NAT between IPIVR (or UCCX) and CUCM?

Similar Messages

• UCCX and CUCM Upgrade

  Hi All - We are planning to go for CUCM direct upgrade from 7.1.3 - 9.1.2
  Also for UCCX from 7.0.1 SR5 ---> 8.5.1 --> 8.5.1 SU3 --> 9.0.2
  During upgarde of UCCX 8.5.1 on UCS Machine it will ask to eneter CUCM AXL user Credentails which is in 9.1.2, So we need to know is that correct way by doing so since UCCX is 8.5.1 and CUCM 9.1.2
  Also i checked few PDF'S where i can get below info.
  These Unified CM versions are supported - 8.0(1), 8.0(2) and all SUs, 8.5(1) and all SUs, and Unified CM 8.6.2.22033 and later.
  Does it mean CUCM 9.1.2 is compatible with UCCX 8.5.1 and 8.5.1 SU3.
  SIVANESAN R       

  Refer to this document for all CCX compatibility details including which version you can upgrade from:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_compatibility/matrix/crscomtx.pdf
  CUCM 9.1.2 is compatible with CCX 8.5SU4 for example.
  Also, you can upgrade to CCX 9.0.2 directly from 7.0.2ES3.
  HtH,
  Chris

• UCCX and CUCM issue

  Hi,
  I integrated UCCX 8.5 and CUCM 8.5 in a lab setup using VMware.
  Created CTI ports and then some applications including AA application. But when calling from my soft phone to the Trigger, its getting disconnected after 5 seconds. I am not able to hear the prompt also.
  Checked and started all the services and resynced all the applications and finally installed CUCM and UCCX again but still the same issue is happening.
  Please give some valuable inputs.
  Regards..

  Hi
  You should probably try a debug of the script. Run Script Editor and make sure you log in. The do Debug/Reactive Script, and enter SSCRIPT[aa.aef] in the top box, and 60 in the bottom box.
  Then dial the AA.
  One of several things should happen:
  1) Nothing at all - in this case the system can't run the AA script, and you'll have to look at the logs to find out why.
  2) The script will appear, and you can step through it by pressing F10 and see what the script does in real time. As you step through the steps, if you go past a Play Prompt and still get silence, then it might reach a point where it decides you aren't responding and hangs up on you
  3) You might get an error in the script
  Report back what happens...
  Also:
  1) What language configuration do you have on the system?
  2) If you press the ? key on a 79xx twice quicky during the 5 second call, do you see rx packets increasing?
  Aaron

• CUEAC 9.1.1.10 and CUCM 7.1(5) 64 bit TSP Plugin

  Hello,
  I have a customer with CUCM 7.1(5) who has purchased CUEAC 9.1.1.10 and wants to run it on Windows Server 2008 R2 (64 bit).
  According to the data sheet this should be supported but when I go through the CUEAC server installation process it tries to download the 64 bit TSP plugin from the CUCM server.
  This is a problem as CUCM 7.1(5) does not have the 64 bit TSP plugin - it only has the 32 bit version.
  The exact message I get is
  Error occured while downloading Cisco TSP.
  Path: https://10.80.20.12/plugins/CiscoTSPx64.exe
  I have obtained the 64 bit TSP from a later CUCM and done a manual installation hoping that the installer would see the TSP is already installed and skip the step but it does not do so.
  Can anyone suggest how to resolve this?
  I know I could use a 32 bit version of Windows Server or upgrade CUCM but these options are not available.
  Thanks

  Update
  I built a CUCM 9.x server as a virtual machine and integrated CUEAC with that. The 64 bit TSP downloaded and installed ok and I was hoping that I could then reconfigure the TSP CTI manager addresses and the CUEAC CUCM server to point to the version 7.1 CUCM server.
  Unfortunately this did not work as I got a message complaining about version incompatibilities between the CUEAC server and CUCM.
  I do not think there is any workaround for running CUCM 7.1 with CUEAC on a 64 bit Windows Server.
  Luckily for me the customer found an old Windows 2003 32 bit server that they used to run Cisco ACS on. CUEAC installed without a hitch on this server and is running fine.
  If anyone manages to get this working I would be interested to know how.
  Lesson here is do not believe Cisco data sheets

• ### How to make integration between UCCX and Active Directory##

  Hello,
  I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
  Waiting Yours Reply,,,,
  Thanks a lot......

  What version?
  Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
  CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure.

• Exchange 2013 SP1 and CUCM 9.1.2 - Exch not recognizing called extension

  I think I'm almost there in getting Exchange 2013 SP1 UM working with CUCM 9.1.2...I've got two issues at the moment that I need a little help with.
  1) When I dial my VM pilot (6040) from a UM enabled extension it prompts to enter an extension. When I dial the same extension and let it ring to VM, Exchange picks up and says "the person you are trying to reach does not have a valid voice mail box
  on our system".
  2) This just started happening this afternoon, when I dial my VM pilot (6040) exch3 picks up as thats what I have my route pattern pointing to. If I enter the extension of a mailbox on exch2, I get stuck in a endless loop.
  I've followed this post as a guide but it hasn't resolved my issue.
  https://supportforums.cisco.com/discussion/11914031/exchange-2013-um-and-cucm-86
  My Exchange environment looks like this:
  Site 1:
  exch1 - CAS/Mailbox, used for mainly utility type work, journal, dedicated SMTP flows etc
  exch2 - CAS/Mailbox, part DAG13
  exch3 - CAS/Mailbox, part of DAG13
  Site 2:
  exch2dr - CAS/Mailbox, part of DAG13
  exch3dr - CAS/Mailbox, part of DAG13
  DAG13 is stretched between two sites, there are no users at our DR site so CUCM is pointing to Site 1 for UM. Each site has an internet facing CAS-only server for OWA/EAS etc.
  Any help is greatly appreciated. I'd love to get rid of Unity. 
  EDIT:
  I just found this event in the event logs:
  The Microsoft Exchange Unified Messaging service on the Mailbox server received a diverted call with ID "d51600-3a3140c5-9b8-c1414ac@EXCH3-IPADDR" for extension "4099" on UM dial plan "CUCM" from UM IP gateway "CUCM IP",
  but no UM-enabled mailbox for the corresponding extension could be found. Please check the extension and make sure that the corresponding mailbox is enabled for UM and associated with the correct UM dial plan.

  9.1.2 I think it is, we upgraded to avoid the known DNS bug
  I cant see how to PM you either
  The crux of it was outlined below with some tweaks
  http://blogs.technet.com/b/canitpro/archive/2014/04/30/step-by-step-integration-between-exchange-2013-um-and-cisco-unified-communication-manager.aspx
  As we have multiple combined role servers, our trunks are set up as follows:
  1. 1 x CAS Trunk - contains all CAS Servers on port 5060
  2. 4 x MBX Trunks - contains Maibox Server with ports 5062-5068
  On top of that, we had to Allow "Redirecting Diversion Header Delivery - Inbound (and Outbound)" on the CAS Trunk but DISABLE it on the Mailbox Trunks
  Also, make sure that you are using Telephone Extension Dial plans in Exchange 2013 (Despite them being unable to be associated with a 13 Server - EX13 answers for all calls anyway)
  Lastly, the MS documentation is a little strange - it says that as your last step of UM migration, you should point your Call Manager to 2013 - I don't agree with that statement, EX13 routes calls back to 2010 UM Servers perfectly fine, so treat it the same
  as any other CAS based service - point to 2013, and it will handle the rest

• Can not foward into voicemail from outside call on CUE and CUCM 8.6

  Dear Team,
  I have CUE Utility and CUCM 8.6.
  I can call from local, if user busy or go out office then call will foward to voice mail.It is ok.
  But when i call from outside to my phone(direct line), then call can not foward to voice mail on CUE.
  Please help me some solution.
  Thanks.

  Hi nam,
  A couple of things to check. Have you set the Forward Busy/No Answer "External"
  on the DN config page in CUCM?
  Are the calls coming in using a codec other than g.711?
  Best Practices for Deploying Cisco Unity Express
  • Each mailbox can be associated with a primary extension number and a primary E.164 number.
  Typically, this number is the direct-inward-dial (DID) number that PSTN callers use. If the primary
  E.164 number is configured to any other number, use Cisco IOS translation patterns to match either
  the primary extension number or primary E.164 number so that the correct mailbox can be reached
  during SRST mode.
  • Each Cisco Unity Express site must be associated with a CTI route point for voicemail and one for
  AA (if licensed and purchased), and you must configure the same number of CTI route points as
  Cisco Unity Express ports licensed. Ensure that the number of sites with Cisco Unity Express does
  not exceed the CTI scalability guidelines presented in the chapter on Call Processing, page 8-1.
  • Cisco Unity Express is associated with a JTAPI user on Cisco Unified CallManager. Although a
  single JTAPI user can be associated with multiple Cisco Unity Expresses in a system, Cisco
  recommends associating each dedicated JTAPI user in Cisco Unified CallManager with a single
  Cisco Unity Express.
  • Calls into Cisco Unity Express use G.711 only. Cisco recommends using a local transcoder to
  convert the G.729 calls traversing the WAN into G.711 calls. You can configure Cisco Unified
  CallManager regions with the G.711 voice codec for intra-region calls and the G.729 voice codec
  for inter-region calls.
  • If transcoding facilities are not available at the Cisco Unity Express site, provision enough
  bandwidth for the required number of G.711 voicemail calls over the WAN. Configure the Cisco
  Unified CallManager regions with the G.711 voice codec for calls between the IP phones and Cisco
  Unity Express devices (CTI ports and CTI route points).
  • The CTI ports and CTI route points can be defined in specific locations. Cisco recommends using
  location-based call admission control between Cisco Unified CallManager and Cisco Unity Express.
  RSVP may also be used.
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42unityx.pdf
  Cheers!
  Rob
  "Far away from your trouble and worry
  You belong somewhere you feel free" - Tom Petty

• NAT between two interfaces

  Good day,
  I would ask if it is possible to do NAT between two Interfaces on the same device?
  The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
  This is my current NAT statement:
  nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
  This is my PacketTracer output:
  Phase: 1Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.3.0     255.255.255.0  mgmt
  Phase: 2Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group inside in interface insideaccess-list inside extended permit ip 172.20.200.0 255.255.255.0 anyAdditional Information:Phase: 3Type: IP-OPTIONSSubtype:Result: ALLOWConfig:Additional Information:Phase: 4Type: NATSubtype:Result: ALLOWConfig:nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectionalAdditional Information:Static translate 172.20.200.1/0 to 192.168.3.222/0Phase: 5Type: USER-STATISTICSSubtype: user-statisticsResult: ALLOWConfig:Additional Information:Phase: 6Type: FLOW-CREATIONSubtype:Result: ALLOWConfig:Additional Information:New flow created with id 244039047, packet dispatched to next moduleResult:input-interface: insideinput-status: upinput-line-status: upoutput-interface: mgmtoutput-status: upoutput-line-status: upAction: allow
  So NAT seems to be working correct. I can reach other devices behind the mgmt network this is no problem. But I cant access the ASA on the mgmt interface 192.168.3.2.
  Clould it be a problem with the traffic flow? Because in the PacketTracer output I see on Phase1 a Route-Lookup and later on Phase4 the NAT statement.
  Is there a way to get this working?
  Many thanks for your feedback.
  Brgds,
  Markus

  Hi,
  To my understanding its not possible to connect to an ASA interface through interface other than the interface where the IP address is located.
  In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface
  I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
  - Jouni

• Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

  Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505.   The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet).   I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
  The Error:
  5          Nov 12 2012          13:52:50                    192.168.9.19                                        Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
  I understand this is a NAT issue; but I not seeing the error and could use a second set of eyes.   Here's my current running configuration.
  : Saved
  ASA Version 8.3(2)
  hostname fw1
  domain-name xxxxxxxx.xxx
  enable password <removed>
  passwd <removed>
  names
  interface Vlan1
  description Town Internal Network
  nameif inside
  security-level 100
  ip address 192.168.9.1 255.255.255.0
  interface Vlan2
  description Public Internet
  nameif outside
  security-level 0
  ip address 173.xxx.xxx.xxx 255.255.255.248
  interface Vlan3
  description DMZ (CaTV)
  nameif dmz
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  interface Vlan10
  description Infrastructure Network
  nameif InfraNet
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan13
  description Guest Wireless
  nameif Wireless-Guest
  security-level 25
  ip address 192.168.1.1 255.255.255.0
  interface Vlan23
  nameif StateNet
  security-level 75
  ip address 10.63.198.2 255.255.255.0
  interface Vlan33
  description Police Subnet
  shutdown
  nameif PDNet
  security-level 90
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport trunk allowed vlan 1,5,10,13
  switchport trunk native vlan 1
  switchport mode trunk
  speed 100
  duplex full
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  switchport trunk allowed vlan 1,10,13
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/5
  switchport access vlan 23
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  switchport trunk allowed vlan 1
  switchport trunk native vlan 1
  switchport mode trunk
  shutdown
  banner exec                     Access Restricted to Personnel Only
  banner login                     Access Restricted to Personnel Only
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name xxxxxxx.xxx
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object service IMAPoverSSL
  service tcp destination eq 993
  description IMAP over SSL     
  object service POPoverSSL
  service tcp destination eq 995
  description POP3 over SSL     
  object service SMTPwTLS
  service tcp destination eq 465
  description SMTP with TLS     
  object network obj-192.168.9.20
  host 192.168.9.20
  object network obj-claggett-https
  host 192.168.9.20
  object network obj-claggett-imap4
  host 192.168.9.20
  object network obj-claggett-pop3
  host 192.168.9.20
  object network obj-claggett-smtp
  host 192.168.9.20
  object network obj-claggett-imapoverssl
  host 192.168.9.20
  object network obj-claggett-popoverssl
  host 192.168.9.20
  object network obj-claggett-smtpwTLS
  host 192.168.9.20
  object network obj-192.168.9.120
  host 192.168.9.120
  object network obj-192.168.9.119
  host 192.168.9.119
  object network obj-192.168.9.121
  host 192.168.9.121
  object network obj-wirelessnet
  subnet 192.168.1.0 255.255.255.0
  object network WirelessClients
  subnet 192.168.1.0 255.255.255.0
  object network obj-dmznetwork
  subnet 192.168.2.0 255.255.255.0
  object network FD_Firewall
  host 74.94.142.229
  object network FD_Net
  subnet 192.168.6.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network obj-TownHallNet
  subnet 192.168.9.0 255.255.255.0
  object network obj_InfraNet
  subnet 192.168.10.0 255.255.255.0
  object-group service EmailServices
  description Normal Email/Exchange Services
  service-object object IMAPoverSSL
  service-object object POPoverSSL
  service-object object SMTPwTLS
  service-object tcp destination eq https
  service-object tcp destination eq imap4
  service-object tcp destination eq pop3
  service-object tcp destination eq smtp
  object-group service DM_INLINE_SERVICE_1
  service-object object IMAPoverSSL
  service-object object POPoverSSL
  service-object object SMTPwTLS
  service-object tcp destination eq pop3
  service-object tcp destination eq https
  service-object tcp destination eq smtp
  object-group service DM_INLINE_SERVICE_2
  service-object object IMAPoverSSL
  service-object object POPoverSSL
  service-object object SMTPwTLS
  service-object tcp destination eq https
  service-object tcp destination eq pop3
  service-object tcp destination eq smtp
  object-group network obj_clerkpc
  description Clerk's PCs
  network-object object obj-192.168.9.119
  network-object object obj-192.168.9.120
  network-object object obj-192.168.9.121
  object-group network TownHall_Nets
  network-object 192.168.10.0 255.255.255.0
  network-object object obj-TownHallNet
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.9.0 255.255.255.0
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
  access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
  access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
  pager lines 24
  logging enable
  logging asdm debugging
  logging mail errors
  logging from-address hostmaster@xxxxxxxxx
  logging recipient-address john@xxxxxxxxx level errors
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  mtu Wireless-Guest 1500
  mtu StateNet 1500
  mtu InfraNet 1500
  mtu PDNet 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-635.bin
  no asdm history enable
  arp timeout 14400
  nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
  nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
  object network obj_any
  nat (inside,outside) static interface
  object network obj-claggett-https
  nat (inside,outside) static interface service tcp https https
  object network obj-claggett-imap4
  nat (inside,outside) static interface service tcp imap4 imap4
  object network obj-claggett-pop3
  nat (inside,outside) static interface service tcp pop3 pop3
  object network obj-claggett-smtp
  nat (inside,outside) static interface service tcp smtp smtp
  object network obj-claggett-imapoverssl
  nat (inside,outside) static interface service tcp 993 993
  object network obj-claggett-popoverssl
  nat (inside,outside) static interface service tcp 995 995
  object network obj-claggett-smtpwTLS
  nat (inside,outside) static interface service tcp 465 465
  object network obj-192.168.9.120
  nat (inside,StateNet) static 10.63.198.12
  object network obj-192.168.9.119
  nat (any,StateNet) static 10.63.198.10
  object network obj-192.168.9.121
  nat (any,StateNet) static 10.63.198.11
  object network obj-wirelessnet
  nat (Wireless-Guest,outside) static interface
  object network obj-dmznetwork
  nat (any,outside) static interface
  object network obj_InfraNet
  nat (InfraNet,outside) static interface
  access-group outside_access_in in interface outside
  access-group StateNet_access_in in interface StateNet
  route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
  route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable 5443
  http 192.168.9.0 255.255.255.0 inside
  http 74.xxx.xxx.xxx 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 173.xxx.xxx.xxx
  crypto map outside_map 2 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.9.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.9.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd dns 208.67.222.222 208.67.220.220
  dhcpd lease 10800
  dhcpd auto_config outside
  dhcpd address 192.168.2.100-192.168.2.254 dmz
  dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
  dhcpd enable dmz
  dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
  dhcpd enable Wireless-Guest
  threat-detection basic-threat
  threat-detection statistics host number-of-rate 2
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 63.240.161.99 source outside prefer
  ntp server 207.171.30.106 source outside prefer
  ntp server 70.86.250.6 source outside prefer
  webvpn
  group-policy FDIPSECTunnel internal
  group-policy FDIPSECTunnel attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec l2tp-ipsec
  username support password <removed> privilege 15
  tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
  tunnel-group 173.xxx.xxx.xxx general-attributes
  default-group-policy FDIPSECTunnel
  tunnel-group 173.xxx.xxx.xxx ipsec-attributes
  pre-shared-key *****
  smtp-server 192.168.9.20
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
  : end
  Any ideas would be appreciated.
  John

  I don't see any inspection-commands in your config. Is there a reason for not using any of them?
  If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easiely with the legacy command " fixup protocol icmp"
  Sent from Cisco Technical Support iPad App

• %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

  Hi,
  I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:
  %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure
  The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I cant figure out what needs to change in order to get it to work. My config is as follows:
  interface Ethernet0/1.777
  description TRU 777
  vlan 777
  nameif tru777
  security-level 50
  ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18
  access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
  access-list acl_tru777 extended permit ip any any
  access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
  access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
  access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
  access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
  access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240
  ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0
  nat (tru777) 4 access-list acl_no-nat
  nat (tru777) 2 10.1.34.16 255.255.255.240
  global (outside) 2 x.x.x.x
  crypto isakmp nat-traversal 20
  I think that is everything you should need, if not please just ask.
  Thank you very much in advance,
  Chris

  Hi Julio,
  Here you go:
  FWL01# sh nameif
  Interface                Name                     Security
  Ethernet0/0              outside                    0
  Ethernet0/1              CLIENTS                 50
  Ethernet0/1.314        tru01                      50
  Ethernet0/1.313        dmz01                    50
  Ethernet0/1.316        tru02                      50
  Ethernet0/1.776        dmz776                  50
  Ethernet0/1.777        tru777                     50
  Management0/0       management           100
  FWL01#  sh run nat
  nat (tru02) 1 192.168.3.0 255.255.255.240
  nat (tru777) 4 access-list acl_no-nat
  nat (tru777) 2 10.1.34.16 255.255.255.240
  FWL01#    sh run glob
  global (outside) 1 interface
  global (outside) 2 x.x.x.x
  Thanks,
  Chris

• NAT between VEM & VSM

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"טבלה רגילה";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:Arial;
  mso-bidi-theme-font:minor-bidi;}
  Hi,
  I have a setup with VSM, VEM & VC.
  The setup is L3 configuration between the VSM and VEM and i am trying to configure NAT between them (i have cisco routers in the middle).
  From what I saw, I do not think it can work in a NAT configuration between the VSM to VEM as for the VSM always update the VC of VMWARE what its real ip address (it inform it via application layer rather than on L3 headers, actually in L3 there is a udp encapsulation), then the VC update the VEM about the VSM real IP address and where to open the tunnel.
  The VEM will always try to bring up the Tunnel towards the real ip address of the VSM and not towards the Nat  ip address.
  am i correct ot i need to configure somthing else?
  Thanks,

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"טבלה רגילה";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:Arial;
  mso-bidi-theme-font:minor-bidi;}
  Hi,
  I have a setup with VSM, VEM & VC.
  The setup is L3 configuration between the VSM and VEM and i am trying to configure NAT between them (i have cisco routers in the middle).
  From what I saw, I do not think it can work in a NAT configuration between the VSM to VEM as for the VSM always update the VC of VMWARE what its real ip address (it inform it via application layer rather than on L3 headers, actually in L3 there is a udp encapsulation), then the VC update the VEM about the VSM real IP address and where to open the tunnel.
  The VEM will always try to bring up the Tunnel towards the real ip address of the VSM and not towards the Nat  ip address.
  am i correct ot i need to configure somthing else?
  Thanks,

• MeetingPlace 6.0 and CUCM

  We have Meetingplace 6.0.639.0 and CUCM with 6.1.5. I need to upgrade CUCM to 7.1.5. A sales rep told me that meetingplace will not work with 7.1.5.
  can I run this verision of Meetingplace with 7.1.5?
  Thanks

  Hello Carlo
  Meeting Place 6.0MR5 is integrated with the CUCM cluster via an H323 or a SIP trunk.
  You should have a server in your MP deployment which is the IPGW MeetingPlace server.
  All the call signalling between the CUCM and the MP Platform is done through that server.
  So in CUCM 7.1.5 you can still configure an H323 trunk or a SIP Trunk to your IPGW server and it will work.
  So in theory it is perfectly ok to use CUCM 7.1.5 with MP 6.0MR5.
  Check the docwiki information about the configuration of the IP Gateway:
  http://docwiki.cisco.com/wiki/Cisco_Unified_MeetingPlace,_Release_6.x_--_Cisco_Unified_MeetingPlace_H.323/SIP_IP_Gateway,_Release_5.3
  Thanks
  Fernando

• Nat between vrf

  Hi to all, i'm trying to configure nat between vrf.I have a network with multiple vrf and a common vrf where there are some service shared among them.
  I've ip overlapping issue, so i'm trying to use nat aware vrf.
  The shared service is on a vrf also.
  I use route-target import and export to import route between vrf.I've seen nat is working between VRF and global routing, but not between different VRF that already are able to comunicate.
  This is my configuration :
  ip vrf proxy
  rd 500:500
  route-target export 500:500
  route-target export 501:501
  route-target import 500:500
  route-target import 401:401
  ip vrf upa
  rd 300:300
  route-target export 300:300
  route-target export 401:401
  route-target import 300:300
  route-target import 501:501
  ip vrf upa-tv
  rd 1000:1000
  route-target export 1000:1000
  route-target export 401:401
  route-target import 1000:1000
  route-target import 501:501
  mpls label protocol ldp
  interface GigabitEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0.1
  description interfacccia outside per ip pubblico ipsec
  encapsulation dot1Q 500
  ip address 195.195.195.195 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat enable
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip address 172.31.50.1 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 320
  ip vrf forwarding upa-tv
  ip address 10.4.1.254 255.255.255.0
  interface GigabitEthernet0/1
  description connessa a 6500
  ip address 80.x.x.1 255.255.255.0
  duplex auto
  speed auto
  mpls ip
  router bgp 65000
  no synchronization
  bgp log-neighbor-changes
  neighbor 80.80.80.2 remote-as 65000
  no auto-summary
  address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
  exit-address-family
  address-family ipv4 vrf upa-tv
  no synchronization
  exit-address-family
  address-family ipv4 vrf upa
  redistribute connected
  no synchronization
  exit-address-family
  address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
  exit-address-family
  ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
  ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  as you can see i export route from vrf upa and upa-tv as RT 401:401 ,and import it in proxy vrf, and in the same way i export route from proxy vrf as RT 501:501 and import it into upa and upa-tv.
  network 10.4.1.0/24 exist in both vrf upa and upa-tv.So i 'd like to nat one of them with another ip address (i tried to use a static translation to be able to reach the same ip address in both vrf). I make some test, and it seems to work when i make a nat from vrf to global, but not work when nat is between vrf (is this supported ?).I tried with NVI and with classic nat command:
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat inside
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip address 172.31.50.1 255.255.255.0
  ip nat outside
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
  tried also with
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  but it didn't work...
  any suggestion ?
  any help will be appreciated
  Max

  Hi Mohammed, now all works well.
  I understand my error, basically when i tried to ping, i pinged a router on my
  own vrf, because i imported the network, so the packet didn't came across
  interfaces and nat was not in place.Now i tried static host and network
  natting and dymanic natting and all works well.
  here there is a complete working configuration
  ip vrf proxy
  rd 500:500
  route-target export 500:500
  route-target export 501:501
  route-target import 500:500
  route-target import 401:401
  ip vrf upa
  rd 300:300
  route-target export 300:300
  route-target export 401:401
  route-target import 300:300
  route-target import 501:501
  ip vrf upa-tv
  rd 1000:1000
  route-target export 1000:1000
  route-target export 401:401
  route-target import 1000:1000
  route-target import 501:501
  mpls label protocol ldp
  interface GigabitEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0.1
  description interfacccia outside per ip pubblico ipsec
  encapsulation dot1Q 500
  ip address 195.195.195.195 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 300
  ip vrf forwarding upa
  ip address 172.31.47.254 255.255.255.0
  ip nat inside
  interface GigabitEthernet0/0.20
  encapsulation dot1Q 310
  ip vrf forwarding proxy
  ip nat outside
  ip address 172.31.50.1 255.255.255.0
  interface GigabitEthernet0/0.10
  encapsulation dot1Q 320
  ip vrf forwarding upa-tv
  ip address 10.4.1.254 255.255.255.0
  interface GigabitEthernet0/1
  description connessa a 6500
  ip address 80.x.x.1 255.255.255.0
  duplex auto
  speed auto
  mpls ip
  router bgp 65000
  no synchronization
  bgp log-neighbor-changes
  neighbor 80.80.80.2 remote-as 65000
  no auto-summary
  address-family vpnv4
  neighbor 80.80.80.2 activate
  neighbor 80.80.80.2 send-community both
  exit-address-family
  address-family ipv4 vrf upa-tv
  no synchronization
  exit-address-family
  address-family ipv4 vrf upa
  redistribute connected
  no synchronization
  exit-address-family
  address-family ipv4 vrf proxy
  redistribute connected
  no synchronization
  exit-address-family
  ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
  ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
  ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
  Many thanks for the help, now all works well and i understand the way to
  configure it.

• Question about NAT Inside Source, Inside Destination, and Outside Source

  I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't have a clear understanding of how to associate the commands with "ip nat inside" and ip nat outside" configured for interfaces.
  Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
  Since NAT is a bidirectional action, what's the difference between "ip nat inside cource ..." and "ip nat inside destination ..."?
  I've never used "ip nat outside source ...". In what cases would it be needed?
  On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
  Thanks for help with any questions.
  Gary

  Hi Gary,
  The following documents may help you to understand some of the terminology:
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
  Also, the following document has a clear explanation of the order of operations when using NAT:
  http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
  Hope that helps - pls rate the post if it does.
  Paresh

• SIP trunking between Microsoft OCS server and Cisco Voice GW router.

  Hello All,
  I have a client with an existing Microsoft OCS (office communications server) environment with the OCS server in their head office. The OCS clients in the remote Office registers with the OCS server in the head office. The WAN connectivity between the remote office and the Head office is MPLS.I would like to facilitate local call (PSTN) features at the remote site through a newly proposed Voice gateway router.
  Can I achieve this by doing a SIP trunk between the OCS server in the head office to the newly proposed voice GW router in the remote office through the existing MPLS link. If yes, Could any one please assist me in this regards or suggest any other best solution to achieve the same.
  Thank you in advance,
  Mohammed Ameen R

  Hi David,
  this is a normal behaviour. To CUCM, OCS is a remote destination (just like your mobile phone). When your mobile phone hangs up, the system will put the call on hold for 10 sec.
  This is there for the mobile user to go to his desk to pick up the call and continue the conversation (part of single number reach feature)
  The best practise will be for the user to ensure that the other party hangs up the call first before he hang up.
  Please grade if you think it's useful =)