NAT between IPIVR (or UCCX) and CUCM?
Hi,
I would like to know if NAT between IPIVR (or UCCX) and CUCM is allowed? (with ASA only or also router and switch).
I didn't find anything about it in UCCX SRND.
thanks
[IPIVR v8, CUCM v7.1(5).]
Hello,
1) Yes, please use sip trunk as the interface between cme and cucm.
2) Please note: officially cme sip trunk video is only supported for cme1—sip trunk---cme2 type set up, but for basic call you could try to setup cucm to use early media on the sip trunk. cme by default would use early media and it should work.
3) For configuration guide on CME Video, you can refer http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevideo.html#wp1027101
4) For interfacing CME with CUCM, please remember to configure below command on CME:
voice service voip
sip
asymmetric payload full
Hope this helps,
Vishal
Similar Messages
-
Hi All - We are planning to go for CUCM direct upgrade from 7.1.3 - 9.1.2
Also for UCCX from 7.0.1 SR5 ---> 8.5.1 --> 8.5.1 SU3 --> 9.0.2
During upgrade of UCCX 8.5.1 on UCS Machine it will ask to enter CUCM AXL user Credentials which is in 9.1.2, So we need to know is that correct way by doing so since UCCX is 8.5.1 and CUCM 9.1.2
Also i checked few PDF'S where i can get below info.
These Unified CM versions are supported - 8.0(1), 8.0(2) and all SUs, 8.5(1) and all SUs, and Unified CM 8.6.2.22033 and later.
Does it mean CUCM 9.1.2 is compatible with UCCX 8.5.1 and 8.5.1 SU3.
SIVANESAN R
Refer to this document for all CCX compatibility details including which version you can upgrade from:
http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_compatibility/matrix/crscomtx.pdf
CUCM 9.1.2 is compatible with CCX 8.5SU4 for example.
Also, you can upgrade to CCX 9.0.2 directly from 7.0.2ES3.
HtH,
Chris -
Hi,
I integrated UCCX 8.5 and CUCM 8.5 in a lab setup using VMware.
Created CTI ports and then some applications including AA application. But when calling from my soft phone to the Trigger, its getting disconnected after 5 seconds. I am not able to hear the prompt also.
Checked and started all the services and resynced all the applications and finally installed CUCM and UCCX again but still the same issue is happening.
Please give some valuable inputs.
Regards..
Hi
You should probably try a debug of the script. Run Script Editor and make sure you log in. Then do Debug/Reactive Script, and enter SSCRIPT[aa.aef] in the top box, and 60 in the bottom box.
Then dial the AA.
One of several things should happen:
1) Nothing at all - in this case the system can't run the AA script, and you'll have to look at the logs to find out why.
2) The script will appear, and you can step through it by pressing F10 and see what the script does in real time. As you step through the steps, if you go past a Play Prompt and still get silence, then it might reach a point where it decides you aren't responding and hangs up on you
3) You might get an error in the script
Report back what happens...
Also:
1) What language configuration do you have on the system?
2) If you press the ? key on a 79xx twice quickly during the 5 second call, do you see rx packets increasing?
Aaron -
CUEAC 9.1.1.10 and CUCM 7.1(5) 64 bit TSP Plugin
Hello,
I have a customer with CUCM 7.1(5) who has purchased CUEAC 9.1.1.10 and wants to run it on Windows Server 2008 R2 (64 bit).
According to the data sheet this should be supported but when I go through the CUEAC server installation process it tries to download the 64 bit TSP plugin from the CUCM server.
This is a problem as CUCM 7.1(5) does not have the 64 bit TSP plugin - it only has the 32 bit version.
The exact message I get is
Error occured while downloading Cisco TSP.
Path: https://10.80.20.12/plugins/CiscoTSPx64.exe
I have obtained the 64 bit TSP from a later CUCM and done a manual installation hoping that the installer would see the TSP is already installed and skip the step but it does not do so.
Can anyone suggest how to resolve this?
I know I could use a 32 bit version of Windows Server or upgrade CUCM but these options are not available.
Thanks
Update
I built a CUCM 9.x server as a virtual machine and integrated CUEAC with that. The 64 bit TSP downloaded and installed ok and I was hoping that I could then reconfigure the TSP CTI manager addresses and the CUEAC CUCM server to point to the version 7.1 CUCM server.
Unfortunately this did not work as I got a message complaining about version incompatibilities between the CUEAC server and CUCM.
I do not think there is any workaround for running CUCM 7.1 with CUEAC on a 64 bit Windows Server.
Luckily for me the customer found an old Windows 2003 32 bit server that they used to run Cisco ACS on. CUEAC installed without a hitch on this server and is running fine.
If anyone manages to get this working I would be interested to know how.
Lesson here is do not believe Cisco data sheets -
### How to make integration between UCCX and Active Directory##
Hello,
I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
Waiting Yours Reply,,,,
Thanks a lot......
What version?
Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure. -
Exchange 2013 SP1 and CUCM 9.1.2 - Exch not recognizing called extension
I think I'm almost there in getting Exchange 2013 SP1 UM working with CUCM 9.1.2...I've got two issues at the moment that I need a little help with.
1) When I dial my VM pilot (6040) from a UM enabled extension it prompts to enter an extension. When I dial the same extension and let it ring to VM, Exchange picks up and says "the person you are trying to reach does not have a valid voice mail box
on our system".
2) This just started happening this afternoon, when I dial my VM pilot (6040) exch3 picks up as thats what I have my route pattern pointing to. If I enter the extension of a mailbox on exch2, I get stuck in a endless loop.
I've followed this post as a guide but it hasn't resolved my issue.
https://supportforums.cisco.com/discussion/11914031/exchange-2013-um-and-cucm-86
My Exchange environment looks like this:
Site 1:
exch1 - CAS/Mailbox, used for mainly utility type work, journal, dedicated SMTP flows etc
exch2 - CAS/Mailbox, part DAG13
exch3 - CAS/Mailbox, part of DAG13
Site 2:
exch2dr - CAS/Mailbox, part of DAG13
exch3dr - CAS/Mailbox, part of DAG13
DAG13 is stretched between two sites, there are no users at our DR site so CUCM is pointing to Site 1 for UM. Each site has an internet facing CAS-only server for OWA/EAS etc.
Any help is greatly appreciated. I'd love to get rid of Unity.
EDIT:
I just found this event in the event logs:
The Microsoft Exchange Unified Messaging service on the Mailbox server received a diverted call with ID "d51600-3a3140c5-9b8-c1414ac@EXCH3-IPADDR" for extension "4099" on UM dial plan "CUCM" from UM IP gateway "CUCM IP",
but no UM-enabled mailbox for the corresponding extension could be found. Please check the extension and make sure that the corresponding mailbox is enabled for UM and associated with the correct UM dial plan.
9.1.2 I think it is, we upgraded to avoid the known DNS bug
I can't see how to PM you either
The crux of it was outlined below with some tweaks
http://blogs.technet.com/b/canitpro/archive/2014/04/30/step-by-step-integration-between-exchange-2013-um-and-cisco-unified-communication-manager.aspx
As we have multiple combined role servers, our trunks are set up as follows:
1. 1 x CAS Trunk - contains all CAS Servers on port 5060
2. 4 x MBX Trunks - contains Mailbox Server with ports 5062-5068
On top of that, we had to Allow "Redirecting Diversion Header Delivery - Inbound (and Outbound)" on the CAS Trunk but DISABLE it on the Mailbox Trunks
Also, make sure that you are using Telephone Extension Dial plans in Exchange 2013 (Despite them being unable to be associated with a 13 Server - EX13 answers for all calls anyway)
Lastly, the MS documentation is a little strange - it says that as your last step of UM migration, you should point your Call Manager to 2013 - I don't agree with that statement, EX13 routes calls back to 2010 UM Servers perfectly fine, so treat it the same
as any other CAS based service - point to 2013, and it will handle the rest -
Can not forward into voicemail from outside call on CUE and CUCM 8.6
Dear Team,
I have CUE Utility and CUCM 8.6.
I can call from local, if user busy or go out office then call will forward to voice mail. It is ok.
But when I call from outside to my phone (direct line), then call can not forward to voice mail on CUE.
Please help me some solution.
Thanks.
Hi nam,
A couple of things to check. Have you set the Forward Busy/No Answer "External"
on the DN config page in CUCM?
Are the calls coming in using a codec other than g.711?
Best Practices for Deploying Cisco Unity Express
• Each mailbox can be associated with a primary extension number and a primary E.164 number.
Typically, this number is the direct-inward-dial (DID) number that PSTN callers use. If the primary
E.164 number is configured to any other number, use Cisco IOS translation patterns to match either
the primary extension number or primary E.164 number so that the correct mailbox can be reached
during SRST mode.
• Each Cisco Unity Express site must be associated with a CTI route point for voicemail and one for
AA (if licensed and purchased), and you must configure the same number of CTI route points as
Cisco Unity Express ports licensed. Ensure that the number of sites with Cisco Unity Express does
not exceed the CTI scalability guidelines presented in the chapter on Call Processing, page 8-1.
• Cisco Unity Express is associated with a JTAPI user on Cisco Unified CallManager. Although a
single JTAPI user can be associated with multiple Cisco Unity Expresses in a system, Cisco
recommends associating each dedicated JTAPI user in Cisco Unified CallManager with a single
Cisco Unity Express.
• Calls into Cisco Unity Express use G.711 only. Cisco recommends using a local transcoder to
convert the G.729 calls traversing the WAN into G.711 calls. You can configure Cisco Unified
CallManager regions with the G.711 voice codec for intra-region calls and the G.729 voice codec
for inter-region calls.
• If transcoding facilities are not available at the Cisco Unity Express site, provision enough
bandwidth for the required number of G.711 voicemail calls over the WAN. Configure the Cisco
Unified CallManager regions with the G.711 voice codec for calls between the IP phones and Cisco
Unity Express devices (CTI ports and CTI route points).
• The CTI ports and CTI route points can be defined in specific locations. Cisco recommends using
location-based call admission control between Cisco Unified CallManager and Cisco Unity Express.
RSVP may also be used.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42unityx.pdf
Cheers!
Rob
"Far away from your trouble and worry
You belong somewhere you feel free" - Tom Petty -
Good day,
I would ask if it is possible to do NAT between two Interfaces on the same device?
The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
This is my current NAT statement:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
This is my PacketTracer output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 mgmt
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
Additional Information:
Static translate 172.20.200.1/0 to 192.168.3.222/0
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244039047, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: mgmt
output-status: up
output-line-status: up
Action: allow
So NAT seems to be working correctly. I can reach other devices behind the mgmt network, this is no problem. But I can't access the ASA on the mgmt interface 192.168.3.2.
Could it be a problem with the traffic flow? Because in the PacketTracer output I see on Phase 1 a Route-Lookup and later on Phase 4 the NAT statement.
Is there a way to get this working?
Many thanks for your feedback.
Brgds,
Markus
Hi,
To my understanding it's not possible to connect to an ASA interface through an interface other than the interface where the IP address is located.
In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface
I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
- Jouni -
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue, but I am not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
John
I don't see any inspection-commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easily with the legacy command "fixup protocol icmp"
Sent from Cisco Technical Support iPad App -
Hi,
I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure
The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I can't figure out what needs to change in order to get it to work. My config is as follows:
interface Ethernet0/1.777
description TRU 777
vlan 777
nameif tru777
security-level 50
ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18
access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
access-list acl_tru777 extended permit ip any any
access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240
ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
global (outside) 2 x.x.x.x
crypto isakmp nat-traversal 20
I think that is everything you should need, if not please just ask.
Thank you very much in advance,
Chris
Hi Julio,
Here you go:
FWL01# sh nameif
Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 CLIENTS 50
Ethernet0/1.314 tru01 50
Ethernet0/1.313 dmz01 50
Ethernet0/1.316 tru02 50
Ethernet0/1.776 dmz776 50
Ethernet0/1.777 tru777 50
Management0/0 management 100
FWL01# sh run nat
nat (tru02) 1 192.168.3.0 255.255.255.240
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
FWL01# sh run glob
global (outside) 1 interface
global (outside) 2 x.x.x.x
Thanks,
Chris -
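Both asymmetric-NAT threads above quote ASA message 305013, once for ICMP (no ports, with a type/code suffix) and once for TCP (with ports). As an added example, not code from any poster, this Python script parses both forms and counts denials per interface and subnet pair so the NAT rules for each pair can be reviewed in both directions. The function names and the /24 grouping are assumptions; the first two sample lines are quoted from the posts, the last two are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Body of ASA message 305013, with or without the "%ASA-5-305013:" prefix.
# ICMP flows have no /port and end with "(type N, code N)" instead.
DENY_RE = re.compile(
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[0-9.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? "
    r"denied due to NAT reverse path failure"
)

SAMPLE_LINES = [
    # Quoted from the ASA 5505 (8.3) thread.
    "5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for "
    "forward and reverse flows; Connection for icmp src outside:192.168.6.11 "
    "dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure",
    # Quoted from the ASA 5510 (8.2) thread.
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 "
    "denied due to NAT reverse path failure",
    # Constructed: a second client from the same VPN pool.
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:10.159.159.7/50112 dst tru777:10.1.34.19/3389 "
    "denied due to NAT reverse path failure",
    # Constructed: an unrelated message that must be ignored.
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:10.159.159.3/49205 "
    "(10.159.159.3/49205) to tru777:10.1.34.19/3389 (10.1.34.19/3389)",
]


def parse_denials(lines):
    """Return one dict per 305013 line; lines that do not match are skipped."""
    denials = []
    for line in lines:
        match = DENY_RE.search(line)
        if match is None:
            continue
        fields = match.groupdict()
        # Ports and ICMP type/code are optional; convert the ones present.
        for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
            if fields[key] is not None:
                fields[key] = int(fields[key])
        denials.append(fields)
    return denials


def summarize(denials, prefix_len=24):
    """Count denials per (src_if, src_net, dst_if, dst_net).

    prefix_len is an assumed grouping width, not something the ASA reports.
    """
    counts = Counter()
    for d in denials:
        src_net = ip_network(f"{d['src_ip']}/{prefix_len}", strict=False)
        dst_net = ip_network(f"{d['dst_ip']}/{prefix_len}", strict=False)
        counts[(d["src_if"], str(src_net), d["dst_if"], str(dst_net))] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LINES)).most_common():
        src_if, src_net, dst_if, dst_net = key
        print(f"{count:3d}  {src_if}:{src_net} -> {dst_if}:{dst_net}")
```
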
Hi,
I have a setup with VSM, VEM & VC.
The setup is L3 configuration between the VSM and VEM and I am trying to configure NAT between them (I have Cisco routers in the middle).
From what I saw, I do not think it can work in a NAT configuration between the VSM and the VEM, as the VSM always updates the VC of VMware with its real IP address (it informs it via the application layer rather than in L3 headers, actually in L3 there is a UDP encapsulation), then the VC updates the VEM about the VSM real IP address and where to open the tunnel.
The VEM will always try to bring up the tunnel towards the real IP address of the VSM and not towards the NAT IP address.
Am I correct or do I need to configure something else?
Thanks, -
MeetingPlace 6.0 and CUCM
We have Meetingplace 6.0.639.0 and CUCM with 6.1.5. I need to upgrade CUCM to 7.1.5. A sales rep told me that meetingplace will not work with 7.1.5.
Can I run this version of Meetingplace with 7.1.5?
Thanks
Hello Carlo
Meeting Place 6.0MR5 is integrated with the CUCM cluster via an H323 or a SIP trunk.
You should have a server in your MP deployment which is the IPGW MeetingPlace server.
All the call signalling between the CUCM and the MP Platform is done through that server.
So in CUCM 7.1.5 you can still configure an H323 trunk or a SIP Trunk to your IPGW server and it will work.
So in theory it is perfectly ok to use CUCM 7.1.5 with MP 6.0MR5.
Check the docwiki information about the configuration of the IP Gateway:
http://docwiki.cisco.com/wiki/Cisco_Unified_MeetingPlace,_Release_6.x_--_Cisco_Unified_MeetingPlace_H.323/SIP_IP_Gateway,_Release_5.3
Thanks
Fernando -
Hi to all, I'm trying to configure nat between vrf. I have a network with multiple vrf and a common vrf where there are some service shared among them.
I've ip overlapping issue, so I'm trying to use nat aware vrf.
The shared service is on a vrf also.
I use route-target import and export to import route between vrf. I've seen nat is working between VRF and global routing, but not between different VRF that already are able to communicate.
This is my configuration :
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
mpls label protocol ldp
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat enable
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
As you can see, I export routes from vrf upa and upa-tv as RT 401:401 and import them into the proxy vrf, and in the same way I export routes from the proxy vrf as RT 501:501 and import them into upa and upa-tv.
Network 10.4.1.0/24 exists in both vrf upa and upa-tv. So I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from a VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT commands:
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip address 172.31.50.1 255.255.255.0
ip nat outside
ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
tried also with
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
but it didn't work...
Any suggestions?
Any help will be appreciated.
Max
Hi Mohammed, now all works well.
I understand my error: basically, when I tried to ping, I pinged a router on my
own VRF, because I imported the network, so the packet didn't come across
the interfaces and NAT was not in place. Now I tried static host and network
natting and dynamic natting and all works well.
Here is a complete working configuration:
ip vrf proxy
rd 500:500
route-target export 500:500
route-target export 501:501
route-target import 500:500
route-target import 401:401
ip vrf upa
rd 300:300
route-target export 300:300
route-target export 401:401
route-target import 300:300
route-target import 501:501
ip vrf upa-tv
rd 1000:1000
route-target export 1000:1000
route-target export 401:401
route-target import 1000:1000
route-target import 501:501
mpls label protocol ldp
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
description interfacccia outside per ip pubblico ipsec
encapsulation dot1Q 500
ip address 195.195.195.195 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 300
ip vrf forwarding upa
ip address 172.31.47.254 255.255.255.0
ip nat inside
interface GigabitEthernet0/0.20
encapsulation dot1Q 310
ip vrf forwarding proxy
ip nat outside
ip address 172.31.50.1 255.255.255.0
interface GigabitEthernet0/0.10
encapsulation dot1Q 320
ip vrf forwarding upa-tv
ip address 10.4.1.254 255.255.255.0
interface GigabitEthernet0/1
description connessa a 6500
ip address 80.x.x.1 255.255.255.0
duplex auto
speed auto
mpls ip
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 80.80.80.2 remote-as 65000
no auto-summary
address-family vpnv4
neighbor 80.80.80.2 activate
neighbor 80.80.80.2 send-community both
exit-address-family
address-family ipv4 vrf upa-tv
no synchronization
exit-address-family
address-family ipv4 vrf upa
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf proxy
redistribute connected
no synchronization
exit-address-family
ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
Many thanks for the help, now all works well and I understand the way to
configure it. -
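A static audit of the NAT roles discussed in this thread, as an added example that is not part of the original posts: it checks that each `ip nat inside source static ... vrf X` rule has an `ip nat inside` interface in VRF X and an `ip nat outside` interface in another VRF (the arrangement in the working configuration above), and it flags interface names that are defined more than once. The function names and the two trimmed sample configurations are constructed for illustration.

```python
import re

# Constructed input: trimmed from the first (non-working) attempt in the thread.
FIRST_ATTEMPT = """\
interface GigabitEthernet0/0.10
 ip vrf forwarding upa
 ip nat enable
interface GigabitEthernet0/0.20
 ip vrf forwarding proxy
interface GigabitEthernet0/0.10
 ip vrf forwarding upa-tv
ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
"""
# Constructed input: the same stanzas with the NAT roles of the working config.
WORKING = FIRST_ATTEMPT.replace("ip nat enable", "ip nat inside").replace(
    "forwarding proxy", "forwarding proxy\n ip nat outside")

def parse(config):
    """Return (interface stanzas, static NAT rules) from IOS-style text."""
    stanzas, rules = [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            stanzas.append({"name": m.group(1), "vrf": None, "nat": None})
        elif m := re.match(r"ip nat inside source static (\S+) (\S+) vrf (\S+)", line):
            rules.append(m.groups())
        elif stanzas and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            stanzas[-1]["vrf"] = m.group(1)
        elif stanzas and (m := re.match(r"ip nat (inside|outside|enable)$", line)):
            stanzas[-1]["nat"] = m.group(1)
    return stanzas, rules

def audit(config):
    """List findings for each VRF static NAT rule and for repeated stanzas."""
    stanzas, rules = parse(config)
    findings = []
    names = [s["name"] for s in stanzas]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{name}: defined {names.count(name)} times")
    for local, mapped, vrf in rules:
        if not any(s["vrf"] == vrf and s["nat"] == "inside" for s in stanzas):
            findings.append(f"{local}->{mapped}: no 'ip nat inside' interface in vrf {vrf}")
        if not any(s["vrf"] != vrf and s["nat"] == "outside" for s in stanzas):
            findings.append(f"{local}->{mapped}: no 'ip nat outside' interface outside vrf {vrf}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label, audit(cfg))
```

A clean audit only confirms the interface roles; as the follow-up post notes, a test ping must also actually cross the inside and outside interfaces for the translation to be applied.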
Question about NAT Inside Source, Inside Destination, and Outside Source
I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't get a clear understanding of how to associate the commands with "ip nat inside" and "ip nat outside" configured for interfaces.
Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
Since NAT is a bidirectional action, what's the difference between "ip nat inside source ..." and "ip nat inside destination ..."?
I've never used "ip nat outside source ...". In what cases would it be needed?
On an interface where there are NAT translation and also other actions such as policy map or IPsec crypto map, would NAT happen before or after other actions?
Thanks for help with any questions.
Gary
Hi Gary,
The following documents may help you to understand some of the terminology:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
Also, the following document has a clear explanation of the order of operations when using NAT:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Hope that helps - pls rate the post if it does.
Paresh -
SIP trunking between Microsoft OCS server and Cisco Voice GW router.
Hello All,
I have a client with an existing Microsoft OCS (Office Communications Server) environment with the OCS server in their head office. The OCS clients in the remote office register with the OCS server in the head office. The WAN connectivity between the remote office and the head office is MPLS. I would like to facilitate local call (PSTN) features at the remote site through a newly proposed voice gateway router.
Can I achieve this by doing a SIP trunk between the OCS server in the head office and the newly proposed voice GW router in the remote office through the existing MPLS link? If yes, could anyone please assist me in this regard or suggest any other best solution to achieve the same?
Thank you in advance,
Mohammed Ameen R
Hi David,
This is normal behaviour. To CUCM, OCS is a remote destination (just like your mobile phone). When your mobile phone hangs up, the system will put the call on hold for 10 sec.
This is there for the mobile user to go to his desk to pick up the call and continue the conversation (part of the single number reach feature).
The best practise will be for the user to ensure that the other party hangs up the call first before he hangs up.
Please grade if you think it's useful =)