Telnet & Rlogin

Hi,
I need to disable the telnet and rlogin services in The Solaris Server where SAP is installed.
Do you know if there is a problem with that ?
I have SAP 5.0,Solaris 10 and Oracle 9
I´m going to use SSH instead telnet.
Regards
Emilio

That should not be a problem IMHO.

Similar Messages

Inetd services (telnet, rlogin ,rsh) in Solaris 9 Branded Zone

Hi,
I've got two Solaris 9 Branded Zones running on an M3000. They both use exclusive IP.
When I try and telnet, rlogin or rsh to either of my Solaris 9 zones from the other I get an error. With the r* commands I get a "Protocol error" message, and telnet just reports a terminated connection. I've tried Mr. Google, the results I get make sense for a physical host - i.e Protocol Error would occur if the server executable (in.rlogind, etc) was somehow messed up.
Just to complicate things slightly the exclusive IP NICs are on a physically separate switch from the other NICs.
I'd forgotten that with the Branded Zones some native features are actually handled by the underlying global zone (i.e. Solaris 10).
Anyway, has anybody else had this same problem and how did you resolve it?
Thanks
Tim Shaw.

I found out that the services in the Global Zone had been disabled. Simply enabling them fixed the problem :)

Telnet, rlogin, ssh not ok on sun 240 with solaris 5.10 on it

Hello,
I am facing some problems with connecting througth telnet, rlogin or ssh on a SUN 240 server carying solaris 10 software on it. When I try to connect througth the serial port, it gives me this error:
telnet 10.151.145.6 2100Trying 10.151.145.6...
Connected to 10.151.145.6.
Escape character is '^]'.
rel4gold_sam_1_7_1 console login: Dec 22 18:21:33 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
Dec 22 18:23:33 rel4gold_sam_1_7_1 last message repeated 1 time
INIT: Command is respawning too rapidly. Check for possible errors.
id: cn "/opt/CCPUsrvr/bin/ccnd -s 38400 -f none -l /dev/term/b #CCPU CCNd"
Dec 22 18:25:34 rel4gold_sam_1_7_1 uplink: uplink1: Standby link failure - not receiving heartbeats (B)
rel4gold_sam_1_7_1 console login: root
Dec 22 18:25:51 rel4gold_sam_1_7_1 login: open_module: /usr/lib/security/pam_authtok_get.so.1 failed: ld.so.1: login: fatal: passwdutil.so.1: open failed: No such file or directory
Dec 22 18:25:51 rel4gold_sam_1_7_1 login: load_modules: can not open module /usr/lib/security/pam_authtok_get.so.1
Ping is working properly. Do you have any ideea how can i fix this problem?
Thank you.

Yeahh, guys!!!
I was trying to establish a two-node cluster using VirtualBox + Solaris x86 + Sun Cluster 3.2. The node where I was running scinstall to configure my cluster environment was rebooting the other node in the end of the configuration process but it was hanging in the "Rebooting node01..." message just because it was not able to establish the cluster.
After see your comments, I changed Solaris x86 to Solaris Express Community Edition and Sun Cluster to Cluster Express and now everything is working fine!
Thanks!
Jansen Sena <[email protected]>

How to enable rsh/telnet/rlogin

Hi Followed the instructions at:
http://docs.info.apple.com/article.html?artnum=106274
to enable rsh/telnet/rlogin services, and restarted the
machine (MacBook Pro, OS X 1.4, Darwin Kernel Version 8.6.1).
Still I can't remotely do telnet/rsh/rlogin to the mac
(get conenction refused error) from a Unix machine.
Could someone tell me how to enable these services
(right now ssh is the only one enabled by default,
the machine is within a firewall, and for some applications,
we need to enable rsh/rlgoin/telnet/ftp etc).
Thanks.
Macbook Pro Mac OS X (10.4)

Hi Followed the instructions at:
ttp://docs.info.apple.com/article.html?artnum=106274
to enable rsh/telnet/rlogin services, and restarted
the
machine (MacBook Pro, OS X 1.4, Darwin Kernel Version
8.6.1).
Still I can't remotely do telnet/rsh/rlogin to the
mac
(get conenction refused error) from a Unix machine.
If your firewall is activated
then you have to add 3 new filter rules:<pre>
Port Name: Other
TCP Port Number(s): 514
UDP Port Number(s):
Description: rsh
Port Name: Other
TCP Port Number(s): 513
UDP Port Number(s):
Description: rlogin
Port Name: Other
TCP Port Number(s): 23
UDP Port Number(s):
Description: telnet
</pre>
You don't have to restart your Mac or your session.
You could test it pretty quickly by doing a:<pre>
telnet localhost
rlogin localhost
rsh localhost pwd
</pre>
dan

Not Able to use telnet and Rlogin

Hi, since two of my system had unclean shutdown i am not been able to use Telnet and Rlogin or even SSh from my both of my system. the file in "/etc/default/login" is commented and there are system's entry in /etc/hosts file also. but still am not able to login i can ping both the system with each other. i am not even able to telnet localhost..!
"sunshine# telnet localhost
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused"
Thanks
atif

are you sure your services are UP ?
you can try :
netstat -an | grep 23
in order to see if port 23 is in LISTEN.
or ps -ef | grep inetd
to see if (x)inetd is running (inetd is the daemon who launches telnet/rlogin)
and if you're under solaris 10, just do something like :
svcs -a | grep telnet
to see if the daemon is online (if he's in maintenance, do a svcs -l telnet, and check the logfile associated to the service to see what happened)

I want open the ports and allow the telnet port also

Dear sir
dis is my router configurations
router#show running-config
Building configuration...
Current configuration : 1588 bytes
! Last configuration change at 06:58:58 UTC Tue Apr 8 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname INFOVEE
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
ip name-server 182.xx.xx.xx
ip name-server 182.xx.xx.xx
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO1941/K9 sn FGL172820EP
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 103.xx.xx.xx 255.255.xx.xx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source static 10.0.0.10 103.xx.xx.xx
ip nat inside source static 10.0.0.11 103.xx.xx.xx
ip nat inside source static 10.0.0.12 103.xx.xx.xx
ip nat inside source static 10.0.0.14 103.xx.xx.xx
ip nat inside source static 10.0.0.15103.xx.xx.xx
ip nat inside source static 10.0.0.16 103.xx.xx.xx
ip nat inside source static 10.0.0.9 103.xx.xx.xx
ip route 0.0.0.0 0.0.0.0 103.xx.xx.xx
control-plane
line con 0
password 12345
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 1235
login
transport input all
scheduler allocate 20000 1000
end
we have server only .. we want allow particular ports allow to my server how to open the ports in router please help me ... if any configuration mistakes please help me ....
Thank you

I'd advise you to download and use Cisco Configuration Professional (CCP) if you want to secure your router and setup some access-lists for your servers.
Right now your setup is very insecure (no authentication beyond a simple plain text password on the vty lines). CCP has a security audit feature that will remedy that and other issues.
For your servers, you will need an extended access-list applied to your outside interface Gi0/1 restricting access to the NATted server addresses on the ports you want to allow.

Cannot Telnet into 1921 router

Please Help, I cannot telnet into my 1921 router and not sure how to fix this. See below.
line con 0
password 7 XXXXX
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 XXXXXX
logging synchronous
login local
length 0
transport input none

Hello Brad,
Try entering
line vty 0 4
transport input telnet
Hope this helps,
if so, please rate.

Displayed Telnet ID

Dear all,
Anyone know how to remove the display of userid at telnet/rlogin login (like the password=> you type it, but nothing displayed)
Thank you in advance,
Benoit Tomson

What are you trying to accomplish?

Cisco SIP Phone 9971 won't register on CME 8.6 or 8.5 Please HELP

Please help me , I have problem with registering Cisco SIP phone 9971 with CME 8.6 on ISR 2901.
I configured CME for SIP clients, then I add configuration for 9971 phone and create profiles. Phone downloaded SEP...xml file from CME,after that phone look for g4-tones.xml and gd-sip.jar files, I added them to CME after that phone downloaded them and reboot. Now phone is stuck in some kind of loop and does not register on CME.
On phone log I can see repeting next few messeges.
12:01:58a No DNS Server IP
12:01:59a Updating Trust list
12:01:59a No Trust List instaled
12:01:59a SEP04C5AB03B0D.cnf.xml (TFTP) // at this time phone download SEP...xml file from CME
12:02:00a VPN Error: VPN is not Configured
on CME if issue DEBUG TFTP EVENTS i receive next few lines
*Aug 18 18:20:19.891: TFTP: Looking for CTLSEP04C5A4B03B0D.tlv
*Aug 18 18:20:19.987: TFTP: Looking for ITLSEP04C5A4B03B0D.tlv
*Aug 18 18:20:20.083: TFTP: Looking for ITLFile.tlv
*Aug 18 18:20:20.347: TFTP: Looking for SEP04C5A4B03B0D.cnf.xml
*Aug 18 18:20:20.351: TFTP: Opened flash:/SEP04C5A4B03B0D.cnf.xml, fd 14, size 4585 for process 141
*Aug 18 18:20:20.363: TFTP: Finished flash:/SEP04C5A4B03B0D.cnf.xml, time 00:00:00 for process 141
here you can see verison info of CME
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 15:31 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
ELTOSAN_ROUTER uptime is 1 hour, 50 minutes
System returned to ROM by reload at 16:29:20 UTC Thu Aug 18 2011
System image file is "flash:/c2900-universalk9-mz.SPA.151-4.M.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
Cisco CISCO2901/K9 (revision 1.0) with 471040K/53248K bytes of memory.
Processor board ID FGL1508252Y
3 Gigabit Ethernet interfaces
2 terminal lines
1 Virtual Private Network (VPN) Module
4 Voice FXO interfaces
4 Voice FXS interfaces
1 Internal Services Module (ISM) with Services Ready Engine (SRE)
   Survivable Remote Site Voicemail (SRSV) on Cisco Unity Express (CUE) 8.5.1 in slot/sub-slot 0/0
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO2901/K9          xxxxxxxxxxxxx
Technology Package License Information for Module:'c2900'
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
uc            uck9          Permanent     uck9
data          None          None          None
Configuration register is 0x2102
this is RUNNING CONFIGURATION
! Last configuration change at 16:10:12 UTC Thu Aug 18 2011
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ELTOSAN_ROUTER
boot-start-marker
boot system flash:/c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
no aaa new-model
no ipv6 cef
ip source-route
no ip routing
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.5.200 192.168.5.255
ip dhcp pool phone
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.251
   option 150 ip 192.168.5.251
ip dhcp pool data
   relay source 192.168.2.0 255.255.255.0
   relay destination 192.168.2.201
multilink bundle-name authenticated
crypto pki token default removal timeout 0
voice-card 0
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
fax protocol pass-through g711alaw
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 192.168.5.251 port 5060
max-dn 6
max-pool 6
load 9971 sip9971.9-1-1SR1.loads
authenticate register
tftp-path flash:
create profile sync 0005135312289902
voice register dn 1
number 207
allow watch
name GossaVM
label 207
voice register dn 3
number 101
name Dejan
label 101
mwi
voice register pool 1
id mac 000C.29C5.0011
number 1 dn 1
dtmf-relay sip-notify
username testvm password testera
codec g711alaw
voice register pool 3
id mac 04C5.A4B0.3B0D
type 9971
number 3 dn 3
presence call-list
dtmf-relay rtp-nte
username dejan password 1234
codec g711alaw
no vad
license udi pid CISCO2901/K9 sn xxxxxxxxxxxx
hw-module ism 0
hw-module pvdm 0/0
redundancy
interface GigabitEthernet0/0
description INTERFACE INTERNAL
no ip address
no ip route-cache
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/0.2
description LAN DATA
encapsulation dot1Q 2
ip address 192.168.2.251 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.5
description LAN VOICE
encapsulation dot1Q 5
ip address 192.168.5.251 255.255.255.0
no ip route-cache
interface ISM0/0
no ip address
no ip route-cache
shutdown
!Application: SRSV-CUE Running on ISM
interface GigabitEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
shutdown
interface Vlan1
no ip address
no ip route-cache
shutdown
ip forward-protocol nd
no ip http server
no ip http secure-server
snmp-server community public RO
tftp-server flash:dkern9971.100609R2-9-1-1SR1.sebn alias dkern9971.100609R2-9-1-1SR1.sebn
tftp-server flash:kern9971.9-1-1SR1.sebn alias kern9971.9-1-1SR1.sebn
tftp-server flash:rootfs9971.9-1-1SR1.sebn alias rootfs9971.9-1-1SR1.sebn
tftp-server flash:sboot9971.031610R1-9-1-1SR1.sebn alias sboot9971.031610R1-9-1-1SR1.sebn
tftp-server flash:skern9971.022809R2-9-1-1SR1.sebn alias skern9971.022809R2-9-1-1SR1.sebn
tftp-server flash:sip9971.9-1-1SR1.loads alias sip9971.9-1-1SR1.loads
tftp-server flash:United_States/g4-tones.xml
tftp-server flash:English_United_States/gd-sip.jar
control-plane
voice-port 0/0/0
voice-port 0/0/1
voice-port 0/0/2
voice-port 0/0/3
voice-port 0/1/0
voice-port 0/1/1
voice-port 0/1/2
voice-port 0/1/3
mgcp profile default
gatekeeper
shutdown
line con 0
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password jebiga
login
transport input all
end
I did not have any kind of problem with X-LITE to register to CME. also try with few SCCP phones 7940 and I did not any kind of problem .
this is content of SEP....xml file for 9971
<device>
<deviceProtocol>SIP</deviceProtocol>
<devicePool>
<dateTimeSetting>
<dateTemplate>M/D/YA</dateTemplate>
<timeZone>Pacific Standard/Daylight Time</timeZone>
<ntps>
<ntp priority="0">
<name>0.0.0.0</name>
<ntpMode>unicast</ntpMode>
</ntp>
</ntps>
</dateTimeSetting>
<callManagerGroup>
<members>
<member priority="0">
<callManager>
<ports>
<sipPort>5060</sipPort>
</ports>
<processNodeName>192.168.5.251</processNodeName>
</callManager>
</member>
</members>
</callManagerGroup>
</devicePool>
<sipProfile>
<sipProxies>
<registerWithProxy>true</registerWithProxy>
</sipProxies>
<sipCallFeatures>
<cnfJoinEnabled>true</cnfJoinEnabled>
<localCfwdEnable>true</localCfwdEnable>
<callForwardURI>service-uri-cfwdall</callForwardURI>
<callPickupURI>service-uri-pickup</callPickupURI>
<callPickupGroupURI>service-uri-gpickup</callPickupGroupURI>
<callHoldRingback>2</callHoldRingback>
<semiAttendedTransfer>true</semiAttendedTransfer>
<anonymousCallBlock>2</anonymousCallBlock>
<callerIdBlocking>2</callerIdBlocking>
<dndControl>2</dndControl>
<remoteCcEnable>true</remoteCcEnable>
</sipCallFeatures>
<sipStack>
<remotePartyID>true</remotePartyID>
</sipStack>
<sipLines>
<line button="1" lineIndex="1">
<featureID>9</featureID>
<featureLabel></featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name></name>
<displayName></displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>1</callWaiting>
<authName>dejan</authName>
<authPassword>1234</authPassword>
<sharedLine>false</sharedLine>
<messagesNumber></messagesNumber>
<ringSettingActive>5</ringSettingActive>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>true</callerNumber>
<redirectedNumber>true</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
</line>
<line button="2" lineIndex="2">
<featureID>9</featureID>
<featureLabel>101</featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name>101</name>
<displayName>Dejan Rakic</displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>1</callWaiting>
<authName>dejan</authName>
<authPassword>1234</authPassword>
<sharedLine>false</sharedLine>
<messagesNumber></messagesNumber>
<ringSettingActive>5</ringSettingActive>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>true</callerNumber>
<redirectedNumber>true</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
</line>
</sipLines>
<enableVad>true</enableVad>
<preferredCodec>g711alaw</preferredCodec>
<dialTemplate></dialTemplate>
<kpml>1</kpml>
<phoneLabel></phoneLabel>
<stutterMsgWaiting>2</stutterMsgWaiting>
<disableLocalSpeedDialConfig>true</disableLocalSpeedDialConfig>
<dscpForAudio>184</dscpForAudio>
<dscpVideo>136</dscpVideo>
</sipProfile>
<commonProfile>
<phonePassword>1234</phonePassword>
<callLogBlfEnabled>2</callLogBlfEnabled>
</commonProfile>
<featurePolicyFile>featurePolicyDefault.xml</featurePolicyFile>
<loadInformation>sip9971.9-1-1SR1.loads</loadInformation>
<vendorConfig>
</vendorConfig>
<commonConfig>
<videoCapability>0</videoCapability>
<ciscoCamera>0</ciscoCamera>
</commonConfig>
<sshUserId>dejan</sshUserId>
<sshPassword>1234</sshPassword>
<userId></userId>
<phoneServices>
<provisioning>2</provisioning>
<phoneService type="1" category="0">
<name>Missed Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/MissedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="1" category="0">
<name>Received Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/ReceivedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="1" category="0">
<name>Placed Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/PlacedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="2" category="0">
<name>Voicemail</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/Voicemail</url>
<vendor></vendor>
<version></version>
</phoneService>
</phoneServices>
<versionStamp>0131511014412102</versionStamp>
<userLocale>
<name>English_United_States</name>
<langCode>en</langCode>
</userLocale>
<networkLocale>United_States</networkLocale>
<networkLocaleInfo>
<name>United_States</name>
</networkLocaleInfo>
<authenticationURL></authenticationURL>
<directoryURL></directoryURL>
<servicesURL>http://192.168.5.251:80/CMEserverForPhone/serviceurl</servicesURL>
<dscpForSCCPPhoneServices>0</dscpForSCCPPhoneServices>
<dscpForCm2Dvce>96</dscpForCm2Dvce>
<transportLayerProtocol>2</transportLayerProtocol>
</device>

Hello,
I'm facing exactly the same problem, that is:
a Cisco SIP Phone 9971 won't register on CME 8.6 running on a 2811
I have read all the postings to this Forum, but I have not been able to solve it.
In my case the commands voice register dn and voice register pool are OK.
So frankly, I have no idea what I could be missing.
I'm pasting the Router's config.
I hope somebody is able to point me in the right direction.
Here is the config. Thank you!
C2811#sh run
Building configuration...
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname C2811
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 172.25.140.1 172.25.140.10
ip dhcp excluded-address 172.35.140.1 172.35.140.10
ip dhcp pool Data
network 172.25.140.0 255.255.255.0
default-router 172.25.140.1
option 150 ip 172.25.140.1
dns-server 172.25.140.1
ip dhcp pool Voice
network 172.35.140.0 255.255.255.0
default-router 172.35.140.1
option 150 ip 172.35.140.1
dns-server 172.35.140.1
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice service voip
allow-connections sip to sip
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 172.25.140.1 port 5060
max-dn 40
max-pool 42
load 9971 sip9971.9-4-1-9.loads
authenticate register
authenticate realm cisco
tftp-path flash:
create profile sync 0004820400584603
voice register dn 1
number 1010
allow watch
name Phone10
label Phone10
mwi
voice register pool 1
id mac 189C.5DB6.BD09
type 9971
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username adm password adm
call-forward b2bua busy 68600
codec g711ulaw
no vad
camera
video
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879153754
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879153754
revocation-check none
rsakeypair TP-self-signed-1879153754
crypto pki certificate chain TP-self-signed-1879153754
certificate self-signed 01
(details ommited)
license udi pid CISCO2811 sn FTX1146A44H
username admin privilege 15 password 0 admin
redundancy
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.25
description Data VLAN
encapsulation dot1Q 25
ip address 172.25.140.1 255.255.255.0
interface FastEthernet0/0.35
description Voice VLAN
encapsulation dot1Q 35
ip address 172.35.140.1 255.255.255.0
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
tftp-server flash:P00308010200.bin
tftp-server flash:P00308010200.sbn
tftp-server flash:P00308010200.sb2
tftp-server flash:P00308010200.loads
tftp-server flash:SCCP42.9-3-1SR3-1S.loads
tftp-server flash:apps42.9-3-1ES19.sbn
tftp-server flash:cnu42.9-3-1ES19.sbn
tftp-server flash:cvm42sccp.9-3-1ES19.sbn
tftp-server flash:dsp42.9-3-1ES19.sbn
tftp-server flash:jar42sccp.9-3-1ES19.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:SCCP45.9-3-1SR3-1S.loads
tftp-server flash:apps45.9-3-1ES19.sbn
tftp-server flash:cnu45.9-3-1ES19.sbn
tftp-server flash:cvm45sccp.9-3-1ES19.sbn
tftp-server flash:dsp45.9-3-1ES19.sbn
tftp-server flash:jar45sccp.9-3-1ES19.sbn
tftp-server flash:term45.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:/Ringtones/Ringlist.xml alias Ringlist.xml
tftp-server flash:/Ringtones/DistinctiveRingList.xml alias DistinctiveRingList.x
ml
tftp-server flash:sip9971.9-4-1-9.loads
tftp-server flash:kern9971.9-4-1-9.sebn
tftp-server flash:rootfs9971.9-4-1-9.sebn
tftp-server flash:dkern9971.100609R2-9-4-1-9.sebn
tftp-server flash:sboot9971.031610R1-9-4-1-9.sebn
tftp-server flash:skern9971.022809R2-9-4-1-9.sebn
tftp-server flash:/g4-tones.xml alias United_States/g4-tones.xml
tftp-server flash:/gd-sip.jar alias English_United_States/gd-sip.jar
control-plane
mgcp profile default
telephony-service
max-ephones 24
max-dn 48
ip source-address 172.25.140.1 port 2000
cnf-file location flash:
load 7960-7940 P00308010200
load 7942 SCCP42.9-3-1SR3-1S.loads
load 7945 SCCP45.9-3-1SR3-1S.loads
load 7962 SCCP42.9-3-1SR3-1S.loads
load 7965 SCCP45.9-3-1SR3-1S.loads
max-conferences 8 gain -6
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Feb 11 2014 07:18:32
ephone-dn 1
number 1001
description Phone 1
name Phone 1
hold-alert 30 originator
ephone-dn 2
number 1002
description Phone 2
name Phone 2
hold-alert 30 originator
ephone-dn 3
number 1003
description Phone 3
name Phone 3
hold-alert 30 originator
ephone 1
device-security-mode none
mac-address 001C.58FB.6E0F
button 1:1
ephone 2
device-security-mode none
mac-address 0014.A981.7F8A
button 1:2
ephone 3
device-security-mode none
mac-address 0006.5356.A4B8
button 1:3
alias exec con conf t
alias exec sib show ip int brief
alias exec srb show run | b
alias exec sri show run int
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
scheduler allocate 20000 1000
ntp master 1
end
C2811#

Trouble with my T1's and E1's in the lab - please help.... :-)

I'm working through my CCIE Voice/Collaboration training materials and am just about finished with the physical construction of the lab. At this time I'm just going to install a new T1 card into my BR1 router and I'm trying to get my T1 to HQ (HQ router) and my E1 to BR2 (Branch2 router) up and running. I am enclosing the "show run", "show isdn status" and "show e1/t1 controller" outputs. I am using a 2801 for my HQ router, a 2851 for my PSTN/IP-WAN router, and a 2811 for my BR2 router.
I am using a T1 cable RJ-48C/RJ-48C. I'm embarassed to say it - but I don't have a cable tester at the time. I lended my backup out to a friend and my primary one is not working. I'm also not 100% sure that I'm using the correct cable. I have VWIC2-2MFT-T1/E1 cards in my routers and I have a 2851 (PSTN router) setup to give connectivity via the T1's to HQ and BR1 and E1 connectivity to BR2. I have taken the liberty of attaching my configs, as mentioned I don't think I have cable issues because this is the case with all my cables.
Main issue, in the "show isdn stat" the layer 1 status is "deactivated" and when I do a shut/no shut the status goes to "shutdown" and doesn't come back up despite my efforts to enable the interface. The only way to fix it is to reboot the router. I've got to be missing something - I just want to get my T1's and E1 up for my CCIE Lab. I'm building my lab based on the CCIE Voice specification and have the ability to get it modified eventually to fit the CCIE Collaboration lab.
***PLEASE go easy on me - I'm sure there is a fundamental configuration item or concept I'm not thinking about so I'm preparing to look like a fool - but that's okay....it's part of learning. :-) ***
Any help would be so much appreciated. All configs are pasted below.......
==========================================================
=================START OF BR2 CONFIG=======================
BR2_RTR#show controllers e1
E1 0/0/0 is down.
Applique type is Channelized E1 - balanced
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Version info Firmware: 20100222, FPGA: 13, spm_count = 0
Framing is CRC4, Line Code is HDB3, Clock Source is Line.
Data in current interval (895 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 895 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
BR2_RTR#show isdn stat
Global ISDN Switchtype = primary-net5
ISDN Serial0/0/0:15 interface
        dsl 0, interface ISDN Switchtype = primary-net5
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
    Total Allocated ISDN CCBs = 0
BR2_RTR#show inventory
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811         , VID: V06 , SN: FTX1328A0D3
NAME: "VWIC2-1MFT-T1/E1 - 1-Port RJ-48 Multiflex Trunk - T1/E1 on Slot 0 SubSlot 0", DESCR: "VWIC2-1MFT-T1/E1 - 1-Port RJ-48 Multiflex Trunk - T1/E1"
PID: VWIC2-1MFT-T1/E1 , VID: V01 , SN: FOC11271UAU
NAME: "WAN Interface Card - Serial 2T on Slot 0 SubSlot 1", DESCR: "WAN Interface Card - Serial 2T"
PID: WIC-2T            , VID: V01, SN: 35759031
NAME: "PVDMII DSP SIMM with three DSPs on Slot 0 SubSlot 5", DESCR: "PVDMII DSP SIMM with three DSPs"
PID: PVDM2-48          , VID: V01 , SN: FOC12221GJE
NAME: "AIM Service Engine 0", DESCR: "AIM Service Engine"
PID: AIM-CUE           , VID: V03 , SN: FOC11505K9D
NAME: "16 Port 10BaseT/100BaseTX EtherSwitch on Slot 1", DESCR: "16 Port 10BaseT/100BaseTX EtherSwitch"
PID: NM-16ESW=         , VID: 1.0, SN: FOC09245Q0H
NAME: "Power daughter card for 16 port EtherSwitch NM on Slot 1 SubSlot 0", DESCR: "Power daughter card for 16 port EtherSwitch NM"
PID:                     , VID: 1.0, SN: FOC09243VGH
NAME: "Gigabit(1000BaseT) module for EtherSwitch NM on Slot 1 SubSlot 1", DESCR: "Gigabit(1000BaseT) module for EtherSwitch NM"
PID:                     , VID: 1.0, SN: FOC092034R1
BR2_RTR#
BR2_RTR#
BR2_RTR#
BR2_RTR#
BR2_RTR#
BR2_RTR#show run
Building configuration...
Current configuration : 9148 bytes
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname BR2_RTR
boot-start-marker
boot-end-marker
card type e1 0 0
enable secret 5 $1$kYuC$TYARPnIw8mjqiVM3CqM15.
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring 1 Sun Apr 1:00 last Sun Oct 1:00
network-clock-participate wic 0
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 192.168.30.1 192.168.30.49
ip dhcp excluded-address 192.168.30.70 192.168.30.254
ip dhcp pool PHONES
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
option 150 ip 3.3.3.3
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
isdn switch-type primary-net5
voice service voip
allow-connections sip to sip
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
registrar server expires max 600 min 60
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
h225 timeout tcp establish 3
voice register global
mode cme
source-address 3.3.3.3 port 5060
max-dn 20
max-pool 10
load 7960-7940 P0S3-08-6-00
authenticate register
tftp-path flash:
create profile sync 1684632613172238
voice register dn 1
number 3005
name BR2_Phone3
voice register dn 2
number 3006
name BR2_Phone4
voice register template 1
no conference enable
voice register dialplan 1
type 7940-7960-others
pattern 1 3...
pattern 2 999
voice register pool 1
id mac 0008.E31B.7CD4
type 7960
number 1 dn 1
template 1
dtmf-relay sip-notify
username 3005 password cisco
description 3214-3005
codec g711ulaw
voice translation-rule 1
rule 1 /^$3...$$/ /3214\1/
voice translation-rule 2
rule 1 /^32143/ /3/
rule 2 /^\+3432143/ /3/
voice translation-rule 3000
rule 1 /^3000/ /1002/
voice translation-profile 3000
translate called 3000
voice translation-profile 4digitDNIS
translate called 2
voice translation-profile 8digitANI
translate calling 1
voice-card 0
crypto pki token default removal timeout 0
license udi pid CISCO2811 sn FTX1328A0D3
redundancy
controller E1 0/0/0
pri-group timeslots 1-3,16
interface Loopback0
ip address 3.3.3.3 255.255.255.255
h323-gateway voip bind srcaddr 3.3.3.3
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface Service-Engine0/0
no ip address
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.21
description BR2-PHONES(RTR on a stick)
encapsulation dot1Q 21
ip address 192.168.30.1 255.255.255.0
interface FastEthernet0/1.22
description BR2-DATA(RTR on a stick)
encapsulation dot1Q 22
ip address 192.168.31.1 255.255.255.0
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
isdn bchan-number-order ascending
isdn outgoing display-ie
no cdp enable
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
interface Serial0/1/1
description BR2-RTR_IP-WAN
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
interface Serial0/1/1.1 point-to-point
ip address 10.1.1.2 255.255.255.128
frame-relay interface-dlci 301
interface FastEthernet1/0
description BR2-PHONE1
switchport mode trunk
switchport voice vlan 40
no ip address
spanning-tree portfast
interface FastEthernet1/1
description BR2-PHONE2
switchport mode trunk
switchport voice vlan 40
no ip address
spanning-tree portfast
interface FastEthernet1/2
no ip address
interface FastEthernet1/3
no ip address
interface FastEthernet1/4
no ip address
interface FastEthernet1/5
no ip address
interface FastEthernet1/6
no ip address
interface FastEthernet1/7
no ip address
interface FastEthernet1/8
no ip address
interface FastEthernet1/9
no ip address
interface FastEthernet1/10
no ip address
interface FastEthernet1/11
no ip address
interface FastEthernet1/12
no ip address
interface FastEthernet1/13
no ip address
interface FastEthernet1/14
no ip address
interface FastEthernet1/15
no ip address
interface GigabitEthernet1/0
no ip address
interface Vlan1
no ip address
interface Vlan30
description PHONES-VLAN-FOR-LAYER3-SWITCHING
no ip address
shutdown
interface Vlan31
description DATA-VLAN-FOR-LAYER3-SWITCHING
no ip address
shutdown
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.31.0 0.0.0.255 area 0
network 192.168.0.0 0.0.255.255 area 0
ip forward-protocol nd
ip http server
no ip http secure-server
ip http path flash:/GUI
ip route 192.168.100.0 255.255.255.0 10.1.1.1
tftp-server flash:Desktops/320x212x12/CampusNight.png
tftp-server flash:Desktops/320x212x12/CiscoFountain.png
tftp-server flash:Desktops/320x212x12/MorroRock.png
tftp-server flash:Desktops/320x212x12/NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/TN-CampusNight.png
tftp-server flash:Desktops/320x212x12/TN-CiscoFountain.png
tftp-server flash:Desktops/320x212x12/TN-Fountain.png
tftp-server flash:Desktops/320x212x12/TN-MorroRock.png
tftp-server flash:Desktops/320x212x12/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/Fountain.png
tftp-server flash:Desktops/320x212x12/CiscoLogo.png
tftp-server flash:Desktops/320x212x12/TN-CiscoLogo.png
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:ringtones/Analog1.raw
tftp-server flash:ringtones/Analog2.raw
tftp-server flash:ringtones/AreYouThere.raw
tftp-server flash:ringtones/AreYouThereF.raw
tftp-server flash:ringtones/Bass.raw
tftp-server flash:ringtones/CallBack.raw
tftp-server flash:ringtones/Chime.raw
tftp-server flash:ringtones/Classic1.raw
tftp-server flash:ringtones/Classic2.raw
tftp-server flash:ringtones/ClockShop.raw
tftp-server flash:ringtones/DistinctiveRingList.xml
tftp-server flash:ringtones/Drums1.raw
tftp-server flash:ringtones/Drums2.raw
tftp-server flash:ringtones/FilmScore.raw
tftp-server flash:ringtones/HarpSynth.raw
tftp-server flash:ringtones/Jamaica.raw
tftp-server flash:ringtones/KotoEffect.raw
tftp-server flash:ringtones/MusicBox.raw
tftp-server flash:ringtones/Piano1.raw
tftp-server flash:ringtones/Piano2.raw
tftp-server flash:ringtones/Pop.raw
tftp-server flash:ringtones/Pulse1.raw
tftp-server flash:ringtones/Ring1.raw
tftp-server flash:ringtones/Ring2.raw
tftp-server flash:ringtones/Ring3.raw
tftp-server flash:ringtones/Ring4.raw
tftp-server flash:ringtones/Ring5.raw
tftp-server flash:ringtones/Ring6.raw
tftp-server flash:ringtones/Ring7.raw
tftp-server flash:ringtones/RingList.xml
tftp-server flash:ringtones/Sax1.raw
tftp-server flash:ringtones/Sax2.raw
tftp-server flash:ringtones/Vibe.raw
tftp-server flash:PHONE/7940-7960/P0S3-08-6-00.loads alias P0S3-08-6-00.loads
tftp-server flash:PHONE/7940-7960/P0S3-08-6-00.sb2 alias P0S3-08-6-00.sb2
tftp-server flash:PHONE/7940-7960/P0S3-08-6-00.bin alias P0S3-08-6-00.bin
tftp-server flash:PHONE/7940-7960/P0S3-08-6-00.sbn alias P0S3-08-6-00.sbn
control-plane
voice-port 0/0/0:15
translation-profile outgoing 4digitDNIS
mgcp profile default
dial-peer voice 999 pots
translation-profile outgoing 8digitANI
destination-pattern 999
port 0/0/0:15
forward-digits 3
dial-peer voice 1 voip
incoming called-number .
dial-peer voice 901134 pots
destination-pattern 901134T
port 0/0/0:15
dial-peer voice 3000 voip
translation-profile outgoing 3000
destination-pattern 3000
session target ipv4:192.168.15.23
voice-class codec 1
voice-class h323 1
telephony-service
no auto-reg-ephone
max-ephones 10
max-dn 20
ip source-address 3.3.3.3 port 2000
network-locale ES
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
web admin system name admin password cisco
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Jan 23 2014 05:43:52
ephone-template 1
softkeys connected Hold Select Trnsfer Endcall HLog Park
ephone-dn 1
number 3001
name BR2_Phone1
ephone-dn 2
number 3002
name BR2_Phone2
ephone 1
device-security-mode none
description 3214-3001
mac-address 0008.A3FD.3A32
ephone-template 1
max-calls-per-button 5
busy-trigger-per-button 3
type 7960
button 1:1
ephone 2
device-security-mode none
description 3214-3002
mac-address 0017.E0C6.E232
ephone-template 1
max-calls-per-button 5
busy-trigger-per-button 3
type 7961
button 1:2
banner motd ^CBR2 ROUTER CUCME/CUE^C
line con 0
password cisco
logging synchronous
login
line aux 0
line 194
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password cisco
login
transport input all
line vty 5 15
password cisco
login
transport input all
scheduler allocate 20000 1000
ntp server 172.30.1.2
end
===========END OF BR2 CONFIG=================
===========START OF HQ CONFIG================
HQ-RTR#show inventory
NAME: "chassis", DESCR: "2801 chassis"
PID: CISCO2801         , VID: V02 , SN: FTX1016Y07Z
NAME: "motherboard", DESCR: "C2801 Motherboard with 2 Fast Ethernet"
PID: CISCO2801         , VID: V02 , SN: FOC10140N6M
NAME: "WIC/VIC 2", DESCR: "Two port T1 voice interface daughtercard"
PID: VWIC-2MFT-T1=     , VID: 1.0, SN: 32867042
NAME: "WIC/VIC/HWIC 3", DESCR: "WAN Interface Card - Serial 2T"
PID: WIC-2T=           , VID: 1.0, SN: 32195023
NAME: "PVDM 0", DESCR: "PVDMII DSP SIMM with three DSPs"
PID: PVDM2-48          , VID: V01 , SN: FOC132935YB
HQ-RTR#
HQ-RTR#show controllers t1
T1 0/2/0 is down.
Applique type is Channelized T1
Cablelength is long gain36 0db
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Soaking time: 3, Clearance time: 10
AIS State:Clear LOS State:Clear LOF State:Clear
Version info Firmware: 20090113, FPGA: 20, spm_count = 0
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
CRC Threshold is 320. Reported from firmware is 320.
Data in current interval (709 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 709 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
T1 0/2/1 is down.
Applique type is Channelized T1
Cablelength is long gain36 0db
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Soaking time: 3, Clearance time: 10
AIS State:Clear LOS State:Clear LOF State:Clear
Version info Firmware: 20090113, FPGA: 20, spm_count = 0
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
CRC Threshold is 320. Reported from firmware is 320.
Data in current interval (709 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 709 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
HQ-RTR#show isdn stat
Global ISDN Switchtype = primary-ni
ISDN Serial0/2/0:23 interface
        dsl 0, interface ISDN Switchtype = primary-ni
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
    Total Allocated ISDN CCBs = 0
HQ-RTR#
HQ-RTR#show run
Building configuration...
Current configuration : 6734 bytes
! Last configuration change at 02:32:03 UTC Tue Feb 4 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HQ-RTR
boot-start-marker
boot-end-marker
logging buffered 512000 informational
enable secret 5 $1$K8GP$JbYRetpgnaxvy2wnjrPDW/
no aaa new-model
network-clock-participate wic 2
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp excluded-address 192.168.12.1 192.168.12.10
ip dhcp excluded-address 192.168.13.1 192.168.13.10
ip dhcp excluded-address 192.168.14.1 192.168.14.10
ip dhcp excluded-address 192.168.16.1 192.168.16.10
ip dhcp excluded-address 192.168.17.1 192.168.17.10
ip dhcp pool HQ-BR1-Pool
import all
network 192.168.11.0 255.255.255.0
option 150 ip 10.10.210.10
default-router 192.168.11.1
domain-name proctorlabs.com
dns-server 8.8.4.4 8.8.8.8
lease 8
ip dhcp pool BR2-Pool
import all
network 192.168.12.0 255.255.255.0
option 150 ip 10.10.202.1
default-router 192.168.12.1
domain-name proctorlabs.com
dns-server 8.8.4.4 8.8.8.8
lease 8
ip dhcp pool PSTN-Pool
import all
network 192.168.13.0 255.255.255.0
option 150 ip 10.10.100.2
default-router 192.168.13.1
domain-name proctorlabs.com
dns-server 8.8.4.4 8.8.8.8
lease 8
ip dhcp pool Laptop-Pool
import all
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
domain-name proctorlabs.com
dns-server 8.8.4.4 8.8.8.8
lease 8
ip dhcp pool WIRELESS-HOME
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 4.2.2.2
domain-name proctorlabs.com
lease 8
ip cef
no ip domain lookup
ip domain name proctorlabs.com
no ipv6 cef
multilink bundle-name authenticated
isdn switch-type primary-ni
voice service voip
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice-card 0
crypto pki token default removal timeout 0
license udi pid CISCO2801 sn FTX1016Y07Z
archive
log config
hidekeys
controller T1 0/2/0
pri-group timeslots 1-3,24
controller T1 0/2/1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
description (Outside Public Interface)
ip address dhcp
ip access-group FW-IN in
no ip unreachables
ip mtu 1300
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
description (Inside Private Interface)
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.12
description (Inside Private Interface)
encapsulation dot1Q 12
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.13
description (Inside Private Interface)
encapsulation dot1Q 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.14
description (Inside Private Interface)
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.15
description LAB-SERVERS
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.16
description WIRELESS-HOME
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.17
description LAB-HQ-PHONES
encapsulation dot1Q 17
ip address 192.168.17.1 255.255.255.0
ip helper-address 192.168.15.22
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.18
description LAB-HQ-DATA
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
ip helper-address 192.168.15.22
ip nat inside
ip virtual-reassembly in
interface FastEthernet0/1.501
description PSTN-RTR_MGMT-NETWORK
encapsulation dot1Q 501
ip address 172.30.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Serial0/2/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn outgoing display-ie
no cdp enable
interface Serial0/3/0
description HQ-RTR_IP-WAN
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
interface Serial0/3/0.1 point-to-point
ip address 10.1.1.1 255.255.255.128
ip ospf mtu-ignore
snmp trap link-status
frame-relay interface-dlci 103
interface Serial0/3/0.2 point-to-point
ip address 10.1.1.129 255.255.255.128
ip ospf mtu-ignore
snmp trap link-status
frame-relay interface-dlci 102
interface Serial0/3/1
no ip address
shutdown
clock rate 2000000
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.0 0.0.0.255 area 0
network 172.30.1.0 0.0.0.3 area 0
network 192.168.0.0 0.0.255.255 area 0
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1 254
ip route 192.168.100.0 255.255.255.0 172.30.1.2
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 101 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any eq bootpc any
access-list 102 permit udp any eq bootps any
disable-eadi
control-plane
voice-port 0/2/0:23
mgcp fax t38 ecm
mgcp profile default
dial-peer voice 91212 pots
description PSTN-CALLS-TO-NYC-AREA-CODE
destination-pattern 91212T
port 0/2/0:23
forward-digits all
dial-peer voice 1 pots
description INCOMING-DIAL-PEER_PSTN
incoming called-number .
direct-inward-dial
port 0/2/0:23
dial-peer voice 1000 voip
destination-pattern 2123941...
session protocol sipv2
session target ipv4:192.168.15.23
incoming called-number .
voice-class codec 1
dtmf-relay rtp-nte
no vad
dial-peer voice 1001 voip
preference 1
destination-pattern 2123941...
session protocol sipv2
session target ipv4:192.168.15.22
incoming called-number .
voice-class codec 1
dtmf-relay rtp-nte
no vad
sip-ua
retry invite 2
timers trying 300
line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 30 0
privilege level 15
password cisco
logging synchronous
login
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
password cisco
logging synchronous
login
transport input telnet ssh
scheduler allocate 20000 1000
end
HQ-RTR#
=============END OF HQ CONFIG=============
=======START OF PSTN-IP-WAN_RTR CONFIG=========
PSTN_IP-WAN_RTR#show inventory
NAME: "2851 chassis", DESCR: "2851 chassis"
PID: CISCO2851         , VID: V01 , SN: FTX0922A1E7
NAME: "VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1 on Slot 0 SubSlot 0", DESCR: "VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1"
PID: VWIC2-2MFT-T1/E1 , VID: V01 , SN: FOC11063UF9
NAME: "WAN Interface Card - Serial 2T on Slot 0 SubSlot 1", DESCR: "WAN Interface Card - Serial 2T"
PID: WIC-2T      , VID: V01, SN: 35845606
NAME: "Two port T1 voice interface daughtercard on Slot 0 SubSlot 2", DESCR: "Two port T1 voice interface daughtercard"
PID: VWIC-2MFT-T1=     , VID: 1.0, SN: 29803060
NAME: "WAN Interface Card - Serial 2T on Slot 0 SubSlot 3", DESCR: "WAN Interface Card - Serial 2T"
PID: WIC-2T=           , VID: 1.0, SN: 23188546
NAME: "PVDMII DSP SIMM with Two DSPs on Slot 0 SubSlot 4", DESCR: "PVDMII DSP SIMM with Two DSPs"
PID: PVDM2-32          , VID: V01 , SN: FOC12045356
PSTN_IP-WAN_RTR#show controllers t1
T1 0/2/0 is down.
Applique type is Channelized T1
Cablelength is long gain36 0db
Description: HQ_T1
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Soaking time: 3, Clearance time: 10
AIS State:Clear LOS State:Clear LOF State:Clear
Version info Firmware: 20071129, FPGA: 20, spm_count = 0
Framing is ESF, Line Code is B8ZS, Clock Source is Internal.
CRC Threshold is 320. Reported from firmware is 320.
Data in current interval (852 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 852 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
T1 0/2/1 is down.
Applique type is Channelized T1
Cablelength is long gain36 0db
Description: BR1_T1
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Soaking time: 3, Clearance time: 10
AIS State:Clear LOS State:Clear LOF State:Clear
Version info Firmware: 20071129, FPGA: 20, spm_count = 0
Framing is ESF, Line Code is B8ZS, Clock Source is Internal.
CRC Threshold is 320. Reported from firmware is 320.
Data in current interval (854 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 854 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
PSTN_IP-WAN_RTR#show controllers e1
E1 0/0/0 is down.
Applique type is Channelized E1 - balanced
Cablelength is Unknown
Description: BR2_E1
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Version info Firmware: 20071011, FPGA: 13, spm_count = 0
Framing is CRC4, Line Code is HDB3, Clock Source is Internal.
Data in current interval (862 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 862 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
E1 0/0/1 is down.
Applique type is Channelized E1 - balanced
Cablelength is Unknown
Transmitter is sending remote alarm.
Receiver has loss of signal.
alarm-trigger is not set
Version info Firmware: 20071011, FPGA: 13, spm_count = 0
Framing is CRC4, Line Code is HDB3, Clock Source is Internal.
Data in current interval (864 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 864 Unavail Secs
Total Data (last 24 hours)
     0 Line Code Violations, 0 Path Code Violations,
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
PSTN_IP-WAN_RTR#
PSTN_IP-WAN_RTR#
PSTN_IP-WAN_RTR#show isdn status
Global ISDN Switchtype = primary-net5
ISDN Serial0/0/0:15 interface
        ******* Network side configuration *******
        dsl 0, interface ISDN Switchtype = primary-net5
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
ISDN Serial0/0/1:15 interface
        ******* Network side configuration *******
        dsl 1, interface ISDN Switchtype = primary-net5
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 1 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
ISDN Serial0/2/0:23 interface
        ******* Network side configuration *******
        dsl 2, interface ISDN Switchtype = primary-ni
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 2 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
ISDN Serial0/2/1:23 interface
        ******* Network side configuration *******
        dsl 3, interface ISDN Switchtype = primary-ni
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 3 CCBs = 0
    The Free Channel Mask: 0x00000000
    Number of L2 Discards = 0, L2 Session ID = 0
    Total Allocated ISDN CCBs = 0
PSTN_IP-WAN_RTR#
PSTN_IP-WAN_RTR#show run
Building configuration...
Current configuration : 6518 bytes
! Last configuration change at 23:02:02 CST Tue Feb 4 2014
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PSTN_IP-WAN_RTR
boot-start-marker
boot-end-marker
card type e1 0 0
logging message-counter syslog
enable secret 5 $1$rLlG$MPPST59p5rs0FfXu8OXp1.
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
network-clock-participate wic 0
network-clock-participate wic 2
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp pool PSTN-PHONE
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.1
   option 150 ip 192.168.100.1
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
frame-relay switching
isdn switch-type primary-net5
voice translation-rule 1
rule 1 /^011$.*$/ /\1/
rule 2 /^1$.*$/ /&/
rule 3 /^00$.*$/ /\1/
rule 4 /^617$.*$/ /1&/
rule 5 /^212$.*$/ /1&/
voice translation-rule 2
rule 1 /^617/ /1&/
rule 2 /^212/ /1&/
voice translation-rule 3
rule 1 /^212/ /1&/
rule 2 /^34/ /&/
voice translation-rule 4
rule 1 /^617/ /1&/
rule 2 /^34/ /&/
voice translation-profile BR1-OUT
translate calling 3
voice translation-profile BR2-OUT
translate calling 2
voice translation-profile HQ-OUT
translate calling 4
voice translation-profile PSTN-IN
translate called 1
voice-card 0
crypto pki token default removal timeout 0
archive
log config
hidekeys
controller E1 0/0/0
clock source internal
pri-group timeslots 1-3,16
description BR2_E1
controller E1 0/0/1
clock source internal
pri-group timeslots 1-3,16
controller T1 0/2/0
clock source internal
pri-group timeslots 1-3,24
description HQ_T1
controller T1 0/2/1
clock source internal
pri-group timeslots 1-3,24
description BR1_T1
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.13
description PSTN-PHONE_LAN
encapsulation dot1Q 13
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/1
description MGMT-CONNECTION-via-WIFI
ip address 172.30.1.2 255.255.255.0
duplex auto
speed auto
interface Serial0/0/0:15
description BR2-PSTN-CONNECTION
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice voice
no cdp enable
interface Serial0/0/1:15
description BR2-PSTN-CONNECTION
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn protocol-emulate network
isdn incoming-voice voice
no cdp enable
interface Serial0/1/0
description FR_to_BR2-RTR
no ip address
encapsulation frame-relay IETF
clock rate 64000
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 301 interface Serial0/3/0 103
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
interface Serial0/2/0:23
description HQ-PSTN-CONNECTION
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice voice
no cdp enable
interface Serial0/2/1:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn protocol-emulate network
isdn incoming-voice voice
no cdp enable
interface Serial0/3/0
description FR_to_HQ-RTR_point-to-point-BR1andBR2
no ip address
encapsulation frame-relay IETF
clock rate 64000
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 102 interface Serial0/3/1 201
frame-relay route 103 interface Serial0/1/0 301
interface Serial0/3/1
description FR_to_BR1-RTR-to-HQ-RTR
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 201 interface Serial0/3/0 102
ip forward-protocol nd
ip route 1.1.1.1 255.255.255.255 172.30.1.1
ip route 2.2.2.2 255.255.255.255 172.30.1.1
ip route 3.3.3.3 255.255.255.255 172.30.1.1
ip route 10.1.1.0 255.255.255.0 172.30.1.1
ip route 192.168.14.0 255.255.255.0 172.30.1.1
ip route 192.168.15.0 255.255.255.0 172.30.1.1
ip route 192.168.16.0 255.255.255.0 172.30.1.1
ip route 192.168.17.0 255.255.255.0 172.30.1.1
ip route 192.168.20.0 255.255.255.0 172.30.1.1
ip route 192.168.21.0 255.255.255.0 172.30.1.1
ip route 192.168.30.0 255.255.255.0 172.30.1.1
ip route 192.168.31.0 255.255.255.0 172.30.1.1
no ip http server
no ip http secure-server
tftp-server flash:P0030801SR02.bin
tftp-server flash:P0030801SR02.loads
tftp-server flash:P0030801SR02.sb2
tftp-server flash:P0030801SR02.sbn
tftp-server P0030801SR02.txt
control-plane
voice-port 0/0/0:15
voice-port 0/2/0:23
voice-port 0/0/1:15
voice-port 0/2/1:23
ccm-manager fax protocol cisco
mgcp fax t38 ecm
dial-peer voice 1 pots
incoming called-number .
direct-inward-dial
dial-peer voice 10 pots
description HQ-NATIONAL-CALLS-DIAL-PEER
destination-pattern 2123941...
port 0/2/0:23
forward-digits all
dial-peer voice 20 pots
description BR1-NATIONAL-CALLS-DIAL-PEER
destination-pattern 6178632...
port 0/2/1:23
forward-digits all
dial-peer voice 30 pots
description BR2-NATIONAL-CALLS-DIAL-PEER
destination-pattern 32143...
port 0/0/0:15
forward-digits all
dial-peer voice 31 pots
description BR2-INTL-CALLS-DIAL-PEER
destination-pattern 3432143...
port 0/0/0:15
forward-digits all
telephony-service
em logout 0:0 0:0 0:0
max-ephones 2
max-dn 10
ip source-address 192.168.100.1 port 2000
load 7960-7940 P00303020214
keepalive 10
max-conferences 4 gain -6
transfer-system full-consult
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-dn 1
number 12123945001
label +8087812321
description NYC
name NYC-PSTN
ephone-dn 2
number 16178635001
label 911+999
description BOSTON
name BOSTON-PSTN
ephone-dn 3
number 32145001
label 18005551234
description SPAIN
name SPAIN-PSTN
ephone-dn 4
number 3432145002
description SPAIN
name SPAIN-PSTN-INTL
ephone-dn 5
number 5005
label 7812321
description 7812321
ephone-dn 6
number 5006
label x5005
description OFFICE PHONE
ephone 1
device-security-mode none
mac-address 0008.A3FD.39FF
type 7960
button 1:1 2:2 3:3 4:4
button 5:5
banner motd ^CC PSTN-IP-WAN ROUTER ^C
line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login
transport input all
line vty 5 15
password cisco
login
transport input all
scheduler allocate 20000 1000
ntp master
end
PSTN_IP-WAN_RTR#

I have went ahead and re-enabled the voice-ports just because I left that out of my original output. See below.....
Do you think I ordered 3 factory made T1 cables from BlackBox and ALL of them came back to me bad? Or perhaps they might not have made them as cross over cables......hmm...any other suggestions?
BR2_RTR(config)#voice-port 0/0/0:15
BR2_RTR(config-voiceport)#no shut
BR2_RTR(config-voiceport)#do sh voice port summ
BR2_RTR(config-voiceport)#do sh voice port summ
                                           IN       OUT
PORT            CH   SIG-TYPE   ADMIN OPER STATUS   STATUS   EC
=============== == ============ ===== ==== ======== ======== ==
0/0/0:15        01 isdn-voice up    down none     none     y
0/0/0:15        02 isdn-voice up    down none     none     y
0/0/0:15        03 isdn-voice up    down none     none     y
50/0/1          1      efxs     up    dorm on-hook idle     y
50/0/2          1      efxs     up    dorm on-hook idle     y
PWR FAILOVER PORT        PSTN FAILOVER PORT
=================        ==================
HQ-RTR(config)#voice-port 0/2/0:23
HQ-RTR(config-voiceport)#no shut
HQ-RTR(config-voiceport)#
HQ-RTR(config-voiceport)#
HQ-RTR(config-voiceport)#do sh voice port summ
                                           IN       OUT
PORT            CH   SIG-TYPE   ADMIN OPER STATUS   STATUS   EC
=============== == ============ ===== ==== ======== ======== ==
0/2/0:23        01 isdn-voice up    down none     none     y
0/2/0:23        02 isdn-voice up    down none     none     y
0/2/0:23        03 isdn-voice up    down none     none     y
PWR FAILOVER PORT        PSTN FAILOVER PORT
=================        ==================
PSTN_IP-WAN_RTR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PSTN_IP-WAN_RTR(config)#voice-p
PSTN_IP-WAN_RTR(config)#voice-port 0/0/0:15
PSTN_IP-WAN_RTR(config-voiceport)#no shut
PSTN_IP-WAN_RTR(config-voiceport)#exit
PSTN_IP-WAN_RTR(config)#voice-por
PSTN_IP-WAN_RTR(config)#voice-port 0/2/0:23
PSTN_IP-WAN_RTR(config-voiceport)#no shut
PSTN_IP-WAN_RTR(config-voiceport)#exit
PSTN_IP-WAN_RTR(config)#voice-por
PSTN_IP-WAN_RTR(config)#voice-port 0/0/1:15
PSTN_IP-WAN_RTR(config-voiceport)#no shut
PSTN_IP-WAN_RTR(config-voiceport)#exit
PSTN_IP-WAN_RTR(config)#voice-port 0/2/1:23
PSTN_IP-WAN_RTR(config-voiceport)#no shut
PSTN_IP-WAN_RTR(config-voiceport)#exit
PSTN_IP-WAN_RTR(config)#
PSTN_IP-WAN_RTR(config)#
PSTN_IP-WAN_RTR(config)#
PSTN_IP-WAN_RTR(config)#do sh voice port summ
                                           IN       OUT
PORT            CH   SIG-TYPE   ADMIN OPER STATUS   STATUS   EC
=============== == ============ ===== ==== ======== ======== ==
0/0/0:15        01 isdn-voice up    dorm none     none     y
0/0/0:15        02 isdn-voice up    dorm none     none     y
0/0/0:15        03 isdn-voice up    dorm none     none     y
0/2/0:23        01 isdn-voice up    dorm none     none     y
0/2/0:23        02 isdn-voice up    dorm none     none     y
0/2/0:23        03 isdn-voice up    dorm none     none     y
0/0/1:15        01 isdn-voice up    dorm none     none     y
0/0/1:15        02 isdn-voice up    dorm none     none     y
0/0/1:15        03 isdn-voice up    dorm none     none     y
0/2/1:23        01 isdn-voice up    dorm none     none     y
0/2/1:23        02 isdn-voice up    dorm none     none     y
0/2/1:23        03 isdn-voice up    dorm none     none     y
50/0/1          1      efxs     up    dorm on-hook idle     y
50/0/2          1      efxs     up    dorm on-hook idle     y
50/0/3          1      efxs     up    dorm on-hook idle     y
50/0/4          1      efxs     up    dorm on-hook idle     y
50/0/5          1      efxs     up    dorm on-hook idle     y
50/0/6          1      efxs     up    up   on-hook idle     y
PWR FAILOVER PORT        PSTN FAILOVER PORT
=================        ==================
PSTN_IP-WAN_RTR(config)#

Calling issue with Cisco 7937 conference station

Hi Friends,
I am facing issue wiht Cisco 7937 conference station, our customer have various branch offices accross the world. All branches are connected over MPLS through service provider( SIP service provider) . there is a centralized CUCM and remote office have SIP Voice gateways .
When making calls from once remote site to another using Cisco 6921 phones calls working fine
When making calls from once remote site to another using Cisco 7937 conference station to make call any phone at remote office, calls are getting disconneted, remote phone rings when calls, but its gets fast busy tone when other party picks up the phone and not able to talk.
I suspect the issue with Codec but we have configured transcoders in VG and registered with CUCM
Please help me if any one experience such issue earlier.
Regards
Siva

hi Basant,
1. Actually tow phones A and B are registerd with centralized CUCM, A and B are located in two different locations, RTP traffic between And B pass through service provider.
Call Flow --> Phone A ---->CUCMRouterpattern--> SIP trunk ----> Voice gateway--->Service provider cloud---> Respective Voice Gateway---> CUCM -- Phone B
Show Run
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.27 15:14:52 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 12139 bytes
! Last configuration change at 06:35:59 UTC Tue Feb 25 2014
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname eucamvgw01
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M5.bin
boot-end-marker
card type e1 0 0
logging buffered 51200 warnings
no logging console
no aaa new-model
no network-clock-participate wic 0
no ipv6 cef
ip source-route
ip traffic-export profile cuecapture mode capture
bidirectional
ip cef
ip multicast-routing
ip domain name drreddys.eu
ip name-server 10.197.20.1
ip name-server 10.197.20.2
multilink bundle-name authenticated
stcapp ccm-group 2
stcapp
stcapp feature access-code
stcapp feature speed-dial
stcapp supplementary-services
port 0/1/0
fallback-dn 5428025
port 0/1/1
fallback-dn 5428008
port 0/1/2
fallback-dn 5421462
port 0/1/3
fallback-dn 5421463
isdn switch-type primary-net5
crypto pki token default removal timeout 0
voice-card 0
dsp services dspfarm
voice call send-alert
voice call disc-pi-off
voice call convert-discpi-to-prog
voice rtp send-recv
voice service voip
ip address trusted list
ipv4 10.198.0.0 255.255.255.0
ipv4 152.63.1.0 255.255.255.0
address-hiding
allow-connections sip to sip
no supplementary-service h225-notify cid-update
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
fax-relay ans-disable
sip
rel1xx supported "track"
privacy pstn
no update-callerid
early-offer forced
call-route p-called-party-id
voice class uri 100 sip
host 41.206.187.71
voice class codec 10
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 ilbc
codec preference 4 g729r8
codec preference 5 g729br8
voice class codec 20
codec preference 1 g729br8
codec preference 2 g729r8
voice moh-group 1
moh flash:moh/Panjo.alaw.wav
description MOH G711 alaw
multicast moh 239.1.1.2 port 16384 route 10.198.2.9
voice translation-rule 1
rule 1 /^012237280$..$/ /54280\1/
rule 2 /^012236514$..$/ /54214\1/
rule 3 /^01223651081/ /5428010/
rule 4 /^01223506701/ /5428010/
voice translation-rule 2
rule 1 /^00$.+$/ /+\1/
rule 2 /^0$.+$/ /+44\1/
rule 3 /^$[0-9].+$/ /+\1/
voice translation-rule 3
rule 1 /^9$.+$/ /\1/
rule 2 /^\+44$.+$/ /0\1/
rule 3 /^\+$.+$/ /00\1/
voice translation-rule 4
rule 1 /^54280$..$/ /12237280\1/
rule 2 /^54214$..$/ /12236514\1/
rule 3 /^\+44$.+$/ /\1/
rule 4 /^.54280$..$/ /12237280\1/
rule 5 /^.54214$..$/ /12236514\1/
voice translation-rule 9
rule 1 /^$....$/ /542\1/
voice translation-rule 10
voice translation-rule 11
rule 1 /^\+44122372$....$/ /542\1/
rule 2 /^\+44122365$....$/ /542\1/
voice translation-rule 12
voice translation-rule 13
rule 1 /^$[18]...$/ /542\1/
voice translation-rule 14
voice translation-profile MPLS-incoming
translate calling 10
translate called 9
voice translation-profile MPLS-outgoing
translate calling 11
translate called 12
voice translation-profile PSTN-incoming
translate calling 2
translate called 1
voice translation-profile PSTN-outgoing
translate calling 4
translate called 3
voice translation-profile SRST-incoming
translate calling 14
translate called 13
license udi pid CISCO2921/K9 sn FGL145110RE
hw-module ism 0
hw-module pvdm 0/0
username administrator privilege 15 secret 5 $1$syu5$DsxdOgfS7Wltx78o4PV.60
redundancy
controller E1 0/0/0
ip tcp path-mtu-discovery
ip scp server enable
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description internal LAN
ip address 10.198.2.9 255.255.255.0
duplex auto
speed auto
interface ISM0/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.198.2.8 255.255.255.0
!Application: CUE Running on ISM
service-module ip default-gateway 10.198.2.9
interface GigabitEthernet0/1
description to TATA NGN
ip address 115.114.225.122 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/2
description SIP Trunks external
ip address 79.121.254.83 255.255.255.248
ip access-group SIP-InBound in
ip traffic-export apply cuecapture size 8000000
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
no ip address
shutdown
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.198.2.1
ip route 10.198.2.8 255.255.255.255 ISM0/0
ip route 41.206.187.0 255.255.255.0 115.114.225.121
ip route 77.37.25.46 255.255.255.255 79.121.254.81
ip route 83.245.6.81 255.255.255.255 79.121.254.81
ip route 83.245.6.82 255.255.255.255 79.121.254.81
ip route 95.223.1.107 255.255.255.255 79.121.254.81
ip route 192.54.47.0 255.255.255.0 79.121.254.81
ip access-list extended SIP-InBound
permit ip host 77.37.25.46 any
permit ip host 83.245.6.81 any
permit ip host 83.245.6.82 any
permit ip 192.54.47.0 0.0.0.255 any
permit icmp any any
permit ip host 95.223.1.107 any
deny ip any any log
control-plane
voice-port 0/1/0
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/1
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/2
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/3
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
no ccm-manager fax protocol cisco
ccm-manager music-on-hold bind GigabitEthernet0/0
ccm-manager config server 152.63.1.19 152.63.1.100 172.27.210.5
ccm-manager sccp local GigabitEthernet0/0
ccm-manager sccp
mgcp profile default
sccp local GigabitEthernet0/0
sccp ccm 10.198.2.9 identifier 3 priority 3 version 7.0
sccp ccm 152.63.1.19 identifier 4 version 7.0
sccp ccm 152.63.1.100 identifier 5 version 7.0
sccp ccm 172.27.210.5 identifier 6 version 7.0
sccp
sccp ccm group 2
bind interface GigabitEthernet0/0
associate ccm 4 priority 1
associate ccm 5 priority 2
associate ccm 6 priority 3
associate ccm 3 priority 4
associate profile 1002 register CFB_UK_CAM_02
associate profile 1001 register XCODE_UK_CAM_02
associate profile 1000 register MTP_UK_CAM_02
dspfarm profile 1001 transcode
codec ilbc
codec g722-64
codec g729br8
codec g729r8
codec gsmamr-nb
codec pass-through
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 18
associate application SCCP
dspfarm profile 1002 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 2
associate application SCCP
dspfarm profile 1000 mtp
codec g711alaw
maximum sessions software 200
associate application SCCP
dial-peer cor custom
name SRSTMode
dial-peer cor list SRST
member SRSTMode
dial-peer voice 100 voip
description *** Inbound CUCM ***
translation-profile incoming PSTN-incoming
incoming called-number .
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 500 voip
description *** Inbound TATA MPLS ***
translation-profile incoming MPLS-incoming
session protocol sipv2
session target sip-server
incoming called-number ....
incoming uri from 100
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 510 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 54[013-9]....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 520 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 5[0-35-9].....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 200 voip
description *** Inbound M12 *** 01223651081, 01223651440 - 01223651489
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 0122365....
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 201 voip
description *** Inbound M12 *** 012237280XX
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 012237280..
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 202 voip
description *** Inbound M12 *** 01223506701
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 01223506701
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 210 voip
description *** Outbound M12 ***
translation-profile outgoing PSTN-outgoing
destination-pattern +...T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 211 voip
description *** Outbound ISDN for SRST and emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 9.T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 212 voip
description *** Outbound ISDN for emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 11[02]
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 2000 voip
description *** Outbound to CUCM Primary ***
preference 1
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.19
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2001 voip
description *** Outbound to CUCM Secondary ***
preference 2
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.100
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2002 voip
description *** Outbound to CUCM Teritiary ***
preference 3
destination-pattern 542....
session protocol sipv2
session target ipv4:172.27.210.5
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 999010 pots
service stcapp
port 0/1/0
dial-peer voice 999011 pots
service stcapp
port 0/1/1
dial-peer voice 999012 pots
service stcapp
port 0/1/2
dial-peer voice 999013 pots
service stcapp
port 0/1/3
sip-ua
no remote-party-id
gatekeeper
shutdown
call-manager-fallback
secondary-dialtone 9
max-conferences 4 gain -6
transfer-system full-consult
ip source-address 10.198.2.9 port 2000
max-ephones 110
max-dn 400 dual-line no-reg
translation-profile incoming SRST-incoming
moh flash:/moh/Panjo.ulaw.wav
multicast moh 239.1.1.1 port 16384 route 10.198.2.9
time-zone 22
time-format 24
date-format dd-mm-yy
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 131
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
line vty 5 15
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
scheduler allocate 20000 1000
ntp server 10.1.30.1
end
eucamvgw01#
Sh SCCP
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.03.03 17:57:44 =~=~=~=~=~=~=~=~=~=~=~=
SCCP Admin State: UP
Gateway Local Interface: GigabitEthernet0/0
IPv4 Address: 10.198.2.9
Port Number: 2000
IP Precedence: 5
User Masked Codec list: None
Call Manager: 10.198.2.9, Port Number: 2000
Priority: 3, Version: 7.0, Identifier: 3
Call Manager: 152.63.1.19, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 4
Trustpoint: N/A
Call Manager: 152.63.1.100, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 5
Trustpoint: N/A
Call Manager: 172.27.210.5, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 6
Trustpoint: N/A
MTP Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1000
Reported Max Streams: 400, Reported Max OOS Streams: 0
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Transcoding Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1001
Reported Max Streams: 36, Reported Max OOS Streams: 0
Supported Codec: ilbc, Maximum Packetization Period: 120
Supported Codec: g722r64, Maximum Packetization Period: 30
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: gsmamr-nb, Maximum Packetization Period: 60
Supported Codec: pass-thru, Maximum Packetization Period: N/A
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
Conferencing Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1002
Reported Max Streams: 16, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070080
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070081
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070082
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070083
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
eucamvgw01#

Cannot connect to local network while connected with EasyVPN

Hi All,
I'm looking on many forums for an answer, but I cannot get it working.
I have configured EasyVPN with CCP and also with CLI. I had it both working perfect, except the most important thing.
I can connect with the Cisco VPN client to the router, but i'm not able to connect or even ping a system inside the remote network. My laptop gets an IP address from the address pool of the router.
I really hope someone can help me before my manager is losing his patience :-)
Here is my config. (before someone is mentioning it, i have to clean up my config a bit...I mean, look at the acl's )
Current configuration : 13939 bytes
! Last configuration change at 12:26:53 UTC Thu Jan 9 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 10240
logging console critical
enable secret 4 ********
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
no process cpu extended history
crypto pki trustpoint TP-self-signed-********
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-********
revocation-check none
rsakeypair TP-self-signed-********
crypto pki certificate chain TP-self-signed-********
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303239 34303934 3438301E 170D3133 30343032 30353436
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323934
30393434 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9C3 F8E6BD43 3351D861 68398114 D31AACC1 CE16CDDA 7F0876BC 6E55EA3C
5F258D90 20FC882D 42C90257 92DB9113 B461DD81 4080153F 6AE041AD E5BDDF7E
7C21BD1B 35F05CCB F6D34A4D 6B04C309 F39D8426 865E2BFE 9E8051F2 6F411A49
D71FBF0C 1AC85BEE 355563FB 2353D0C7 28D49071 840AF99B AF59D768 FCDCDF03
94FF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 145ACD47 89D51095 70BE5400 595E826A 6A9E5E95 71301D06
03551D0E 04160414 5ACD4789 D5109570 BE540059 5E826A6A 9E5E9571 300D0609
2A864886 F70D0101 05050003 8181003B 1988FFCD 93112A99 707B7AD8 B56A08C0
C274B974 B076AA19 BAFCC868 F118AE7D 4D8A55E2 42D8F9A9 9D617093 7EF6D459
6BC0A990 BF5AF3E8 8E7F2787 41F4BFE2 65A1A3B0 D726033A 47A24D29 159ABF92
16DBCF5C EC6602C2 E6137C0B C1FC7125 37E9CE49 82B45E18 FAB31A36 990BB3BC
30D9EE8E 8B0A9F7C DC0B6C2B FA2740
            quit
no ip source-route
ip cef
no ip bootp server
ip name-server ********
ip name-server ********
no ipv6 cef
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
multilink bundle-name authenticated
license udi pid C3900-SPE100/K9 sn ********
username admin privilege 15 secret 4 ********
username guido privilege 15 secret 4 ********
redundancy
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-protocol-http
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
pass
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group jmgvpn
key ****
pool SDM_POOL_1
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group jmgvpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Null0
no ip unreachables
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
interface GigabitEthernet0/0
description JMG$FW_INSIDE$
ip address 10.0.14.*** 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
glbp 10 ip 10.0.14.***
glbp 10 authentication text JMG
glbp 10 forwarder preempt delay minimum 100
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description Cloud$ETH-LAN$$FW_INSIDE$
ip address 10.3.15.*** 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/2
description Internet (Only in use on R01)$FW_OUTSIDE$$ETH-WAN$
ip address 46.144.***.*** 255.255.255.240
no ip redirects
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
media-type rj45
no mop enabled
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 10 interface GigabitEthernet0/2 overload
ip nat inside source list 11 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.14.*** 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 10.0.14.*** 80 interface GigabitEthernet0/2 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 permanent
ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1 permanent
ip route 10.1.14.*** 255.255.255.0 10.0.14.*** permanent
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.3.15.24 0.0.0.3
access-list 1 permit 10.0.14.0 0.0.0.255
access-list 1 deny   any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.5.14.0 0.0.0.255
access-list 3 permit 10.0.14.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 10.0.14.0 0.0.0.255
access-list 6 remark CCP_ACL Category=2
access-list 6 permit 10.0.14.0 0.0.0.255
access-list 7 remark CCP_ACL Category=2
access-list 7 permit 10.0.14.0 0.0.0.255
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 10.0.14.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 10.0.14.0 0.0.0.255
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 10.0.14.0 0.0.0.255
access-list 11 remark CCP_ACL Category=2
access-list 11 permit 10.0.14.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.14.153
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.14.173
no cdp run
control-plane
banner login ^CCCPlease login. Or leave if you have no right to be here.^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
scheduler interval 500
end

Remove the ip nat outside command for a moment during a permitted downtime.
I have a feeling you should do some NAT excemption for the VPN traffic (deny vpn traffic for nat policies).

How to configure multiple outgoing interfaces + NAT + PfR

Hello,
I have the following config running on Cisco2851.
Five interfaces (four ADSL and one LAN 10Mb/s) connected to Internet using pppoe.
Local policy is used to make working route tracking.
The PfR also configured to load balance traffic coming from LAN to Internet.
PAT is also configured with "oer" keyword at the end of string to not relocate working translations.
But the router is not performing good. :-(
After investigation I found that the selection of the exit interface and setting source ip for
NAT is not synchronized. The provider's router just drops the incoming packet due to uRPF check.
Also, the selection of the exit interface is not PFR aware (mode select-exit best) during
NAT session setup, and router selects one of the possible exit interfaces randomly.
I have two questions:
1. How to make synchronization of NAT and Routing to build matching pair of Out_IP=Out_Interface and make my setup working?
2. How to select the less loaded interface during setup of NAT phase and Routing phase and really involve PfR?
Actually, these two questions is just my one requirement: during setup of NAT session, I need
to find less loaded interface (PfR should check current rx/tx load), select it, and keep it untouched.
Thanks,
Sergey
Config:
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname bif
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
enable secret 5 $1$3ggj$huERPVt0luOX6qo6
no aaa new-model
crypto pki token default removal timeout 0
dot11 syslog
no ip source-route
ip cef
no ip domain lookup
ip domain name zzz.mgm
no ipv6 cef
multilink bundle-name authenticated
key chain PFR
key 0
key-string 7 107E2F2B
voice-card 0
pfr master
logging
border 192.168.254.254 key-chain PFR
interface Dialer5 external
interface Dialer4 external
interface Dialer3 external
interface Dialer2 external
interface Dialer1 external
interface GigabitEthernet0/0 internal
mode select-exit best
pfr border
logging
local Loopback0
master 192.168.254.254 key-chain PFR
license udi pid CISCO2851 sn FCZ0929
username se privilege 15 secret 5 $1$DUbm$RuZKP8X.19uBtm21
username ru privilege 15 secret 5 $1$1V.h$iotp/bjhUg4ho93d
redundancy
ip ssh version 2
track 1 ip sla 1 reachability
delay down 30 up 15
track 2 ip sla 2 reachability
delay down 30 up 15
track 3 ip sla 3 reachability
delay down 30 up 15
track 4 ip sla 4 reachability
delay down 30 up 15
track 5 ip sla 5 reachability
delay down 30 up 15
interface Loopback0
ip address 192.168.254.254 255.255.255.255
interface GigabitEthernet0/0
description ### LAN ###
ip address 192.168.68.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description ### WDSL link to Dialer 5 ###
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 5
interface ATM0/0/0
description ### DSL link 1 to Dialer 1 ###
no ip address
no atm ilmi-keepalive
shutdown
pvc 1/32
pppoe-client dial-pool-number 1
interface ATM0/1/0
description ### DSL link 2 to Dialer 2 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 2
interface ATM0/2/0
description ### DSL link 3 to Dialer 3 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 3
interface ATM0/3/0
description ### DSL link 4 to Dialer 4 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 4
interface GigabitEthernet1/0
description ### Virtual interface to NME-16ES-1G-P ###
ip address 192.168.254.253 255.255.255.254
interface Dialer1
description ### Dialer for line 1 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer2
description ### Dialer for line 2 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer3
description ### Dialer for line 3 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 3
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer4
description ### Dialer for line 4 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 4
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer5
description ### Dialer for WDSL line ###
bandwidth 10000
bandwidth receive 10001
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 5
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
ip local policy route-map LOCAL-PBR
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map NAT1 interface Dialer1 overload oer
ip nat inside source route-map NAT2 interface Dialer2 overload oer
ip nat inside source route-map NAT3 interface Dialer3 overload oer
ip nat inside source route-map NAT4 interface Dialer4 overload oer
ip nat inside source route-map NAT5 interface Dialer5 overload oer
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer5-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer2-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer3-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer4-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.230 21 $$$Dialer1-IP$$$ 21 extendable
ip nat inside source static tcp 192.168.68.160 25 $$$Dialer1-IP$$$ 25 extendable
ip nat inside source static tcp 192.168.68.22 143 $$$Dialer1-IP$$$ 143 extendable
ip nat inside source static tcp 192.168.68.22 443 $$$Dialer1-IP$$$ 443 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer1-IP$$$ 2222 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
ip route 0.0.0.0 0.0.0.0 Dialer5 track 5
ip sla 1
icmp-echo 8.8.8.8 source-ip $$$Dialer1-IP$$$
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-ip $$$Dialer2-IP$$$
timeout 1000
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-ip $$$Dialer3-IP$$$
timeout 1000
frequency 5
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 8.8.8.8 source-ip $$$Dialer4-IP$$$
timeout 1000
frequency 5
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 8.8.8.8 source-ip $$$Dialer5-IP$$$
timeout 1000
frequency 5
ip sla schedule 5 life forever start-time now
access-list 100 permit ip any any
access-list 101 permit ip host $$$Dialer1-IP$$$ any
access-list 102 permit ip host $$$Dialer2-IP$$$ any
access-list 103 permit ip host $$$Dialer3-IP$$$ any
access-list 104 permit ip host $$$Dialer4-IP$$$ any
access-list 105 permit ip host $$$Dialer5-IP$$$ any
access-list 199 permit ip 192.168.68.0 0.0.0.255 any
route-map LOCAL-PBR permit 10
match ip address 101
set interface Dialer1
route-map LOCAL-PBR permit 20
match ip address 102
set interface Dialer2
route-map LOCAL-PBR permit 30
match ip address 103
set interface Dialer3
route-map LOCAL-PBR permit 40
match ip address 104
set interface Dialer4
route-map LOCAL-PBR permit 50
match ip address 105
set interface Dialer5
route-map LOCAL-PBR permit 100
match ip address 100
set global
route-map NAT3 permit 10
match ip address 199
match interface Dialer3
route-map NAT2 permit 10
match ip address 199
match interface Dialer2
route-map NAT1 permit 10
match ip address 199
match interface Dialer1
route-map NAT5 permit 10
match ip address 199
match interface Dialer5
route-map NAT4 permit 10
match ip address 199
match interface Dialer4
control-plane
mgcp profile default
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
session-timeout 15
login local
transport input all
line vty 5 15
session-timeout 15
login local
transport input all
scheduler allocate 20000 1000
end
Show ip route:
sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Routing Descriptor Blocks:
    directly connected, via Dialer5
      Route metric is 0, traffic share count is 1
* directly connected, via Dialer3
      Route metric is 0, traffic share count is 1
    directly connected, via Dialer4
      Route metric is 0, traffic share count is 1
    directly connected, via Dialer2
      Route metric is 0, traffic share count is 1
Log:
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, TCP Adjust MSS(82), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 192.168.68.2 dst 8.8.4.4
*Apr 16 07:04:18.103: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
*Apr 16 07:04:18.103: FIBfwd-proc: depth 0 first_idx 3 paths 4 long 0(0)
*Apr 16 07:04:18.103: FIBfwd-proc: try path 3 (of 4) v4-ap-Dialer5 first short ext 0(-1)
*Apr 16 07:04:18.103: FIBfwd-proc: v4-ap-Dialer5 valid
*Apr 16 07:04:18.103: FIBfwd-proc: Dialer5 no nh type 3 - deag
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none deag 1 chg_if 0 via fib 0 path type attached prefix
*Apr 16 07:04:18.103: FIBfwd-proc: packet routed to Dialer5 p2p(0)
*Apr 16 07:04:18.103: FIBipv4-packet-proc: packet routing succeeded
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 ttlexp 0
*Apr 16 07:04:18.103: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103:     UDP src=61183, dst=53, CCE Post NAT Classification(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, Firewall (firewall component)(39), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, TCP Adjust MSS(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(84), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
*Apr 16 07:04:18.107:     UDP src=61183, dst=53
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
*Apr 16 07:04:18.107:     UDP src=61183, dst=53

hi,is this question is ok?
if you forget do this config like below:
pfr master
learn
delay
throughput
periodic-interval 3
monitor-period 1
pfr master
delay threshold 200
jitter threshold 50
mode route control
mode monitor passive
mode select-exit best
i will do like this,four ADSL connect a switch ,this switch connect a router 2911(with data license)
at 2911 do four pppoe
i want to load balance at this four adsl.

NAT on sub-interface with no internet access

Good morning,
Please I have a router 2901, which I configured tow sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
Config below
Router1#sh config
Using 5392 out of 262136 bytes
! No configuration change since last restart
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
version 15.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname A
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
enable password 7 06150E2C5F5B071E
aaa new-model
aaa authentication login default local
aaa session-id common
memory-size iomem 25
ip cef
ip dhcp excluded-address 10.10.36.1 10.10.36.25
ip dhcp excluded-address 10.10.36.200 10.10.36.254
ip dhcp pool DATA
network 10.10.36.0 255.255.255.0
default-router 10.10.36.1
dns-server 8.8.8.8 4.2.2.2
ip dhcp pool VOICE
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.10.36.4
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3112445314
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3112445314
revocation-check none
rsakeypair TP-self-signed-3112445314
crypto pki certificate chain TP-self-signed-3112445314
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1808C4L8
hw-module pvdm 0/0
username a password 7 1416111F05557C
username e privilege 15 password 7 1437455E0E2A25382525260B67
username c password 7 030B580E0701284F165B5C
username a password 7 01000709481E0808
redundancy
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address #.#.#.58 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.36.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
ip route 0.0.0.0 0.0.0.0 #.#.#.57
ip access-list extended LAN_NAT_POLICY
permit ip 10.0.0.0 0.255.255.255 any
access-list 23 permit 10.10.36.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
control-plane
mgcp profile default
gatekeeper
shutdown
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you hav
already used the username "cisco" to login to the router and your IOS imag
supports the "one-time" user option, then this username has already expire
You will not be able to login to the router with this username after you e
this session.
It is strongly suggested that you create a new username with a privilege l
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want
use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
password 7 13041406025D52
line aux 0
exec-timeout 0 1
no exec
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 094D4D1D105441
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp master
ntp server 10.10.36.1
end
Please I need a quick response
Thank you.

Can you change the interface to outside interface in this command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
can you try this below command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
Regards
PrajithTR

Remote site to site VPN user cannot access LAN resources

Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
What do I need to do to fix this?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SFGallery
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
ip dhcp pool SFGallery172
import all
network 172.16.0.0 255.255.252.0
domain-name xxxxxxxxxxxx
dns-server 10.10.10.10
default-router 10.10.10.94
netbios-name-server 10.10.10.10
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
xxxxxx
quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
object-group network Corp
172.16.4.0 255.255.252.0
10.10.10.128 255.255.255.224
object-group network SFGallery
172.16.0.0 255.255.252.0
10.10.10.0 255.255.255.128
object-group network NY
10.10.10.160 255.255.255.224
172.16.16.0 255.255.252.0
object-group network GPAll
group-object SFGallery
group-object NY
group-object Corp
username xxx
username xxx
username xxx
username xxx
redundancy
no ip ftp passive
ip ssh version 1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
crypto isakmp client configuration group SFGallery
key Peters2011
dns 10.10.10.10 10.10.10.80
wins 10.10.10.10 10.10.10.80
domain gpgallery.com
pool SDM_POOL_1
acl 111
save-password
split-dns gpgallery.com
max-users 25
max-logins 3
netmask 255.255.252.0
banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group SFGallery
client authentication list ciscocp_vpn_xauth_ml_3
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP-3DES-SHA3
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA1
match address 107
reverse-route
interface Loopback1
ip address 192.168.5.1 255.255.255.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group ReplicationIN out
duplex auto
speed auto
interface GigabitEthernet1/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
no ip address
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ReplicationIN
remark CCP_ACL Category=1
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny   ip any any
ip access-list extended ReplicationOUT
remark CCP_ACL Category=1
deny   ip any any
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny   tcp any host 10.10.10.2 eq telnet
access-list 100 deny   tcp any host 10.10.10.2 eq 22
access-list 100 deny   tcp any host 10.10.10.2 eq www
access-list 100 deny   tcp any host 10.10.10.2 eq 443
access-list 100 deny   tcp any host 10.10.10.2 eq cmd
access-list 100 deny   udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny   tcp any host 172.16.0.1 eq telnet
access-list 103 deny   tcp any host 172.16.0.1 eq 22
access-list 103 deny   tcp any host 172.16.0.1 eq www
access-list 103 deny   tcp any host 172.16.0.1 eq 443
access-list 103 deny   tcp any host 172.16.0.1 eq cmd
access-list 103 deny   udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny   tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny   tcp any host xx.xx.xx.xx eq 22
access-list 105 deny   tcp any host xx.xx.xx.xx eq www
access-list 105 deny   tcp any host xx.xx.xx.xx eq 443
access-list 105 deny   tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny   udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny   ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
route-map SDM_RMAP_4 permit 1
match ip address 109
route-map SDM_RMAP_1 permit 1
match ip address 106
route-map SDM_RMAP_2 permit 1
match ip address 108
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
control-plane
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
scheduler allocate 20000 1000
end

Thanks so much, Herbert.
As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
I would delete these lines:
no ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 extendable
and replace with these
ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 route-map nonat extendable
Then add:
access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
route-map nonat permit 10
match ip address 150

Telnet & Rlogin

Similar Messages

Maybe you are looking for