Configuring Cisco 8800 phones for VPN

Does anyone know how to configure 8800 phones for VPN? I am particularly interested in the 8861/8851 models.
Thanks,
Carlos

So I opened a TAC case and they provided me with the solution:
"Usually you upload the Cisco_Manufacturing_CA certificate on the ASA but with the new models we should upload the Cisco_Manufacturing_CA_SHA2 creating a new trustpoint on the ASA"
The security guide does not say anything about this cert; it only mentions Cisco_Manufacturing_CA.
Thanks,
Carlos
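The TAC fix above written out as ASA CLI, as an added example that is not part of the original posts: the trustpoint already holding Cisco_Manufacturing_CA stays in place, and a second trustpoint is created for Cisco_Manufacturing_CA_SHA2. The trustpoint names are assumptions, and the PEM body is a placeholder for the certificate you export yourself.

```text
! Added example; trustpoint names are hypothetical.
!
! Existing trustpoint, already authenticated with Cisco_Manufacturing_CA
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 exit
!
! New trustpoint for the CA named in the TAC answer
crypto ca trustpoint Cisco_Manufacturing_CA_SHA2
 enrollment terminal
 exit
!
! Import the CA certificate: paste the PEM, then type "quit" on its own line.
! The ASA prints the certificate fingerprint and asks for confirmation;
! compare it with the fingerprint of the file you exported before answering yes.
crypto ca authenticate Cisco_Manufacturing_CA_SHA2
-----BEGIN CERTIFICATE-----
<PEM body of Cisco_Manufacturing_CA_SHA2>
-----END CERTIFICATE-----
quit
!
! Confirm that both CA certificates are now installed
show crypto ca certificates Cisco_Manufacturing_CA
show crypto ca certificates Cisco_Manufacturing_CA_SHA2
```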

Similar Messages

  • ASA license for Cisco IP Phone over VPN

    Hi,
    Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
    Thanks

    Hi,
    You can purchase the phone proxy license. This eliminates the need to build a VPN tunnel for voice traffic.
    It is not mandatory to purchase this license however.
    From the ASA configuration guide:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
    "The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted."
    Don't forget to rate all posts that are helpful.

  • Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

    I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have a Cisco ASA 5520 firewall at work, is there something I need to set up on the device? We want to allow users from home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

    Hi,
    Make sure that the required ports are allowed over the device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
    Regards from ExchangeOnline.in | Windows Administrator Area

  • Cisco 9971 phone over VPN

    Hi
    I am trying to set up an AnyConnect VPN for a Cisco 9971, so that I can use it at home. The tunnel is up, I've tested it, but the phone got the following error message:
    11:56:11 Updating Trust List
    11:56:11 Trust List updated
    11:56:12 SEP0011111111.cnf.xml.sgn (HTTP)
    11:56:13 VPN Error: VPN is not Configured.
    12:14:40 Reset requested by CUCM
    12:15:14 DNS Timeout 
    12:15:14 Updating Trust List
    12:15:14 Trust List updated
    12:15:15 SEP0011111111.cnf.xml.sgn (HTTP)
    12:15:16 VPN Error: VPN is not Configured.
    Any help would be appreciated.
    By the way, this is a SIP phone.

    Hi,
    You can purchase the phone proxy license. This eliminates the need to build a VPN tunnel for voice traffic.
    It is not mandatory to purchase this license however.
    From the ASA configuration guide:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
    "The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted."
    Don't forget to rate all posts that are helpful.

  • Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth

    Hello all,
    I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
    Their authentication process is two-steps.. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
    When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
    We opened a TAC case with Cisco, and this is their response:
    The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
    I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
    I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config , but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?

    My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
    I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.
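The LDAP setup this thread describes, as an added ASA configuration example that is not taken from the posts: a low-privilege service account performs the search on uid, and the server type is set to the value that made the second bind work for the poster. The server-group name, address, DNs and credentials are constructed placeholders.

```text
! Added example; server-group name, address and DNs are constructed.
aaa-server DSEE protocol ldap
aaa-server DSEE (inside) host 192.0.2.10
 ldap-base-dn ou=people,dc=example,dc=com
 ldap-scope subtree
 ! Step 1 of the flow in the post: bind as the service account,
 ! search on the naming attribute, read the user's DN, unbind.
 ! This account needs search access only, not Directory Administrator.
 ldap-naming-attribute uid
 ldap-login-dn uid=asa-svc,ou=services,dc=example,dc=com
 ldap-login-password <service-account-password>
 ! Before (failing in the post): server-type sun
 !   produced "No results returned for iPlanet global password policy"
 ! After (working in the post):
 server-type openldap
 exit
!
! Step 2 (bind as the user's DN with the supplied password) is done by the
! ASA itself. Exercise both steps from the CLI and watch the bind sequence:
debug ldap 255
test aaa-server authentication DSEE host 192.0.2.10 username <test-user> password <test-password>
```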

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • Cisco IP Phone 7965 VPN Requirements

    We are currently running CUCM System version: 8.6.2.21900-5.  We are having issues setting up and getting IP phones to connect from some employee homes.  We have the licensing, and I know the setup works as I have been able to successfully configure & connect several phones to our PBX from my home network.
    What I cannot seem to find is a list of routers that are or are not compatible with the IP phone/vpn.  I also need to find a "checklist" of what to look for or what should be set up on a home network to make this setup for the users and IT staff easier.
    I should note, that these users report that they can connect to our vpn fine via Anyconnect and their computers.  1 user even had access to other routers and on the 3rd router was able to get a connection and place a call.
    I am in the process of getting the home router/modem make and models from these users if it helps.

    There is no such list. Phone uses SSL VPN that are regular TCP/UDP packets so nothing special in that for the home router and any should work.

  • Configuring Cisco/IronPort plugin for Outlook with CRES

    With the discontinuation of the IronPort IEA appliances we are getting ready to move from our on-premise IEA appliances to CRES.  I have a demo key for Encryption that I am running on my C660s and I have an Outlook client configured with the Email Security Plug-In version 7.2.0.39.  Currently the Outlook Plug in is configured to point to our on premise IEA appliances for the Server URL attribute in Desktop Encryption Options and is working great.
    My question is, what do I use to connect it to CRES for desktop encryption?
    The Admin guide "Cisco IronPort Email Security Plug-in 7.2 Administrator Guide" page 4-46 just says "Server URL Enter the URL for your  Encryption server."
    Thanks

    Hi Jason,
    Thanks for your question.  The short answer is https://res.cisco.com:443 HOWEVER please note the following two points.  First, you will need a CRES account, so that you can download a token to use with the plugin, to authenticate to CRES; you cannot use the default token which you have probably been using with your IEA.  Second, using the current Outlook plug-in version 7.2 with CRES is not supported; it works, but it is not supported.  There are plans to release a supported version.

  • What is the best cisco ip phone for call manager and ipcc practicals

    Hi, I have recently started my training on Cisco Call Manager and CCIE voice from a leading Cisco voice training institute (http://networkerszone.com/), and am working on 7900 series phones. Is there any other phone that I should use or is this fine?

    Naval,
    7900 phones are good enough for both CUCM & UCCE. UCCE however doesn't support all models of 7900 series, please refer to the UCCE Compatibility Matrix for supported phone models.
    You may also use CIPC as agent phone.
    GP.
    Pls rate the post if it helps !!

  • Configuring Cisco Aironet 1140 for Radius and setting up a Radius server

    Guys, I need some help setting up my Radius to work with Cisco Aironet 1140. I am new at this, however I was tasked with setting up a Radius server and setting our AP with WPA2-Enterprise so users can log into our AP using AD credentials.
    When I try to set up a new SSID on the AP I do not see the option for WPA2-Enterprise?

    Here are other links with examples:
    https://supportforums.cisco.com/thread/331581
    http://targetcisco.blogspot.com/2011/03/cisco-autonomous-access-point.html
    http://downloads.avaya.com/css/P8/documents/100041614
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Cisco 2811 compatibility for VPN

    Hello
    I have an existing live router which is at present not handling VPN.
    There is a requirement to add VPN service to it and am trying to find the compatibility for it.
    The router is
    PID: CISCO2811
    and the IOS running on it
    c2800nm-spservicesk9-mz.124-24.T3.bin
    It does not have any of the SEC bundles in it.
    Can you please let me know if i need to swap out the router with one of the ones with the SEC bundles to establish a VPN on it?
    Many Thanks
    Kaushik

    Hi, you will need to upgrade the image to
    c2800nm-adventerprisek9 or c2800nm-adsecurityk9
    ** Do Rate Helpful Posts**

  • Configuring Cisco TFTP Server for CUCM

    Hi,
    I currently have a Publisher and two Subscriber (v 6.1.3), I have now gone over the magical 1250 devices where Cisco recommend a standalone TFTP server.
    I understand to deploy it I need to add it to the Publisher as a Server and then once up and running enable the Cisco TFTP service, then update the Option 150 address in my DHCP scope to point towards the new TFTP server.
    A couple of questions, does the TFTP server need the following installed at the same level as the Publisher/Subscribers:
    Dial Plans
    Device Packs
    Locales
    Thanks and any other comments appreciated.

    Hi Ian,
    - By architecture, the TFTP server would be the one pushing out the firmware load and  to the phones - so you would need your device packs, containing the bundle of firmware loads, to be on your standalone TFTP server.
    - locales install files which the phones get from the TFTP server, such as their dictionary - so you would need locales on the standalone TFTP server
    - Dial plans are files used by the CCM binary file. If you are not planning on running CCM service on the server ever, you don't need to install dial plans on that server.  However, as best practice, it is good to have dial plans, locales and device packs uploaded on this standalone TFTP server, in case the server roles were adjusted at a later point in time.
    - Sriram
    Please rate helpful posts !

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Hello, I have a client that wants to install a new ASA (5510) in their network,
    and I did some experiments to implement it. The topology is like this:
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
    Then I used Wireshark to capture packets on my computer, and it says TCP ACKed Lost Segment.
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
    Please help, any suggestion would be great.
    Thanks.
    Sincerely yours
    -IAN WIJAYA-

    Dear Ian_benderaz,
    Thank god I am not alone on this.
    I too am having the exact same problem: I can ping the host, but no remote desktop.
    Somebody please help me on this: how to enable remote desktop on ASA 5505?
    Thanks

  • Configuring Cisco Switch VLANs for Samsung DLNA Sharing!

    Hello there,
    In my vlan 40, I have Samsung Smart TV and Samsung Allshare "DLNA" software on one of my PCs in the same vlan. Everything works fine and I can watch movies on my TV streaming from my PC.
    Now, my brother, which is in Vlan 20, bought Samsung Smart TV.
    I want my PC, which hosts Samsung Allshare software (vlan40), to send its media streaming to my brother's TV (vlan20) so he can watch my movies.
    I know broadcasts are dropped between vlans.
    So, How can I accomplish that?

    Hi,
    Have a look at this link:-
    http://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/9356-48.html
    If your switch is doing the inter-VLAN routing (i.e. Layer 3 compatible)
    Then a simple DENSE mode config something like this should be OK.
    ip routing
    ip multicast-routing dist
    int vlan 20
    desc ***MY BROTHERS VLAN ***
    ip add 192.168.20.1 255.255.255.0
    ip pim sparse-dense-mode
    no shut
    int vlan 40
    desc ***MY  VLAN ***
    ip add 192.168.40.1 255.255.255.0
    ip pim sparse-dense-mode
    no shut
    Regards
    Alex

  • Forced Authorization Code For Cisco SIP Phone 3905

    Hi Team,
    Can I configure the Cisco SIP Phone 3905 to use Forced Authorization Code? I am using Call Manager 9.X.
    Regards,
    Praful Sartape

    Hi Praful,
    Yes, you are right for CME, but for CUCM some SIP phones support FAC; as far as the 3905 is concerned, it supports FAC.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/3905/8_6/english/admin_guide/IP05_BK_CDEEDD7F_00_admin-guide-3905_chapter_0101.html#IP05_RF_A5029279_00
    I didn't find a link for CUCM 9.x but the above link will help.
    And also check this thread- https://supportforums.cisco.com/thread/2125452
    Rate all the helpful post.
    Thanks
    Manish
