Cisco

Cisco 4G LTE Setup – EE UK Configuration


This was set up using a Cisco 1911 Router and the 4G card (EHWIC-4G-LTE-G).

The EHWIC-4G-LTE-G actually turns up with the antennas and the extended antenna cables, which I am surprised at as normally Cisco charge extra.

In this particular example the SIM card was for the EE network in the UK (Orange, T-Mobile, EE).

One thing to note: you cannot bridge the cellular interface, so if anyone is thinking of handing this off to an ASA or similar firewall you will need to double NAT. If anyone has found a way please do email or drop me a comment.

Below is just the selected bits of the config to get the connection working:

chat-script lte "" "AT!CALL1" TIMEOUT 30 "OK"

controller Cellular 0/0

interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive

interface Dialer1
no ip address

ip nat inside source list 101 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0

access-list 101 permit ip 172.16.32.0 0.0.0.255 any
dialer-list 1 protocol ip permit

line 0/0/0
script dialer lte
modem InOut
no exec
rxspeed 100000000
txspeed 50000000


Cisco IOS Transparent Bridged Mode Inspection/ACL


Recently I needed to install a small Cisco 2811 router in front of my Lync 2013 setup, as the Mediation/Front End server didn't like the 1:1 NAT and the Cisco IOS would cause either one-way audio or no call connection, so I decided on this route.

I have a layer 2 switch which has the internet feed, the main firewall feed and a feed going to port F0/0 on the 2811.

I am basically going to create a bridge between F0/0 and F0/1 and enable inspection and some access-lists in order to protect the SIP trunk.

Create the Bridge Group:
Router(config)# bridge 1 irb
Router(config)# bridge 1 protocol ieee

Assign Interfaces to Bridge Group:
Router(config)# interface f0/0
Router(config-if)# bridge-group 1

Router(config)# interface f0/1
Router(config-if)# bridge-group 1

You can create the Bridge Virtual Interface, but I haven't:

Router(config)# interface bvi 1
Router(config-if)# ip address 10.20.0.200 255.255.255.0
Router(config-if)# no shut

Router(config)# sh bridge group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

Port 2 (FastEthernet0/0) of bridge group 1 is forwarding
Port 3 (FastEthernet0/1) of bridge group 1 is forwarding

Inspection Configuration

Router(config)#  ip inspect name LYNC-IN tcp
Router(config)#  ip inspect name LYNC-IN udp
Router(config)#  ip inspect name LYNC-IN icmp

Create the ACL (permit ip any any is just for show; put in what you need):

Router(config)# ip access-list extended LYNC-IN
Router(config-ext-nacl)# permit ip any any

My first draft ACL was like this, where X.X.X.X is my SIP provider and I wanted to block 5060 tcp/udp from everywhere else:

Extended IP access list LYNC-IN
10 permit tcp host X.X.X.X any eq 5060 (179 matches)
20 permit udp host X.X.X.X any range 20000 60000 (8438 matches)
180 deny tcp any any eq 5060
181 deny udp any any eq 5060 (26 matches)
200 permit ip any any (475520 matches)

Now Apply to the Interface: (F0/0 is my external Interface)

interface FastEthernet0/0
description **INTERNET FACING – PUBLIC IP**
no ip address
ip access-group LYNC-IN in
ip inspect LYNC-IN in
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

interface FastEthernet0/1
description **WIZLYNC13 – Server**
no ip address
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

I have used this example specifically to secure a Lync 2013 Mediation server, but a transparent IOS firewall can be used for many purposes.


Cisco CME/CUCME SIP Trunk Configuration Guide/Setup


This is a quick post on how to configure a SIP trunk in CME as I have had a few emails now requesting it.

SIP trunk configuration is very simple as you only need to find a SIP provider; in this example I use a company called OrbTalk (I am based in the UK).

All the configuration is done in SIP-UA under global configuration mode:

sip-ua
credentials username USERNAME password 0 PASSWORD realm orbtalk
authentication username USERNAME password 0 PASSWORD
no remote-party-id
retry invite 2
retry register 10
retry options 1
timers connect 100
registrar dns:sipgw3.orbtalk.co.uk expires 1800
sip-server dns:sipgw3.orbtalk.co.uk
host-registrar

You can check the SIP registration status with show sip-ua register status, which should show the following:

Cisco2901#show sip-ua register status
Line                             peer       expires(sec) registered P-Associ-URI
================================ ========== ============ ========== ============
USERNAME                         -1         38           yes
Cisco2901#

What you are looking for is registered = yes.

Although I have an expires of 1800 seconds, Orbtalk have 60 seconds, so we always go by the shortest time.

You then need a dial-peer, voice translation-rules and profile and you can start getting calls sent to the SIP provider.


Internal / External Call Forwarding Cisco CCME/CME Call Manager Express SIP Trunk


I have a client who has a Cisco 2921 router running CCME, and the simplest task would not work, which is to call forward to a mobile phone.

When I say internal and external what I mean is the following two scenarios:

External:

0207 888 8888 dials 0203 555 1007 this call forwards to 07540111222

We got this working by adding "calling-number local secondary" to the telephony-service.

But then internal call forwards would not work. Example:

Internal extension 1010 dials 1007 and this call forwards to 07540111222 (we would just get a busy tone).

The problem was the SIP trunk provider was getting the SIP header information incorrect so I called Cisco TAC and this is the solution they came up with:

Create a new SIP Call Profile:

voice class sip-profiles 7
request INVITE sip-header Diversion copy ".*<sip:(.*)@.*" u01
request INVITE sip-header From copy ".*<sip:(.*)@.*" u02
request INVITE sip-header From modify "(.*)<sip:1…@(.*)" "\1<sip:44203555\u01@\2"
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"
request INVITE sip-header From modify "(.*)<sip:@(.*)" "\1<sip:\u02@\2"

New voice translation rules and profiles created like below:

voice translation-rule 20
rule 1 /\(^10..\)/ /44203555\1/

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 20
translate called 3

On the Dial-peer for outgoing calls reference this voice class:

dial-peer voice 3 voip
description **Outgoing Calls to Any Number **
translation-profile outgoing SIPPrefix
destination-pattern 9T
session protocol sipv2
session target sip-server
incoming called-number .
voice-class sip profiles 7
dtmf-relay rtp-nte
codec g711ulaw
no vad

I don’t yet fully understand the logic for the above as I have never written anything like this but as far as I can tell u01 and u02 are used for storing variables.

The logic behind this is that the call-forwarding number has to start with 0 and can be any number of digits (look at the line below):
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"

The last line is for normal outgoing calls to allow anything as normal.

Once I research into this some more I'll write up a deeper explanation.
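As an added illustration (not part of the original post or Cisco's code), the following Python emulates how the sip-profiles rules above rewrite the From header of an outgoing INVITE: the two copy rules fill u01 and u02, then the three modify rules run in order on the current header value. The sample headers are constructed, the page's "1…" is read as the regex "1...", and a variable that no copy rule populated is assumed to expand to an empty string.

```python
import re

# The copy/modify rules from "voice class sip-profiles 7" on the page, kept in order.
# Assumption: the page's "1…" is the regex "1..." (a 4-digit user starting with 1).
COPY_RULES = [
    ("Diversion", r".*<sip:(.*)@.*", "u01"),   # forwarding extension -> u01
    ("From",      r".*<sip:(.*)@.*", "u02"),   # original From user   -> u02
]
MODIFY_RULES = [
    (r"(.*)<sip:1...@(.*)", r"\1<sip:44203555\u01@\2"),  # 4-digit ext -> DDI of forwarder
    (r"(.*)<sip:0.*@(.*)",  r"\1<sip:\u01@\2"),          # user starting 0 -> forwarder
    (r"(.*)<sip:@(.*)",     r"\1<sip:\u02@\2"),          # empty user -> original From
]


def rewrite_from(headers):
    """Return the From header as the profile would send it to the SIP provider.

    headers maps header name -> value for the outgoing INVITE.
    Assumption: a variable that no copy rule populated expands to "".
    """
    variables = {"u01": "", "u02": ""}
    for name, pattern, var in COPY_RULES:
        match = re.search(pattern, headers.get(name, ""))
        if match:
            variables[var] = match.group(1)

    value = headers["From"]
    for pattern, template in MODIFY_RULES:
        # Expand \u01 / \u02 before re.sub so only the \1 / \2 backreferences remain.
        repl = template.replace(r"\u01", variables["u01"]).replace(r"\u02", variables["u02"])
        value = re.sub(pattern, repl, value, count=1)
    return value


# Constructed sample INVITE headers (not captured from the author's system).
FORWARDED_INTERNAL = {
    "From": '"1010" <sip:1010@192.168.1.1>;tag=1a2b',
    "Diversion": "<sip:1007@192.168.1.1>;reason=unconditional",
}
NORMAL_OUTBOUND = {
    "From": "<sip:02078888888@192.168.1.1>;tag=3c4d",   # no Diversion header
}

if __name__ == "__main__":
    print(rewrite_from(FORWARDED_INTERNAL))  # From user becomes 442035551007
    print(rewrite_from(NORMAL_OUTBOUND))     # rule 2 blanks the user, rule 3 restores it
```

With no Diversion header the second modify rule empties the user part and the third puts the original back from u02, which is why the author's "last line" leaves normal outgoing calls untouched.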


Cisco Router – Slow / Dropping Internet Downloads


Recently I had a problem with a Cisco router failover pair causing me some grief: when you downloaded a large file it was just cutting out or stopping. I tried a few attempts and even tried downloading through our own firewall, and the download worked fine, so I knew there was no problem at the remote end (Microsoft).

I was trying to download SQL 2012 Express at the time and this kept happening:


The first thing I did was open an SSH session to the router and enable terminal monitor:

Log in and type:

Once that was done I noticed quite a few errors like this appear:

%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out-of-order; expected seq:3558888055. Reason: TCP reassembly queue overflow - session 10.0.X.X:52435 to XX.XX.XX.XX:231424

I added this command to global config mode:

All the command above does is increase the size of the TCP reassembly queue, which has solved this problem.

Downloads are now working perfectly!


Cisco Router NAT Internal Traffic over VPN


Recently I had a request where I needed to set up an IPsec VPN tunnel (no problem) but NAT the internal traffic to a new range to go over the tunnel, without it interfering with the normal NAT translation going out to the internet.

Bit of background information:

MPLS Network with over 100+ sites
Each site has a 192.168.X.X range (e.g. 192.168.22.X and 192.168.44.X)
Centralized HSRP Failover Cisco Firewalls on a 10.20.X.X range

Each site has a server on the .200 address so 192.168.22.200 and 192.168.44.200.

These servers needed to be NAT’d to a 10.60.0.X range to go over the VPN to 10.29.13.X/24

To keep things fairly tidy I kept the NAT translations in a pattern, for example:

192.168.22.200 would become 10.60.0.22
192.168.44.200 would become 10.60.0.44

I created the tunnel and tested it using a loopback adapter on the routers with a 10.29.13.x address just to confirm the IPSEC tunnel is working successfully.

We have a range of 64 public addresses, and all the stores' IPs had a NAT translation to one of them for easy management.

192.168.0.0 0.0.255.255 mapped to -> 2.2.2.60 for example

NAT Translation for store to global IP:

ip nat pool SNAT-STORES 2.2.2.60 2.2.2.60 netmask 255.255.255.192

ip nat inside source route-map SNAT-STORES pool SNAT-STORES mapping-id 101 overload

NOTE: mapping-id is for stateful NAT on the HSRP router pair :)

Access-lists:

IP access list extended PBRNAT
permit ip 192.168.0.0 0.0.255.255 10.29.13.0 0.0.0.255

Access list PBRNAT just specifies when the NAT translation should happen, which is when any of the 192.168.0.0 addresses try to access the other side of the VPN (10.29.13.0/24). Note you need to use the original un-NAT'd address in order to get the match.

IP access list extended SNAT-STORES
5 deny ip 192.168.0.0 0.0.255.255 10.29.13.0 0.0.0.255
10 permit ip 192.168.25.0 0.0.0.255 any 
20 permit ip 192.168.104.0 0.0.0.255 any
30 permit ip 192.168.107.0 0.0.0.255 any
40 permit ip 192.168.101.0 0.0.0.255 any
50 permit ip 192.168.105.0 0.0.0.255 any

Notice the deny statement under SNAT-STORES, which is important as you need to set the criteria for when you want the NAT translation to be true. You do not want the global NAT translation to happen when trying to access the other side of the VPN (10.29.13.0/24).

Route maps need to be created as they are used in the NAT translation rule and map to the access-lists.

route-map PBRNAT permit 10
match ip address PBRNAT

route-map SNAT-STORES permit 10
match ip address SNAT-STORES

A few of the NAT translations:

ip nat inside source static 192.168.112.200 10.60.0.112 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.114.200 10.60.0.114 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.115.200 10.60.0.115 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.116.200 10.60.0.116 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.117.200 10.60.0.117 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.118.200 10.60.0.118 route-map PBRNAT redundancy HSRP-Internal

The interesting traffic for the VPN would be:

permit ip 10.60.0.0 0.0.0.255 10.29.13.0 0.0.0.255

10.60.0.0 = Local Side (NAT’d addresses)
10.29.13.0 = Remote VPN Side
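To show why that deny entry matters, here is an added Python model (not the page's or Cisco's code) of the first-match ACL and route-map evaluation above, using the page's ACL entries and the 192.168.X.200 -> 10.60.0.X statics. It assumes the static route-map entry is checked before the dynamic overload rule; the host 192.168.25.10 and the internet destination 203.0.113.10 are constructed.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


ANY = ("0.0.0.0", "255.255.255.255")
# Extended ACLs from the page as (action, src, src_wildcard, dst, dst_wildcard).
PBRNAT = [("permit", "192.168.0.0", "0.0.255.255", "10.29.13.0", "0.0.0.255")]
SNAT_STORES = [
    ("deny",   "192.168.0.0",   "0.0.255.255", "10.29.13.0", "0.0.0.255"),
    ("permit", "192.168.25.0",  "0.0.0.255", *ANY),
    ("permit", "192.168.104.0", "0.0.0.255", *ANY),
    ("permit", "192.168.107.0", "0.0.0.255", *ANY),
    ("permit", "192.168.101.0", "0.0.0.255", *ANY),
    ("permit", "192.168.105.0", "0.0.0.255", *ANY),
]


def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


# Static route-map NAT entries from the page: 192.168.X.200 -> 10.60.0.X.
STATIC_PBRNAT = {f"192.168.{x}.200": f"10.60.0.{x}" for x in (22, 44, 112, 114, 115, 116, 117, 118)}
SNAT_POOL = "2.2.2.60"   # pool SNAT-STORES (single address, overload)


def nat_source(src, dst, snat_acl=SNAT_STORES):
    """Inside-global address a packet src->dst leaves with, or None if untranslated.

    Assumption: the static route-map entry is evaluated before the dynamic overload rule.
    """
    if src in STATIC_PBRNAT and acl_permits(PBRNAT, src, dst):
        return STATIC_PBRNAT[src]
    if acl_permits(snat_acl, src, dst):
        return SNAT_POOL
    return None


if __name__ == "__main__":
    print(nat_source("192.168.22.200", "10.29.13.21"))   # 10.60.0.22, over the VPN
    print(nat_source("192.168.25.10", "203.0.113.10"))   # 2.2.2.60, to the internet
    print(nat_source("192.168.25.10", "10.29.13.21"))    # None: the deny stops the overload
    print(nat_source("192.168.25.10", "10.29.13.21", SNAT_STORES[1:]))  # 2.2.2.60 without the deny
```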

Just to show it working I pinged 10.29.13.21 from 192.168.22.200

Primary Cisco Router showing the correct NAT Statement:


Sorry if this appears to be a bit rushed I am off on holiday tomorrow and wanted to get done before I go while its still fresh :)


Cisco CME Call Transfer Issue – SIP Trunk


I have a client with a Cisco 2921 router running the latest version of CME, 9.1 (currently).

I had a weird issue with call transfer, and the call flow would go like this:

Ext 1001 would dial an external number 0800111222 and then transfer the call to Ext 1002.

The call then dropped and disconnected after a few seconds.

An incoming call received by Ext 1001 from 0800 111 222 and then transferred to Ext 1002 works fine.

So incoming calls work but outbound calls don't.

Running "debug ccsip messages" shows an UPDATE message is sent to the SIP provider when the call is transferred, and because this was replied to, it caused the call to drop.

Adding "no update-callerid" to voice service voip under sip resolved the issue (it took days to diagnose and fix this silly issue!)


Cisco IOS – Basic QoS, Traffic Shape and Police


Right, I have used this configuration several times now so I have decided to put it up here so I have quick access to it when I need it :) No point re-writing it every time when I can just copy/paste and tweak:

I started with an access-list for our SIP provider:

Extended IP access list ORBTALK
10 permit ip host 193.104.103.6 any
20 permit ip host 193.104.103.2 any
30 permit ip host 193.104.103.11 any
40 permit ip any host 193.104.103.6
50 permit ip any host 193.104.103.2
60 permit ip any host 193.104.103.1


Class Maps Created:
As you can see below I only created a few categories: WEBTRAFFIC, VOIP, limited traffic (e.g. Facebook, Twitter) and allowing full speed when running a speedtest:

class-map match-any WEBTRAFFIC
description **HTTP/HTTPS TRAFFIC**
match protocol http
match protocol secure-http
class-map match-any VOXHUB-VOIP
description **VOIP Traffic for ORBTALK**
match protocol sip
match protocol rtp audio
match ip dscp ef
match ip dscp cs3
match access-group name ORBTALK
class-map match-any TRAFFIC-LIMIT
description **Traffic Limited to 10Mb**
match protocol http host "*facebook.com*"
match protocol http host "*facebook*"
match protocol http host "*twitter*"
match protocol http host "*instagram*"
class-map match-all group1
match access-group 2
class-map match-any SPEEDTEST
description **Allow Speed Test @ 100Mbps – Use: www.speedtest.bbmax.co.uk**
match protocol http host “*speedtest*”
match access-group name SPEEDTEST


Policy Maps:

policy-map police
class group1
police 2048000 2000 4000
policy-map POLICE
class SPEEDTEST
police rate percent 100
conform-action transmit
exceed-action drop
class VOXHUB-VOIP
police rate percent 10
conform-action transmit
exceed-action drop
class TRAFFIC-LIMIT
police rate percent 10
conform-action transmit
exceed-action drop
class WEBTRAFFIC
police rate percent 50
conform-action transmit
exceed-action drop
class class-default
police rate percent 80
conform-action transmit
exceed-action drop
policy-map SHAPE
class SPEEDTEST
shape average percent 100
class VOXHUB-VOIP
shape average percent 10
class TRAFFIC-LIMIT
shape average percent 10
class WEBTRAFFIC
shape average percent 50
class class-default
shape average percent 80

Under WAN Interface:

interface FastEthernet0/3/0
ip address 31.221.89.2 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed 100
crypto map Wizard
service-policy input POLICE
service-policy output SHAPE
end

Hope this helps and gives you a base to work from.


Cisco Sound/Voice through Handset and Headset


Recently had an issue with Jabra headsets leaking sound through both the Headset and Handset. I believe this was just for outgoing calls but cannot confirm.

I first thought this was a bug and found this: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz35375

It turns out it's the default behaviour of Cisco phones to do this with a headset. To disable it you need to do the following:

Router(config)#telephony-service
Router(config-telephony)#service phone handsetHeadsetMonitor 0
Router(config-telephony)#create cnf-files

Restart the phones for this to work!


Cisco HSRP External/Internal Interface SSO VPN IPSEC Failover Part 2


Static NAT is more straightforward to configure; to do this you need to do the following:

When you do the NAT translation just reference the internal HSRP group, e.g.:

ip nat inside source static tcp 10.0.0.55 3389 77.11.12.10 3855 redundancy HSRP-Internal extendable

Remember to do this on both Routers as they both must Match!

Dynamic NAT is done like the following:

You need to create a stateful ID as you need to link the NAT pool to this ID (again, the same on both routers).

ip nat stateful id 1
redundancy HSRP-Internal
mapping-id 101
protocol udp

Define NAT Pool:

ip nat pool VOIP 77.11.12.62 77.11.12.62 netmask 255.255.255.192

Create the Access-List to define what matches this rule:

Extended IP access list VOIP
10 permit ip 10.5.0.0 0.0.0.255 any (35533 matches)
20 permit ip 10.15.0.0 0.0.0.255 any (5760 matches)

Now the Overload Statement:

ip nat inside source list VOIP pool VOIP mapping-id 101 overload

That's all there is to it!

If you do "show ip nat translations" on the secondary router you will see the NAT translations replicated from the primary!

I have used this on a PWAN project that has over 100 sites; the two main sites have VoIP phones on 10.5.X.X and 10.15.X.X networks, so I NAT'd them straight out using a unique public IP. Less hassle this way, especially where SIP is concerned!

See the image below showing PuTTY sessions open for both routers with exactly the same NAT translations, although only the primary router is active!
