SIP bypass of VPN

Hello,
I've got a VPN connection from a Cisco 877 to an ASA 5520, and on the Cisco 877 I've got a SIP device which doesn't have to go through the VPN. I assume that for the best audio quality I should bypass the VPN and connect directly to the SIP servers, but how do I configure it?
Many thanks,
Dan

We use an external third party service for phones. All traffic except the SIP should go through the VPN from the Cisco 877 to the ASA 5520, but the SIP could go directly from the Cisco 877 to the third party servers.
I'd assume that this way we're not really more exposed just because SIP is not going through the VPN, but I would hope it will improve VoIP communication as it wouldn't have to go through the VPN and our servers/gateway but connect directly to the SIP servers.
Only one ADSL line on the Cisco 877 with an IPv6 VPN to the ASA 5520; the SIP providers use IPv4 addresses.
Thank you for your help
Dan

Similar Messages

  • RV120W SIP over VPN and 1.0.2.6 Firmware

    Upgraded to 1.0.2.6 and all of a sudden SIP devices working over the VPN no longer work. Downgrade to 1.0.1.3 and they work again. Any ideas? My guess is that some ports are blocked over the VPN in 1.0.2.6
    I thought the general idea was that firmware upgrades fixed bugs rather than introducing them.
    Suggestion for Cisco:- Zip the firmware image downloads, or else have an upgrade process that includes a CRC check, that way at least the poor punter will have an indication if they have been corrupted. I had a subtle memory problem that was corrupting some files. The firmware upload appeared to complete properly and you could log on OK but some of the menu choices resulted in a hang with the "Please wait... the page is being loaded" message. Careful checking of file sizes revealed that the file I was uploading into the router was a few hundred bytes different in size to the one on the website, must have been corrupted during the download. But the upload proceeded normally with no indication of any error. It's a pretty basic safeguard that should be in there as a matter of course with the router performing a CRC check and showing an error if it fails.
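    As an added example (not code from Cisco, from the RV120W firmware, or from anyone in this thread), the safeguard Michael asks for can be done on the administrator's side before the upload: compare the downloaded image's size, CRC32 and SHA-256 against the values published for it and refuse to upload on any mismatch. The image bytes, the "published" values and the corrupted variants below are constructed so the script runs offline; with a real download the expected values would come from the vendor's download page.

```python
"""
Pre-upload integrity check for a firmware image.

Added example for this page, not code from Cisco or from the thread. It does
on the administrator's side what the post above asks the router to do: refuse
an image whose size or digest does not match the values published with the
download. The image, the "published" manifest and the corrupted variants are
constructed here so the check runs offline; they mirror the symptom described
above (an image a few hundred bytes off, uploaded with no error).
"""
import hashlib
import zlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ImageManifest:
    """What a vendor download page would publish next to the image."""
    size: int
    sha256: str
    crc32: int


def fingerprint(image: bytes) -> ImageManifest:
    return ImageManifest(len(image),
                         hashlib.sha256(image).hexdigest(),
                         zlib.crc32(image) & 0xFFFFFFFF)


def verify_image(image: bytes, expected: ImageManifest) -> List[str]:
    """Return the failed checks; an empty list means the image may be uploaded.

    Size is checked first because it is free and catches the truncation case
    from the post; CRC32 is what the router could cheaply verify itself;
    SHA-256 is what actually resists a deliberately tampered image.
    """
    problems: List[str] = []
    if len(image) != expected.size:
        problems.append(f"size mismatch: got {len(image)} bytes, expected {expected.size}")
    if zlib.crc32(image) & 0xFFFFFFFF != expected.crc32:
        problems.append("crc32 mismatch")
    if hashlib.sha256(image).hexdigest() != expected.sha256:
        problems.append("sha256 mismatch")
    return problems


# Constructed stand-in for a downloaded image (real ones are megabytes).
GOOD_IMAGE = bytes(range(256)) * 64          # 16384 bytes
PUBLISHED = fingerprint(GOOD_IMAGE)          # constructed "vendor" manifest


def truncated(image: bytes) -> bytes:
    """A download that lost a few hundred bytes, as in the post above."""
    return image[:-300]


def bit_flipped(image: bytes) -> bytes:
    """Same size as the original, one bit flipped: only the digests catch it."""
    return image[:1000] + bytes([image[1000] ^ 0x01]) + image[1001:]


if __name__ == "__main__":
    for label, img in [("good", GOOD_IMAGE),
                       ("truncated", truncated(GOOD_IMAGE)),
                       ("bit-flipped", bit_flipped(GOOD_IMAGE))]:
        print(label, verify_image(img, PUBLISHED) or "OK to upload")
```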

    Hello Michael,
    Maybe you have the SIP Application Layer Gateway enabled. Please try to disable it; the SIP over the VPN then works fine.
    Firewall-->Advanced Settings-->SIP ALG remove the check box.
    Thanks,
    Jaipal Nair - UAE

  • E75 Sip on vpn Tunnel

    On my Nokia E75 the VPN works very well, but if I try to activate the SIP service over the VPN it does not work or, in some cases, the E75 reboots.
    Can help me?
    Thanks in advance.
    Sa

    Rick,
    Done. After applying
    "same-security-traffic permit intra-interface"
    pings (icmp) are working between hosts on the VPN tunnel (172.16.8.0).
    1. Somehow it works for icmp packet but not for the rest of the ip traffic. Could you please suggest, what is an "access list" command that would allow for example, any ip traffic between the hosts on the tunnel.
    2. I also have a few static routes mapped to the management interface on ASA that point to several devices on the corporate LAN; those devices cannot be reached by the hosts on the VPN tunnel, because ASA sends to them packets incoming from the tunnel through the management interface instead of the private one (which is the default route for the tunneled traffic) and the packets are then spoofed on the external FW because expected from the ASA private interface. I hoped that the "..permit intra-interface" would have solved the issue but no... Is there a way to overcome this?
    Many thanks in advance.
    BR, Melita

  • Calls over VPN -- SIP_URL::ParseUrlBase ParseSipUrlParams failed 80004005

    I am finding in my environment that users who are on a VPN remotely have issues making phone calls to anyone else who's internal or even someone outside on their cell phone. 
    The VPN client being used is Citrix Access Gateway. 
    User makes calls over the Lync 2010 Client. 
    I turned on Logging and gathered details from the Tracing directory with Snooper and came across these. Any idea of what is going on?
    The person they're trying to call is showing up there as a name instead of a number in the log. Is that normal? 
    Component: UCCP
    Level: ERROR
    Flag: N/A
    Function: N/A
    Source: N/A
    Local Time: 01/23/2015-09:42:24.249
    Sequence# : 00000373
    CorrelationId : N/A
    ThreadId : 1138
    ProcessId : 1134
    CpuId : 0
    Original Log Entry :
    01/23/2015|09:42:24.249 1134:1138 ERROR :: SIP_URL::ParseUrlParams invalid char Q found when trying to parse params
    Component: UCCP
    Level: ERROR
    Flag: N/A
    Function: N/A
    Source: N/A
    Local Time: 01/23/2015-09:42:24.249
    Sequence# : 00000374
    CorrelationId : N/A
    ThreadId : 1138
    ProcessId : 1134
    CpuId : 0
    Original Log Entry :
    01/23/2015|09:42:24.249 1134:1138 ERROR :: SIP_URL::ParseUrlBase ParseSipUrlParams failed 80004005
    Component: UCCP
    Level: ERROR
    Flag: N/A
    Function: N/A
    Source: N/A
    Local Time: 01/23/2015-09:42:24.249
    Sequence# : 00000375
    CorrelationId : N/A
    ThreadId : 1138
    ProcessId : 1134
    CpuId : 0
    Original Log Entry :
    01/23/2015|09:42:24.249 1134:1138 ERROR :: SIP_URL::InternalInitialize ParseSipUrl(sip:John Quincy) failed 80ee0012
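    As an added example (not code from Lync, Citrix or anyone in this thread), the three log entries above can be explained mechanically: the last one shows the client trying to parse `sip:John Quincy`, and a space is not a legal character anywhere in a SIP URI, so the call fails in the client before any VPN or Edge traffic is involved. The checker below follows the character classes of RFC 3261 section 25.1 and reports the first offending character and its offset; the regex for the Snooper log line is an assumption about the format shown above, and the sample line is the one quoted from this post.

```python
"""
RFC 3261 SIP URI checker that reports the first offending character.

Added example written for this page; it is not code from the thread, from
Lync or from Cisco. The Lync client log above ends with
ParseSipUrl(sip:John Quincy) failed 80ee0012: the callee reached the SIP
stack as a display name rather than a URI, and a space is not legal in any
part of a SIP URI. The character classes follow RFC 3261 section 25.1; the
log-line regex is an assumption about the Snooper output shown above.
"""
import re
import string
from dataclasses import dataclass, field
from typing import Dict, Optional

UNRESERVED = string.ascii_letters + string.digits + "-_.!~*'()"
USER_UNRESERVED = "&=+$,;?/"      # user-unreserved (RFC 3261)
PARAM_UNRESERVED = "[]/:&+$"      # param-unreserved (RFC 3261)
HOST_CHARS = string.ascii_letters + string.digits + ".-:[]"
ESCAPED = re.compile(r"%[0-9A-Fa-f]{2}")
# Assumed shape of the Snooper line quoted in the thread above.
LOG_URI = re.compile(r"ParseSipUrl\((?P<uri>[^)]*)\) failed (?P<code>[0-9A-Fa-f]{8})")


class SipUriError(ValueError):
    """Carries the offset of the first illegal character, for log triage."""

    def __init__(self, message: str, offset: int) -> None:
        super().__init__(f"{message} at offset {offset}")
        self.offset = offset


@dataclass
class SipUri:
    scheme: str
    user: Optional[str]
    host: str
    port: Optional[int]
    params: Dict[str, Optional[str]] = field(default_factory=dict)


def _scan(segment: str, allowed: str, base: int, what: str) -> None:
    """Raise on the first char of segment that is neither allowed nor %XX-escaped."""
    i = 0
    while i < len(segment):
        if segment[i] in allowed:
            i += 1
        elif segment[i] == "%" and ESCAPED.match(segment, i):
            i += 3
        else:
            raise SipUriError(f"invalid char {segment[i]!r} in {what}", base + i)


def parse_sip_uri(text: str) -> SipUri:
    m = re.match(r"(sips?):", text, re.IGNORECASE)
    if not m:
        raise SipUriError("missing sip:/sips: scheme", 0)
    scheme, pos = m.group(1).lower(), m.end()
    rest = text[pos:]

    # userinfo runs up to the last '@'; '@' is not legal in hostport or params.
    user = None
    if "@" in rest:
        userinfo, rest = rest.rsplit("@", 1)
        user = userinfo.split(":", 1)[0]        # ignore a (deprecated) password
        if not user:
            raise SipUriError("empty user part", pos)
        _scan(user, UNRESERVED + USER_UNRESERVED, pos, "user part")
        pos += len(userinfo) + 1

    # hostport ends at the first ';' (uri-parameters) or '?' (headers).
    cut = min([len(rest)] + [rest.index(s) for s in ";?" if s in rest])
    hostport, tail = rest[:cut], rest[cut:]
    _scan(hostport, HOST_CHARS, pos, "hostport")
    hp = re.match(r"^(.*?)(?::(\d{1,5}))?$", hostport)
    host, port = hp.group(1), (int(hp.group(2)) if hp.group(2) else None)
    if not host:
        raise SipUriError("empty host", pos)
    pos += len(hostport)

    params: Dict[str, Optional[str]] = {}
    if tail.startswith(";"):
        pos += 1
        for raw in tail[1:].split("?", 1)[0].split(";"):
            name, eq, value = raw.partition("=")
            _scan(name, UNRESERVED + PARAM_UNRESERVED, pos, "uri-parameter name")
            _scan(value, UNRESERVED + PARAM_UNRESERVED, pos + len(name) + 1, "uri-parameter value")
            params[name] = value if eq else None
            pos += len(raw) + 1
    return SipUri(scheme, user, host, port, params)


def explain(uri: str) -> str:
    """'ok', or the reason the URI is rejected with the offset of the bad char."""
    try:
        parse_sip_uri(uri)
        return "ok"
    except SipUriError as err:
        return str(err)


def triage_log_line(line: str) -> Optional[dict]:
    """Pull the URI and HRESULT out of a ParseSipUrl failure line and explain it."""
    m = LOG_URI.search(line)
    if not m:
        return None
    return {"uri": m["uri"], "code": m["code"], "reason": explain(m["uri"])}


# Log line quoted from the thread above.
SAMPLE_LOG_LINE = ("01/23/2015|09:42:24.249 1134:1138 ERROR :: SIP_URL::InternalInitialize "
                   "ParseSipUrl(sip:John Quincy) failed 80ee0012")

if __name__ == "__main__":
    print(triage_log_line(SAMPLE_LOG_LINE))
```

    Running the triage over a Snooper export separates "the client was handed a name instead of a number" failures, which no VPN change will fix, from the media-path problems that the split-tunnel advice in the replies addresses.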

    Hi,
    For the VPN, when users connect to the corporate network using a VPN client, Lync media traffic is sent through the VPN tunnel. This configuration can create additional latency and jitter because media traffic must pass through an additional layer of encryption and decryption.
    The recommended way is to use a split tunnel for VPN. Then the Lync client connects to the Access Edge Server for all signaling connections when on the corporate VPN. In addition, media sessions aren't allowed to establish connectivity through the VPN tunnel.
    Media sessions will be routed through the A/V Edge Server public interface.
    More details:
    http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Best practice DNS in VPN environment for Lync2013 clients

    So I do have those site-to-site VPNs to connect the small branch offices to the main office. Internal DNS makes sure that the branch offices can access all the servers/services in the main office with their domain.local namespace.
    In such a scenario will the Lync2013 clients connect through the VPN to the internal sites due to both lyncdiscover and lyncdiscoverinternal being available?
    Wouldn't it cause way less burden on the VPN routers if clients would simply go out to the internet and connect from the external side, so all the Lync traffic does not have to be stuffed through the VPN pipe? I don't see the point of encrypting the traffic once more.
    Thanks for your suggestions about best practices!
    HST

    Hi,
    When users connect to the corporate network using a VPN client, Lync media traffic is sent through the VPN tunnel. This configuration can create additional latency and jitter because media traffic must pass through an additional layer of encryption and decryption. The issue is compounded when the VPN concentrator is busy.
    If you want to connect Lync server from public network you need to deploy an Edge server.
    The solution to force VPN traffic through the Edge Servers must allow external Lync clients connected through VPN; you can refer to the "Solution Configuration" part of the link below:
    http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Safe to expose samba fileserver publicly, or access through VPN?

    I have a Mavericks server running file sharing and VPN services through OS X Server 3.2.2. My users connect to the VPN from the internet, then access the fileserver from within the private network. Recently, some changes to the network broke the VPN for Windows clients. But, if I open ports TCP 139 (SMB) and TCP 548 (AFP), Windows users can still access the fileserver (bypassing the VPN).
    Is it safe to bypass the VPN and expose the fileserver directly? I've been able to find some information on security issues in samba, but it all seems pretty dated.

    This isn't even a discussion, locally.  VPN.  Any other way just invites the riffraff to poke at the open ports, and even if there's no exposed passwords and no weak passwords, you're still going to get piles of log chatter as they poke and prod, and you're still potentially open to the discovery of a vulnerability in the protocol.
    L2TP/IPSec is reasonably secure, with either two-factor or some decently-gonzo settings.  Traffic is also encrypted.
    AFP data traffic was not encrypted, when last I checked.  The contents of the served files can be exposed to anyone with a privileged network position.
    Local preference and local recommendations:  No open ports.  None.  Not unless there's an absolute need for specific ports to be open, such as a public-facing web server.  Everything (else) is VPN, usually into the firewall (with an integrated VPN server) or into a dedicated VPN server.  If you need public-facing ports open, put the host in a DMZ, and don't let any unintended traffic off that host either back to the Internet, or into your internal network.

  • ACE to bypass IPSec traffic

    Hi All,
    we are getting ready to do a POC with ACE, Hurray !!!!!!!!!
    One problem though. The customer (who is a service provider) is going to loadbalance traffic to a web proxy, but wants to bypass IPSec VPN traffic from getting loadbalanced to proxies.
    I think we can do this if the clients are using IPSec tunnel mode, but it seems there would be a problem in identifying the traffic if the clients are using IPSec transport mode or transparent tunneling. Any idea how I can prevent all of the VPN traffic from going to the proxies?
    Thanks

    If you only loadbalance traffic with destination port 80 or port 8080 then there is no problem.
    I don't think ipsec would use those ports.
    Gilles.

  • 14 of the most popular VPNs on the market, they found out that at least 11 of them leaked user information

    Hello, recently I read an article which warns of the failures of some of the biggest VPN operators! To be more precise, of a group of fourteen, eleven showed leaks. This leak consisted of various behaviors, such as interacting with the website. The first reason for this trail is the protocol used by operators, called Internet Protocol Version 6 (IPv6)! I would like to be clarified by F-Secure, for the safety of Freedome, on this behavior! Gareth Tyson, the co-author of this study from Queen Mary University of London, said that "There are a variety of reasons why someone might want to hide their identity online and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them".

    Hello,
    I've just posted a longer reply to another message on the same subject.
    In short, Freedome provides IPv6 to clients to prevent IPv6 traffic from bypassing the VPN.

  • Lync Desktop sharing is not working via Remote Access Server / VPN

    Sometimes, a few users using RAS (Remote Access Server) / VPN are not able to share their desktop.
    It is irrespective of whether the other user (at the other end) is using VPN or the office wired network.
    Note - we have enabled VPN split tunnelling for our environment and the issue is happening after that only.
    Also, it is happening with few users not all.
    Laptop is: HP EliteBook 2570p
    any resolution ?

    Hi,
    Did these users also meet the issue inside the corporation?
    1.  Please double check that the split tunnel VPN setting is configured correctly with the help of the link below:
    http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
    2.  As the issue only happens for a few users who are using VPN, please try to delete the Lync user profile and then test again.
    3. Please also try another computer with the affected Lync account using VPN to test the issue.
    4. Please also try to test the issue on the Internet instead of over VPN.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 client switches connection after a VPN connection

    I have read that if you are working remote, it's better to go through the Edge server instead of establishing a VPN connection first before starting Lync. The reason is that VPN is encrypted and so is Lync traffic, so the double encryption will tend to slow things down. When I work remote, I fire up Lync first and make a connection to the Edge server. After that, I establish a VPN tunnel to work to access network drives etc....
    In about 5-10 minutes, my Lync client disconnects and then immediately reconnects, but this time it's connecting directly to an internal FE over the VPN, which is what I don't want. Any idea on how to keep this from happening? It's not causing major problems at this time because we are just doing IM right now. Once conferencing starts, it could be an issue.

    Hi Shadowtuck,
    Have a read through this guide on how to stop this from happening:
    http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
    Basically, the overview of this is to:
    Split tunnel the traffic, so the Lync traffic continues to flow via the Internet 
    Block the Lync traffic from going over the VPN
    Configure DNS pinpoint entries so that when VPN'd in the Lync client resolves the external Edge IP addresses.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)

  • Split tunnel works... but only for one IP

    Hi All,
    Dealing with a really frustrating problem. Our setup, roughly, is as follows:
    - We have a remote access VPN that users connect to with AnyConnect; in turn, they are assigned a local LAN address: 10.1.11.192-10.1.11.200
    - We have a site-to-site VPN that connects to Amazon AWS to access 10.0.249.0 and other subnets, and now certain hosts on the Amazon *public* network (e.g, 54.1.2.3). This is done via a split tunnel.
    What we're seeing is this:
    - Users connect to the VPN and are assigned one of the addresses above. Let's use 10.1.11.192 for this example.
    - They can then access anything in the 10.0.249.0 subnet (via the split tunnel) just fine. This goes across both ASA devices.
    - They can then access anything in the public Amazon network (via the split tunnel) just fine. This should only use the remote access ASA.
    So, it seemed like everything was working. When connected to the VPN, Amazon hosts in both 10.x.x.x networks and public IPs that I had specifically tunneled (we plan to transition these to a VPC soon) were accessible, and access happened via the remote access VPN IP (i.e, when connecting to 54.1.2.3, it showed the user being logged in from the Cisco's gateway's IP address, as opposed to the local client IP).
    Now, here's where things got weird: *public* tunneled hosts at Amazon only work with the first address in the pool, 10.1.11.192. No other addresses work. 10.0.249.x is always available, regardless of assigned IP. 54.x.y.z is only available with .192.
    I've used the same computer with different assigned IPs (10.1.11.193-10.1.11.200), and none work. I've connected using different computers.. they work if assigned .192, but not any other addresses. Other users report the same issue.
    TCP handshaking is failing
    I'll use our IRC server (and sometimes ssh server) for testing. I can see my client laptop with a SYN_SENT on that specific connection. I can see the IRC server with a SYN_RECV, and the ASA shows a SYN timeout after 30 seconds. Thus, it looks as though packets from the IRC server can't make their way back through the ASA to my client laptop.
    I suspect this has something to do with dynamic vs. static NAT, etc., but I've fiddled with every setting I can, and coming up blank.
    I'm also baffled as to why .192 works, but no other addresses do.
    I've attached our configuration, minus keys and passwords and certain IPs/hostnames. It's a little bit ugly because it has some poor attempts at fixing this, things I'll probably remove after it works, but.. Could it have anything to do with TCP sequence randomization?
    Thank you in advance for any help.

    Hi Jouni! Thank you so much for your quick reply. Mine was delayed because I've continued to fight the ASA this afternoon! Apologies for my verbosity, always found it better to include too much info than too little!
    To clarify, ideally, a VPN client that connects to this ASA (10.1.11.5) should have three possible destinations:
    - The internet at large - this should not go through the ASA, but should go through the client's own gateway, bypassing this VPN entirely. This works.
    - My servers in an Amazon VPC (10.0.249.x and some others) - this should come in to this ASA (10.1.11.5), which in turn is already successfully routed to another ASA (10.1.11.4 in the config). This works, too.
    - My servers at Amazon AWS that are on the public internet (example below: 107.22.xxx.yyy). This should only involve the one ASA in question (10.1.11.5). This is where I'm running into issues.
    The split tunnel, thus, includes the networks 10.0.249.x and specific public AWS hosts like 107.22.xxx.yyy, etc. I want 10.0.249.x to go to Amazon via the other ASA 10.1.11.4 (again, this works) and I want 107.22.xxx.yyy, etc. to go to Amazon via *this* ASA (10.1.11.5). Basically, it's this last part that's causing problems: it works only in one very, very narrow situation: when the client is assigned the address 10.1.11.192. If a user logs in and is assigned any other address, they won't be able to access the "public" AWS servers.
    I began by taking your advice and moving the IP assignment to an entirely different subnet: 10.1.12.100-10.1.12.200. I then spent a decent chunk of the afternoon adjusting NAT rules (and removing ACLs, per your suggestion). The only brief success I had was when I had about a bajillion NAT rules, and somehow I made it on to the IRC server! Oddly, my connection used the ASA's address itself, rather than the ASA gateway's address. Unfortunately, I stopped being able to reach 10.0.249.x at the time :/ I tried to adjust further, but cannot restore/recall what the NAT rules were.
    I'm miffed because 10.1.11.192 works, and *nothing* else does. There is nothing special about this address in the config - I've tried everything I can to figure out why this one address is different. I've also looked in places that *shouldn't* matter because this bypasses the VPC entirely (AWS security groups, AWS iptables rules, VPC options, etc.)
    Again, the behavior of 10.1.11.193-200 is a partial TCP handshake: the local computer sees SYN_SENT, and the remote server has SYN_RECV, but no connection is ultimately established. This is why I think it could be a NAT issue, but I'm obviously a bit lost here. Here's a sample connection attempt, with DNS traffic removed:
    2013-10-17 18:29:09.100 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302013: Built inbound TCP connection 43606 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)
    2013-10-17 18:29:39.129 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302014: Teardown TCP connection 43606 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)
    2013-10-17 18:29:45.293 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302013: Built inbound TCP connection 43612 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)102 (justinsTestMac) (pid:25912)
    2013-10-17 18:30:15.322 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302014: Teardown TCP connection 43612 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)
    2013-10-17 18:30:17.976 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302013: Built inbound TCP connection 43617 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)
    2013-10-17 18:30:48.400 [DEBUG] Message from Host: 10.1.11.5 - Message - %ASA-6-302014: Teardown TCP connection 43617 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)
    Thanks for any insight you have!
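    As an added example (not code from Cisco or from anyone in this thread), the syslog lines above can be correlated rather than read by hand: each %ASA-6-302013 "Built" message means the ASA accepted the outbound SYN (so the split-tunnel ACL and a NAT rule matched), and a matching %ASA-6-302014 teardown with "bytes 0 SYN Timeout" means it never saw the SYN-ACK come back. Grouping teardown reasons per (client, server, port) puts the failing .193 flows next to a completing flow, which is what separates a return-path/NAT problem from an access-policy one. The regexes assume the message layout of the lines quoted above; the lines for 10.1.11.192 are constructed to show what a completing flow looks like, and the masked 107.22.xxx.yyy address is kept as it appears in the post.

```python
"""
Correlate ASA 302013/302014 TCP connection logs to find flows whose SYNs
are never answered.

Added example for this page, not code from Cisco or from the thread. The
symptom described above (client SYN_SENT, server SYN_RECV, ASA 'SYN Timeout'
after 30 s with 0 bytes) means the ASA built the connection but never saw
the SYN-ACK return through it. The regexes assume the layout of the syslog
lines quoted in the post; the 10.1.11.192 lines are constructed to show a
flow that completes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ADDR = r"(?P<{n}_if>[\w\-]+):(?P<{n}>[\w.:\-]+)/(?P<{n}_port>\d+)"
BUILT = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    + ADDR.format(n="src") + r".*? to " + ADDR.format(n="dst"))
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    + ADDR.format(n="src") + r".*? to " + ADDR.format(n="dst")
    + r" duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>[^(]+?)(?: \(|$)")

Flow = Tuple[str, str, int]            # (client IP, server IP, server port)


@dataclass
class FlowStats:
    attempts: int = 0        # 302013 Built messages
    syn_timeouts: int = 0    # 302014 with reason 'SYN Timeout'
    completed: int = 0       # 302014 with any other reason (TCP FINs, Reset, ...)
    bytes_total: int = 0


def analyze(lines: Iterable[str]) -> Dict[Flow, FlowStats]:
    """Aggregate Built/Teardown messages per (client, server, port)."""
    stats: Dict[Flow, FlowStats] = defaultdict(FlowStats)
    for line in lines:
        m = BUILT.search(line)
        if m:
            stats[(m["src"], m["dst"], int(m["dst_port"]))].attempts += 1
            continue
        m = TEARDOWN.search(line)
        if m:
            s = stats[(m["src"], m["dst"], int(m["dst_port"]))]
            s.bytes_total += int(m["bytes"])
            if m["reason"].strip() == "SYN Timeout":
                s.syn_timeouts += 1
            else:
                s.completed += 1
    return dict(stats)


def broken_return_paths(stats: Dict[Flow, FlowStats], min_attempts: int = 2) -> List[Flow]:
    """Flows where every attempt died as a zero-byte SYN Timeout.

    The ASA passed the SYN each time, so policy is not the problem; the
    SYN-ACK never came back through it, which points at NAT or routing on
    the return path.
    """
    return sorted(f for f, s in stats.items()
                  if s.attempts >= min_attempts
                  and s.syn_timeouts == s.attempts
                  and s.bytes_total == 0)


PREFIX = "[DEBUG] Message from Host: 10.1.11.5 - Message - "
# First six lines are quoted from the post above; the two for 10.1.11.192 are constructed.
SAMPLE_LINES = [
    "2013-10-17 18:29:09.100 " + PREFIX + r"%ASA-6-302013: Built inbound TCP connection 43606 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)",
    "2013-10-17 18:29:39.129 " + PREFIX + r"%ASA-6-302014: Teardown TCP connection 43606 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)",
    "2013-10-17 18:29:45.293 " + PREFIX + r"%ASA-6-302013: Built inbound TCP connection 43612 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)",
    "2013-10-17 18:30:15.322 " + PREFIX + r"%ASA-6-302014: Teardown TCP connection 43612 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)",
    "2013-10-17 18:30:17.976 " + PREFIX + r"%ASA-6-302013: Built inbound TCP connection 43617 for outside:10.1.11.193/56626 (10.1.11.193/56626)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)",
    "2013-10-17 18:30:48.400 " + PREFIX + r"%ASA-6-302014: Teardown TCP connection 43617 for outside:10.1.11.193/56626(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:00:30 bytes 0 SYN Timeout (justinsTestMac) (pid:25912)",
    # constructed: the .192 client that the post says does work
    "2013-10-17 18:31:02.010 " + PREFIX + r"%ASA-6-302013: Built inbound TCP connection 43640 for outside:10.1.11.192/51022 (10.1.11.192/51022)(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 (107.22.xxx.yyy/6667) (justinsTestMac) (pid:25912)",
    "2013-10-17 18:36:14.500 " + PREFIX + r"%ASA-6-302014: Teardown TCP connection 43640 for outside:10.1.11.192/51022(LOCAL\justinsTestMac) to outside:107.22.xxx.yyy/6667 duration 0:05:12 bytes 48213 TCP FINs (justinsTestMac) (pid:25912)",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for flow, s in sorted(result.items()):
        print(flow, s)
    print("broken return paths:", broken_return_paths(result))
```

    Pointed at a full syslog export instead of the sample, the same grouping shows at a glance whether the failure really is "every address except .192", which is the kind of evidence that narrows a NAT rule hunt.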

  • Watch/Monitor Buttons do not show the correct state

    I programmed several Watch buttons on SPA500 module and some buttons stay lit red even though the phones are not used.  When pressing the button it does call the Vacant phone.
    How can I fix the state to be correct and only be lit red when the corresponding phone is used?

    Hi Guys,
    Was this problem ever resolved?
    I am having the same issue. Cisco CME on 2851 router. We have several Cisco 7970 IP Phones all provisioned at the same time, and all working fine. I have a 7914 module monitoring the phones and one is showing as off hook. (BLF -1).
    The phone that is showing off-hook is ephone 7; it is being monitored by ephone 4. I have done a factory reset, firmware upgrade, reset and everything recommended above but am still having the issue. The red light indicates that the phone is off-hook or not present, although it is clearly registered to the CME.
    You can see from the show ephone register below (ephone 4 is monitoring ephone 7) that ephone 7 is showing as offhook when it is not and is also registered and working. It shows:
    button 33: cw:1 ccw:(0 0)
      dn 22 number 122 CH1   IDLE         CH2   IDLE         watch(BLF on phone -1) shared with monitor-ring
    I have attached config and tftp debug below. If any one can shed some light it would be much appreciated.
    ------------------ show running-config ------------------
    Building configuration...
    Current configuration : 33299 bytes
    ! Last configuration change at 18:09:53 AEST Mon Jun 4 2012
    ! NVRAM config last updated at 18:09:56 AEST Mon Jun 4 2012
    ! NVRAM config last updated at 18:09:56 AEST Mon Jun 4 2012
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname CISCO
    boot-start-marker
    boot system flash:c2800nm-adventerprisek9-mz.151-4.M1.bin
    boot-end-marker
    card type t1 0 0
    ! card type command needed for slot/vwic-slot 0/1
    enable password
    aaa new-model
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone AEST 10 0
    no network-clock-participate wic 0
    dot11 syslog
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.199
    ip dhcp pool cisco
    network 10.0.0.0 255.255.255.0
    option 150 ip 10.0.0.1
    default-router 10.0.0.138 10.0.0.1
    dns-server x.x.x.x x.x.x.x
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    voice service voip
    ip address trusted list
      ipv4 204.9.161.164
    allow-connections h323 to h323
    allow-connections h323 to sip
    allow-connections sip to h323
    allow-connections sip to sip
    supplementary-service h450.12
    no supplementary-service sip moved-temporarily
    no supplementary-service sip refer
    h323
    vpn-group 1
      vpn-gateway 1 http://10.0.0.15
      vpn-trustpoint 1 trustpoint _Certificate leaf
      vpn-hash-algorithm sha-1
    vpn-profile 1
      host-id-check disable
    sip
      registrar server expires max 3600 min 3600
      localhost dns:sip.skype.com
    voice class codec 1
    codec preference 1 g711ulaw
    voice class permanent 1
    signal timing oos restart 50000
    signal timing oos timeout disabled
    signal keepalive disabled
    signal sequence oos no-action
    voice class custom-cptone telstra
    dualtone disconnect
      frequency 425
      cadence 375 375
    voice class custom-cptone conference
    dualtone conference
      frequency 600 900
      cadence 300 150 300 100 300 50
    voice class custom-cptone jointone
    dualtone conference
      frequency 600 900
      cadence 300 150 300 100 300 50
    voice class custom-cptone leavetone
    dualtone conference
      frequency 400 800
      cadence 400 100 200 100 200 100
    voice register global
    mode cme
    source-address 10.0.0.1 port 5060
    max-dn 25
    max-pool 25
    authenticate register
    timezone 47
    hold-alert
    mwi stutter
    voicemail 999
    tftp-path flash:
    create profile sync 0007934814052285
    voice register dn  1
    number 201
    name B iPhone
    no-reg
    label 201
    voice register dn  2
    number 202
    name D iPhone
    no-reg
    label 202
    voice register dn  3
    number 203
    name C iPhone
    no-reg
    label 203
    voice register dn  4
    number 204
    name K iPad
    no-reg
    label 204
    voice register pool  1
    registration-timer max 720 min 660
    id mac 50EA.D669.27A3
    session-transport tcp
    type CiscoMobile-iOS
    number 1 dn 1
    dtmf-relay rtp-nte
    username user201 password 201
    no vad
    voice register pool  2
    registration-timer max 720 min 660
    id mac 148F.C646.6CFA
    session-transport tcp
    type CiscoMobile-iOS
    number 1 dn 2
    dtmf-relay rtp-nte
    username user202 password 202
    no vad
    voice register pool  3
    registration-timer max 720 min 660
    id mac DC2B.6198.4F3D
    session-transport tcp
    type CiscoMobile-iOS
    number 1 dn 3
    dtmf-relay rtp-nte
    username user203 password 203
    no vad
    voice register pool  4
    registration-timer max 720 min 660
    id mac 70DE.E239.73B8
    session-transport tcp
    type CiscoMobile-iOS
    number 1 dn 4
    dtmf-relay rtp-nte
    username user204 password 204
    no vad
    voice translation-rule 1
    rule 1 /\(.*\)/ /100/
    voice translation-rule 2
    rule 1 /^.*/ /xxxxxxxxxxxxxx/
    voice translation-rule 3
    rule 1 /617xxxxxxxx/ /130/
    voice translation-rule 4
    rule 1 /^004\(........\)/ /614\1/
    rule 2 /^099\(.*\)/ /\1/
    rule 3 /^0\(.*\)/ /\1/
    voice translation-rule 5
    rule 1 /617xxxxxxxx/ /130/
    rule 2 /\(.*\)/ /100/
    voice translation-profile INBOUND
    translate called 5
    voice translation-profile PSTN_Outbound
    translate calling 2
    translate called 4
    voice translation-profile SKYPE_IN
    translate called 3
    voice-card 0
    dspfarm
    dsp services dspfarm
    interface Loopback0
    ip address 11.1.1.1 255.255.255.255
    h323-gateway voip interface
    h323-gateway voip bind srcaddr 11.1.1.1
    interface Loopback2
    ip address 10.10.10.10 255.255.255.0
    interface Tunnel1
    no ip address
    interface GigabitEthernet0/0
    description ETH-LAN
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    interface GigabitEthernet0/1
    description $ETH-LAN$
    ip address 192.168.0.1 255.255.255.0
    ip access-group 2 in
    duplex auto
    speed auto
    no cdp enable
    interface Service-Engine1/0
    ip unnumbered GigabitEthernet0/0
    service-module ip address 10.0.0.20 255.255.255.0
    service-module ip default-gateway 10.0.0.1
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Virtual-Template2
    ip unnumbered Loopback2
    interface Vif1
    ip address 192.168.11.1 255.255.255.252
    ip pim dense-mode
    ip local pool SDM_POOL_1 10.0.0.75 10.0.0.95
    ip local pool SDM_POOL_2 10.1.0.2 10.1.0.50
    ip local pool SDM_POOL_3 192.168.1.50 192.168.1.60
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:gui
    ip flow-export destination 10.0.0.239 2055
    ip nat inside source list VPNAccess interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 10.0.0.138
    ip access-list standard public
    ip access-list extended VPNAccess
    remark Allow VPN clients to access LAN
    remark CCP_ACL Category=2
    remark Allow CPN local LAN
    permit ip 192.168.1.0 0.0.0.255 any
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 10.0.0.0 0.0.0.255 any
    no cdp run
    tftp-server flash:term70.default.loads
    tftp-server flash:term71.default.loads
    tftp-server flash:apps70.8-3-0-50.sbn
    tftp-server flash:cnu70.8-3-0-50.sbn
    tftp-server flash:cvm70sccp.8-3-0-50.sbn
    tftp-server flash:dsp70.8-3-0-50.sbn
    tftp-server flash:jar70sccp.8-3-0-50.sbn
    tftp-server flash:S00105000300.sbn
    tftp-server flash:SCCP70.8-3-1S.loads
    tftp-server flash:XMLDefault.cnf.xml
    tftp-server flash:United_States/g3-tones.xml
    tftp-server flash:English_United_States/td-sccp.jar
    tftp-server flash:English_United_States/ipc-sccp.jar
    tftp-server flash:P00308000600.bin
    tftp-server flash:P00308000600.sb2
    tftp-server flash:P00308000600.loads
    tftp-server flash:P00308000600.sbn
    tftp-server flash:apps70.8-4-1-23.sbn
    tftp-server flash:cnu70.8-4-1-23.sbn
    tftp-server flash:cvm70sccp.8-4-1-23.sbn
    tftp-server flash:dsp70.8-4-1-23.sbn
    tftp-server flash:jar70sccp.8-4-1-23.sbn
    tftp-server flash:SCCP70.8-4-2S.loads
    tftp-server flash:S00105000400.sbn
    tftp-server flash:RingList.xml
    tftp-server flash:DistinctiveRingList.xml
    tftp-server flash:Ring1.raw
    tftp-server flash:Ring2.raw
    tftp-server flash:Ring3.raw
    tftp-server flash:apps70.9-0-3TH1-22.sbn
    tftp-server flash:cnu70.9-0-3TH1-22.sbn
    tftp-server flash:cvm70sccp.9-0-3TH1-22.sbn
    tftp-server flash:dsp70.9-0-3TH1-22.sbn
    tftp-server flash:jar70sccp.9-0-3TH1-22.sbn
    tftp-server flash:SCCP70.9-0-3S.loads
    tftp-server flash:apps45.9-0-3TH1-22.sbn
    tftp-server flash:cnu45.9-0-3TH1-22.sbn
    tftp-server flash:cvm45sccp.9-0-3TH1-22.sbn
    tftp-server flash:dsp45.9-0-3TH1-22.sbn
    tftp-server flash:jar45sccp.9-0-3TH1-22.sbn
    tftp-server flash:SCCP45.9-0-3S.loads
    tftp-server flash:term65.default.loads
    tftp-server flash:term45.default.loads
    tftp-server flash:cmterm_7936.3-3-21-0.bin
    control-plane
    voice-port 0/2/0
    supervisory disconnect dualtone mid-call
    supervisory custom-cptone telstra
    no battery-reversal
    cptone AU
    timeouts interdigit 5
    timeouts call-disconnect 2
    timeouts wait-release 2
    timing hookflash-out 250
    impedance complex1
    caller-id enable
    voice-port 0/2/1
    supervisory disconnect dualtone mid-call
    supervisory custom-cptone telstra
    no battery-reversal
    cptone AU
    timeouts interdigit 5
    timeouts call-disconnect 2
    timeouts wait-release 2
    timing hookflash-out 250
    impedance complex1
    caller-id enable
    voice-port 0/2/2
    supervisory disconnect dualtone mid-call
    supervisory custom-cptone telstra
    no battery-reversal
    cptone AU
    timeouts interdigit 5
    timeouts call-disconnect 2
    timeouts wait-release 2
    timing hookflash-out 250
    impedance complex1
    caller-id enable
    voice-port 0/2/3
    supervisory disconnect dualtone mid-call
    supervisory custom-cptone telstra
    no battery-reversal
    cptone AU
    timeouts interdigit 5
    timeouts call-disconnect 2
    timeouts wait-release 2
    timing hookflash-out 250
    impedance complex1
    caller-id enable
    voice-port 0/3/0
    auto-cut-through
    voice-port 0/3/1
    mgcp profile default
    sccp local GigabitEthernet0/0
    sccp ccm 10.0.0.1 identifier 1 version 7.0
    sccp
    sccp ccm group 1
    bind interface GigabitEthernet0/0
    associate ccm 1 priority 1
    associate profile 1 register confdsp1
    keepalive retries 5
    dspfarm profile 1 conference 
    codec g711ulaw
    codec g729br8
    codec g729r8
    codec g711alaw
    codec g729ar8
    codec g729abr8
    maximum conference-participants 16
    maximum sessions 3
    conference-join custom-cptone jointone
    conference-leave custom-cptone leavetone
    associate application SCCP
    dial-peer voice 1 pots
    translation-profile incoming INBOUND
    preference 3
    destination-pattern 0T
    direct-inward-dial
    port 0/2/0
    dial-peer voice 2 pots
    translation-profile incoming INBOUND
    preference 2
    destination-pattern 0T
    direct-inward-dial
    port 0/2/1
    dial-peer voice 3 pots
    translation-profile incoming INBOUND
    preference 1
    destination-pattern 0T
    direct-inward-dial
    port 0/2/2
    dial-peer voice 4 pots
    shutdown
    port 0/2/3
    dial-peer voice 10 voip
    destination-pattern 99.
    session protocol sipv2
    session target ipv4:10.0.0.20
    incoming called-number .
    dtmf-relay cisco-rtp
    codec g711ulaw
    no vad
    dial-peer voice 100 voip
    description **Incoming Call from Skype SIP Trunk**
    translation-profile incoming SKYPE_IN
    session protocol sipv2
    session target sip-server
    incoming called-number .%
    voice-class codec 1 
    voice-class sip dtmf-relay force rtp-nte
    dtmf-relay rtp-nte
    no vad
    dial-peer voice 101 voip
    description **Outgoing Call from Skype SIP Trunk**
    translation-profile outgoing PSTN_Outbound
    destination-pattern 004........
    session protocol sipv2
    session target sip-server
    voice-class codec 1 
    voice-class sip dtmf-relay force rtp-nte
    dtmf-relay rtp-nte
    no vad
    dial-peer voice 5 pots
    description **Outgoing Mobile Failover**
    preference 4
    destination-pattern *04........
    direct-inward-dial
    port 0/2/2
    dial-peer voice 102 voip
    description **Outgoing Call to Skype - THAILAND**
    translation-profile outgoing PSTN_Outbound
    destination-pattern 066.........
    session protocol sipv2
    session target sip-server
    voice-class codec 1 
    voice-class sip dtmf-relay force rtp-nte
    dtmf-relay rtp-nte
    no vad
    dial-peer voice 103 voip
    description **Outgoing Call to Skype - UK**
    translation-profile outgoing PSTN_Outbound
    destination-pattern 044..........
    session protocol sipv2
    session target sip-server
    voice-class codec 1 
    voice-class sip dtmf-relay force rtp-nte
    dtmf-relay rtp-nte
    no vad
    dial-peer voice 104 voip
    description **Outgoing Call to Skype - Internat-ALL**
    translation-profile outgoing PSTN_Outbound
    destination-pattern 099T
    session protocol sipv2
    session target sip-server
    voice-class codec 1 
    voice-class sip dtmf-relay force rtp-nte
    dtmf-relay rtp-nte
    no vad
    dial-peer voice 700 voip
    destination-pattern 70.
    session protocol sipv2
    session target ipv4:10.0.0.20
    dtmf-relay sip-notify
    codec g711ulaw
    no vad
    dial-peer voice 712 voip
    destination-pattern A712
    session protocol multicast
    session target ipv4:237.111.0.0:22222
    voice-class permanent 1
    dtmf-relay cisco-rtp
    codec g711ulaw
    vad aggressive
    dial-peer voice 713 voip
    destination-pattern A713
    session protocol multicast
    session target ipv4:237.111.0.1:22222
    voice-class permanent 1
    dtmf-relay cisco-rtp
    codec g711ulaw
    vad aggressive
    dial-peer voice 70 pots
    preference 1
    destination-pattern 712
    dial-peer voice 71 pots
    preference 2
    destination-pattern 712
    dial-peer voice 72 pots
    preference 3
    destination-pattern 712
    sip-ua
    credentials username xxxxxxxxxxxxxx password 7 realm sip.skype.com
    authentication username xxxxxxxxxxxxxx password 7
    no remote-party-id
    retry invite 2
    retry register 10
    registrar dns:sip.skype.com expires 3600
    sip-server dns:sip.skype.com
    host-registrar
    telephony-service
    sdspfarm conference mute-on 111 mute-off 222
    sdspfarm units 3
    sdspfarm tag 1 confdsp1
    conference hardware
    video
    authentication credential xxxxx xxxxx
    xml user xxxxx password xxxxx 15
    max-ephones 96
    max-dn 110 no-reg
    ip source-address 10.0.0.1 port 2000
    auto assign 1 to 24
    service phone videoCapability 1
    timeouts interdigit 5
    system message xxxxx Pty Ltd
    url directories http://10.0.0.1:80/localdirectory
    url services http://10.0.0.20/voiceview/common/login.do
    url authentication http://10.0.0.1/CCMCIP/authenticate.asp 
    cnf-file perphone
    load 7914 S00105000400
    load 7936 cmterm_7936.3-3-21-0
    load 7960-7940 P00308000600
    load 7965 term65.default
    load 7970 term70.default
    time-zone 47
    time-format 24
    date-format dd-mm-yy
    live-record 998
    voicemail 999
    max-conferences 3 gain -6
    call-park system application
    moh music-on-hold.au
    web admin system name xxxxx secret 5 xxxxxxxxxxxxxxxx
    dn-webedit
    time-webedit
    transfer-system full-consult
    transfer-pattern 0
    transfer-pattern 2..
    transfer-pattern 7..
    secondary-dialtone 0
    directory entry 1 100 name Reception
    fac standard
    create cnf-files version-stamp 7960 Jun 04 2012 17:24:26
    ephone-template  1
    url services 2 http://xxxxxxlawyers.com/phone/xmldir/PhoneUI/ xxxxxxLawyers_DIRECTORY
    url services 3 http://jivait.com/phone/rss2cisco.pl NEWS@
    park reservation-group 1
    softkeys idle  Dnd Newcall Gpickup Pickup Cfwdall Redial ConfList Join RmLstC Login
    softkeys seized  Callback Cfwdall Endcall Gpickup HLog Meetme Pickup Redial
    softkeys connected  Hold Endcall Trnsfer Park TrnsfVM Confrn ConfList Select Join Acct LiveRcd Flash
    ephone-template  2
    url services 2 http://phone-xml.berbee.com/menu.xml TEST
    ephone-template  3
    park reservation-group 1
    softkeys idle  Dnd Newcall Gpickup Pickup Cfwdall Redial Login
    softkeys seized  Callback Cfwdall Endcall Gpickup HLog Meetme Pickup Redial
    softkeys connected  Hold Endcall Trnsfer Park TrnsfVM Confrn ConfList Join
    ephone-template  4
    park reservation-group 1
    softkeys seized  Meetme Gpickup Pickup Redial
    softkeys connected  Hold Trnsfer Park LiveRcd Endcall Confrn ConfList Select Join Acct
    ephone-dn  1  dual-line
    number 100 no-reg primary
    pickup-group 1
    label xxxxx xxxxx
    name Reception
    call-forward noan 999 timeout 40
    huntstop channel
    no huntstop
    ephone-dn  2  dual-line
    number 100 no-reg primary
    pickup-group 1
    label xxxxx xxxxx
    name Reception2
    preference 1
    call-forward noan 999 timeout 40
    huntstop channel
    no huntstop
    ephone-dn  3  dual-line
    number 100 no-reg primary
    pickup-group 1
    label xxxxx xxxxx
    name Reception3
    preference 2
    call-forward noan 999 timeout 40
    huntstop channel
    no huntstop
    ephone-dn  4  dual-line
    number 100 no-reg primary
    pickup-group 1
    label xxxxx xxxxx
    name Reception4
    preference 3
    call-forward busy 999
    call-forward noan 999 timeout 40
    huntstop channel
    ephone-dn  9  dual-line
    number 130 secondary 617xxxxxxxx no-reg both
    pickup-group 1
    label Private Line (07 xxxx xxxx)
    description 07 xxxx xxxx
    name Skype1
    ephone-dn  10  dual-line
    number 101 no-reg primary
    pickup-group 1
    label Ben xxxxxx (101)
    description Extension 101
    name Ben xxxxxx
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  11  dual-line
    number 102 no-reg primary
    pickup-group 1
    label Drew xxxxx (102)
    description Extension 102
    name Drew xxxxx
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  12  dual-line
    number 103 no-reg primary
    pickup-group 1
    label xxxxx xxxxxx (103)
    description Extension 103
    name xxxxx xxxxxx
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  13  dual-line
    number 104 no-reg primary
    pickup-group 1
    label Dennis xxxxx (104)
    description Extension 104
    name Dennis xxxxx
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  14  dual-line
    number 105 no-reg primary
    pickup-group 1
    label Meeting Room (105)
    description Extension 105
    name Meeting Room
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  15  dual-line
    number 106 no-reg primary
    pickup-group 1
    label Front Desk
    description Extension 106
    name Front Desk
    call-forward busy 100
    call-forward noan 100 timeout 45
    ephone-dn  16  dual-line
    number 107 no-reg primary
    pickup-group 1
    label Server
    description Extension 107
    name Server
    call-forward busy 100
    call-forward noan 100 timeout 45
    ephone-dn  19  dual-line
    number 119 no-reg primary
    pickup-group 1
    label Cordless
    description Extension 119
    name Cordless
    call-forward busy 100
    call-forward noan 100 timeout 30
    ephone-dn  20  dual-line
    number 121 no-reg primary
    pickup-group 1
    label Front Reception
    description Extension 121
    name Front Reception
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  21  dual-line
    number 120 no-reg primary
    pickup-group 1
    label Conference Phone
    description Extension 120
    name Conference Phone
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  22  dual-line
    number 122 no-reg primary
    pickup-group 1
    label Reception
    description Extension 122
    name Reception
    call-forward busy 999
    call-forward noan 999 timeout 25
    ephone-dn  25  dual-line
    number 126 no-reg primary
    pickup-group 1
    label xxxxxx SoftPhone
    description Extension 126
    name SoftPhone1
    ephone-dn  51
    number 151 no-reg primary
    label Line-1(5288)-Monitor ONLY
    trunk 1 monitor-port 0/2/0
    ephone-dn  52
    number 152 no-reg primary
    label Line-2(5232)-Monitor ONLY
    trunk 1 monitor-port 0/2/1
    ephone-dn  53
    number 153 no-reg primary
    label Line-3(5404)-Monitor ONLY
    trunk 1 monitor-port 0/2/2
    ephone-dn  98
    number 998 no-reg primary
    call-forward all 999
    ephone  1
    device-security-mode none
    video
    mac-address 0018.73E2.34D9
    ephone-template 1
    username "user1" password xxxxxx
    paging-dn 32
    type 7970 addon 1 7914
    button  1o1,2,3,4 2:51 3:52 4:53
    button  5:54 6m90 7m91 8m92
    button  9w10 10w11 11w12 12w13
    button  13w14 16:41 17:43 18:45
    ephone  2
    device-security-mode none
    video
    mac-address 000A.B84C.483F
    ephone-template 1
    username "user2" password xxxxxx
    paging-dn 32
    type 7970
    button  1:10 2:9 3:42 4m90
    button  5m91
    ephone  3
    device-security-mode none
    video
    mac-address 0019.2FE3.95A1
    ephone-template 1
    username "user3" password xxxxxx
    fastdial 1 00413093639 name Catherine
    fastdial 2 00432030586 name Ben
    paging-dn 32
    type 7970
    button  1:11 3w10 4w13 5m90
    button  6m91 7:46
    ephone  4
    device-security-mode none
    video
    mac-address 0019.2FE3.94F6
    ephone-template 1
    username "user4" password xxxxxx
    speed-dial 1 00408760740 label "IT Support"
    paging-dn 32
    type 7970 addon 1 7914 2 7914
    button  1:12 2:9 3o1,2,3,4 9:51
    button  10:52 11:53 12:54 15m90
    button  16m91 17m92 23:41 24:43
    button  25:45 29w10 30w11 31w13
    button  32w14 33w22 34w19 35:21
    ephone  5
    device-security-mode none
    mac-address 0019.2FB9.CA32
    ephone-template 1
    username "user5"
    paging-dn 32
    type 7970
    button  1:13 2:44 3m90 4m91
    ephone  6
    device-security-mode none
    mac-address 000A.B84C.4598
    ephone-template 1
    username "user6"
    paging-dn 32
    type 7970
    button  1:14 2m90
    ephone  7
    device-security-mode none
    mac-address 0018.73E2.369B
    ephone-template 1
    username "user7"
    paging-dn 32
    type 7970
    button  1o1,2,3,4 2:22
    ephone  8
    device-security-mode none
    mac-address 0015.5832.54A3
    ephone-template 2
    type CIPC
    button  1:25 2m1
    line con 0
    exec-timeout 0 0
    line aux 0
    line 66
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
    exec-timeout 0 0
    password
    transport input all
    scheduler allocate 20000 1000
    ntp master
    ntp update-calendar
    ntp server 150.101.221.106
    webvpn gateway gateway_1
    ip address 10.0.0.15 port 443 
    http-redirect port 80
    ssl trustpoint TP-self-signed-1560239260
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
    end
    ============================================================================
    Jun  5 00:28:44.922: TFTP: Looking for term70.default.loads
    Jun  5 00:28:44.922: TFTP: Opened flash:term70.default.loads, fd 2, size 660 for process 314
    Jun  5 00:28:44.930: TFTP: Finished flash:term70.default.loads, time 00:00:00 for process 314
    Jun  5 00:28:46.054: TFTP: Looking for jar70sccp.9-0-3TH1-22.sbn
    Jun  5 00:28:46.058: TFTP: Opened flash:jar70sccp.9-0-3TH1-22.sbn, fd 2, size 1828680 for process 314
    Jun  5 00:28:52.018: TFTP: Finished flash:jar70sccp.9-0-3TH1-22.sbn, time 00:00:05 for process 314
    Jun  5 00:28:57.490: TFTP: Looking for cnu70.9-0-3TH1-22.sbn
    Jun  5 00:28:57.490: TFTP: Opened flash:cnu70.9-0-3TH1-22.sbn, fd 2, size 506761 for process 314
    Jun  5 00:28:59.134: TFTP: Finished flash:cnu70.9-0-3TH1-22.sbn, time 00:00:01 for process 314
    Jun  5 00:29:01.242: TFTP: Looking for apps70.9-0-3TH1-22.sbn
    Jun  5 00:29:01.246: TFTP: Opened flash:apps70.9-0-3TH1-22.sbn, fd 2, size 3084262 for process 314
    Jun  5 00:29:07.243: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-7:SEP001873E2369B IP:10.0.0.204 Socket:11 DeviceType:Phone has unregistered abnormally.
    Jun  5 00:29:11.219: TFTP: Finished flash:apps70.9-0-3TH1-22.sbn, time 00:00:09 for process 314
    Jun  5 00:29:19.791: TFTP: Looking for dsp70.9-0-3TH1-22.sbn
    Jun  5 00:29:19.791: TFTP: Opened flash:dsp70.9-0-3TH1-22.sbn, fd 2, size 540433 for process 314
    Jun  5 00:29:21.559: TFTP: Finished flash:dsp70.9-0-3TH1-22.sbn, time 00:00:01 for process 314
    Jun  5 00:29:23.619: TFTP: Looking for cvm70sccp.9-0-3TH1-22.sbn
    Jun  5 00:29:23.623: TFTP: Opened flash:cvm70sccp.9-0-3TH1-22.sbn, fd 2, size 2166976 for process 314
    Jun  5 00:29:30.807: TFTP: Finished flash:cvm70sccp.9-0-3TH1-22.sbn, time 00:00:07 for process 314
    Jun  5 00:31:07.536: TFTP: Looking for CTLSEP001873E2369B.tlv
    Jun  5 00:31:07.636: TFTP: Looking for ITLSEP001873E2369B.tlv
    Jun  5 00:31:07.748: TFTP: Looking for ITLFile.tlv
    Jun  5 00:31:08.004: TFTP: Looking for SEP001873E2369B.cnf.xml
    Jun  5 00:31:08.004: TFTP: Opened system:/its/vrf1/SEP001873E2369B.cnf.xml, fd 2, size 1543 for process 314
    Jun  5 00:31:08.012: TFTP: Finished system:/its/vrf1/SEP001873E2369B.cnf.xml, time 00:00:00 for process 314
    Jun  5 00:31:14.424: TFTP: Looking for English_United_States/td-sccp.jar
    Jun  5 00:31:14.428: TFTP: Opened flash:English_United_States/td-sccp.jar, fd 2, size 67385 for process 314
    Jun  5 00:31:14.756: TFTP: Finished flash:English_United_States/td-sccp.jar, time 00:00:00 for process 314
    Jun  5 00:31:15.480: TFTP: Looking for United_States/g3-tones.xml
    Jun  5 00:31:15.480: TFTP: Opened flash:United_States/g3-tones.xml, fd 2, size 1036 for process 314
    Jun  5 00:31:15.488: TFTP: Finished flash:United_States/g3-tones.xml, time 00:00:00 for process 314
    Jun  5 00:31:31.604: %IPPHONE-6-REG_ALARM: 25: Name=SEP001873E2369B Load= term70.default Last=Initialized
    Jun  5 00:31:31.652: %IPPHONE-6-REGISTER: ephone-7:SEP001873E2369B IP:10.0.0.204 Socket:11 DeviceType:Phone has registered.
    Jun  5 00:31:33.228: %IPPHONE-6-UNREGISTER_NORMAL: ephone-7:SEP001873E2369B IP:10.0.0.204 Socket:11 DeviceType:Phone has unregistered normally.
    Jun  5 00:32:34.333: TFTP: Looking for CTLSEP001873E2369B.tlv
    Jun  5 00:32:34.413: TFTP: Looking for ITLSEP001873E2369B.tlv
    Jun  5 00:32:34.521: TFTP: Looking for ITLFile.tlv
    Jun  5 00:32:34.853: TFTP: Looking for SEP001873E2369B.cnf.xml
    Jun  5 00:32:34.853: TFTP: Opened system:/its/vrf1/SEP001873E2369B.cnf.xml, fd 2, size 1543 for process 314
    Jun  5 00:32:34.861: TFTP: Finished system:/its/vrf1/SEP001873E2369B.cnf.xml, time 00:00:00 for process 314
    Jun  5 00:32:39.861: %IPPHONE-6-REG_ALARM: 25: Name=SEP001873E2369B Load= term70.default Last=Initialized
    Jun  5 00:32:39.905: %IPPHONE-6-REGISTER: ephone-7:SEP001873E2369B IP:10.0.0.204 Socket:13 DeviceType:Phone has registered.
    OLSENCISCO#
    =====================================================
    ephone-1[0] Mac:0018.73E2.34D9 TCP socket:[17] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.221 * 52191 7970  sub=1 keepalive 2082 max_line 22 available_line 22
    Phone reports 22 Available Lines
    button 1: cw:1 ccw:(0 0)
      dn 1  number 100 CH1   IDLE         CH2   IDLE         overlay shared
    button 2: cw:1 ccw:(0)
      dn 51 number 151 CH1   IDLE         shared
    button 3: cw:1 ccw:(0)
      dn 52 number 152 CH1   IDLE         shared
    button 4: cw:1 ccw:(0)
      dn 53 number 153 CH1   IDLE         shared
    button 5: cw:1 ccw:(0)
      dn 54 number 154 CH1   IDLE         shared with monitor-ring
    button 6: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    button 7: cw:1 ccw:(0)
      dn 91 number 301 CH1   IDLE         monitor-ring shared
    button 8: cw:1 ccw:(0)
      dn 92 number 302 CH1   IDLE         monitor-ring shared
    button 9: cw:1 ccw:(0 0)
      dn 10 number 101 CH1   IDLE         CH2   IDLE         watch(BLF on phone 2) shared with monitor-ring
    button 10: cw:1 ccw:(0 0)
      dn 11 number 102 CH1   IDLE         CH2   IDLE         watch(BLF on phone 3) shared with monitor-ring
    button 11: cw:1 ccw:(0 0)
      dn 12 number 103 CH1   IDLE         CH2   IDLE         watch(BLF on phone 4) shared
    button 12: cw:1 ccw:(0 0)
      dn 13 number 104 CH1   IDLE         CH2   IDLE         watch(BLF on phone 5) shared with monitor-ring
    button 13: cw:1 ccw:(0 0)
      dn 14 number 105 CH1   IDLE         CH2   IDLE         watch(BLF on phone 6) shared with monitor-ring
    button 16: cw:1 ccw:(0)
      dn 41 number A501  auto dial A502 CH1   IDLE         shared with monitor-ring
    button 17: cw:1 ccw:(0)
      dn 43 number A503  auto dial A504 CH1   IDLE         shared with monitor-ring
    button 18: cw:1 ccw:(0)
      dn 45 number A505  auto dial A506 CH1   IDLE         shared with monitor-ring
    FXO Port Monitoring Status
    button: 2 dn: 51 FXO Port: 0/2/0 Status: Idle
    button: 3 dn: 52 FXO Port: 0/2/1 Status: Idle
    button: 4 dn: 53 FXO Port: 0/2/2 Status: Idle
    button: 5 dn: 54 FXO Port: 0/2/3 Status: Idle
    overlay 1: 1(100) 2(100) 3(100) 4(100)
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user1 Password:xxxxxxxx
    ephone-2[1] Mac:000A.B84C.483F TCP socket:[15] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.216 * 52908 7970  keepalive 2081 max_line 8 available_line 8
    button 1: cw:1 ccw:(0 0)
      dn 10 number 101 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    button 2: cw:1 ccw:(0 0)
      dn 9  number 130 CH1   IDLE         CH2   IDLE         shared
    button 3: cw:1 ccw:(0)
      dn 42 number A502  auto dial A501 CH1   IDLE
    button 4: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    button 5: cw:1 ccw:(0)
      dn 91 number 301 CH1   IDLE         monitor-ring shared
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user2 Password: xxxxxxxx
    ephone-3[2] Mac:0019.2FE3.95A1 TCP socket:[16] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.223 * 49428 7970  keepalive 2069 max_line 8 available_line 8
    button 1: cw:1 ccw:(0 0)
      dn 11 number 102 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    button 3: cw:1 ccw:(0 0)
      dn 10 number 101 CH1   IDLE         CH2   IDLE         watch(BLF on phone 2) shared with monitor-ring
    button 4: cw:1 ccw:(0 0)
      dn 13 number 104 CH1   IDLE         CH2   IDLE         watch(BLF on phone 5) shared with monitor-ring
    button 5: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    button 6: cw:1 ccw:(0)
      dn 91 number 301 CH1   IDLE         monitor-ring shared
    button 7: cw:1 ccw:(0)
      dn 46 number A506  auto dial A505 CH1   IDLE
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user3 Password: xxxxxxxx
    ephone-4[3] Mac:0019.2FE3.94F6 TCP socket:[19] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.201 * 52711 7970  sub=2 keepalive 2050 max_line 36 available_line 35
    Phone reports 35 Available Lines
    button 1: cw:1 ccw:(0 0)
      dn 12 number 103 CH1   IDLE         CH2   IDLE         shared
    button 2: cw:1 ccw:(0 0)
      dn 9  number 130 CH1   IDLE         CH2   IDLE         shared
    button 3: cw:1 ccw:(0 0)
      dn 1  number 100 CH1   IDLE         CH2   IDLE         overlay shared
    button 9: cw:1 ccw:(0)
      dn 51 number 151 CH1   IDLE         shared
    button 10: cw:1 ccw:(0)
      dn 52 number 152 CH1   IDLE         shared
    button 11: cw:1 ccw:(0)
      dn 53 number 153 CH1   IDLE         shared
    button 12: cw:1 ccw:(0)
      dn 54 number 154 CH1   IDLE         shared with monitor-ring
    button 15: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    button 16: cw:1 ccw:(0)
      dn 91 number 301 CH1   IDLE         monitor-ring shared
    button 17: cw:1 ccw:(0)
      dn 92 number 302 CH1   IDLE         monitor-ring shared
    button 23: cw:1 ccw:(0)
      dn 41 number A501  auto dial A502 CH1   IDLE         shared with monitor-ring
    button 24: cw:1 ccw:(0)
      dn 43 number A503  auto dial A504 CH1   IDLE         shared with monitor-ring
    button 25: cw:1 ccw:(0)
      dn 45 number A505  auto dial A506 CH1   IDLE         shared with monitor-ring
    button 29: cw:1 ccw:(0 0)
      dn 10 number 101 CH1   IDLE         CH2   IDLE         watch(BLF on phone 2) shared with monitor-ring
    button 30: cw:1 ccw:(0 0)
      dn 11 number 102 CH1   IDLE         CH2   IDLE         watch(BLF on phone 3) shared with monitor-ring
    button 31: cw:1 ccw:(0 0)
      dn 13 number 104 CH1   IDLE         CH2   IDLE         watch(BLF on phone 5) shared with monitor-ring
    button 32: cw:1 ccw:(0 0)
      dn 14 number 105 CH1   IDLE         CH2   IDLE         watch(BLF on phone 6) shared with monitor-ring
    button 33: cw:1 ccw:(0 0)
      dn 22 number 122 CH1   IDLE         CH2   IDLE         watch(BLF on phone -1) shared with monitor-ring
    button 34: cw:1 ccw:(0 0)
      dn 19 number 119 CH1   IDLE         CH2   IDLE         watch(BLF on phone 16) shared with monitor-ring
    button 35: cw:1 ccw:(0 0)
      dn 21 number 120 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    FXO Port Monitoring Status
    button: 9 dn: 51 FXO Port: 0/2/0 Status: Idle
    button: 10 dn: 52 FXO Port: 0/2/1 Status: Idle
    button: 11 dn: 53 FXO Port: 0/2/2 Status: Idle
    button: 12 dn: 54 FXO Port: 0/2/3 Status: Idle
    overlay 3: 1(100) 2(100) 3(100) 4(100)
    speed dial 1:00408760740 IT Support
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user4 Password: xxxxxxxx
    ephone-5[4] Mac:0019.2FB9.CA32 TCP socket:[14] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.222 * 51034 7970  keepalive 2129 max_line 8 available_line 8
    button 1: cw:1 ccw:(0 0)
      dn 13 number 104 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    button 2: cw:1 ccw:(0)
      dn 44 number A504  auto dial A503 CH1   IDLE
    button 3: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    button 4: cw:1 ccw:(0)
      dn 91 number 301 CH1   IDLE         monitor-ring shared
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user5
    ephone-6[5] Mac:000A.B84C.4598 TCP socket:[5] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.219 * 49291 7970  keepalive 2135 max_line 8 available_line 8
    button 1: cw:1 ccw:(0 0)
      dn 14 number 105 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    button 2: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user6
    ephone-7[6] Mac:0018.73E2.369B TCP socket:[13] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.204 * 50084 7970  keepalive 100 max_line 8 available_line 8
    button 1: cw:1 ccw:(0 0)
      dn 1  number 100 CH1   IDLE         CH2   IDLE         overlay shared
    button 2: cw:1 ccw:(0 0)
      dn 22 number 122 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    overlay 1: 1(100) 2(100) 3(100) 4(100)
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user7
    ephone-11[10] Mac:001F.CA35.5721 TCP socket:[9] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 19/17 max_streams=5
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:9
    IP:10.0.0.77 * 53104 7965  keepalive 1214 max_line 6 available_line 6
    button 1: cw:1 ccw:(0 0)
      dn 27 number 128 CH1   IDLE         CH2   IDLE
    button 2: cw:1 ccw:(0 0)
      dn 1  number 100 CH1   IDLE         CH2   IDLE         overlay shared
    button 3: cw:1 ccw:(0)
      dn 51 number 151 CH1   IDLE         shared
    button 4: cw:1 ccw:(0)
      dn 52 number 152 CH1   IDLE         shared
    button 5: cw:1 ccw:(0)
      dn 53 number 153 CH1   IDLE         shared
    FXO Port Monitoring Status
    button: 3 dn: 51 FXO Port: 0/2/0 Status: Idle
    button: 4 dn: 52 FXO Port: 0/2/1 Status: Idle
    button: 5 dn: 53 FXO Port: 0/2/2 Status: Idle
    overlay 2: 1(100) 2(100) 3(100)
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user11 Password: xxxxxxxx
    ephone-13[12] Mac:000D.BCE9.7533 TCP socket:[1] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 11/9 max_streams=0
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.235 * 50792 Telecaster 7940  keepalive 2143 max_line 2 available_line 2
    button 1: cw:1 ccw:(0 0)
      dn 15 number 106 CH1   IDLE         CH2   IDLE
    button 2: cw:1 ccw:(0 0)
      dn 1  number 100 CH1   IDLE         CH2   IDLE         overlay shared
    overlay 2: 1(100) 2(100) 3(100) 4(100)
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user13 Password: xxxxxxxx
    ephone-15[14] Mac:0014.6A87.716A TCP socket:[2] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 11/9 max_streams=1
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.236 * 50649 Telecaster 7940  keepalive 2142 max_line 2 available_line 2
    button 1: cw:1 ccw:(0 0)
      dn 16 number 107 CH1   IDLE         CH2   IDLE
    button 2: cw:1 ccw:(0)
      dn 90 number 300 CH1   IDLE         monitor-ring shared
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none
    ephone-16[15] Mac:0019.55EC.B6FF TCP socket:[7] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 1/1 max_streams=0
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:7
    IP:10.0.0.185 * 10664 ATA Phone  keepalive 2139 max_line 1 available_line 0
    button 1: cw:1 ccw:(0 0)
      dn 19 number 119 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    Preferred Codec: g711ulaw
    Lpcor Type: none Username: user16 Password: xxxxxxxx
    ephone-17[16] Mac:1955.ECB6.FF01 TCP socket:[6] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 1/1 max_streams=0
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:3
    IP:10.0.0.185 * 10663 ATA Phone  keepalive 2139 max_line 1 available_line 0
    button 1: cw:1 ccw:(0 0)
      dn 2  number 100 CH1   IDLE         CH2   IDLE         shared
    Preferred Codec: g711ulaw
    Lpcor Type: none
    ephone-18[17] Mac:001B.2AC6.BE43 TCP socket:[3] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 11/9 max_streams=0
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:8
    IP:10.0.0.77 * 51863 Telecaster 7940  keepalive 1232 max_line 2 available_line 2
    button 1: cw:1 ccw:(0 0)
      dn 28 number 129 CH1   IDLE         CH2   IDLE
    button 2: cw:1 ccw:(0 0)
      dn 12 number 103 CH1   IDLE         CH2   IDLE         silent-ring shared
    paging-dn 32
    Preferred Codec: g711ulaw
    Lpcor Type: none
    ephone-19[18] Mac:0004.F2E2.43E0 TCP socket:[8] activeLine:0 whisperLine:0 REGISTERED in SCCP ver 4/3 max_streams=0
    mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0 caps:4
    IP:10.0.0.215 * 1038 7936  keepalive 2567 max_line 1 available_line 0
    button 1: cw:1 ccw:(0 0)
      dn 21 number 120 CH1   IDLE         CH2   IDLE         shared with monitor-ring
    Preferred Codec: g711ulaw
    Lpcor Type: none

  • Mac Pro as Switch/Router

    I'm having a difficult time with VPN and the Airport Extreme Base Station. Some searching suggests that older AEBS basically suck at VPN passthrough. Before I go out and spend a couple hundred dollars on a new router, or smart switch, I thought I'd at least confirm that is the case. I've tried 2 different VPN servers, a Windows Server based one, and the Mac's. They work for a couple minutes, and then stop responding, until I reconnect.
    So, long story short, I want to try using the Mac Pro, which houses most of the services, as a "router" (internet comes in via one gigabit NIC, goes out the other NIC to the main switch (dummy switch, not capable of routing)) to provide the rest of the office internet. What kind of settings do I need to enable? Net Sharing? What about services that don't run on the Mac Pro - How would I accomplish Port-Forwarding in this case? And what about the AEBS? It still serves a purpose at the very least to provide wireless access.
    Any help or suggestions would be great.

    IP routing works by having and knowing a local route within the current subnet, and by sending all other packets out via the default route via the default NIC. This might not be the NIC you want, which can lead to packets that are misrouted and never get acknowledged, and all the ensuing "fun". Static routes override that, and cause traffic to be sent to the specified subnet via the specified NIC.
    You'll need to look at the static routes that are set on the target dual-NIC box (the path off that box), on the VPN (via Server Admin), and on the client end of the tunnel (which can, for instance, bypass the VPN).
    To see where routing sends the requests:
    route get host.example.com
    or
    route get w.x.y.z
    or (for everything)
    netstat -nrl
    Here's the basic command for establishing a route:
    sudo route -nv add 10.0.0.0/8 10.x.y.z
    Depending on the context, the interface can be necessary. (eg: append -interface en0)
    The command to add a route needs to be invoked at each startup, too. There are various ways to perform this, but you can create a small bash script and register it via launchctl. (You'll likely need to look up the launchd and launchctl syntax; I know I do.)
    Or you plug in a firewall/VPN/NAT box, and (since you're usually not establishing IP sessions from directly on the firewall) let it figure all this stuff out for you.
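    The routing decision the answer above describes (default route via the "wrong" NIC until a more specific static route overrides it) can be simulated on a small routing table. The following is an added example, not code from the poster or from OS X; the interface names, addresses and the table entries are constructed to resemble `netstat -nr` output on a dual-NIC box.

```python
"""Longest-prefix route lookup over a constructed routing table.

Added illustration for the dual-NIC Mac Pro discussion; not the poster's
code. Interface names (en0/en1), gateways and addresses are assumptions.
"""
import ipaddress

# Constructed table in the spirit of `netstat -nr` output: destination,
# gateway, interface. "default" is the catch-all route via the WAN NIC.
ROUTES_BEFORE = [
    ("default",        "203.0.113.1", "en0"),   # upstream ISP gateway (assumed)
    ("203.0.113.0/24", "link",        "en0"),   # WAN subnet on the first NIC
    ("192.168.1.0/24", "link",        "en1"),   # office LAN on the second NIC
]

# The same table after `sudo route -nv add 10.0.0.0/8 192.168.1.254`:
# the VPN-side 10/8 space is now steered to the office NIC instead of
# falling through to the default route (192.168.1.254 is an assumed gateway).
ROUTES_AFTER = ROUTES_BEFORE + [("10.0.0.0/8", "192.168.1.254", "en1")]


def parse_routes(table):
    """Turn the textual destinations into ip_network objects."""
    parsed = []
    for dest, gw, iface in table:
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        parsed.append((net, gw, iface))
    return parsed


def lookup(table, host):
    """Return (matched destination, gateway, interface) for host, or None.

    Mirrors what the kernel does: the most specific (longest prefix)
    matching route wins, and "default" applies only when nothing else matches.
    """
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, iface in parse_routes(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    # Before the static route, 10.20.30.40 leaves via en0 (the WAN NIC) and
    # never reaches the office side; after it, it goes via en1 as intended.
    for h in ("10.20.30.40", "192.168.1.10", "8.8.8.8"):
        print(h, "before:", lookup(ROUTES_BEFORE, h), "after:", lookup(ROUTES_AFTER, h))
```

Running `route get 10.20.30.40` on the real box is the equivalent of `lookup(...)` here; compare its `interface:` line against what you expect before and after adding the static route.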

  • Can Identity Firewall work with L2L IPSec

    Hello,
    One of my customers has requested a L2L IPSec tunnel between a 3rd party ASA5505 and their central office 5510.
    The tunnel works fine but they have asked to enable Identity Firewall against the incoming connections in relation to the IPSec tunnel.
    I've read about sysopt and vpn filter. So there are 2 choices.
    1. Disable access rule bypass for VPN connections via the sysopt command and configure the access rules accordingly.
    2. Use the vpn filter mechanism and define the ACL / ACE w/ the Identity Firewall.
    This is an excerpt from the Identity Firewall chapter ASA 9.0/ASDM 7.0.
    VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.
    Has anyone attempted and succeeded with such a configuration? If so, did it support AD authentication or LOCAL only?
    Thanks in advance for your input.

    Anyone??
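    The two options the poster lists, written out in ASA syntax as an added illustration (this is not configuration from the poster or from Cisco's documentation, and it has not been tested against an L2L tunnel). The ACL names, the group policy name, the AD domain nickname and group (EXAMPLE\\Finance), the remote subnet 10.20.0.0/16, the central server 10.1.1.10 and the peer address 198.51.100.2 are all assumed placeholders.

```text
! Option 1: stop VPN traffic from bypassing the interface ACLs, then put the
! identity-based rule in the normal inbound ACL on the outside interface.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp user-group EXAMPLE\\Finance 10.20.0.0 255.255.0.0 host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Option 2: leave sysopt as it is and attach an identity ACL as a vpn-filter
! on the group policy the L2L tunnel-group uses. vpn-filter ACLs are written
! with the remote (tunnel) side as the source.
access-list L2L_IDFW_FILTER extended permit tcp user-group EXAMPLE\\Finance 10.20.0.0 255.255.0.0 host 10.1.1.10 eq 443
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value L2L_IDFW_FILTER
tunnel-group 198.51.100.2 general-attributes
 default-group-policy L2L_GP
```

Either way the identity match only works if the ASA has a user-to-address mapping for the remote-side hosts, which is what the AD agent supplies; that is the piece to verify first (show the user-identity mappings on the ASA after a remote user logs on) before debugging ACL hits. Option 1 also exposes every other tunnel to the interface ACL, so review the rest of OUTSIDE_IN before removing the sysopt.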

  • HT5413 Help filtering internet access

    +PAX
    Greetings all, and a Merry Christmas!
    We're a small monastery. And due to this, we need to implement some Internet filtering. Unfortunately, it's not the basic kind of filtering. Frankly, I'm not sure that all of what we're looking to do can be done. But I'm at a loss about where I can look for this information.
    At the moment, we've got a basic network, that you'd find a family home: DSL modem-router, a bunch of Ethernet hubs, and a whole bunch of cables.
    The computers are mainly running Fedora Linux. There are 3 Windows stations, and 2 OS X stations.
    The perfect solution is to be able to have 1 network, where there are 2 or 3 rooms where the Internet is accessible. And, those who have laptops, that they can bring their laptop to these rooms, and have Internet access, but NOT have access while connected to the network in other places. (Complicated, I know).
    If that's not possible, ok. (Frankly, I don't think it is, but am very open to suggestions).
    What we really need is to be able to allow an Internet connection, restrict basically all web-surfing, while allowing e-mail, skype, and updates. The updates are my biggest problem. We already have a rule established on the modem-router that blocks surfing activity at night, but still allows e-mail and skype. Yet, this rule also blocks the apple AppStore updates.
    So, I'm wondering if we get OSX server, would this help the situation? Where can I get more info about OSX server's filtering capabilities?
    If we can't establish all the blocking that we need, then it'd be great if we could have some type of report of each person's activity.
    Thanks for the help!

    IMO, OS X Server won't be a good solution as a network filter.  It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.
    FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general, given that it's your most common platform.
    Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation.  WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.
    There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.
    Here is Apple's network port list.
    As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.
    A common solution involves a web proxy filter, where all connections must pass through that device.  The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server.  In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.
    Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).
    Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters.  Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443. 
    Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses".  Whether you can get that to work by excepting the supernodes, I don't know.
    I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking.  None of this stuff is particularly specific to OS X or OS X Server, either.  
    This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration.  That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering.  Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.
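    The egress policy sketched in the answer above (block outbound TCP 25, allow mail over SSL and submission, block TCP 80/443 for everyone except the local update server, deny the rest) is easy to get subtly wrong in rule order. The following is an added example, not the poster's or any product's configuration: it encodes that policy as an ordered, first-match rule list and evaluates constructed connection records against it. The LAN range, the update-server address, the sample log lines and the use of 993/995 for IMAP and POP over SSL are assumptions of the example.

```python
"""First-match egress policy check for the small-network filter discussed above.

Added illustration; not the poster's or any firewall's code. Addresses,
ports beyond those named in the answer, and the log lines are constructed.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dport note")
ANY = ipaddress.ip_network("0.0.0.0/0")

LAN = ipaddress.ip_network("192.168.10.0/24")            # assumed office LAN
UPDATE_SERVER = ipaddress.ip_network("192.168.10.5/32")  # assumed local update cache

# Ordered like a firewall chain: the first matching rule decides, and the
# last rule is the default deny that catches everything not listed.
POLICY = [
    Rule("deny",  LAN, 25,            "no direct SMTP from clients"),
    Rule("allow", LAN, 587,           "mail submission"),
    Rule("allow", LAN, 993,           "IMAP over SSL"),
    Rule("allow", LAN, 995,           "POP over SSL"),
    Rule("allow", UPDATE_SERVER, 80,  "update server fetching upstream"),
    Rule("allow", UPDATE_SERVER, 443, "update server fetching upstream"),
    Rule("deny",  LAN, 80,            "general web surfing blocked"),
    Rule("deny",  LAN, 443,           "general web surfing blocked"),
    Rule("deny",  ANY, None,          "default deny"),
]


def decide(src_ip, dport):
    """Return (action, note) for an outbound connection from src_ip to dport."""
    src = ipaddress.ip_address(src_ip)
    for rule in POLICY:
        if src in rule.src and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.note
    return "deny", "no rule"          # unreachable while the ANY rule is last


# Constructed connection log, one "src dst dport" record per line.
SAMPLE_LOG = """\
192.168.10.20 198.51.100.7 443
192.168.10.5 198.51.100.7 443
192.168.10.21 198.51.100.9 25
192.168.10.21 198.51.100.9 587
192.168.10.22 198.51.100.11 993
"""


def evaluate_log(text):
    """Return [(src, dport, action)] for each record in a space-separated log."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _dst, dport = line.split()
        action, _note = decide(src, int(dport))
        results.append((src, int(dport), action))
    return results


def allowed_ports(src_ip):
    """Ports a given host can still reach: the residual surface the answer warns
    about, since any allowed port can carry a tunnel."""
    return sorted({r.dport for r in POLICY
                   if r.dport is not None and decide(src_ip, r.dport)[0] == "allow"})


if __name__ == "__main__":
    for src, dport, action in evaluate_log(SAMPLE_LOG):
        print(f"{src:>15} -> {dport:<4} {action}")
    print("client residual surface:", allowed_ports("192.168.10.20"))
    print("update server residual surface:", allowed_ports("192.168.10.5"))
```

Note that the update server matches the generic client rules first for port 25 (it is inside the LAN range), so putting the deny-25 rule at the top is what keeps it from relaying mail; swap the order of the web rules and the update server silently loses its upstream access. `allowed_ports` is the honest summary of what a knowledgeable user could still tunnel over, which is the answer's closing caveat.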
