FTTH and Cisco 2921
Hi all,
we would like to bring a Cisco 2921 into operation via PPPoE over an FTTH link on a Swisscom Internet Business Light connection. The Zyxel FSG1100HN is in use as the bridge.
The bridge with a PC and a PPPoE connection works flawlessly.
The Cisco router does send packets to start the authentication, but gets no response back (PADI timer expired).
Does anyone have a tip?
Many thanks in advance
Olaf
Hi Olaf,
This is the Optical section; I think your post would be better placed in the Switching section.
Chris
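"PADI timer expired" means the router is stuck in the PPPoE discovery stage: it broadcasts PADI frames (EtherType 0x8863, destination ff:ff:ff:ff:ff:ff) and never sees a PADO from an access concentrator. A PADI that leaves untagged on a segment where the concentrator only listens on a tagged VLAN, or that the bridge never forwards, looks exactly like a dead link. The block below is an added example, not part of the original thread: it builds and parses RFC 2516 discovery frames and classifies a captured exchange so you can tell "no PADO at all" apart from "PADO with an error tag" or "PADO but no PADR". The MAC addresses, AC name, cookie and Host-Uniq values are constructed sample data; feeding it real frames (for example from a capture on the bridge port) is left to the caller.

```python
"""Build, parse and classify PPPoE discovery-stage frames (RFC 2516).
Added example for this thread; all sample values are constructed."""
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
PPPOE_VER_TYPE = 0x11  # version 1, type 1 packed in one byte
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
CODE_NAMES = {CODE_PADI: "PADI", CODE_PADO: "PADO", CODE_PADR: "PADR",
              CODE_PADS: "PADS", CODE_PADT: "PADT"}
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
TAG_SERVICE_NAME_ERROR, TAG_AC_SYSTEM_ERROR, TAG_GENERIC_ERROR = 0x0201, 0x0202, 0x0203
TAG_NAMES = {TAG_END: "End-Of-List", TAG_SERVICE_NAME: "Service-Name",
             TAG_AC_NAME: "AC-Name", TAG_HOST_UNIQ: "Host-Uniq",
             TAG_AC_COOKIE: "AC-Cookie", TAG_SERVICE_NAME_ERROR: "Service-Name-Error",
             TAG_AC_SYSTEM_ERROR: "AC-System-Error", TAG_GENERIC_ERROR: "Generic-Error"}
BROADCAST = b"\xff" * 6


def build_discovery(src_mac, dst_mac, code, session_id, tags):
    """Return a raw Ethernet frame carrying one PPPoE discovery packet.
    tags is a list of (tag_type, value_bytes); End-Of-List is optional."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + header + payload


def parse_discovery(frame):
    """Parse a raw Ethernet frame into MACs, code name, session id and tag list.
    Raises ValueError for anything that is not well-formed PPPoE discovery."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("ethertype 0x%04x is not PPPoE discovery" % ethertype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field runs past end of frame")
    tags, off = [], 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if tag_type == TAG_END:
            break
        if off + tag_len > len(payload):
            raise ValueError("tag length runs past payload")
        tags.append((TAG_NAMES.get(tag_type, "0x%04x" % tag_type), payload[off:off + tag_len]))
        off += tag_len
    return {"dst": dst, "src": src, "code": CODE_NAMES.get(code, "0x%02x" % code),
            "session_id": session_id, "tags": tags}


def diagnose(frames):
    """Classify a captured discovery exchange (list of raw frames) and return
    a one-line verdict of how far the handshake got."""
    seen = [parse_discovery(f) for f in frames]
    codes = [p["code"] for p in seen]
    for p in seen:
        for name, value in p["tags"]:
            if name.endswith("-Error"):  # AC answered, but refused the request
                return "AC rejected the request: %s=%r" % (name, value)
    if "PADS" in codes:
        sid = next(p["session_id"] for p in seen if p["code"] == "PADS")
        return "discovery complete, session id %d" % sid
    if "PADR" in codes:
        return "PADR sent but no PADS: AC never confirmed the session"
    if "PADO" in codes:
        return "PADO received but client never sent PADR: client-side problem"
    if "PADI" in codes:
        return "PADI sent, no PADO: nothing answered on this L2 segment (bridge/VLAN path or AC)"
    return "no PADI seen: client is not starting discovery on this interface"


# Constructed sample exchange: client PADI broadcast, AC PADO, nothing further.
CLIENT_MAC = bytes.fromhex("001122334455")
AC_MAC = bytes.fromhex("66778899aabb")
SAMPLE_PADI = build_discovery(CLIENT_MAC, BROADCAST, CODE_PADI, 0,
                              [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\x00\x00\x00\x2a")])
SAMPLE_PADO = build_discovery(AC_MAC, CLIENT_MAC, CODE_PADO, 0,
                              [(TAG_AC_NAME, b"sample-ac"), (TAG_SERVICE_NAME, b""),
                               (TAG_HOST_UNIQ, b"\x00\x00\x00\x2a"), (TAG_AC_COOKIE, b"\x01\x02\x03\x04")])
SAMPLE_PADS = build_discovery(AC_MAC, CLIENT_MAC, CODE_PADS, 7, [(TAG_SERVICE_NAME, b"")])

if __name__ == "__main__":
    print(parse_discovery(SAMPLE_PADO))
    print(diagnose([SAMPLE_PADI]))                # the symptom in this thread
    print(diagnose([SAMPLE_PADI, SAMPLE_PADO, SAMPLE_PADS]))
```

The verdict for a PADI with nothing coming back is the one to look for here: if a capture on the client side of the bridge shows only PADIs, the frames are either not reaching the concentrator (tagging, bridge mode, wrong port) or are being dropped by it, and no amount of PPP authentication tuning on the router will help, because the router never gets as far as authentication.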
Similar Messages
-
Problem with Cisco 2921 + EVM-HD-8FXS/DID with CUCM
Hello everyone.
I have the following problem that I am not able to resolve. I defined a new BRI connection.
I can make calls seamlessly between the Cisco Unified Communications Manager (version: 8.5.1.10000-26) and the Cisco 2921 (CISCO2921-V/K9).
But when receiving calls from the BRI, the Cisco receives the call but the Cisco Unified Communications Manager does not transfer it to the extension,
and I cannot understand why. On other BRI interfaces I do not have this problem.
This is the configuration I'm using.
Current configuration : 17238 bytes
! Last configuration change at 18:02:34 PORT Mon Apr 2 2012 by admin
! NVRAM config last updated at 18:02:56 PORT Mon Apr 2 2012 by admin
! NVRAM config last updated at 18:02:56 PORT Mon Apr 2 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname <<omitted>>
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 <<omitted>>
aaa new-model
aaa authentication login default none
aaa authentication login <<omitted>>
aaa accounting connection h323 start-stop group radius
aaa session-id common
clock timezone PORT 0 0
clock summer-time PORT recurring last Sun Mar 1:00 last Sun Oct 1:00
network-clock-participate slot 1
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-participate wic 2
network-clock-participate wic 3
network-clock-select 1 BRI0/0/0
network-clock-select 2 BRI0/1/0
network-clock-select 3 BRI0/2/0
network-clock-select 4 BRI0/3/0
no ipv6 cef
ip source-route
ip cef
no ip domain lookup
ip domain name <<omitted>>
multilink bundle-name authenticated
isdn switch-type basic-net3
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed- <<omitted>>
enrollment selfsigned
subject-name cn= <<omitted>>
revocation-check none
rsakeypair TP-self-signed- <<omitted>>
crypto pki certificate chain <<omitted>>
<<omitted>>
quit
voice-card 0
dsp services dspfarm
voice call send-alert
voice call disc-pi-off
voice call carrier capacity active
voice rtp send-recv
voice service voip
no ip address trusted authenticate
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
h323
modem passthrough nse codec g711ulaw
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
voice class h323 1
h225 timeout tcp establish 5
voice translation-rule 1
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 2
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
rule 4 /^21 <<omitted>>/ /21 <<omitted>>/
rule 5 /^21 <<omitted>>/ /21 <<omitted>>/
rule 6 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 3
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 4
rule 1 /^0/ /400/
rule 2 /^/ /21 <<omitted>>/
voice translation-rule 5
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /^21 <<omitted>>/ /21 <<omitted>>/
rule 3 /^21 <<omitted>>/ /21 <<omitted>>/
voice translation-rule 11
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 12
rule 1 /^21 <<omitted>>/ /21 <<omitted>>/
rule 2 /.*/ /21 <<omitted>>/
voice translation-rule 13
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 14
rule 1 /.*/ /21 <<omitted>>/
voice translation-rule 15
rule 1 /.*/ /21<<omitted>>/
voice translation-rule 21
rule 1 /^./ /0&/
voice translation-rule 22
rule 1 /^./ /0&/
voice translation-rule 25
rule 1 /^./ /0&/
voice translation-rule 23
rule 1 /^./ /0&/
voice translation-rule 24
rule 1 /^./ /0&/
voice translation-rule 32
rule 1 /^212104974/ /21 <<omitted>>/
rule 2 /.*/ /212104975/
voice translation-profile INLINE_EMPA
translate calling 22
translate called 2
voice translation-profile INLINE_EMPB
translate calling 23
translate called 3
voice translation-profile INLINE_EMPC
translate calling 25
translate called 5
voice translation-profile INLINE_EMPE
translate calling 24
translate called 4
voice translation-profile INLINE_EMPD
translate calling 21
translate called 1
voice translation-profile OUTLINE_EMPA
translate calling 12
voice translation-profile OUTLINE_EMPA_NT_FAX
translate calling 32
voice translation-profile OUTLINE_EMPB
translate calling 13
voice translation-profile OUTLINE_EMPC
translate calling 15
voice translation-profile OUTLINE_EMPE
translate calling 14
voice translation-profile OUTLINE_EMPD
translate calling 11
license udi pid CISCO2921/K9 sn <<omitted>>
hw-module pvdm 0/0
hw-module sm 1
username admin privilege 15 password 0 <<omitted>>
redundancy
ip ssh time-out 60
ip ssh authentication-retries 2
class-map match-all Voz
match access-group 100
policy-map QoS
class Voz
priority 200
set precedence 5
class class-default
fair-queue
gw-accounting aaa
attribute acct-session-id overloaded
acct-template callhistory-detail
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address <<omitted>> 255.255.0.0
ip access-group BLOCK in
load-interval 30
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip bind srcaddr <<omitted>>
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
interface BRI0/0/0
description EMPD N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/0/1
description Ecotel EMPD N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/1/0
description EMPA N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation first-call
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/1/1
description EMPA N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/2/0
description EMPB N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/2/1
description Ecotel EMPB N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI0/3/0
description EMPE N:
no ip address
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI0/3/1
description Ecotel EMPA N
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/0
description B EMPC N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn static-tei 0
interface BRI1/1
description Ecotel EMPE N:
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/2
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/3
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/4
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/5
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/6
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
interface BRI1/7
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
isdn send-alerting
isdn sending-complete
isdn static-tei 0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip rtcp report interval 500
ip access-list extended BLOCK
deny ip any host <<omitted>>
deny ip any host <<omitted>>
deny ip any host <<omitted>>
deny ip any host <<omitted>>
permit ip any any
ip radius source-interface GigabitEthernet0/0
radius-server host <<omitted>> auth-port 1647
radius-server host <<omitted>> acct-port 1647
radius-server key <<omitted>>
radius-server vsa send accounting
control-plane
voice-port 0/0/0
translation-profile incoming INLINE_EMPD
translation-profile outgoing OUTLINE_EMPD
compand-type a-law
cptone PT
voice-port 0/0/1
compand-type a-law
cptone PT
voice-port 0/1/0
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA
compand-type a-law
cptone PT
voice-port 0/1/1
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA_NT_FAX
compand-type a-law
cptone PT
voice-port 0/2/0
translation-profile incoming INLINE_EMPB
translation-profile outgoing OUTLINE_EMPB
compand-type a-law
cptone PT
voice-port 0/2/1
translation-profile incoming INLINE_EMPB
translation-profile outgoing OUTLINE_EMPB
compand-type a-law
cptone PT
description Ligacao Acesso GSM
bearer-cap Speech
voice-port 0/3/0
translation-profile incoming INLINE_EMPE
translation-profile outgoing OUTLINE_EMPE
compand-type a-law
cptone PT
voice-port 0/3/1
translation-profile incoming INLINE_EMPA
translation-profile outgoing OUTLINE_EMPA
compand-type a-law
cptone PT
description Ligacao Acesso GSM
bearer-cap Speech
voice-port 1/0/0
compand-type a-law
cptone PT
voice-port 1/0/1
compand-type a-law
cptone PT
voice-port 1/0/2
compand-type a-law
cptone PT
voice-port 1/0/3
compand-type a-law
cptone PT
voice-port 1/0/4
compand-type a-law
cptone PT
voice-port 1/0/5
compand-type a-law
cptone PT
voice-port 1/0/6
compand-type a-law
cptone PT
voice-port 1/0/7
compand-type a-law
cptone PT
voice-port 1/0/8
translation-profile incoming INLINE_EMPC
translation-profile outgoing OUTLINE_EMPC
compand-type a-law
cptone PT
voice-port 1/0/9
compand-type a-law
cptone PT
voice-port 1/0/10
compand-type a-law
cptone PT
voice-port 1/0/11
compand-type a-law
cptone PT
voice-port 1/0/16
compand-type a-law
cptone PT
voice-port 1/0/17
compand-type a-law
cptone PT
voice-port 1/0/18
compand-type a-law
cptone PT
voice-port 1/0/19
compand-type a-law
cptone PT
ccm-manager music-on-hold
no mgcp package-capability res-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp profile default
dial-peer voice 1 pots
description +++++ Dial-peer +++++
incoming called-number .
direct-inward-dial
port 0/0/0
dial-peer voice 10 pots
description touchwise
destination-pattern 1T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/0
dial-peer voice 20 pots
description globalmove
preference 1
shutdown
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 30 pots
description globaltemp
shutdown
destination-pattern 3T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 40 pots
description EMPE
destination-pattern 4T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/3/0
dial-peer voice 100 voip
preference 1
destination-pattern .
session target ipv4:10.35.2.1
voice-class codec 1
no vad
dial-peer voice 21 pots
description globalmove
preference 2
shutdown
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 101 voip
preference 2
destination-pattern .
session target ipv4:10.35.2.2
voice-class codec 1
no vad
dial-peer voice 24 pots
description globalmove
preference 1
destination-pattern 59[1236].......
port 0/3/1
forward-digits 9
dial-peer voice 25 pots
description globalmove
preference 1
destination-pattern 500T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 26 pots
description globalmove
preference 2
destination-pattern 500T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 27 pots
description globalmove
preference 1
destination-pattern 5[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/0
dial-peer voice 28 pots
description globalmove
preference 2
destination-pattern 5[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/1/1
dial-peer voice 34 pots
description globalTemp
preference 1
destination-pattern 39[1236].......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/1
forward-digits 9
dial-peer voice 35 pots
description globalTemp
preference 1
destination-pattern 300T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 37 pots
description globalTemp
preference 1
destination-pattern 3[123678]T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/2/0
dial-peer voice 14 pots
description empd
preference 1
destination-pattern 19386648.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 15 pots
description empd
preference 1
destination-pattern 19365483.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 16 pots
description empd
preference 1
destination-pattern 19341347.......
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/1
forward-digits 9
dial-peer voice 50 pots
description EMPC
destination-pattern 5T
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 1/0/8
gateway
timer receive-rtp 1200
gatekeeper
shutdown
call-manager-fallback
max-conferences 4 gain -6
transfer-system full-consult
ip source-address 10.35.2.250 port 2000
max-ephones 100
max-dn 300
transfer-pattern 09........
transfer-pattern 02........
transfer-pattern 0.........
transfer-pattern 000T
transfer-pattern 4...
keepalive 10
time-format 24
date-format dd-mm-yy
shutdown
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login authentication touchwise
transport input ssh
line vty 5 15
login authentication touchwise
transport input ssh
scheduler allocate 20000 1000
ntp master 5
end
If in "Translation Pattern Configuration" I switch to another existing or internal "Partition", it works.
If I change back to the new one I created, it does not work.
So it must be some flaw I made in Cisco Unified CM. -
Cisco IOS IPS in Cisco 2921/k9 router
Hi All,
I have a Cisco 2921 series router (C2921/K9) basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I have found, I need to purchase an additional subscription license to enable the IPS feature. My query is:
Will it be supported on the basic IP Base IOS, or do I need to change the IOS?
If I need to purchase the subscription license, how can I get the part number and cost for it?
Do I need to buy any additional module for this, like the NME-IPS-K9?
Thanks in advance for your quick support
regards
Sunny
Hi Sunny
1. Yes, you can enable IPS on IOS with the security license without buying a subscription, but this would make little sense: new signatures are released all the time, so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:
Dear Herbert,
Thanks a lot for the wonderful post. It cleared most of my doubts. I still kindly need to know a few more points:
1) Can't we enable the IPS feature on a 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without a signature subscription license (is it a must? it is for getting signature updates and for support only, right?)
2) I came to know from a distributor pre-sales engineer that the Cisco IOS-level Intrusion Protection is not going to provide the full features of IPS like the NME module or IPS appliance. Is that right?
3) If I add the NME-IPS-K9 module to my 2921 router without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I buy the Sec license (SL-29-SEC-K9)?
Attaching the datasheet of the NME-IPS-K9 module (page 5, above Table 3), which mentions the following:
Cisco IOS Software Feature Sets and Release
Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license.
In that case, if I buy a module I can install it on the 2921K9 box directly and enable the IPS feature, right? I don't need any license or additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
Thanks a lot for the support.
regards
Sunny -
Configuring - Cisco 2921 with Switch Module/POE PS and 3750-x 24 port switch
This is what I have
- Cisco 2921 router
with SM-ES2-24-P switch module and
POE power supply
-Cisco 3750x- 24 port Switch
I have port G1/0 (which connects logically to 24-port switch module port g0/26) configured with 3 sub-interfaces (management, User and VoIP).
I want to connect the 3750X to G0/1 on the 2921 via a fiber GBIC but want to use the same three VLANs.
I cannot daisy-chain the 3750X via the switch module because it does not have a fiber port.
I do not want to create another routed (g0/1) interface because I want to keep users on both switches on the same subnet without further splitting the subnet in two.
I hope I am not making this confusing.
How can I bridge g1/0 and g0/1 so I can pass VLAN traffic between the two switches?
The second problem I have is...
I have a VoIP phone connected to the switch module (SM) and it is not getting any power.
I went into all the interfaces on the SM and issued the power inline auto command.
On the SM (sh power inline): available is 0.0 (W)
On the 2921 (sh power inline):
- power supply status is good,
- maximum power available is 280,
- interface G1/0 (which connects to the SM):
  * device is unknown
  * powered off
  * allocated 0.0 watts.
I already tried resetting the SM.
Is there any other command I need to issue?
Thanks for your help.
I'm having a similar issue. I can get trunked connectivity between the switch module and the router if I put the IP address on the router sub-interface, but not if I put it on a VLAN interface. I was hoping to have it on a VLAN sub-interface on the router so I could use Gig0/1 and Gig0/2 to connect other switches and have them on the same VLANs. I'm using Gig1/0 on the router side and Gig0/51 on the switch side (48-port module).
Any help? Am I on the wrong track altogether? -
Hi everyone.... I need urgent help on the scenario below....
ISP managed router connected to ADSL and locked for me to view or change configuration.... I have successfully configured my own 2921 to work with the ISP router with IP NAT; Internet is working for all my LAN users.
After connecting the VPN from outside to the managed services router... I am able to reach my 2921 (10.10.10.100) but unable to access the internal LAN interface which is (10.10.100.1) onwards....
ISP Managed Router (10.10.10.1) >>>>>>>>>> (10.10.10.100) MY Router (2921) (10.10.100.1)>>>>>>>>>>DHCP Users (10.10.100.21 to 100)
CONFIGURATION OF 2921 attached.
Please give suggestions and advise if I need to do some more settings on the 2921.
Hi Paul,
I have changed the config as required.... yes, the ISP router side is 10.10.10.1
Still issues.... Internet is working fine for my LAN users...
When I connect the VPN on the ISP managed router - 78.93.181.41 - it connects....
I can ping the 10.10.10.0 range.... and am able to reach my router which is 10.10.100.1.... but unable to access anything on 10.10.100.0 (which is my LAN)
Any ideas.... as I asked the ISP to allow this in their router, which they did....
access-list 10 permit 10.10.100.0 0.0.0.255
This is what I get from the 2921 now....
RGTSTHALIA2900#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 10.10.10.100:1031 10.10.100.21:1031 192.168.1.111:161 192.168.1.111:161
udp 10.10.10.100:1031 10.10.100.21:1031 192.168.100.11:161 192.168.100.11:161
udp 10.10.10.100:1031 10.10.100.21:1031 192.168.100.111:161 192.168.100.111:161
udp 10.10.10.100:1031 10.10.100.21:1031 192.168.100.112:161 192.168.100.112:161
tcp 10.10.10.100:1674 10.10.100.21:1674 2.21.39.117:80 2.21.39.117:80
tcp 10.10.10.100:1734 10.10.100.21:1734 2.21.39.117:80 2.21.39.117:80
tcp 10.10.10.100:1735 10.10.100.21:1735 2.21.39.117:80 2.21.39.117:80
RGTSTHALIA2900#show ip route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.1, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.100/32 is directly connected, GigabitEthernet0/0
C 10.10.100.0/24 is directly connected, GigabitEthernet0/1
L 10.10.100.1/32 is directly connected, GigabitEthernet0/1 -
Cisco 2921 destination NAT for transparent proxy
Hi All,
I can successfully destination-NAT all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use PBR first to push any of these connections off to a Linux box.
In iptables it's easy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am, however, trying to work out a way to do this without the need for a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm with some of the experts in here whether this is actually the case.
So to reiterate: I'm trying to intercept any outbound packets with destination port TCP 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Cheers,
Jordan.
Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it, which will also verify that the remote proxy server is available.
ip sla monitor 1
type echo protocol ipIcmpEcho <ip address of your proxy server>
timeout 3000
frequency 3
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
interface FastEthernet0/1
ip address <x.x.x.x x.x.x.x>
ip policy route-map REDIRECT-TO-PROXY
ip access-list extended webtraffic
! Deny traffic from your proxy server from redirecting
deny tcp host <ip address of your proxy server> any eq www
deny tcp host <ip address of your proxy server> any eq https
permit tcp <your ip network> <subnet mask> any eq www
permit tcp <your ip network> <subnet mask> any eq https
route-map REDIRECT-TO-PROXY permit 10
match ip address webtraffic
set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule set up to translate this traffic to the outside, here is an example of that:
Here is how my router is configured.
interface FastEthernet0/0
ip address dhcp hostname home-rtr-1
ip nat outside
interface FastEthernet0/1
ip address 10.235.x.x 255.255.255.252
ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>
HTH -
VPN and Cisco AnyConnect, Cisco ISA570 - setup
Hello all,
I have a Cisco ISA570 firewall, which so far runs flawlessly. The only thing I cannot get working is the VPN connection; I have already run the VPN wizard X times. But neither with the normal Windows VPN connection nor with the Cisco AnyConnect tool do I get a connection. I think I am making a mistake in the wizard. What information do I still need to provide so that you can follow me better?
Many thanks in advance!
Hello Chris Nielsen,
does the ISA have a public IP? What is the error message on the ISA?
Regards,
Friedrich Scharz -
ACS 4.2, NX-OS and Cisco AV-Pair
Hi
Although I configured the AAA settings on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.
I attached the main configuration for this feature.
Does anybody have an idea where the problem could be?
Apparently the output of debug aaa all is not very useful - in this case NX-OS is not like IOS.
ACS 4.2 Configuration:
User Config:
shell exec (enabled)
shell:roles*"network-admin" (actually i tried also the shell:roles="network-admin")
After login, the output of the command "show user-account" says:
user:ude3964
roles:network-operator
account created through REMOTE authentication
AAA Configuration:
rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+
tacacs-server timeout 3
tacacs-server host 172.28.193.35 key 7 "xx"
aaa group server tacacs+ tacacs
server 172.28.193.35
source-interface Vlan501
In the ACS Passed Authentications report everything looks fine.
Any hints?
Cheers
Patrick
On ACS, set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files and see if any hints appear there.
Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back. -
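The separator in Patrick's AV pair is worth a second look: in a TACACS+ authorization reply, "=" between attribute and value marks a mandatory argument and "*" marks an optional one (RFC 8907, section 6.1). A client that does not understand a mandatory argument must fail the authorization, while it may silently ignore an optional one, so an attribute sent with "*" can disappear without any error. The following added example (mine, not from the thread) implements that rule as a client would; the supported-attribute set, the sample replies and the default role are constructed for the example and are not a statement about what NX-OS or ACS actually do.

```python
"""Apply TACACS+ authorization reply arguments the way a client must
(RFC 8907 section 6.1): '=' is mandatory, '*' is optional.
Added example for this thread; sample data is constructed."""


def parse_av_pair(pair):
    """Return (attribute, value, mandatory) for one argument string.
    The first '=' or '*' separates attribute from value."""
    idx = next((i for i, ch in enumerate(pair) if ch in "=*"), -1)
    if idx <= 0:
        raise ValueError("malformed AV pair %r" % pair)
    return pair[:idx], pair[idx + 1:], pair[idx] == "="


def apply_authorization(reply_args, supported):
    """Return {attribute: value} of accepted arguments, or None when the
    authorization must be treated as failed.  An unsupported mandatory
    argument fails it; an unsupported optional argument is dropped."""
    accepted = {}
    for arg in reply_args:
        attr, value, mandatory = parse_av_pair(arg)
        if attr not in supported:
            if mandatory:
                return None      # RFC 8907: client MUST fail the authorization
            continue             # optional and unknown: silently ignored
        accepted[attr] = value
    return accepted


def roles_from(accepted, attr="shell:roles"):
    """Extract the role list; the value may be quoted and space-separated."""
    value = accepted.get(attr, "").strip().strip('"')
    return value.split() if value else []


def effective_roles(accepted, default="network-operator"):
    """Roles the session ends up with: those from the reply, or the
    (assumed) default role when the reply carried none."""
    roles = roles_from(accepted)
    return roles or [default]


# Assumed for the example: attributes this client understands.
SUPPORTED = {"shell:roles", "priv-lvl"}
# Constructed sample replies from the TACACS+ server.
REPLY_OPTIONAL = ['shell:roles*"network-admin"', "priv-lvl*15"]
REPLY_MANDATORY = ['shell:roles="network-admin vdc-admin"', "priv-lvl=15"]
REPLY_UNKNOWN_MANDATORY = ["foo:bar=1", 'shell:roles="network-admin"']
REPLY_UNKNOWN_OPTIONAL = ["foo:bar*1"]

if __name__ == "__main__":
    for reply in (REPLY_OPTIONAL, REPLY_MANDATORY, REPLY_UNKNOWN_MANDATORY, REPLY_UNKNOWN_OPTIONAL):
        result = apply_authorization(reply, SUPPORTED)
        print(reply, "->", "FAIL" if result is None else effective_roles(result))
```

When the device lands in its default role despite a passed authorization, compare the argument string ACS actually sent (a capture between switch and ACS shows it in the clear only if the shared key is known; otherwise read it from the ACS log) against what the device accepts; a "*" where the device expects "=" is the cheapest thing to rule out first.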
EoMPLS support on Cisco ISR G2 2921?
Hi, I saw in Feature Navigator that EoMPLS is a supported feature for the 2921...
- Can somebody please confirm that EoMPLS is supported on the Cisco 2921?
- Is pseudowire redundancy possible?
Thanks
Manuel
Hi Manuel,
yes, it is supported (if I am not wrong, since release 12.4T) and L2VPN PW redundancy is also supported.
Riccardo -
Cisco Unity Problems Activating Licenses
We are running an ISM-SRE-300-K9 module on a Cisco 2921 router, which we inherited and did not originally configure at this site. We have purchased L-FL-CUE-MBX-5= licenses but we are having tons of trouble getting them activated. I am not too familiar with Cisco equipment, so thanks for any help that can be provided.
We contacted Cisco support and they wanted a Product Authorization Key (PAK) in order to provide us with a license file. The company that we purchased the licenses from does not seem to know what the PAK is, and they have been unsuccessful in getting this information from Cisco.
According to my research, it sounds like we might not even need to install a license file, as I was reading that sometimes you can just telnet into the router and accept the end user agreement to modify the number of active licenses. However, attempting to enter these commands did not work; I am thinking it might have something to do with the version we are running.
Also to note: if I log into our Unity Express admin page, it shows that we have 10 inactive VMIVR-VM-MBX licenses along with 50 active, in-use VMIVR-VM-MBX licenses. However, when I run a show license command through telnet, it does not even show these inactive licenses in the system. The other odd thing is that I have the Cisco Configuration Professional tool and it shows the same thing; however, it also shows that we have 35 VMIVR-VM-MBX licenses that are not deployed but active and not in use on the router itself. They come up under the CISCO2921 device rather than the ISM-SRE-300-K9 device.
Can anybody assist in figuring out how to either (a) activate the 10 inactive licenses already installed on the module... (b) move the 35 active but not in use licenses from the 2921 to the Unity module... (c) add the 5 licenses we just purchased but were not provided with a license file or PAK... or all of the above? Thank you so much!
Thank you for your help. So am I correct in saying that VMIVR-VM-MBX mailboxes always require a PAK in order to activate them? The company I purchased the mailboxes from does not seem to have the PAK numbers, nor do they even know what they are...
-
Cisco WLC 5508 Guest Authentication issue
Hi..
I have one interface set up to a Cisco 2921 router connected to a cable modem.
DHCP is on the 2921.
When I connect to the SSID for my guests I'm redirected to the authentication portal 1.1.1.1.
I'm putting in valid credentials and when pressing the submit button... it just goes nowhere.
I have set up another SSID with a PSK and it's working fine... getting an IP and able to browse the Internet.
From what I have read... it's apparently a DNS issue on my router... but what should I check?
My client has an IP like that:
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 40-2C-F4-ED-AD-FB
IPv4 Address. . . . . . . . . . . : 192.168.6.36
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.6.1
DNS Servers . . . . . . . . . . . : 24.200.241.37
24.200.243.189
The DNS servers are the ones from my service provider -
IP SLA Monitor / Tracking 2921
I am looking for IOS code for a Cisco 2921/K9 that will allow me to do IP SLA tracking. The current code "c2900-universalk9-mz.SPA.151-4.M.bin" will only allow me to set up IP SLA responder or IP SLA server but NOT IP SLA monitor or IP SLA RTR.
I have used the Cisco feature set research tool and chose what it recommended, but to no avail.
Am I missing something? Will the server or responder perform tracking?
Thanks in advance to anyone who can assist..
~g
Dear All,
I have the same problem with a C2921. I want to configure IP SLA on my C2921 but it seems not to be supported. See below for your reference.
####### No monitor option
ip sla ?
key-chain Use MD5 Authentication for IP SLAs Control Messages
responder Enable IP SLAs Responder
server IPPM server configuration
Show version
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
License Info:
License UDI:
Device# PID SN
*0 CISCO2921/K9 FGL153913PM
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None
Please kindly advise what IOS I can use for configuring IP SLA. Is there any problem with my licence for that?
Best Regards,
Binh
-
2921 ISR G2 ROMMON Upgrade fails
Hi,
I need to upgrade the rom monitor of a 2921 ISR G2 from currently installed 15.0(1r)M15 to the latest one 15.0(1r)M16.
The upgrade command is running without any problems:
# upgrade rom-monitor file tftp://10.10.10.1/C1900_2900_RM2.srec.SPA.150-1r.M16
Loading C1900_2900_RM2.srec.SPA.150-1r.M16 from 10.10.10.1 (via GigabitEthernet0/0): !!!!!!!!!!!!
[OK - 2819002 bytes]
Platform Field Upgradeable ROMMON LOAD test
ROM: Digitally Signed Production Software
This command will result in a 'power-on reset' of the router!
Continue? [yes/no]: y
ROMMON image upgrade in progress.
Erasing boot flash eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Programming boot flash pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
Now Reloading
But after the reload the router comes up with the old ROM version:
System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2011 by cisco Systems, Inc.
Total memory size = 1536 MB - On-board = 512 MB, DIMM0 = 1024 MB
Upgrade ROMMON programming not complete.
Falling to ReadOnly ROMMON
CISCO2921/K9 platform with 1572864 Kbytes of main memory
Main memory is configured to 72/72(On-board/DIMM0) bit mode with ECC enabled
Any ideas how to solve this?
Many thanks!
Hi Leo,
I re-downloaded the ROMmon Image, and I also tried it with older versions (M9, M6) and on a second Cisco 2921 ISR G2 router (which has the M15 version installed): Same result.
Any more ideas?
Thanks!
-
Cisco ISR G2 SIP Calls Capacity
Dear all,
We're planning for Cisco Voice Gateway configuration with SIP trunk, till now no E1s are used.
I would like to know how we can calculate the number of simultaneous calls that a Cisco ISR G2 router (1921, 2921, 3945, etc.) can support.
How many simultaneous SIP calls can each ISR G2 model support?
Is it better to use SIP or must we get into E1 PRI?
Regards,
The Q and A below has the call capacity you are looking for.
Table 1. Number of IP-to-IP Calls per Platform
Platform                                                        Maximum Number of Simultaneous Calls (Flow-Through)
Cisco 3945E                                                     2500
Cisco 3925E                                                     2100
Cisco 3945                                                      950
Cisco 3925                                                      800
Cisco 2951                                                      500
Cisco 2921                                                      400
Cisco 2911                                                      200
Cisco 2901                                                      100
Cisco ASR 1004; and Cisco ASR 1006 Router Processor 2 (RP2)     5000; 16000*
Cisco ASR 1002, ASR 1004, and ASR 1006 RP1                      1750
Cisco AS5350XM and AS5400XM                                     600
Cisco 3845                                                      500
Cisco 3825                                                      400
Cisco 2851                                                      225
Cisco 2821                                                      200
Cisco 2811                                                      110
Cisco 2801                                                      55
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps5640/prod_qas09186a00801da69b.html
Please rate all useful posts
"opportunity is a haughty goddess who wastes no time with those who are unprepared"
-
Enable a CFTV server on a Cisco router to publish the access on the public network
Hi,
I have a CFTV server on the network, but I need to configure the router to publish this content on the internet.
How can I do that? I have a Cisco 2921 with the SEC IOS.
The reason why you can't remote desktop is because you have configured the following static PAT statement, which unfortunately takes precedence over your NAT exemption:
ip nat inside source static tcp 10.10.1.2 3389 192.198.46.14 3389 extendable
Do you require RDP with the public IP? If you don't and only require RDP via VPN, then please take the static PAT statement out, and RDP via VPN will work.