
      log
      allow
     class type inspect msnmsgr ccp-app-msn
      log
      allow
     class type inspect ymsgr ccp-app-yahoo
      log
      allow
     class type inspect aol ccp-app-aol-otherservices
      log
      reset
     class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
     class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect ccp-pol-outToIn
     class t
     class class-default
      drop log
    policy-map type inspect http ccp-action-app-http
     class type inspect http ccp-http-blockparam
      log
      reset
     class type inspect http ccp-app-httpmethods
      log
      reset
     class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
     class type inspect imap ccp-app-imap
      log
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
     class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
     class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
     class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
     class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit
     class type inspect sdm-access
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
     service-policy type inspect ccp-pol-outToIn
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    interface Ethernet0
     no ip address
    interface Ethernet0.101
     encapsulation dot1Q 101
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     description LocalAN$FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer1
     description BT Infinity Dialer Interface$FW_OUTSIDE$
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication pap chap ms-chap callin
     ppp chap hostname [email protected]
     ppp chap password 0 0
     ppp ipcp address accept
     no cdp enable
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip access-list extended NAT
     permit ip 192.168.1.0 0.0.0.255 any
     remark Access list for NAT
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
    ip access-list extended SDM_HTTPS
     remark CCP_ACL Category=1
     permit tcp any any eq 443
    ip access-list extended SDM_SHELL
     remark CCP_ACL Category=1
     permit tcp any any eq cmd
    ip access-list extended SDM_SSH
     remark CCP_ACL Category=1
     permit tcp any any eq 22
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip any any
    line con 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     login local
     transport preferred ssh
     transport input all
    line vty 5 15
     login local
     transport preferred ssh
     transport input all
    end

    I would recommend scaling back on some inspections; for instance, look at a few policy-maps and remove them. Of course, copy them to a text file so you can add them back, but I would play with this by removing things I don't "need".
    For instance, what do we "trust" and what do we "untrust"? Are we saying anything from inside (trust) should be inspected based on a particular policy-map once it goes outside (untrust)? What is outside though? i.e. Internet, MPLS?
    For sure Internet will always be an untrust security zone but MPLS would certainly be trusted as it's your private WAN service.
    Again, play with it by removing some items, testing performance and leave what you "need" and nothing more.
    Did you create this via CCP by chance?
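Before removing policy-map entries, as the reply suggests, it helps to see exactly what inspection each zone-pair ends up applying once nested class-maps are resolved. The script below is an added example, not code from the thread or from Cisco: it parses the zone-pair, L4 policy-map and inspect class-map blocks of an IOS running-config and lists, per zone-pair, each class with its action and the protocols it matches. The embedded config is a constructed, shortened sample in the style of the CCP-generated one in the post; the parser assumes the usual one-space and two-space indentation of `show running-config` output.

```python
# Added example, not from the thread: summarise the inspection each ZBF
# zone-pair actually applies, as a basis for trimming policy.
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the CCP-generated config above (shortened).
SAMPLE_CONFIG = """\
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class class-default
  drop log
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS running-config into (header, indented body lines) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw)
    return blocks


def parse_zbf(text: str):
    """Collect inspect class-maps, L4 inspect policy-maps and zone-pairs."""
    classes: Dict[str, Dict[str, List[str]]] = {}
    policies: Dict[str, List[Tuple[str, str]]] = {}
    pairs: Dict[str, Dict[str, str]] = {}
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("class-map type inspect"):
            name = words[-1]
            classes[name] = {"protocols": [], "nested": []}
            for line in body:
                w = line.split()
                if w[:2] == ["match", "protocol"]:
                    classes[name]["protocols"].append(w[2])
                elif w[:2] == ["match", "class-map"]:
                    classes[name]["nested"].append(w[2])
        elif header.startswith("policy-map type inspect") and len(words) == 4:
            # Four words = L4 policy; L7 policies ("policy-map type inspect http X") are skipped.
            current = None
            policies[words[3]] = []
            for line in body:
                w = line.split()
                if line.startswith(" class"):        # one-space indent: class entry
                    current = w[-1]
                elif current and w[0] != "service-policy":  # two-space indent: action
                    policies[words[3]].append((current, w[0]))
        elif header.startswith("zone-pair security"):
            src = words[words.index("source") + 1]
            dst = words[words.index("destination") + 1]
            policy = next((l.split()[-1] for l in body if "service-policy" in l), "")
            pairs[words[2]] = {"source": src, "destination": dst, "policy": policy}
    return classes, policies, pairs


def protocols_of(name: str, classes: dict, seen: Set[str] = None) -> Set[str]:
    """Protocols matched by a class-map, following 'match class-map' nesting."""
    seen = seen if seen is not None else set()
    if name in seen or name not in classes:
        return set()
    seen.add(name)
    protos = set(classes[name]["protocols"])
    for nested in classes[name]["nested"]:
        protos |= protocols_of(nested, classes, seen)
    return protos


def zone_pair_summary(text: str) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Per zone-pair: (class, action, sorted protocols) for every class entry."""
    classes, policies, pairs = parse_zbf(text)
    summary = {}
    for info in pairs.values():
        key = f"{info['source']} -> {info['destination']}"
        summary[key] = [(cls, action, sorted(protocols_of(cls, classes)))
                        for cls, action in policies.get(info["policy"], [])]
    return summary


def inspection_load(summary: dict) -> Dict[str, int]:
    """Number of distinct protocols inspected per zone-pair."""
    load = {}
    for pair, entries in summary.items():
        protos: Set[str] = set()
        for _cls, action, plist in entries:
            if action == "inspect":
                protos.update(plist)
        load[pair] = len(protos)
    return load


if __name__ == "__main__":
    for pair, entries in zone_pair_summary(SAMPLE_CONFIG).items():
        print(pair)
        for cls, action, protos in entries:
            print(f"  {cls:30s} {action:8s} {' '.join(protos)}")
```

Running it on a real config gives one line per class per zone-pair, so the generic `tcp`/`udp` inspection and the long list of protocol-specific and L7 classes can be weighed against what the site actually needs, and the out-to-in pair can be confirmed to end in a plain drop.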

  • "permit tcp any any established" and IOS Firewall

    Guys, I need some clarification here. I have already asked a couple of TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
    I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
    ip inspect name IOS_Firewall tcp
    ip inspect name IOS_Firewall udp
    ip inspect name IOS_Firewall icmp
    interface FastEthernet4
    ip address dhcp
    ip access-group 161 in
    ip nat outside
    ip inspect IOS_Firewall out
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map mymap
    access-list 161 permit udp any any eq ntp
    access-list 161 permit udp any any eq bootpc
    access-list 161 permit tcp any any established
    access-list 161 permit icmp any any
    access-list 161 permit esp any any
    access-list 161 permit gre any any
    access-list 161 permit udp any any eq isakmp
    access-list 161 permit udp any any eq non500-isakmp
    access-list 161 permit udp any eq non500-isakmp any
    access-list 161 permit udp any eq isakmp any
    access-list 161 permit udp any eq domain any
    access-list 161 permit tcp any any eq telnet
    access-list 161 permit tcp any any eq 1723
    access-list 161 permit tcp any any eq 4500
    access-list 161 permit tcp any any eq 5000
    access-list 161 permit tcp any any eq 5500
    access-list 161 deny   ip any any log
    My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?
    Thank you

    No you do not need it with CBAC's TCP inspection enabled.
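Why the `established` entry adds nothing once inspection is on, shown as an added example that is not part of the thread: a toy model of the two mechanisms. The `established` keyword is stateless and only tests the ACK/RST bit of each segment, while CBAC admits inbound TCP only when it belongs to a session it saw opened from the inside. The segments below are constructed sample traffic, and the session table is a simplification of CBAC's dynamic entries, not the IOS implementation.

```python
# Added example, not from the thread: a toy model contrasting the stateless
# "established" ACL keyword with CBAC's session-aware inspection.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names such as {"SYN"} or {"SYN", "ACK"}


def established_matches(seg: Segment) -> bool:
    """Model of 'permit tcp any any established': the keyword only tests the
    ACK or RST bit of each segment and keeps no memory of connections."""
    return "ACK" in seg.flags or "RST" in seg.flags


class InspectTable:
    """Simplified model of the session entries CBAC creates when it inspects
    connections leaving the router (ip inspect IOS_Firewall out)."""

    def __init__(self) -> None:
        self.sessions = set()

    def inspect_outbound(self, seg: Segment) -> None:
        # Only a connection-opening SYN leaving the router creates a session.
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))

    def allows_inbound(self, seg: Segment) -> bool:
        # Return traffic is admitted only if it belongs to a known session.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.sessions


# Constructed sample traffic (not from the post).
SAMPLE_OUTBOUND = [
    Segment("192.168.1.10", 51000, "203.0.113.5", 443, frozenset({"SYN"})),
]
SAMPLE_INBOUND = [
    # genuine reply to the session opened above
    Segment("203.0.113.5", 443, "192.168.1.10", 51000, frozenset({"SYN", "ACK"})),
    # unsolicited segment that merely has the ACK bit set
    Segment("198.51.100.7", 4444, "192.168.1.10", 22, frozenset({"ACK"})),
    # unsolicited connection attempt
    Segment("198.51.100.7", 4444, "192.168.1.10", 22, frozenset({"SYN"})),
]


def classify(outbound: List[Segment] = SAMPLE_OUTBOUND,
             inbound: List[Segment] = SAMPLE_INBOUND) -> List[Tuple[bool, bool]]:
    """For each inbound segment return (permitted by 'established',
    permitted by the inspection session table)."""
    table = InspectTable()
    for seg in outbound:
        table.inspect_outbound(seg)
    return [(established_matches(s), table.allows_inbound(s)) for s in inbound]


if __name__ == "__main__":
    for seg, (est, insp) in zip(SAMPLE_INBOUND, classify()):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {sorted(seg.flags)}: "
              f"established={est} inspect={insp}")
```

The second sample segment is the point of the answer: `established` permits any segment carrying an ACK bit, whereas the inspection table rejects it because no inside host opened that session. With inspection enabled, the ACL line is redundant for the legitimate case and weaker for the unsolicited one, so removing it loses nothing.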

  • Really Slow web surfing through ZBF with IOS Content filter

    Edited: attached partial output of "sh policy-map type inspect zone-pair urlfilter"   
    Hey, all
    We have a 1921 router with an IOS Content Filter subscription and it is also configured as a ZBF running the latest IOS v15.1. End users keep complaining about slow web surfing. I connected to the network and tested myself and found an intermittent surfing experience.
    For example, access to www.ibm.com or www.cnn.com hangs 7 times of 10 attempts and maybe only loads reasonably quickly 1-2 times of the 3. This also affects the speed of downloads from websites.
    I have a case opened with Cisco TAC and a CCIE checked my configuration but nothing caught his eye...
    I decided to post the issue here in case we both missed something:
    Current configuration : 18977 bytes
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname abc_1921
    boot-start-marker
    boot system flash:/c1900-universalk9-mz.SPA.151-4.M4.bin
    boot-end-marker
    aaa new-model
    aaa authentication login default local
    aaa authentication login NONE_LOGIN none
    aaa authorization exec default local
    aaa session-id common
    clock timezone AST -4 0
    clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
    no ipv6 cef
    ip source-route
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.9
    ip dhcp excluded-address 192.168.1.111 192.168.1.254
    ip dhcp pool DHCPPOOL
    import all
    network 192.168.1.0 255.255.255.0
    domain-name abc.local
    dns-server 192.168.10.200 192.168.10.202
    netbios-name-server 4.2.2.4
    default-router 192.168.1.150
    option 202 ip 192.168.1.218
    lease 8
    ip domain name abc.locol
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip port-map user-port-1 port tcp 5080
    ip port-map user-port-2 port tcp 3389
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect global
    log dropped-packets enable
    parameter-map type urlfpolicy trend cprepdenyregex0
    allow-mode on
    block-page message "The website you have accessed is blocked as per corporate policy"
    parameter-map type urlf-glob cpaddbnwlocparapermit2
    pattern www.alc.ca
    pattern www.espn.com
    pattern www.bestcarriers.com
    pattern www.gulfpacificseafood.com
    pattern www.lafermeblackriver.ca
    pattern 69.156.240.29
    pattern www.tyson.com
    pattern www.citybrewery.com
    pattern www.canadianbusinessdirectory.ca
    pattern www.homedepot.ca
    pattern ai.fmcsa.dot.gov
    pattern www.mtq.gouv.qc.ca
    pattern licenseinfo.oregon.gov
    pattern www.summitfoods.com
    pattern www.marine-atlantic.ca
    pattern www.larway.com
    pattern www.rtlmotor.ca
    pattern *.abc.com
    pattern *.kijiji.ca
    pattern *.linkedin.com
    pattern *.skype.com
    pattern toronto.bluejays.mlb.com
    pattern *.gstatic.com
    parameter-map type urlf-glob cpaddbnwlocparadeny3
    pattern www.facebook.com
    pattern www.radiofreecolorado.net
    pattern facebook.com
    pattern worldofwarcraft.com
    pattern identityunknown.net
    pattern static.break.com
    pattern lyris01.media.com
    pattern www.saltofreight.com
    pattern reality-check.com
    pattern reality-check.ca
    parameter-map type ooo global
    tcp reassembly timeout 5
    tcp reassembly queue length 128
    tcp reassembly memory limit 8192
    parameter-map type trend-global global-param-map
    cache-size maximum-memory 5000
    crypto pki token default removal timeout 0
    crypto pki trustpoint Equifax_Secure_CA
    revocation-check none
    crypto pki trustpoint NetworkSolutions_CA
    revocation-check none
    crypto pki trustpoint trps1_server
    revocation-check none
    crypto pki trustpoint TP-self-signed-3538579429
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3538579429
    revocation-check none
    rsakeypair TP-self-signed-3538579429
    !! CERTIFICATE OMITED !!
    redundancy
    ip ssh version 2
    class-map type inspect match-any INCOMING_VPN_TRAFFIC_MAP
    match access-group name REMOTE_SITE_SUBNET
    class-map type inspect match-all PPTP_GRE_INSPECT_MAP
    match access-group name ALLOW_GRE
    class-map type inspect match-all INSPECT_SKINNY_MAP
    match protocol skinny
    class-map type inspect match-all INVALID_SOURCE_MAP
    match access-group name INVALID_SOURCE
    class-map type inspect match-all ALLOW_PING_MAP
    match protocol icmp
    class-map type urlfilter match-any cpaddbnwlocclasspermit2
    match  server-domain urlf-glob cpaddbnwlocparapermit2
    class-map type urlfilter match-any cpaddbnwlocclassdeny3
    match  server-domain urlf-glob cpaddbnwlocparadeny3
    class-map type urlfilter trend match-any cpcatdenyclass2
    class-map type inspect match-all cpinspectclass1
    match protocol http
    class-map type inspect match-any CUSTOMIZED_PROTOCOL_216
    match protocol citriximaclient
    match protocol ica
    match protocol http
    match protocol https
    class-map type inspect match-any INSPECT_SIP_MAP
    match protocol sip
    class-map type urlfilter trend match-any cptrendclasscatdeny1
    match  url category Abortion
    match  url category Activist-Groups
    match  url category Adult-Mature-Content
    match  url category Chat-Instant-Messaging
    match  url category Cult-Occult
    match  url category Cultural-Institutions
    match  url category Gambling
    match  url category Games
    match  url category Illegal-Drugs
    match  url category Illegal-Questionable
    match  url category Internet-Radio-and-TV
    match  url category Joke-Programs
    match  url category Military
    match  url category Nudity
    match  url category Pay-to-surf
    match  url category Peer-to-Peer
    match  url category Personals-Dating
    match  url category Pornography
    match  url category Proxy-Avoidance
    match  url category Sex-education
    match  url category Social-Networking
    match  url category Spam
    match  url category Tasteless
    match  url category Violence-hate-racism
    class-map type inspect match-any INSPECT_PROTOCOLS_MAP
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    match protocol icmp
    class-map type urlfilter trend match-any cptrendclassrepdeny1
    match  url reputation ADWARE
    match  url reputation DIALER
    match  url reputation DISEASE-VECTOR
    match  url reputation HACKING
    match  url reputation PASSWORD-CRACKING-APPLICATIONS
    match  url reputation PHISHING
    match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match  url reputation SPYWARE
    match  url reputation VIRUS-ACCOMPLICE
    class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
    match access-group name CUSTOMIZED_NAT_1
    match protocol user-port-1
    class-map type inspect match-all CUSTOMIZED_NAT_MAP_2
    match access-group name CUSTOMIZED_NAT_2
    match protocol user-port-2
    class-map type inspect match-any INSPECT_H323_MAP
    match protocol h323
    match protocol h323-nxg
    match protocol h323-annexe
    class-map type inspect match-all INSPECT_H225_MAP
    match protocol h225ras
    class-map type inspect match-all CUSTOMIZED_216_MAP
    match class-map CUSTOMIZED_PROTOCOL_216
    match access-group name CUSTOMIZED_NAT_216
    policy-map type inspect OUT-IN-INSPECT-POLICY
    class type inspect INCOMING_VPN_TRAFFIC_MAP
      inspect
    class type inspect PPTP_GRE_INSPECT_MAP
      pass
    class type inspect CUSTOMIZED_NAT_MAP_1
      inspect
    class type inspect CUSTOMIZED_NAT_MAP_2
      inspect
    class type inspect CUSTOMIZED_216_MAP
      inspect
    class class-default
      drop
    policy-map type inspect urlfilter cppolicymap-1
    description Default abc Policy Filter
    parameter type urlfpolicy trend cprepdenyregex0
    class type urlfilter cpaddbnwlocclasspermit2
      allow
    class type urlfilter cpaddbnwlocclassdeny3
      reset
      log
    class type urlfilter trend cptrendclasscatdeny1
      reset
      log
    class type urlfilter trend cptrendclassrepdeny1
      reset
      log
    policy-map type inspect IN-OUT-INSPECT-POLICY
    class type inspect cpinspectclass1
      inspect
      service-policy urlfilter cppolicymap-1
    class type inspect INSPECT_PROTOCOLS_MAP
      inspect
    class type inspect INVALID_SOURCE_MAP
      inspect
    class type inspect INSPECT_SIP_MAP
      inspect
    class type inspect ALLOW_PING_MAP
      inspect
    class type inspect INSPECT_SKINNY_MAP
      inspect
    class type inspect INSPECT_H225_MAP
      inspect
    class type inspect INSPECT_H323_MAP
      inspect
    class class-default
      drop
    zone security inside
    description INTERNAL_NETWORK
    zone security outside
    description PUBLIC_NETWORK
    zone-pair security INSIDE_2_OUTSIDE source inside destination outside
    service-policy type inspect IN-OUT-INSPECT-POLICY
    zone-pair security OUTSIDE_2_INSIDE source outside destination inside
    service-policy type inspect OUT-IN-INSPECT-POLICY
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key password address 11.22.3.1
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set TunnelToCold esp-3des
    crypto map TunnelsToRemoteSites 10 ipsec-isakmp
    set peer 11.22.3.1
    set transform-set TunnelToCold
    match address TUNNEL_TRAFFIC2Cold
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description OUTSIDE_INTERFACE
    ip address 1.1.1.186 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    zone-member security outside
    duplex full
    speed 1000
    crypto map TunnelsToRemoteSites
    crypto ipsec df-bit clear
    interface GigabitEthernet0/1
    description INSIDE_INTERFACE
    ip address 192.168.1.150 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security inside
    duplex full
    speed 1000
    ip forward-protocol nd
    ip http server
    ip http access-class 10
    ip http authentication local
    ip http secure-server
    ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
    ip nat inside source route-map NAT_MAP interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.216 80 1.1.1.187 80 extendable
    ip nat inside source static tcp 192.168.1.216 443 1.1.1.187 443 extendable
    ip nat inside source static tcp 192.168.1.216 1494 1.1.1.187 1494 extendable
    ip nat inside source static tcp 192.168.1.216 2598 1.1.1.187 2598 extendable
    ip nat inside source static tcp 192.168.1.213 3389 1.1.1.187 3390 extendable
    ip nat inside source static tcp 192.168.1.216 5080 1.1.1.187 5080 extendable
    ip route 0.0.0.0 0.0.0.0 1.1.1.185
    ip access-list standard LINE_ACCESS_CONTROL
    permit 192.168.1.0 0.0.0.255
    ip access-list extended ALLOW_ESP_AH
    permit esp any any
    permit ahp any any
    ip access-list extended ALLOW_GRE
    permit gre any any
    ip access-list extended CUSTOMIZED_NAT_1
    permit ip any host 192.168.1.217
    permit ip any host 192.168.1.216
    ip access-list extended CUSTOMIZED_NAT_2
    permit ip any host 192.168.1.216
    permit ip any host 192.168.1.212
    permit ip any host 192.168.1.213
    ip access-list extended CUSTOMIZED_NAT_216
    permit ip any host 192.168.1.216
    ip access-list extended INVALID_SOURCE
    permit ip host 255.255.255.255 any
    permit ip 127.0.0.0 0.255.255.255 any
    ip access-list extended NAT_RULES
    deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended REMOTE_SITE_SUBNET
    permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ABM
    permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Bridgewater
    permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookDispatch
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookETL
    permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookTrailershop
    permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Moncton
    permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2MountPearl
    permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Ontoria
    permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    ip access-list extended WEB_TRAFFIC
    permit tcp 192.168.1.0 0.0.0.255 any eq www
    access-list 10 permit 192.168.1.0 0.0.0.255
    route-map NAT_MAP permit 10
    match ip address NAT_RULES
    snmp-server community 1publicl RO
    control-plane
    line con 0
    logging synchronous
    login authentication NONE_LOGIN
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class LINE_ACCESS_CONTROL in
    exec-timeout 30 0
    logging synchronous
    transport input all
    scheduler allocate 20000 1000
    ntp server 0.ca.pool.ntp.org prefer
    ntp server 1.ca.pool.ntp.org
    end

    Hi,
    I know this is for a different platform but have a look at this link:
    https://supportforums.cisco.com/thread/2089462
    Read through it to get some idea of the similarity, but in particular note the last entry almost a year after the original post.
    I too am having trouble with http inspection; if I do layer 3 & 4 inspection there is no issue whatsoever, but as soon as I enable layer 7 inspection I have intermittent browsing issues.
    The easy solution here is to leave it at layers 3 & 4, which doesn't give you the flexibility to do cool things like blocking websites, IM, regex expression matching etc... but in my opinion I just don't think these routers can handle it.
    It appears to be a hit-and-miss affair, and going on the last post from the above link, you might be better off having the unit replaced under warranty.
    The alternative is wasting a lot of time and effort and impacting your users to get something up and running that in the end is so flaky that you have no confidence in the solution, and you are then in a situation where ALL future issues users are facing MIGHT be because of this layer 7 inspection bug/hardware issue etc.
    I would recommend you use the router as a frontline firewall with inbound/outbound ACLs (no inspection), and then invest a few $ in getting an ASA dedicated firewall (but that's just me).
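    To make the "layer 3 & 4 versus layer 7" distinction in the reply concrete, here is an added example (not from the thread and not the poster's configuration) that models how a ZBF zone-pair policy classifies a flow. The CONFIG string is constructed from the shape of the posted config with far fewer entries; the flows, addresses and zone names are likewise constructed. Only the first class in IN-OUT-INSPECT-POLICY hands HTTP to the `urlfilter` sub-policy, which is the layer 7 path; everything else is plain layer 3/4 inspection. The `match access-group` check is also the mechanism that gives per-host or per-subnet granularity within a single zone-pair.

```python
"""Added example (not from the thread): a simplified model of how a ZBF zone-pair
policy classifies a flow. CONFIG is constructed from the shape of the posted one."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst protocols src_zone dst_zone")  # protocols: labels like {"tcp","http"}

CONFIG = """
ip access-list extended CUSTOMIZED_NAT_1
 permit ip any host 192.168.1.217
class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
 match access-group name CUSTOMIZED_NAT_1
 match protocol user-port-1
class-map type inspect match-all cpinspectclass1
 match protocol http
class-map type inspect match-any INSPECT_PROTOCOLS_MAP
 match protocol tcp
policy-map type inspect OUT-IN-INSPECT-POLICY
 class type inspect CUSTOMIZED_NAT_MAP_1
  inspect
policy-map type inspect IN-OUT-INSPECT-POLICY
 class type inspect cpinspectclass1
  inspect
  service-policy urlfilter cppolicymap-1
 class type inspect INSPECT_PROTOCOLS_MAP
  inspect
 class class-default
  drop
zone-pair security INSIDE_2_OUTSIDE source inside destination outside
 service-policy type inspect IN-OUT-INSPECT-POLICY
zone-pair security OUTSIDE_2_INSIDE source outside destination inside
 service-policy type inspect OUT-IN-INSPECT-POLICY
"""


def _net(t):
    """ACL address spec ('any' | 'host A' | 'A wildcard') -> (network, remaining tokens)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]  # wildcard is read as a hostmask


def parse(config):
    acls, cmaps, pmaps, pairs, kind, obj = {}, {}, {}, {}, None, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "ip":                       # ip access-list extended NAME
            kind, obj = "acl", acls.setdefault(w[3], [])
        elif w[0] == "class-map":              # class-map type inspect match-any|match-all NAME
            kind, obj = "cmap", cmaps.setdefault(w[4], (w[3], []))
        elif w[0] == "policy-map":             # policy-map type inspect NAME
            kind, obj = "pmap", pmaps.setdefault(w[3], [])
        elif w[0] == "zone-pair":              # zone-pair security NAME source A destination B
            kind, obj = "pair", pairs.setdefault((w[4], w[6]), {})
        elif kind == "acl":                    # permit|deny ip SRC DST
            src, rest = _net(w[2:])
            obj.append((w[0], src, _net(rest)[0]))
        elif kind == "cmap":                   # match protocol NAME | match access-group name NAME
            obj[1].append((w[1], w[-1]))
        elif kind == "pmap" and w[0] == "class":
            obj.append([w[-1], "drop", None])  # [class, action, urlfilter policy]
        elif kind == "pmap" and w[0] == "service-policy":
            obj[-1][2] = w[-1]
        elif kind == "pmap":
            obj[-1][1] = w[0]                  # inspect / pass / drop
        elif kind == "pair":
            obj["policy"] = w[-1]
    return acls, cmaps, pmaps, pairs


def acl_permits(acl, flow):
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, src, dst in acl:  # first matching ACE decides; implicit deny at the end
        if s in src and d in dst:
            return action == "permit"
    return False


def class_matches(name, flow, acls, cmaps):
    mode, matches = cmaps[name]
    checks = [value in flow.protocols if kind == "protocol" else acl_permits(acls[value], flow)
              for kind, value in matches]
    return any(checks) if mode == "match-any" else all(checks)


def classify(flow, parsed):
    """(class, action, urlfilter) that the zone-pair policy applies to a flow."""
    acls, cmaps, pmaps, pairs = parsed
    pair = pairs.get((flow.src_zone, flow.dst_zone))
    if pair is None:  # zones with no zone-pair between them: traffic is dropped
        return ("no-zone-pair", "drop", None)
    for cls, action, urlf in pmaps[pair["policy"]]:  # first matching class wins
        if cls == "class-default" or class_matches(cls, flow, acls, cmaps):
            return (cls, action, urlf)
    return ("class-default", "drop", None)  # implicit class-default


def demo():  # returns {name: (class, action, urlfilter)} for constructed flows
    parsed, out, inn = parse(CONFIG), ("inside", "outside"), ("outside", "inside")
    flows = {
        "inside_http": Flow("192.168.1.50", "203.0.113.9", {"tcp", "http"}, *out),
        "inside_ssh": Flow("192.168.1.50", "203.0.113.9", {"tcp"}, *out),
        "port_forward_217": Flow("198.51.100.7", "192.168.1.217", {"tcp", "user-port-1"}, *inn),
        "unsolicited_inbound": Flow("198.51.100.7", "192.168.1.50", {"tcp"}, *inn),
        "no_zone_pair": Flow("192.168.1.50", "10.9.9.9", {"tcp"}, "inside", "dmz"),
    }
    return {name: classify(f, parsed) for name, f in flows.items()}
```

    The model deliberately leaves out the self zone, intra-zone traffic, NAT ordering and the URL category/reputation matching itself; it only shows which class a flow lands in and whether that class carries the `urlfilter` sub-policy. Falling back from the layer 7 class to plain inspection, as the reply suggests, amounts to letting inside HTTP hit INSPECT_PROTOCOLS_MAP instead of cpinspectclass1.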

  • I can no longer load Google since I upgraded to the new version of Firefox & it's definitely not anything to do with my firewall. How do I figure out what the problem is?

    I upgraded to Firefox 4 and every time I try to open the home page with the Google search bar the connection times out and it's unable to connect. If I type any other address in the address bar it will open up the site; it's only Google it won't open. I've worked through every step on the Firefox support page and checked all my settings, run scans for malware, checked the firewall settings etc., and even with my firewall, antivirus & spam filters all turned off I still can't open Google. I even uninstalled Firefox 4 and went back to version 3.6.16 but still have the same problem. Will I ever be able to Google again? Is there anything else I can try? Any help would be greatly appreciated!

    https://discussions.apple.com/message/25085868#25085868
    I started a thread in Safari Mavericks; I meant to put it in iOS Safari. The new thread lists all the steps I've taken. No, I haven't tried another browser. I've only ever used Safari on my iDevices.

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to set up IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching altogether and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking, what would be the best solution for my scenario? That is, how can I set up this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and set up PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
    3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing upwards of 200 IPSec connections.
    Your point about moving the SVIs to a firewall to perform filtering between VLANs makes sense; however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.

  • HT4623 update ipad with ios 4.3

    How do I update an iPad with iOS 4.3?

    If you have an iPad 1, the max iOS is 5.1.1. For newer iPads, the current iOS is 6.1.3. The Settings>General>Software Update only appears if you have iOS 5.0 or higher currently installed.
    iOS 5: Updating your device to iOS 5 or Later
    http://support.apple.com/kb/HT4972
    How to install iOS 6
    http://www.macworld.com/article/2010061/hands-on-with-ios-6-installation.html
    iOS: How to update your iPhone, iPad, or iPod touch
    http://support.apple.com/kb/HT4623
    If you are currently running an iOS lower than 5.0, connect the iPad to the computer, open iTunes. Then select the iPad under the Devices heading on the left, click on the Summary tab and then click on Check for Update.
    Tip - If connected to your computer, you may need to disable your firewall and antivirus software temporarily. Then download and install the iOS update. Be sure to back up your iPad before the iOS update. After you update an iPad (except iPad 1) to iOS 6.x, the next update can be installed via wifi (i.e., not connected to your computer).
    Tip 2 - If you're updating via wifi, place your iPad close to your router to preclude getting a corrupted download.
     Cheers, Tom

  • Cisco VCS/Codian MCU and Lync 2013 integration

    Hi,
    I would like to know if Lync 2013 is supported to work with:
    - Cisco Tandberg VCS version x6.1
    - Cisco Codian 4.1 (comp. 6.16)
    Is it necessary to update both devices to be supported/homologated/qualified?
    Thanks

    Hi, Kent ... From what I'm seeing so far the challenges of integrating Cisco/Tandberg equipment and Lync 2013 are the same as what you may have already encountered with Lync 2010. Since the Cisco endpoints and MCU cannot register directly to Lync 2010 or 2013, you will need to leverage the VCS systems as your SIP gateway between them and Lync clients. In Lync 2010 there were limitations as to the interoperability of the H.263/264 codec used by Cisco gear and the RTV codec that Lync was restricted to, and we often experienced frozen video feeds from Lync clients or an inability to connect to individual Cisco endpoints or conferences hosted by the Codian MCU. Even though Lync 2013 will use H.264 as a codec for the video stream, I anticipate there will still be challenges interconnecting through the VCS as well as providing content between Lync and Cisco endpoints. However, I expect an increase in the video quality since Lync 2013 supports higher resolutions and also uses a non-proprietary codec. I expect content to still be unreliable for the Lync participant, even when using a Codian MCU.
    You will still need to set up your VCS with a separate Neighbor zone for the Lync 2013 server just as you did for Lync 2010. I wouldn't hold my breath for Cisco to update the VCS software to accommodate the specific needs of Lync 2013, but at least the VCS will get the correct video codec and connect your call. I don't know about you but I had to put my Cisco units and MCU into a separate SIP domain from the Lync pool, and then create a static route for the Cisco SIP domain on the Lync 2010 front-end server. I expect to do the same in Lync 2013.
    Ideally, Microsoft and Cisco would agree that SIP is SIP, and whether an endpoint registers with VCS, UCM or Lync shouldn't be relevant. Alas, it'll be a long, long time before that is true, certainly not as long as Microsoft and Polycom have such a tight bond. I plan on implementing Lync 2013 in the next few months and will gladly post any progress here. At this point my plan is to simply mirror the static route and configuration I have with Lync 2010. My VCS and Codian units are running software versions just a little ahead of yours and work fine.
    Good luck!
