Voip with hipath siemens 3800 and cisco router 2951

Similar Messages

• Mavericks VPN dropouts with native VPN client and Cisco IPSec

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• IPSec ikev2 between ASA and Cisco Router

  Hi,
  i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
  - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
  - Authentication with Certificats
  - integrity sha2
  I try a lot of configurations without success.
  Thanks for your help.
  Mic

  The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 28800
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 43200
  The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
  There are two (three) better options:
  Best option with very little needed configuration:
  Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  Best option with a little stronger crypto but more configuration:
  Move to AnyConnect with IPsec/IKEv2. 
  Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
  For option 1) and 2) there is an extra license needed, but thats not very expensive.

• Vlans and cisco router

  I have a netgear managed switch and a cisco 1750 router. I would like to set up 2 vlans. the first one is a wan, with a residential cable model connected to it. the other vlan is for my private lan. I will then have the cisco router connected to one port on the switch set up as a trunk. I'm no pro, but from what I've read so far, it should work that way, right? the part I need help with is setting up the cisco router as a gateway and dns proxy, accepting the dynamic ip, gateway, and dns addresses from the cable modem.
  I did see this http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcef50
  router in a stick *write that down* so my setup should work if I can figure out the router configuration. a good online tutorial or something would be helpful for this. I have plenty of cisco books, but maybe something for dummies would help me get started, before digging into the tough stuff.

  In order to set up inter vlan routing or a "router on a stick" with a netgear switch you will need a router that supports IEEE 802.1q VLAN Support.
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#28767
  On the router interface that is "trunked" to the switch you will need to have a configuration that looks like the what I have below.
  Router(config)#interface FastEthernet0/1.1
  Router(config-subif)#encapsulation dot1Q 1 native
  Router(config-subif)#ip address 10.xx.xx.16 255.255.255.xxx
  Router(config-subif)#interface FastEthernet0/1.2
  Router(config-subif)#encapsulation dot1Q 2
  Router(config-subif)#ip address 10.xx.xx.130 255.255.255.xxx
  The sub-interface 1."2" corresponds to the vlan id on the trunk. In this case the .2 is vlan 2.
  I have attahced a link that exlains the intricate details on inter vlan routing below:
  http://www.cisco.com/warp/public/473/50.shtml
  Lastly you may want to check the Cisco IOS feature Navigator. I was looking at it and I did not see that the 1750 has IEEE 802.1q VLAN Support. It looks like the 1751 is the first platform in the 1700 series that does.

• Administration of ASA5520 and cisco router mpls 1900

  Hi
  i just want to administor cisco
  ASA5520 and cisco router mpls 1900
  can some tell me as admin what to check as u get into office /reguraly in cisco asa 5520 and vpn mpls router for administrator ,right now its working as configured by supplier for remote sites to connect HQ and access several server
  My interest to know what are the basic day to day checkup on cisco asa5520 working as ips and cisco asa 5520 working as content filtering and cisco vpn mpls
  thx ,attached pic for ur view
  J

  Hello Malai,
  This question is subjective, I mean you can check the statistics on the CSC module for logs of the users going to blacklisted sites.
  You can check the CPU for the ASA's and IPS.
  You can monitor the amount of traffic traversing the interfaces of the ASA, you can determine witch host is using most of the bandwith,etc.
  Its pretty basic administration stuff
  Regards,
  Julio
  Rate all the helpful posts

• IEEE 802.11k roaming with client and cisco router

  I found information that Cisco supports IEEE802.11k WLAN standard with their routers.
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_010.html
  If read this article I think for assisted roaming I only need neigbor reports but IEEE 802.11k standard also defines several reports like channel load report etc.
  Do I need these other reports also for roaming decisions if my device is a client?

  The reason why you can't remote desktop is because you have configured the following static PAT statement that unfortunately take precedence over your NAT exemption:
  ip nat inside source static tcp 10.10.1.2 3389 192.198.46.14 3389 extendable
  Do you require RDP with the public IP? if you don't and only require RDP via VPN, then please take the static PAT statement out, and RDP via VPN will work.

• Not able to telnet or ssh to outside interface of ASA and Cisco Router

  Dear All
  Please help me with following question, I have set up testing lab, but still not work.
  it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
  Hub -- Juniper SRX
  Spoke One - Cisco ASA with version 9.1(5)
  spoke two - Cisco router with version 12.3
  site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
  Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
  Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
  When I tested it, of cause site to site vpn still up and running.
  Thanks
  YK

  Hello YK,
  On this case on the ASA, you should have the following:
  CConfiguring Management Access Over a VPN Tunnel
  If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
  To specify an interface as a mangement-only interface, enter the following command:
  hostname(config)# management access management_interface
  where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
  You can define only one management-access interface
  Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
    SSH
  - ssh 0 0 outside
  - aaa authentication ssh console LOCAL
  - Make sure you have a default RSA key, or create a new one either ways, with this command:
      *crypto key generate rsa modulus 2048
  Telnet
  - telnet 0 0 outside
  - aaa authentication telnet console LOCAL
  Afterwards, if this works you can define the subnets that should be permitted.
  On the router:
  !--- Step 1: Configure the hostname if you have not previously done so.
  hostname Router
  !--- aaa new-model causes the local username and password on the router
  !--- to be used in the absence of other AAA statements.
  aaa new-model
  username cisco password 0 cisco
  !--- Step 2: Configure the router's DNS domain.
  ip domain-name yourdomain.com
  !--- Step 3: Generate an SSH key to be used with SSH.
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 3
  !--- Step 4: By default the vtys' transport is Telnet. In this case, 
  !--- Telnet and SSH is supported with transport input all
  line vty 0 4
  transport input All
  *!--- Instead of aaa new-model, the login local command may be used.
  no aaa new-model
  line vty 0 4
    login local
  Let me know how it works out!
  Please don't forget to Rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• Time Capsule and Cisco router

  Will Time Capsule work with a Cisco Router E4200 that is connected to a Worldbook NAS?
  I do not need it to serve as a router, only a sytematic backup solution fro all of our Macs in the network.  We use the NAS as a company client File store and share internally to our staff.

  The TC can be bridged and plonked into the network with no problems.
  Decide how you will treat wireless.. you can handle it several different ways.. but completely off might be best. Or if you are buying a new AC model, then turn off the wireless in the E4200 and see if the TC works better.
  Or if you have some ethernet cabling.. place the TC in wireless dark area and set it up in roaming profile.
  That means you set the same SSID=Wireless name. Same Security WPA2 AES = WPA2 Personal. Same password. But lock channels on both devices.. make sure each is as far apart as possible.. so for example for 2.4ghz wireless set one to channel 1 and the other to channel 11. For 5ghz similarly set them sufficiently far apart that there can be no overlap.

• Connecting 2 routers: T1 Router and Cisco Router

  Hi, thanks for reading this.
  My company has a T1 line that goes into the provider's Netopia router. I'd like to connect that router to our Cisco 1811 router to take advantage of the firewall, DHCP, VLAN, and NAT features. So, this is what I'm trying to do:
  Internet -- T1 Router -- Cisco 1811 -- Servers and Workstations
  The Netopia router is a T1 router with 1 WAN port and 8 built-in Ethernet ports. The Cisco 1811 has 2 WAN FE ports and 8 Managed Switch ports.
  First of all, I'd like to ask if this is even possible to do. If it is, please tell me how to physically connect the routers (what port to what port, and what kind of cable).
  Thank you.

  I don't know the Netopia routers but what you want to do should be possible. On the physical level you have to connect one of the Netopia ethernet ports to one of the WAN FE ports, probably using an ethernet cross-over cable.
  Now comes the fun part: configuration.

• Site-Site VPN PIX501 and CISCO Router

  Hello Experts,
  I'm having a test lab at home, I configure a site-to-site vpn using Cisco PIX501 and CISCO2691 router, for the configurations i just some links on the internet because my background on VPN configuration is not too well, for the routers configuration i follow this link:
  www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
  and for the pIX configuration I just use the VPN wizard of pix. Done all the confgurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (Troubleshooting).
  Attached here is my router's configuration, topology as well as the pix configuration. Hope you can help me w/ this. Thanks in advance.

  YES! IT FINALLY WORKS NOW! Here's the updated running-config
  : Saved
  PIX Version 7.2(2)
  hostname PIX
  domain-name aida.com
  enable password 2KFQnbNIdI.2KYOU encrypted
  names
  name 172.21.1.0 network2 description n2
  interface Ethernet0
  speed 100
  duplex full
  nameif OUTSIDE
  security-level 0
  ip address 1.1.1.1 255.255.255.252
  interface Ethernet1
  nameif INSIDE
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet4
  shutdown
  no nameif
  no security-level
  no ip address
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  dns server-group DefaultDNS
  domain-name aida.com
  access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
  access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
  pager lines 24
  mtu OUTSIDE 1500
  mtu INSIDE 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image flash:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (OUTSIDE) 1 interface
  nat (INSIDE) 0 access-list nonat
  nat (INSIDE) 1 192.168.1.0 255.255.255.0
  route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  username mark password MwHKvxGV7kdXuSQG encrypted
  http server enable
  http 192.168.1.3 255.255.255.255 INSIDE
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
  crypto map MYMAP 10 set peer 2.2.2.2
  crypto map MYMAP 10 set transform-set MYSET
  crypto map MYMAP interface OUTSIDE
  crypto isakmp enable OUTSIDE
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
  pre-shared-key *
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  prompt hostname context
  Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
  : end
  ROUTER:
  R9#sh run
  Building configuration...
  Current configuration : 3313 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R9
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login default local
  aaa authorization config-commands
  aaa authorization exec default local
  aaa session-id common
  resource policy
  memory-size iomem 5
  ip cef
  no ip domain lookup
  ip domain name aida.com
  ip ssh version 2
  crypto pki trustpoint TP-self-signed-998521732
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-998521732
  revocation-check none
  rsakeypair TP-self-signed-998521732
  crypto pki certificate chain TP-self-signed-998521732
  A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
    A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
    9EE305FF 63
    quit
  username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key cisco address 1.1.1.1 255.255.255.252
  crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
  crypto map MYMAP 10 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set MYSET
  match address TO_ENCRYPT_TRAFFIC
  interface FastEthernet0/0
  ip address 2.2.2.2 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map MYMAP
  interface FastEthernet0/1
  ip address 172.21.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 2.2.2.1
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list NAT_IP interface FastEthernet0/0 overload
  ip access-list extended NAT_IP
  deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 172.21.1.0 0.0.0.255 any
  ip access-list extended TO_ENCRYPT_TRAFFIC
  permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  line aux 0
  line vty 0 4
  transport input ssh
  end

• Time Capsule with Dt. Telekom Entertain and Speedport Router

  Hi
  I have read quite a number of posts in various internet sources that using Apple Time Capsule with VDSL requires a specific setup, and possibly also additional hardware able to translate the VDSL specific channels in order to be able to use Dt Telekom Entertain (VOD and TV streaming).
  My current setup is as follows (I have not tried any possible connections with the Time Capsule and the macbook pro as of yet, as I want to avoid frustration and spending lengthy time in sorting out options by trial and error):
  Internet Provider: Dt. Telekom
  Package: Entertain Premium IP with VDSL 50 and VOIP telephony
  Router: Speedport W722V
  Media Receiver: Entertain MR303
  Currently the router is directly connecting (cable) to the landline (fibre) via a splitter
  The MR303 is cable-connected (LAN/Ethernet), and I plan to maintain this cable connection, so no need for wifi'ing this connection
  A variety of device is wirelessly connected to the router, such as game console, two iphones, two ipads, a TV, two windows laptops (which are soon to be thrown out, as we are swithcing from PC to macbook)
  Thus far all good, my question(s):
  Can anyone advise on the best possible options to setup my new TimeCapsule (latest model) as router, thus degrading the speedport router to a mere modem, and with best possible I am particularly interested in:
  * Entertain (VOD and streaming) to work as smoothly as today (ie. no streaming lapses, outages etc)
  * VOIP to still run as smoothly as today
  * leveraging the benefit of WLAN speed and capability of the Time Capsule for all wirelessly connected devices
  cheers
  Joe

  is this easy enough to do - ie. a find- and clickable option upon setup?
  As regards roaming - where would I need to configure this? as far as I am aware I have not seen this option in my speedport, nor the network connections on my PC type notebooks.
  Bridge is best done manually.. if you use the v6 utility it has ability to automatically setup what it thinks is the best configuration but in reality is often not.. ie it will tend to not use bridge. So you simply click edit in the airport utility and go to the network tab. Bridge is a single option.
  Once configured in bridge the TC will do all the necessary changes. eg WAN port is transferred to LAN.. to make it as effective as possible in that mode. You set the wireless tab to still create a wireless network.
  Roaming is purely a setup which you do yourself.
  See the doco. http://support.apple.com/kb/HT4260
  It doesn't matter that you are not using two Apple routers.
  It is simple setup... trivial even.
  Set the wireless name in the TC to the same as the existing router's SSID
  Set the security to the same level.. that should always be WPA2 AES now which apple calls WPA2 Personal.
  Same password.
  It is good but not required to separate the two devices by a couple of meters. Even using the TC in another room connected back by ethernet would be excellent.. but not at all required. Both devices having wireless for 2.4ghz set to auto is not the best.. I would manually set at least one..
  The AC works only on 5ghz and is not going to be affected by the speedport at all.
  Why do you want the TC as router??
  Soimply put: Because I understood it could act as one? And it promised at first sight to provide a more powerful WLAN connectivity as opposed to my current speedport, which runs n standard but not ac standard
  thx
  The WLAN power is unaffected by using the TC in bridge or router mode.
  You have multiple options.. as mentioned .. roaming is only one.. you can simply turn the wireless off on the speedport. Wireless is still active on the TC in bridge mode.
  BUT you do lose one function.. that is guest wireless.. when you bridge the TC. If you would like to still have a guest wireless you can do that by using the speedport wireless with a different name to the TC.. ie you have exactly the same setup as guest wireless.. only instead of using a single wireless router you have two which is far superior.
  Anything that doesn't make sense.. it is probably easier to figure out after Christmas and you can play with the real world device.. post again if you have issues and we are happy to offer solutions.
  Merry Christmas.

• Help with Remote access VPN on Cisco router 3925 via Dialer Interface

  Hi Everybody,
  I need help for my work now, I appreciate if someone can fix my problem.I have a Cisco router 3925 and access Internet via PPPoE link.  I want config VPN Remote Access and using software Cisco VPN client. But it doesn't  work.. Here my config router :
  HUNRE#show running-config
  Building configuration...
  Current configuration : 5515 bytes
  ! No configuration change since last restart
  version 15.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname HUNRE
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
  enable password cisco
  aaa new-model
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1050416327
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1050416327
   revocation-check none
   rsakeypair TP-self-signed-1050416327
  crypto pki certificate chain TP-self-signed-1050416327
   certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31303530 34313633 3237301E 170D3134 30393235 31313534
    31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30353034
    31363332 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100CC79 74FCFABE 81183B70 5A9F4A53 EB609754 7D5F8587 9150B76E 3207A86E
    5B65F9E9 6CDAC21A 6D69221D 1FF61632 14763308 43B2A1CC 8EE5ABAC EF07530E
    3F0D35FE F08C955B 60B52B92 F8F54D53 DD6DD623 01F83493 02F9C49A F0C3483D
    3B48A008 8D96700E 88924BFE DE00201B DE5965DE 32898CAD 9012AB55 76B6F39B
    2D470203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14C3418C BC35F3D9 B26B2475 2BB5F826 060525AB B3301D06
    03551D0E 04160414 C3418CBC 35F3D9B2 6B24752B B5F82606 0525ABB3 300D0609
    2A864886 F70D0101 05050003 81810070 AC7C26C6 4606A551 1A3FD6C5 2A5AEAE8
    35DAC86E F8885E26 51F6EEAE 7565D3AA D532C8F3 55F6656F D103F38C 8FBDE7F1
    83E77143 76469040 7FEA41E8 14963DB3 F7F28EA0 C5F2F42C B186B75C AAB04900
    15F9CB38 A16964F5 4E7B4378 35041AA8 AE8EC181 D58D6A62 676E286A 7B9D80E6
    35A0B9FB FB76E976 3D2A19D7 006078
          quit
  ip name-server 210.245.1.253
  ip name-server 210.245.1.254
  ip cef    
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group 1
  vpdn-group 2
  license udi pid C3900-SPE100/K9 sn FOC1823839B
  license boot module c3900 technology-package securityk9
  username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
  username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
  redundancy
  track 1 ip sla 1 reachability
  track 2 ip sla 2 reachability
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp client configuration group VPN-HUNRE
   key hunre
   dns 8.8.8.8
   domain hunre
   pool IP-VPN
   acl 199
   max-users 100
  crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
   mode tunnel
  crypto dynamic-map DYNMAP 1
   set transform-set encrypt-method-1
  crypto map VPN client configuration address respond
  crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   ip address 192.168.1.1 255.255.255.0
   ip mtu 1492
   ip nat inside
   ip virtual-reassembly in
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   description FPT
   no ip address
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 1
  interface GigabitEthernet0/2
   description Connect to CMC
   no ip address
   ip mtu 1442
   ip nat outside
   ip virtual-reassembly in
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 2
   no cdp enable
  interface Dialer1
   ip address negotiated
   ip mtu 1452
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname [USERNAME]
   ppp chap password 0 [PASSWORD]
   ppp pap sent-username [USERNAME] password 0 [PASSWORD]
   ppp ipcp dns request
   crypto map VPN
  interface Dialer2
   description Logical ADSL Interface 2
   ip address negotiated
   ip mtu 1442
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1344
   dialer pool 2
   dialer-group 2
   ppp authentication chap pap callin
   ppp chap hostname [USERNAME]
   ppp chap password 0 [PASSWORD]
   ppp pap sent-username [USERNAME] password 0 [PASSWORD]
   ppp ipcp address accept
   no cdp enable
  ip local pool IP-VPN 10.252.252.2 10.252.252.245
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 10 interface Dialer1 overload
  ip nat inside source list 11 interface Dialer2 overload
  ip nat inside source static 10.159.217.10 interface Dialer1
  ip nat inside source list 199 interface Dialer1 overload
  ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
  ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.159.217.0 255.255.255.0 192.168.1.8
  ip sla auto discovery
  ip sla responder
  dialer-list 1 protocol ip permit
  dialer-list 2 protocol ip permit
  access-list 10 permit any
  access-list 11 permit any
  access-list 101 permit icmp any any
  access-list 199 permit ip any any
  control-plane
  line con 0
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
   stopbits 1
  line vty 0 4
   password cisco
   transport input all
  line vty 5 15
   password cisco
   transport input all
  scheduler allocate 20000 1000
  ntp master
  end
  However, I cannot ping interfac Dialer 1. I using Cisco vpn client software ver 5.0.07.0290.
  Hopeful for your answers !
  Thanks

  Hi David Castro,
  Thanks for your answer,
  I configed following your guide, but it have not worked yet. I saw that I cannot ping IP gateway Internet . I using ADSL Internet and config PPPoE  and my router receive IP from ISP. Here show ip int brief :
  GigabitEthernet0/0         192.168.1.1     YES NVRAM  up                    up      
  GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
  GigabitEthernet0/2         unassigned      YES NVRAM  up                    up      
  Dialer1                    210.245.54.49   YES IPCP   up                    up      
  Dialer2                    101.99.7.73     YES IPCP   up                    up      
  NVI0                       192.168.1.1     YES unset  up                    up      
  Virtual-Access1            unassigned      YES unset  up                    up      
  Virtual-Access2            unassigned      YES unset  up                    up      
  Virtual-Access3            unassigned      YES unset  up                    up 
  But I cannot ping Interface Dialer 1, so may be VPN is does not worked. Do you have some ideal ?
  Thanks very much !

• OS X 10.6.8 and Cisco Router WRT110

  Just upgraded my Macbook Pro to OS X 10.6.8 and am having to reboot my Cisco router continuously to maintain internet connectivity.  Is it the 2 year old router?

  Make sure your firmware is updated for the router.

• Cisco IP 7960 and Cisco Router 2611....

  Greetings,
  I currently have 2 IP phones and a 2611 series router running 2600-ik902s2-mz.122-15.t5 IOS... Can anyone point me in the right direction on where/or how to start building a mini voice network? Any links, tutorials, info, advice would be greatly appreciated.
  Thanks,
  Gabe

  Hi
  The best thing to setup a mini voip network would be to use the ITS solution where your IP phones will register directly with the 2611 router. The 2611 would act as a mini call manager where these ip phones talk to the router through skinny protocol and your outgoing calls can still go out through your FXO or digital port to the PSTN.
  I would suggest to review the following doc. It is fairly complete.
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_book09186a008017fd13.html
  If you dont have voice mail, you dont have to worry about that. The above URL is for ITS version 2.1. If you want to run the lates ITS version (3.0) you would need 12.2.15ZJ1 IOS on the router and the information can be found at:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide_book09186a00801812e4.html
  Hope that helps.