Trunk SIP between two UC-320W
Hi,
Would it be possible to establish a SIP trunk (or anything else) between 2 UC-320W located in two sites ?
Thanks for your replies....
For your decision, keep in mind that both the UC320 and also the UC5x0 are announced EOS/EOL. But the (not EOL) CUCME (the Express-Version that runs on the router) can easily handle remote-phones.
Similar Messages
-
Trunk config between two 6500 cat switches
Hi All,
What is the recommended trunk configuration between 2 cisco 6500 switches including hsrp scenario.
Thanks
Hi Samir,
In almost all scenarios, it's recommended to have 'dot1q' encapsulation and a static trunk config 'switchport mode trunk'. Matching the native VLAN on both sides is required and will be VLAN1 by default.
When configuring trunks, you should be mindful of VTP, trunk and STP states. Reviewing the following for mismatches between your Cat6K will help:
- show vtp status
- show interfaces trunk
- show spanning-tree
In terms of HSRP, it is also recommended to run HSRP active in the same location as STP Root to avoid any asynchronous routing problems.
/ijay -
HTTP Authentication Digest for SIP messages in a trunk SIP CUCME
Hello,
we would like to implement HTTP Authentication Digest for SIP messages in a trunk SIP between a Cisco 2851 and an Asterisk server.
We are using CUCM Express with 15.1(4)M (CME 8.6) as voice gateway to connect to PSTN.
According to Cisco documentation:
"To configure a gateway to use HTTP Authentication Digest, give the following command in each dial peer or SIP-UA configuration mode:
authentication username username password password [realm realm]."
The problem is that when call is from CISCO to ASTERISK, Asterisk sends a challenge to Cisco to do Authentication:
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D
Remote-Party-ID: "DN1001" <sip:[email protected]>;party=calling;screen=no;privacy=off
From: "DN1001" <sip:[email protected]>;tag=5317D4-2271
To: <sip:[email protected]>
Date: Thu, 20 Feb 2014 10:55:56 GMT
Call-ID: [email protected]
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 1679566433-2572423651-2156454406-1292596908
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1392893756
Contact: <sip:[email protected]:5060>
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 208
<--- Reliably Transmitting (no NAT) to 10.0.70.11:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.70.11:5060;branch=z9hG4bK3E205D;received=10.0.70.11
From: "DN1001" <sip:[email protected]>;tag=5317D4-2271
To: <sip:[email protected]>;tag=as665c9410
Call-ID: [email protected]
CSeq: 101 INVITE
Server: Asterisk PBX 11.7.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"
Content-Length: 0
However, when call is for ASTERISK to Cisco, there is no challenge sent.
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
Max-Forwards: 70
From: "JOSE MANUEL" <sip:[email protected]>;tag=as2f789a9f
To: <sip:[email protected]>
Contact: <sip:[email protected]:5060>
Call-ID: [email protected]:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.7.0
Date: Thu, 20 Feb 2014 09:58:27 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 282
<--- SIP read from UDP:10.0.70.11:60829 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:[email protected]>;tag=as2f789a9f
To: <sip:[email protected]>
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: [email protected]:5060
CSeq: 102 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.1.32.70:5060;branch=z9hG4bK0c57d67c
From: "JOSE MANUEL" <sip:[email protected]>;tag=as2f789a9f
To: <sip:[email protected]>;tag=556830-757
Date: Thu, 20 Feb 2014 10:58:27 GMT
Call-ID: [email protected]:5060
CSeq: 102 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Remote-Party-ID: "DN1001" <sip:[email protected]>;party=called;screen=no;privacy=off
Contact: <sip:[email protected]:5060>
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
My configuration in Cisco device is:
dial-peer voice 1 voip
description **Calls to ASTERISK **
destination-pattern 9T
session protocol sipv2
session target sip-server
codec g711ulaw
sip-ua
keepalive target ipv4:10.1.32.70
authentication username CCME password 7 070E234F4A realm asterisk
sip-server ipv4:10.1.32.70:5060
To avoid that the ASTERISK is blocked by Cisco TOLLFRAUD_APP I have added:
voice service voip
ip address trusted list
ipv4 10.1.32.70 255.255.255.255
allow-connections sip to sip
sip
registrar server
The issue is that I would like the Cisco to also send a challenge to the Asterisk server to authenticate SIP messages.
Any ideas?
Regards.
Hello,
yes, but the credentials command configures credentials that are used when the Cisco UA must register with a server.
I do not need to register the Cisco with the Asterisk server. What I want is for the Cisco to authenticate the SIP messages that it receives. I know that TOLLFRAUD_APP, where the remote IP is checked, can be enough, but I want to do something like other routing protocols (such as OSPF and BGP), where every message must be authenticated.
Thanks.
Regards. -
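The digest exchange behind the 401 trace in this thread, worked through for both sides as an added example (not code from the posters, Cisco or Asterisk). It uses the RFC 2617 calculation for a challenge without qop, which is the form Asterisk sent; the username and realm come from the posted configuration, while the password and request URI are constructed placeholders.

```python
import hashlib
import hmac
import re
import secrets

# Header value taken from the 401 response quoted in the post above.
PAGE_CHALLENGE = 'Digest algorithm=MD5, realm="asterisk", nonce="559bd1d2"'
# Constructed placeholders: the real secret and request URI are not on the page.
SAMPLE_PASSWORD = "example-secret"
SAMPLE_URI = "sip:9001@192.0.2.10:5060"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header_value):
    """Split 'Digest k=v, k="v"' into a dict with lower-cased keys."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}


def compute_ha1(username, realm, password):
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response when the challenge carries no qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge, username, password, method, uri):
    """Client side: answer a challenge such as the one Asterisk sent."""
    c = parse_digest(challenge)
    if c.get("algorithm", "MD5").upper() != "MD5" or "qop" in c:
        raise ValueError("only the no-qop MD5 form shown in the trace is handled")
    ha1 = compute_ha1(username, c["realm"], password)
    resp = digest_response(ha1, method, uri, c["nonce"])
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


class DigestVerifier:
    """Server side: issue challenges and check the answers."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user   # store HA1, not the clear password
        self.outstanding = set()         # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return f'Digest algorithm=MD5, realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method, authorization):
        """method is the method of the request that carried the header."""
        try:
            a = parse_digest(authorization)
            nonce, user = a["nonce"], a["username"]
            uri, given = a["uri"], a["response"]
        except (ValueError, KeyError):
            return False
        # Without qop/nc the nonce is the only replay defence: single use.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None or a.get("realm") != self.realm:
            return False
        expected = digest_response(ha1, method, uri, nonce)
        return hmac.compare_digest(expected.encode(), given.lower().encode())


if __name__ == "__main__":
    users = {"CCME": compute_ha1("CCME", "asterisk", SAMPLE_PASSWORD)}
    verifier = DigestVerifier("asterisk", users)
    auth = build_authorization(verifier.challenge(), "CCME",
                               SAMPLE_PASSWORD, "INVITE", SAMPLE_URI)
    print(auth)
    print("first use:", verifier.verify("INVITE", auth))
    print("replayed :", verifier.verify("INVITE", auth))
```

The verifier only needs HA1 per user, and because a no-qop challenge has no nonce count, it treats each nonce as single use so a captured Authorization header cannot be replayed.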
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest to do a 'clear xlate'? Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
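The counter comparison behind the reply above, as an added example (not code from the posters or from Cisco): it parses the `sh ipsec sa` excerpts from both sites and reports which side decrypts traffic without encrypting replies. The sample text is excerpted from the posts in this thread; the function names, the finding labels and the thresholds are assumptions of this example.

```python
import re

# Excerpts from the "sh ipsec sa" output posted for each site.
SITE_A = """\
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
"""
SITE_B = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
"""
# From Site A's running config: "name 192.168.1.0 san_antonio_inside".
NAMES = {"san_antonio_inside": "192.168.1.0"}

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")


def parse_ipsec_sa(text, names=None):
    """Pull proxy identities, peer and packet counters out of one SA."""
    names = names or {}
    sa = {"local": None, "remote": None}
    for kind, addr, mask in IDENT_RE.findall(text):
        # Resolve ASA "name" aliases so both sides compare as addresses.
        sa[kind] = (names.get(addr, addr), mask)
    peer = re.search(r"current_peer:\s*(\S+)", text)
    sa["peer"] = peer.group(1) if peer else None
    for key in ("encaps", "decaps"):
        m = re.search(rf"#pkts {key}:\s*(\d+)", text)
        sa[key] = int(m.group(1)) if m else 0
    return sa


def diagnose(site_a, site_b, min_packets=10, ratio=0.1):
    """Return (site, finding) tuples for an asymmetric or mismatched tunnel."""
    findings = []
    # Each side's local identity must be the other side's remote identity.
    if site_a["local"] != site_b["remote"] or site_a["remote"] != site_b["local"]:
        findings.append(("both", "proxy_id_mismatch"))
    for name, near, far in (("A", site_a, site_b), ("B", site_b, site_a)):
        # Traffic arrives and decrypts here, but replies never enter the tunnel.
        if near["decaps"] >= min_packets and near["encaps"] < near["decaps"] * ratio:
            findings.append((name, "decrypts_but_not_encrypting"))
        # The peer encrypts plenty, yet almost nothing is decrypted here.
        if far["encaps"] >= min_packets and near["decaps"] < far["encaps"] * ratio:
            findings.append((name, "peer_esp_not_arriving"))
    return findings


if __name__ == "__main__":
    a = parse_ipsec_sa(SITE_A, NAMES)
    b = parse_ipsec_sa(SITE_B, NAMES)
    for site, finding in diagnose(a, b):
        print(site, finding)
```

On the posted counters this flags Site A: it decrypts what Site B sends but encrypts almost nothing in return, so the NAT exemption and crypto ACL on that side are where to look.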
Single Channel between two 10 Gb data Muxponders band C
I would like to install a direct trunk link between the trunk ports of two muxponders on a 15454. Does it need any special configuration using CTC or is it automatic? The client ports will be GE and FC. Should I use GCC Termination?
Thanks in advance
U have got the answer that u can carry GE/FC over your muxponder card.
My 2 cents regarding access management. From one of your message that u r directly connecting these cards.
So ur r using SONET (SDCC/RSDCC) as ur using this as SONET card not DWDM. These SDCC/RSDCC are accessed through ur ethernet port to manage both equipment.
If u take this muxponder over Normal DWDM box then OSC is used. This is out band management channel (or out band signalling for management of node) OC-3 rate.
If u take this muxponder over GMPLS ready DWDM box then that box will add GCC (like RDCC of SONET)to this rate. Like RDCC, GCC is also a in band signalling.
"GCC channel does not work like an OSC channel to manage both equipments.
As per my knowledge GCC can manage ur both equipment plus it has feature of dropping GCC to Non ONS node (or third party) and see that non ONS node in ur management.
I think GCC is better than OSC, as in GMPLS network provisioning is much easier and powerful than OSC based network. -
Create line extension between two SPA-3102
I'm having problems creating a line extension between two SPA-3102.
I have one SPA-3102 connected to an analog PBX system with IP 192.168.0.201, and the other SPA-3102 with an analog phone and IP 192.168.0.200.
I successfully set them up to make a call from the first to the second.
But I couldn't set them up to make a call from the second (192.168.0.200) and get the dialtone of the PBX connected to the first SPA-3102 (192.168.0.201).
I could set up a hot line on the second SPA-3102 (192.168.0.200) and call 192.168.0.201, but it doesn't take the line to hear the PSTN dialtone.
I saw many answers about this problem, but none of them resolved it. I have the latest firmware. Please, could anyone help me, and if it's possible to make this work, please send me all the configuration needed.
Thanks again
Hi Jeremy,
I have a similar problem, I have one PSTN line (say Line1) with free minutes to mobiles, so it's good for outgoing calls. The other line (say Line2) which I have is actually VoIP but it comes with its own hardware (magicJack if you have heard) so I can't use a SIP client and have to use the supplied Hw client, but it does give me an option to connect any normal phone to this magicJack (I suppose that would make it a fxs port). Now this magicJack is cheap for other people to call me.
I want to find a solution so that all the calls I receive on Line2 get forwarded to my mobile number via Line1. And if I receive any calls on Line1 they should be treated normally (my home phone rings). Do you have some idea how I can achieve this with minimal spend? Thanx
Atif -
Wireless Bridging between two 1242 AP's
Hello All,
I have a trailer at a client that I am trying to connect to the main building via a wireless bridge using two 1242 AP's. I am trunking on the connection to each AP using dot1q. I don't mind all the VLANs going to the trailer so I am not limiting the VLANs. What do I have to do on the AP's to get this to work exactly? Are there any guides on this? Thanks
Jason
Hi Jason,
If you're unfamiliar with the CLI, you should probably use the GUI. Here's what's needed to establish a bridge link between two APs:
1. Only one SSID is needed, regardless of the number of VLANs
2. The SSID should be placed in the native VLAN (as only one VLAN can be associated to an SSID)
3. Encryption for the link should be attached to the native VLAN
4. The SSID should be configured for infrastructure mode only
5. Every other VLAN should be created, but not assigned to anything.
6. The radio role/mode must be set to root bridge on one side and non-root bridge on the other side
The critical realization is that only one SSID is used. It's perhaps what's most confusing about bridges. To my knowledge, you need to configure every VLAN you want to traverse the link. I do not know of any way to simply allow all VLANs.
Also, know that the channel can be set on the root side (and should be hard set to channel 1, 6, or 11 if using 2.4GHz), but you cannot configure the channel on the non-root. This is because the non-root scans all channels and matches to the root.
Let me know if you need assistance with any of this. I or someone else on the boards would be glad to help.
Jeff -
Etherchannel between two 2950 switches
I have an etherchannel defined between 2 L2 switches using LACP as shown below. The etherchannel works fine, however when I hard code speed/duplex on both ends the etherchannel fails. What is causing this behaviour?
SW02:
interface Port-channel5
interface GigabitEthernet1/0/1
switchport mode trunk
channel-group 5 mode active
interface GigabitEthernet1/0/2
switchport mode trunk
channel-group 5 mode active
SW02:
interface Port-channel5
interface GigabitEthernet1/0/1
switchport mode trunk
channel-group 5 mode active
interface GigabitEthernet1/0/2
switchport mode trunk
channel-group 5 mode active
Thank you for the rating.
Regarding your replacement scenario, I'll give the standard engineering answer ("it depends"), but actually follow up with something I hope is more helpful. I'm sincerely interested to see other's viewpoint on this as well, as it has changed over the years.
Many years ago (let's say a decade) I ran into problems with some devices not being able to auto-negotiate properly. There was a tendency for devices to fail or negotiate to half-duplex mode when a full-duplex connection was warranted. At the time, the problems we experienced were mainly with traffic shaping devices and some other gear. There were others using fixed settings as a standard practice, and we did the same since we had verifiable issues.
Fast forward to now. I personally have not experienced auto-negotiation problems in a long time and am reading more from others in the field that auto-negotiation is the way to go (such as from the link provided). Indeed, I've now run into the opposite scenario: I had a particular situation where a link between two devices defaulted to half-duplex EVEN THOUGH they were both set to 100/Full. It turned out to be a race condition between a device and a Cisco router...the other device booted faster, didn't see anything on the link, and "helpfully" dropped down to half-duplex. I confirmed the issue with the device vendor, who recommended setting ports to auto-negotiate as the fix (their software would not be updated for a bit of time).
I would recommend auto-negotiate as a standard practice, with the exception of areas where you have encountered specific problems. Those latter cases should be caught through your pre-deployment testing, and discussed with the respective vendors so that you fully understand why the devices are behaving the way they are so that the proper mitigation measures can be put in place (i.e. - It is going to act the same way every time, and you can work with that).
Good luck! -Ed -
VLAN between two Cisco 300 switches
Is it possible to share a VLAN between two Cisco 300 series switches?
Make sure that your port 27 is NOT configured as an access port - it should be a trunk (that's the default). I believe the setting is under VLAN Management > Interface settings.
Also ensure you are set up to tag frames (under the "Port to VLAN" settings). -
Passing Information from UCCX call variables through trunk SIP to Asterisk
Hi All,
We need to pass some information from our UCCX 8.5SU3/CUCM 8.6.2a to our Asterisk server.
These two PBXs are connected by a trunk SIP.
Is it possible to do it? I've read about SIP headers, but I've never worked on them.
Is it possible with a JavaScript?
Could you please help us?
Thanks
Stefano
No. CCX uses JTAPI (CTI/QBE) to integrate with CUCM, not SIP. As such there is no mechanism for it to manipulate or add extra SIP headers. You would need to use one of the native scripting options (e.g. ODBC, HTTP GET/POST, SMTP) or write a custom Java class that can interface natively with the other application. Examples of this exist such as the excellent documents on SFTP, CIFS, and LDAP.
Please remember to rate helpful responses and identify helpful or correct answers. -
After migration, from PC, files are now shared between two user accounts. I have to switch users to access files. How can I combine them into one account?
See Pondini's Transferring files from one User Account to another, for starters
-
Using Lightroom Cloud to Sync Catalog Between Two Machines
I have use of so many cloud services, including the 20 GB that Adobe gives me. Is there a way I can sync my catalog on the cloud so that I can have all my metadata on both my laptop and desktop? I also have 300 GB of cloud storage through Copy. I would just like some recommendations on how best to go about it. Thanks
Hi Pat,
Using Lightroom Cloud to Sync Catalog Between Two Machines
If you’re running Lightroom on a laptop during your location shoots, you might want to take all the edits, keywords, metadata, and of course the photos themselves, and add them to the Lightroom catalog on your studio computer. It’s easier than it sounds: basically, you choose which catalog to export from your laptop, then you take the folder it creates over to your studio computer and import it.
You need to decide whether you want to export a folder (all the imported photos from your shoot), or a collection (just your Picks from the shoot). In this case, we’ll go with a collection, so go to the Collections panel and click on the collection you want to merge with your main catalog back in your studio. (If you had chosen a folder, the only difference would be you’d go to the Folders panel and click on the folder from that shoot instead. Either way, all the metadata you added, and any edits you made in Lightroom, will still be transferred over to the other machine.)
Please refer to http://www.peachpit.com/articles/article.aspx?p=1930499 for more details.
Thanks!
Eshant Jindal -
Working days between two date fields and Changing Factory Calendar
Hi,
I have to calculate working days between two date fields excluding the weekends and public holidays for Switzerland.
I have written the routine using the factory calendar and it's working fine except for two problems now:
1. If any one of the date fields is empty then the result should be zero.
2. And the below code is working from 1996 but my client wants it to work for years before 1996 as well.
I also tried to change the start date in SCAL for the factory calendar but it says enter values between 1995 to 2020.
I am new to ABAP. Please help me with how I can achieve these for the below code.
DATA: IT_HOLIDAYS type TABLE OF ISCAL_DAY,
      IS_HOLIDAYS TYPE ISCAL_DAY.
DATA: T_DATE TYPE SY-DATUM,
      P_DATE TYPE SY-DATUM.
DATA : X_DATE(4) TYPE C.
DATA: CNT TYPE I.
REFRESH : IT_HOLIDAYS.
CLEAR : IT_HOLIDAYS.
T_DATE = SOURCE_FIELDS-/BIC/ZCCCHP812.
P_DATE = SOURCE_FIELDS-/BIC/ZCCCHP810.
CALL FUNCTION 'HOLIDAY_GET'
  EXPORTING
    HOLIDAY_CALENDAR = 'CH'
    FACTORY_CALENDAR = 'CH'
    DATE_FROM = P_DATE
    DATE_TO = T_DATE
  TABLES
    HOLIDAYS = IT_HOLIDAYS
  EXCEPTIONS
    FACTORY_CALENDAR_NOT_FOUND = 1
    HOLIDAY_CALENDAR_NOT_FOUND = 2
    DATE_HAS_INVALID_FORMAT = 3
    DATE_INCONSISTENCY = 4
    OTHERS = 5.
DESCRIBE TABLE IT_HOLIDAYS LINES CNT.
X_DATE = T_DATE - P_DATE - CNT.
RESULT = X_DATE.
Please help
Regards
Zabina
Edited by: Syed786 on Nov 2, 2011 9:15 AM
Hi Zabina,
Try this function module 'DURATION_DETERMINE'.
Give the factory calendar and unit as DAY
With regards,
Rajesh -
Using a FireWire cable between two Macs and the Migration Assistance feature, will all my apps, bookmarks, contacts and files be transferred?
See Pondini's Setup New Mac guide
-
How to find particular date lies in between two given dates
Hi,
I have a problem. I have to find if a particular day lies in between two given dates.
For example, the two dates are joindate and expirydate.
1. joindate is 1/03/2007
expdate is 1/03/2008
Now I have to find if 29 Feb is in between this joindate and expirydate.
If anyone has any idea please reply ASAP.
Thanks.
The Date class has a before() and after() method you can use to compare Date objects.