Configuring Cisco 8800 phones for VPN
Does anyone know how to configure 8800 phones for VPN? I am particularly interested in the 8861/8851 models.
Thanks,
Carlos
So I opened a TAC case and they provided me with the solution:
"Usually you upload the Cisco_Manufacturing_CA certificate on the ASA but with the new models we should upload the Cisco_Manufacturing_CA_SHA2 creating a new trustpoint on the ASA"
The security guide does not say anything about this cert; it only mentions Cisco_Manufacturing_CA.
Thanks,
Carlos
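As an added example (not from the thread or from Cisco TAC), this is what creating that second trustpoint on the ASA looks like; the trustpoint name is my own label, and the PEM text of the Cisco_Manufacturing_CA_SHA2 certificate is assumed to be obtained from Cisco and pasted where indicated.

```cisco
! Added example, not from the thread or from TAC: a second trustpoint on the ASA
! holding the SHA-2 Cisco Manufacturing CA, so the ASA can validate the
! manufacturer-installed certificate (MIC) that 8800-series phones present
! during the phone VPN handshake. The existing Cisco_Manufacturing_CA
! trustpoint stays in place for the older models.
! Assumptions: the trustpoint name is my own label, and the PEM body of the
! Cisco_Manufacturing_CA_SHA2 certificate comes from Cisco and replaces the
! placeholder below.
crypto ca trustpoint Cisco_Manufacturing_CA_SHA2
 enrollment terminal
! Import the CA certificate: paste the Base64 PEM body, then type "quit"
crypto ca authenticate Cisco_Manufacturing_CA_SHA2
 <paste Cisco_Manufacturing_CA_SHA2 PEM here>
 quit
! Both manufacturing CAs should now be listed as CA certificates
show crypto ca certificates
```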
Similar Messages
-
ASA license for Cisco IP Phone over VPN
Hi,
Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
Thanks
Hi,
You can purchase the phone proxy license. This eliminates the need to build a VPN tunnel for voice traffic.
It is not mandatory to purchase this license however.
From the ASA configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
"The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. "
Don't forget to rate all posts that are helpful. -
Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007
I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect, it fails. We have a Cisco ASA 5520 firewall at work; is there something I need to set up on the device? We want to allow users from
home to connect via their Outlook clients from home. OWA is working from the outside... Help please...
Hi,
Make sure that the required ports are allowed through the device. The users access through ports 25/443 etc., and these should be opened. Better, go for a test at www.testconnectivity.microsoft.com
Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected] -
Hi
I am trying to set up an AnyConnect VPN for a Cisco 9971, so that I can use it at home. The tunnel is up, I've tested it, but the phone got the following error message:
11:56:11 Updating Trust List
11:56:11 Trust List updated
11:56:12 SEP0011111111.cnf.xml.sgn (HTTP)
11:56:13 VPN Error: VPN is not Configured.
12:14:40 Reset requested by CUCM
12:15:14 DNS Timeout
12:15:14 Updating Trust List
12:15:14 Trust List updated
12:15:15 SEP0011111111.cnf.xml.sgn (HTTP)
12:15:16 VPN Error: VPN is not Configured.
Any help would be appreciated.
By the way, this is a SIP phone.
Hi,
You can purchase the phone proxy license. This eliminates the need to build a VPN tunnel for voice traffic.
It is not mandatory to purchase this license however.
From the ASA configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
"The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. "
Don't forget to rate all posts that are helpful. -
Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth
Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two-steps.. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config, but that doesn't seem to make any difference to the ASA. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?
My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either. -
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
Cisco IP Phone 7965 VPN Requirements
We are currently running CUCM System version 8.6.2.21900-5. We are having issues setting up and getting IP phones to connect from some employee homes. We have the licensing, and I know the setup works as I have been able to successfully configure & connect several phones to our PBX from my home network.
What I cannot seem to find is a list of routers that are or are not compatible with the IP phone/vpn. I also need to find "checklist" of what to look for or what should be set up on a home network to make this setup for the users and IT staff easier.
I should note, that these users report that they can connect to our vpn fine via Anyconnect and their computers. 1 user even had access to other routers and on the 3rd router was able to get a connection and place a call.
I am in the process of getting the home router/modem make and models from these users if it helps.
There is no such list. The phone uses SSL VPN, which is regular TCP/UDP packets, so nothing special in that for the home router and any should work.
-
Configuring Cisco/IronPort plugin for Outlook with CRES
With the discontinuation of the IronPort IEA appliances we are getting ready to move from our on-premise IEA appliances to CRES. I have a demo key for Encryption that I am running on my C660s and I have an Outlook client configured with the Email Security Plug-In version 7.2.0.39. Currently the Outlook Plug in is configured to point to our on premise IEA appliances for the Server URL attribute in Desktop Encryption Options and is working great.
My question is, what do I use to connect it to CRES for desktop encryption?
The Admin guide "Cisco IronPort Email Security Plug-in 7.2 Administrator Guide" page 4-46 just says "Server URL Enter the URL for your Encryption server."
Thanks
Hi Jason,
Thanks for your question. The short answer is https://res.cisco.com:443 HOWEVER please note the following two points. First, you will need a CRES account, so that you can download a token to use with the plugin, to authenticate to CRES; you cannot use the default token which you have probably been using with your IEA. Second, using the current Outlook plug-in version 7.2 with CRES is not supported; it works, but it is not supported. There are plans to release a supported version. -
What is the best cisco ip phone for call manager and ipcc practicals
Hi, I have recently started my training on Cisco Call Manager and CCIE Voice from a leading Cisco voice training institute (http://networkerszone.com/), and am working on 7900 series phones. Is there any other phone that I should use, or is this fine?
Naval,
7900 phones are good enough for both CUCM & UCCE. UCCE, however, doesn't support all models of the 7900 series; please refer to the UCCE Compatibility Matrix for supported phone models.
You may also use CIPC as agent phone.
GP.
Pls rate the post if it helps !! -
Configuring Cisco Aironet 1140 for Radius and setting up a Radius server
Guys, I need some help setting up my RADIUS to work with a Cisco Aironet 1140. I am new at this; however, I was tasked with setting up a RADIUS server and setting our AP with WPA2-Enterprise so users can log into our AP using AD credentials.
When I try to set up a new SSID on the AP, I do not see the option for WPA2-Enterprise?
Here are other links with examples:
https://supportforums.cisco.com/thread/331581
http://targetcisco.blogspot.com/2011/03/cisco-autonomous-access-point.html
http://downloads.avaya.com/css/P8/documents/100041614
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Cisco 2811 compatibilty for VPN
Hello
I have an existing live router which is at present not handling VPN.
There is a requirement to add VPN service to it and am trying to find the compatibility for it.
The router is
PID: CISCO2811
and the IOS running on it
c2800nm-spservicesk9-mz.124-24.T3.bin
It does not have any of the SEC bundles in it.
Can you please let me know if i need to swap out the router with one of the ones with the SEC bundles to establish a VPN on it?
Many Thanks
Kaushik
Hi, you will need to upgrade the image to
c2800nm-adventerprisek9 or c2800nm-adsecurityk9
** Do Rate Helpful Posts** -
Configuring Cisco TFTP Server for CUCM
Hi,
I currently have a Publisher and two Subscriber (v 6.1.3), I have now gone over the magical 1250 devices where Cisco recommend a standalone TFTP server.
I understand to deploy it I need to add it to the Publisher as a Server and then once up and running enable the Cisco TFTP service, then update the Option 150 address in my DHCP scope to point towards the new TFTP server.
A couple of questions, does the TFTP server need the following installed at the same level as the Publisher/Subscribers:
Dial Plans
Device Packs
Locales
Thanks, and any other comments appreciated.
Hi Ian,
- By architecture, the TFTP server would be the one pushing out the firmware load and to the phones - so you would need your device packs, containing the bundle of firmware loads, to be on your standalone TFTP server.
- locales install files which the phones get from the TFTP server, such as their dictionary - so you would need locales on the standalone TFTP server
- Dial plans are files used by the CCM binary file. If you are not planning on running CCM service on the server ever, you don't need to install dial plans on that server. However, as best practice, it is good to have dial plans, locales and device packs uploaded on this standalone TFTP server, in case the server roles were adjusted at a later point in time.
- Sriram
Please rate helpful posts ! -
How to configure CISCO ASA 5510 for internal remote desktop ?
Hello, I have a client that wants to install a new ASA (5510) in their network,
and then I did some experiments to implement it. The topology is like this:
--------configuration---------
2800 router :
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.11.3 255.255.255.0
duplex auto
speed auto
ip route 192.168.12.0 255.255.255.0 172.16.1.2
1841 router :
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ASA 5510 :
: Saved
: Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
ASA Version 8.2(1)
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
name 192.168.12.0 Branch
dns-guard
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
tcp-map mssmap
synack-data allow
invalid-ack allow
seq-past-window allow
urgent-flag allow
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location Branch 255.255.255.0 inside
no asdm history enable
arp timeout 14400
static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside Branch 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ***** password ***** encrypted
class-map mymap
match access-list inside_access_in
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map myPolicy
class mymap
set connection advanced-options mssmap
service-policy global_policy global
service-policy myPolicy interface inside
prompt hostname context
Cryptochecksum:a605d94f29924e5267644dd0f4476145
: end
I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
Then I used Wireshark to capture packets on my computer and it says TCP ACKed Lost Segment.
"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
Please help, any suggestion would be great.
Thanks.
Sincerely yours
-IAN WIJAYA-
Dear Ian_benderaz,
Thank god I am not alone on this,
Me too, having the exact same problem: I can ping to the host, but no remote desktop.
Somebody please help me on this, how to enable remote desktop on ASA 5505
Thanks -
Configuring Cisco Switch VLANs for Samsung DLNA Sharing!
Hello there,
In my vlan 40, I have Samsung Smart TV and Samsung Allshare "DLNA" software on one of my PCs in the same vlan. Everything works fine and I can watch movies on my TV streaming from my PC.
Now, my brother, which is in Vlan 20, bought Samsung Smart TV.
I want my PC, which hosts Samsung Allshare software (vlan40), to send its media streaming to my brother's TV (vlan20) so he can watch my movies.
I know broadcasts are dropped between vlans.
So, how can I accomplish that?
Hi,
Have a look at this link:-
http://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/9356-48.html
If your switch is doing the inter-VLAN routing (i.e. it is Layer 3 compatible),
then a simple dense mode config something like this should be OK.
ip routing
ip multicast-routing dist
int vlan 20
desc ***MY BROTHERS VLAN ***
ip add 192.168.20.1 255.255.255.0
ip pim sparse-dense-mode
no shut
int vlan 40
desc ***MY VLAN ***
ip add 192.168.40.1 255.255.255.0
ip pim sparse-dense-mode
no shut
Regards
Alex -
Forced Authorization Code For Cisco SIP Phone 3905
Hi Team,
Can i configure Cisco SIP Phone 3905 to use Forced Authorization Code ? I am using Call Manager 9.X.
Regards,
Praful Sartape
Hi Praful,
Yes, you are right for CME, but for CUCM some SIP phones support FAC; as far as the 3905 is concerned, it supports FAC.
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/3905/8_6/english/admin_guide/IP05_BK_CDEEDD7F_00_admin-guide-3905_chapter_0101.html#IP05_RF_A5029279_00
I didn't find a link for CUCM 9.x, but the above link will help.
And also check this thread- https://supportforums.cisco.com/thread/2125452
Rate all the helpful post.
Thanks
Manish