Cisco

Internal / External Call Forwarding Cisco CCME/CME Call Manager Express SIP Trunk


I have a client who has a Cisco 2921 Router running CCME, and the simplest task would not work: call forwarding to a mobile phone.

When I say internal and external what I mean is the following two scenarios:

External:

0207 888 8888 dials 0203 555 1007 and this call forwards to 07540111222

We got this working by adding "calling-number local secondary" to the telephony-service.

But then internal call forwards would not work. Example:

Internal extension 1010 dials 1007 and this call forwards to 07540111222 (we would just get a busy tone)

The problem was that the SIP trunk provider was receiving incorrect SIP header information, so I called Cisco TAC and this is the solution they came up with:

Create a new SIP Call Profile:

voice class sip-profiles 7
request INVITE sip-header Diversion copy ".*<sip:(.*)@.*" u01
request INVITE sip-header From copy ".*<sip:(.*)@.*" u02
request INVITE sip-header From modify "(.*)<sip:1...@(.*)" "\1<sip:44203555\u01@\2"
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"
request INVITE sip-header From modify "(.*)<sip:@(.*)" "\1<sip:\u02@\2"

New voice translation rules and profiles created like below:

voice translation-rule 20
rule 1 /\(^10..\)/ /44203555\1/

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 20
translate called 3

On the Dial-peer for outgoing calls reference this voice class:

dial-peer voice 3 voip
description **Outgoing Calls to Any Number **
translation-profile outgoing SIPPrefix
destination-pattern 9T
session protocol sipv2
session target sip-server
incoming called-number .
voice-class sip profiles 7
dtmf-relay rtp-nte
codec g711ulaw
no vad

I don't yet fully understand the logic of the above as I have never written anything like this, but as far as I can tell u01 and u02 are used for storing variables.

The logic behind this is that the call-forwarding number has to start with 0 and can be any number of digits (look at the line below):
request INVITE sip-header From modify "(.*)<sip:0.*@(.*)" "\1<sip:\u01@\2"

The last line is for normal outgoing calls to allow anything as normal.
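To make the copy/modify semantics concrete, here is an added Python simulation (not from the original post, and not Cisco's code) that applies the five rules of voice class sip-profiles 7 in order to constructed INVITE headers. It assumes rules run top to bottom and that an absent Diversion header leaves u01 empty; the 192.0.2.10 host and the tag values are made up.

```python
import re

# The five rules of "voice class sip-profiles 7" from the post, in order:
# (header, action, regex, variable-name-or-replacement-template)
SIP_PROFILE_7 = [
    ("Diversion", "copy",   r".*<sip:(.*)@.*",     "u01"),
    ("From",      "copy",   r".*<sip:(.*)@.*",     "u02"),
    ("From",      "modify", r"(.*)<sip:1...@(.*)", r"\1<sip:44203555\u01@\2"),
    ("From",      "modify", r"(.*)<sip:0.*@(.*)",  r"\1<sip:\u01@\2"),
    ("From",      "modify", r"(.*)<sip:@(.*)",     r"\1<sip:\u02@\2"),
]


def apply_sip_profile(headers, rules=SIP_PROFILE_7):
    """Apply copy/modify rules top to bottom; return (new_headers, variables).

    Assumption: a copy whose header is absent (or does not match) leaves the
    variable empty, so a later "\\u01" in a template expands to nothing.
    """
    headers = dict(headers)
    variables = {}
    for header, action, pattern, arg in rules:
        value = headers.get(header)
        if action == "copy":
            m = re.match(pattern, value) if value is not None else None
            variables[arg] = m.group(1) if m else ""
            continue
        if value is None:
            continue
        # Expand Cisco-style \u01 / \u02 before re.sub, which only knows \1, \2.
        template = re.sub(r"\\(u\d\d)", lambda v: variables.get(v.group(1), ""), arg)
        headers[header] = re.sub(pattern, template, value, count=1)
    return headers, variables


def rewrite_from(from_hdr, diversion_hdr=None):
    """Return the From header the profile would send for one INVITE."""
    headers = {"From": from_hdr}
    if diversion_hdr is not None:
        headers["Diversion"] = diversion_hdr
    return apply_sip_profile(headers)[0]["From"]


# Constructed headers (192.0.2.10 is a documentation address, not a real trunk).
CASES = {
    # Internal ext 1010 reaches ext 1007, which forwards out: From becomes
    # 44203555 + the Diversion user, i.e. the DDI of the forwarding extension.
    "internal forward": ('"Ext 1010" <sip:1010@192.0.2.10>;tag=7a',
                         "<sip:1007@192.0.2.10>;reason=unconditional"),
    # External caller forwarded out: the From user is replaced by the Diversion user.
    "external forward": ("<sip:02078888888@192.0.2.10>;tag=b2",
                         "<sip:442035551007@192.0.2.10>;reason=unconditional"),
    # Plain outgoing call, no Diversion: rule 4 blanks the user because u01 is
    # empty, then rule 5 restores it from u02. That is why the last rule exists.
    "plain outgoing": ("<sip:07540111222@192.0.2.10>;tag=c3", None),
}

if __name__ == "__main__":
    for name, (frm, div) in CASES.items():
        print(f"{name:17s} {frm}  ->  {rewrite_from(frm, div)}")
```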

Once I research this some more I'll write up a deeper explanation.


Cisco Router – Slow / Dropping Internet Downloads


I recently had a problem with a Cisco router failover pair causing me some grief: when you downloaded a large file it was just cutting out or stopping. I tried a few times and even tried downloading on our own firewall, where the download worked fine, so I knew there was no problem at the remote end (Microsoft).

I was trying to download SQL 2012 Express at the time and this kept happening:

[Screenshot of the failing download]

The first thing I did was open an SSH session to the router and enable terminal monitor. Log in and type:

terminal monitor

Once that was done I noticed quite a few errors like this appear:

%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out-of-order; expected seq:3558888055. Reason: TCP reassembly queue overflow - session 10.0.X.X:52435 to XX.XX.XX.XX:231424

I added this command to global config mode:

All the command above does is increase the size of the TCP reassembly queue, which has solved this problem.

Downloads are now working perfectly!


Cisco Router NAT Internal Traffic over VPN


I recently had a request where I needed to set up an IPsec VPN tunnel (no problem) but NAT the internal traffic to a new range to go over the tunnel, without interfering with the normal NAT translation going out to the internet.

A bit of background information:

MPLS network with over 100 sites
Each site has a 192.168.X.X range (e.g. 192.168.22.X and 192.168.44.X)
Centralized HSRP Failover Cisco Firewalls on a 10.20.X.X range

Each site has a server on the .200 address so 192.168.22.200 and 192.168.44.200.

These servers needed to be NAT'd to a 10.60.0.X range to go over the VPN to 10.29.13.X/24.

To keep things fairly tidy I kept the NAT translations in a pattern, for example:

192.168.22.200 would become 10.60.0.22
192.168.44.200 would become 10.60.0.44

I created the tunnel and tested it using a loopback adapter on the routers with a 10.29.13.x address, just to confirm the IPsec tunnel was working successfully.

We have a range of 64 public addresses, with a NAT translation of all stores' IPs to one of them for easy management.

192.168.0.0 0.0.255.255 mapped to -> 2.2.2.60 for example

NAT Translation for store to global IP:

ip nat pool SNAT-STORES 2.2.2.60 2.2.2.60 netmask 255.255.255.192

ip nat inside source route-map SNAT-STORES pool SNAT-STORES mapping-id 101 overload

NOTE: mapping-id is for stateful NAT on the HSRP router pair :)

Access-lists:

IP access list extended PBRNAT
permit ip 192.168.0.0 0.0.255.255 10.29.13.0 0.0.0.255

Access list PBRNAT just specifies when the NAT translation should happen, which is when any of the 192.168.0.0 addresses try to access the other side of the VPN (10.29.13.0/24). Note you need to use the original un-NAT'd address in order to get the match.

IP access list extended SNAT-STORES
5 deny ip 192.168.0.0 0.0.255.255 10.29.13.0 0.0.0.255
10 permit ip 192.168.25.0 0.0.0.255 any 
20 permit ip 192.168.104.0 0.0.0.255 any
30 permit ip 192.168.107.0 0.0.0.255 any
40 permit ip 192.168.101.0 0.0.0.255 any
50 permit ip 192.168.105.0 0.0.0.255 any

Notice the deny statement under SNAT-STORES, which is important as you need to set the criteria for when you want the NAT translation to be true. You do not want the global NAT translation to happen when trying to access the other side of the VPN (10.29.13.0/24).
Route maps need to be created as they are used in the NAT translation rules and map to the access-lists.

route-map PBRNAT permit 10
match ip address PBRNAT

route-map SNAT-STORES permit 10
match ip address SNAT-STORES

A few of the NAT translations:

ip nat inside source static 192.168.112.200 10.60.0.112 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.114.200 10.60.0.114 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.115.200 10.60.0.115 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.116.200 10.60.0.116 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.117.200 10.60.0.117 route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static 192.168.118.200 10.60.0.118 route-map PBRNAT redundancy HSRP-Internal

The interesting traffic for the VPN would be:

permit ip 10.60.0.0 0.0.0.255 10.29.13.0 0.0.0.255

10.60.0.0 = Local Side (NAT’d addresses)
10.29.13.0 = Remote VPN Side
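As an added illustration (not from the original post), the Python model below applies the two route-map ACLs and the static/dynamic NAT statements from this post to a few constructed packets, then checks whether the translated packet matches the crypto ACL. It assumes IOS consults static entries before the dynamic pool, uses only the store subnets listed in the SNAT-STORES excerpt above, and treats 203.0.113.9 as a made-up internet host.

```python
import ipaddress

# ACLs as on the post, in IOS wildcard-mask form:
# (action, source, source-wildcard, destination, destination-wildcard)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_PBRNAT = [
    ("permit", "192.168.0.0", "0.0.255.255", "10.29.13.0", "0.0.0.255"),
]
ACL_SNAT_STORES = [  # partial list, as shown in the post
    ("deny",   "192.168.0.0",   "0.0.255.255", "10.29.13.0", "0.0.0.255"),
    ("permit", "192.168.25.0",  "0.0.0.255",   *ANY),
    ("permit", "192.168.104.0", "0.0.0.255",   *ANY),
    ("permit", "192.168.107.0", "0.0.0.255",   *ANY),
]
# Crypto ACL for the tunnel ("interesting traffic") from the post.
ACL_VPN = [("permit", "10.60.0.0", "0.0.0.255", "10.29.13.0", "0.0.0.255")]

# Static entries conditioned on route-map PBRNAT (pattern from the post:
# 192.168.X.200 -> 10.60.0.X); pool SNAT-STORES is the single overload address.
STATIC_NAT = {f"192.168.{x}.200": f"10.60.0.{x}" for x in (22, 44, 112, 114)}
POOL_SNAT_STORES = "2.2.2.60"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def translate_source(src, dst):
    """Inside-source NAT decision for one packet, modelled after the post:
    static entries are consulted first (assumed IOS ordering) but only fire
    when route-map PBRNAT matches; otherwise the dynamic overload applies when
    route-map SNAT-STORES matches; else the packet leaves untranslated."""
    if src in STATIC_NAT and acl_permits(ACL_PBRNAT, src, dst):
        return STATIC_NAT[src]
    if acl_permits(ACL_SNAT_STORES, src, dst):
        return POOL_SNAT_STORES
    return src


def enters_tunnel(src, dst):
    """Whether the post-NAT packet matches the VPN crypto ACL."""
    return acl_permits(ACL_VPN, translate_source(src, dst), dst)


if __name__ == "__main__":
    for src, dst in [("192.168.22.200", "10.29.13.21"),  # store server -> VPN
                     ("192.168.25.10", "203.0.113.9"),   # store PC -> internet
                     ("192.168.25.10", "10.29.13.21")]:  # store PC -> VPN side
        print(f"{src:15s} -> {dst:12s}  src after NAT: "
              f"{translate_source(src, dst):15s}  tunnel={enters_tunnel(src, dst)}")
```

The third packet shows the side effect of the deny entry: a non-.200 host at a store is neither statically translated nor overloaded, so it also never matches the 10.60.0.0/24 crypto ACL.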

Just to show it working I pinged 10.29.13.21 from 192.168.22.200

[Screenshot: ping from 192.168.22.200 to 10.29.13.21]

[Screenshot: primary Cisco router showing the correct NAT statement]

Sorry if this appears to be a bit rushed; I am off on holiday tomorrow and wanted to get it done before I go while it's still fresh :)



Cisco CME Call Transfer Issue – SIP Trunk


I have a client with a Cisco 2921 Router running the latest version of CME, 9.1 (currently).

I had a weird issue with call transfer; the call flow would go like this:

Ext 1001 would dial an external number 0800111222 and then transfer the call to Ext 1002.

The Call then dropped and disconnected after a few seconds.

An incoming call received by Ext 1001 from 0800 111 222 and then transferred to Ext 1002 works fine.

So incoming calls work but outbound calls don't.

Running "debug ccsip messages" showed an UPDATE message being sent to the SIP provider when the call was transferred, and because this was replied to it caused the call to drop.

Adding "no update-callerid" to voice service voip under sip resolved the issue (it took days to diagnose and fix this silly issue!)


Cisco IOS – Basic QoS, Traffic Shape and Police


Right, I have used this configuration several times now, so I have decided to put it up here so I have quick access to it when I need it :) No point re-writing it every time when I can just copy/paste and tweak:

I started with an access-list for our SIP provider:

Extended IP access list ORBTALK
10 permit ip host 193.104.103.6 any
20 permit ip host 193.104.103.2 any
30 permit ip host 193.104.103.11 any
40 permit ip any host 193.104.103.6
50 permit ip any host 193.104.103.2
60 permit ip any host 193.104.103.1


Class maps created:
As you can see below, I only created a few categories: WEBTRAFFIC, VOIP, limited traffic (e.g. Facebook, Twitter etc.) and full speed when running a speed test:

class-map match-any WEBTRAFFIC
description **HTTP/HTTPS TRAFFIC**
match protocol http
match protocol secure-http
class-map match-any VOXHUB-VOIP
description **VOIP Traffic for ORBTALK**
match protocol sip
match protocol rtp audio
match ip dscp ef
match ip dscp cs3
match access-group name ORBTALK
class-map match-any TRAFFIC-LIMIT
description **Traffic Limited to 10Mb**
match protocol http host "*facebook.com*"
match protocol http host "*facebook*"
match protocol http host "*twitter*"
match protocol http host "*instagram*"
class-map match-all group1
match access-group 2
class-map match-any SPEEDTEST
description **Allow Speed Test @ 100Mbps – Use: www.speedtest.bbmax.co.uk**
match protocol http host "*speedtest*"
match access-group name SPEEDTEST


Policy Maps:

policy-map police
class group1
police 2048000 2000 4000
policy-map POLICE
class SPEEDTEST
police rate percent 100
conform-action transmit
exceed-action drop
class VOXHUB-VOIP
police rate percent 10
conform-action transmit
exceed-action drop
class TRAFFIC-LIMIT
police rate percent 10
conform-action transmit
exceed-action drop
class WEBTRAFFIC
police rate percent 50
conform-action transmit
exceed-action drop
class class-default
police rate percent 80
conform-action transmit
exceed-action drop
policy-map SHAPE
class SPEEDTEST
shape average percent 100
class VOXHUB-VOIP
shape average percent 10
class TRAFFIC-LIMIT
shape average percent 10
class WEBTRAFFIC
shape average percent 50
class class-default
shape average percent 80

Under WAN Interface:

interface FastEthernet0/3/0
ip address 31.221.89.2 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed 100
crypto map Wizard
service-policy input POLICE
service-policy output SHAPE
end

Hope this helps and gives you a base to work from.


Cisco Sound/Voice through Handset and Headset


Recently had an issue with Jabra headsets leaking sound through both the Headset and Handset. I believe this was just for outgoing calls but cannot confirm.

I first thought this was a bug and found this: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz35375

Turns out it's the default behavior of Cisco phones to do this with a headset. To disable it you need to do the following:

Router(config)#telephony-service
Router(config-telephony)#service phone handsetHeadsetMonitor 0
Router(config-telephony)#create cnf-files

Restart the phones for this to work!


Cisco HSRP External/Internal Interface SSO VPN IPSEC Failover Part 2


Static NAT is more straightforward to configure; to do this you need to do the following:

When you do the NAT translation, just reference the internal HSRP group, e.g.:

ip nat inside source static tcp 10.0.0.55 3389 77.11.12.10 3855 redundancy HSRP-Internal extendable

Remember to do this on both routers, as they both must match!

Dynamic NAT is done as follows:

You need to create a stateful ID, as you need to link the NAT pool to this ID (again, the same on both routers).

ip nat stateful id 1
redundancy HSRP-Internal
mapping-id 101
protocol udp

Define NAT Pool:

ip nat pool VOIP 77.11.12.62 77.11.12.62 netmask 255.255.255.192

Create the Access-List to define what matches this rule:

Extended IP access list VOIP
10 permit ip 10.5.0.0 0.0.0.255 any (35533 matches)
20 permit ip 10.15.0.0 0.0.0.255 any (5760 matches)

Now the Overload Statement:

ip nat inside source list VOIP pool VOIP mapping-id 101 overload

That's all there is to it!

If you do “Show ip nat translations” on the secondary router you will see the NAT translations replicated from the Primary!

I have used this on a PWAN project that has over 100 sites; the two main sites have VoIP phones on 10.5.X.X and 10.15.X.X networks, so I NAT'd them straight out using a unique public IP. Less hassle this way, especially where SIP is concerned!

See the image below showing PuTTY sessions open to both routers with exactly the same NAT translations, although only the primary router is active!

[Screenshot: identical NAT translation tables on the primary and secondary routers]


Cisco HSRP External/Internal Interface SSO VPN IPSEC Failover Part 1


What I wanted to achieve here was a complete fail-over of a Cisco router pair. I know Cisco ASAs can do a smoother job, but I detest ASAs as they don't follow the normal IOS commands :)

In this configuration I am using two Cisco 2921 Routers with the Security Bundle, and I also have two Internet connections, both using the same IP range.

Basics:

Router #1
Internal 10.20.0.250
HSRP: 10.20.0.254
External 77.12.11.4
HSRP: 77.12.11.6

Default Route – 77.12.11.3

Router #2
Internal 10.20.0.252
HSRP: 10.20.0.254
External 77.12.11.5
HSRP: 77.12.11.6

Default Route – 77.12.11.3

[Diagram: HSRP router pair addressing]

Also to note is that the ISP is also running HSRP, using 77.12.11.1 as primary, 77.12.11.2 as secondary and 77.12.11.3 as the HSRP address, which is our default gateway.

Configure the interfaces; in my case I have configured:

GigabitEthernet 0/0 = WAN

GigabitEthernet 0/1 = Internal

You need to create two HSRP Groups using the following:

Primary-Router
interface GigabitEthernet 0/0

description ** 100Mb Internet**
bandwidth 102400
ip address 77.12.11.4 255.255.255.192
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
standby mac-refresh 8
standby delay minimum 10 reload 60
standby 0 ip 77.12.11.6
standby 0 timers 1 3
standby 0 preempt delay reload 7 sync 7
standby 0 name HSRP-External
standby 0 track 1 decrement 20

interface GigabitEthernet0/1
description **LAN 1Gbps / HSRP**
ip address 10.20.0.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby mac-refresh 8
standby delay reload 50
standby 1 ip 10.20.0.254
standby 1 preempt
standby 1 name HSRP-Internal
standby 1 track 1 decrement 20
duplex auto
speed auto
end

Secondary-Router
interface GigabitEthernet 0/0

description ** 100Mb Internet**
bandwidth 102400
ip address 77.12.11.5 255.255.255.192
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
standby mac-refresh 8
standby delay minimum 10 reload 60
standby 0 ip 77.12.11.6
standby 0 timers 1 3
standby 0 priority 90
standby 0 preempt delay reload 7 sync 7
standby 0 name HSRP-External
standby 0 track 1 decrement 20

interface GigabitEthernet0/1
description **LAN 1Gbps / HSRP**
ip address 10.20.0.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby mac-refresh 8
standby delay reload 50
standby 1 ip 10.20.0.254
standby 1 priority 90
standby 1 preempt
standby 1 name HSRP-Internal
standby 1 track 1 decrement 20
duplex auto
speed auto
end

Use "show standby" to confirm; you will see Active on the primary router on both interfaces!

1) Default priority is 100 (higher is better), so you need to set the secondary router with a slightly lower value.

2) preempt needs to be set only if you want the active router to take back the role once a failover has occurred.

3) I have configured an SLA track on the primary router which tracks the default gateway 77.12.11.3. I have done this because I want to fail over if the router can no longer reach the default gateway, as this is more likely than an interface problem. As you can see from the below, I am tracking the default gateway across both internal and external interfaces on the primary router (the best way of doing this: if it fails then it drops the priority by 20, making the secondary active).

SLA Configuration:

ip sla 1
icmp-echo 77.12.11.3 source-ip 10.20.0.250
frequency 5
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

NOTE: The router HAS to reboot when its state changes, as it's the only way the router can rejoin as a secondary. A bit poor on Cisco's part and I am confident this will be changed in new releases (I hope). In my opinion this is the only problem that makes the ASAs a better choice.

Once this is done you can get on to configure the stateful VPN IPSEC failover as well as Stateful Static NAT and Dynamic NAT.

Configuring stateful VPN fail-over is very simple: all you need to do is add the crypto map under the external interface as you normally would, except add "redundancy HSRP-External stateful". Note "HSRP-External" is the name I used in my previous post.

Interface GigabitEthernet 0/0
crypto map IPSEC-VPN redundancy HSRP-External stateful

Do this on both primary and secondary routers. The following is a list of show commands to verify all of the above is working correctly:

show redundancy states
show standby brief
show crypto isakmp sa
show crypto isakmp sa standby
show crypto ipsec sa
show crypto ipsec sa standby

Examples:

Cisco2921-Primary#sh redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit ID = 0

Maintenance Mode = Disabled
Manual Swact = enabled
Communications = Up

client count = 14
client_notification_TMR = 30000 milliseconds
RF debug mask = 0x0

Cisco2921-Primary#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0 0 100 P Active local 77.11.12.5 77.11.12.6
Gi0/1 1 100 P Active local 10.20.0.252 10.20.0.254

Static / Dynamic Stateful NAT I will put in part 2 of the guide just to break it up a little bit.


Cisco BT Infinity – No White Modem – Cisco 887VA


A user posted to me on there that they have got a configuration working with BT Infinity without the use of the white modem. I saw that this was possible when DrayTek announced their 2830 device would work with BT Infinity, and after further digging around it appears BT removed the requirement that the white modem must be used from their T&Cs.

Anyway, I recently took delivery of a lot of Cisco 887VA Routers and a Cisco 2901 and 2911 with EHWIC-VA-DSL-A cards, so I took this opportunity to try the configuration below:

This config is a re-write of a previous post I did and is based on and 100% tested on a Cisco 887VA.

First, disable the ATM interface (you cannot have the ATM interface enabled and use VDSL; it's either/or):

interface ATM0
no ip address
shutdown
no atm ilmi-keepalive

Next configure the VDSL Interface (Ethernet 0):

interface Ethernet0
no ip address

In the UK, BT Infinity uses VLAN 101, so you need to configure a sub-interface and tag the traffic. You need to set the dial-pool number to the same number used for the dialer interface:

interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1


interface dialer 1
description **BT INFINITY**

mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname bt@btinternet.com
ppp chap password 0 password
ppp ipcp address accept
no cdp enable

The username and password do not matter for a HOME connection, but for a BUSINESS connection you will need to specify the username/password.

I noticed I was getting a global IP of 172.X.X.X when I removed the "ppp ipcp address accept" command from Dialer 1. When I put it back I was getting an IP in the 80/81.X.X.X range and the internet worked correctly.

You just need to add the normal commands for inside/outside NAT etc. Briefly described config below:

interface BVI1
description **Internal Interface**
ip address 172.16.32.254 255.255.255.0
ip nat inside
ip virtual-reassembly in

ip nat inside source route-map INFINITY interface Dialer1 overload

route-map INFINITY permit 1
match ip address INFINITY

ip access-list extended INFINITY
permit ip 172.16.32.0 0.0.0.255 any

Router# show controllers vdsl 0

[Screenshots: output of show controllers vdsl 0]

Cisco CME – Configure SIP Trunk


Configuring a SIP trunk is fairly simple. Once you have the telephony service all configured and the phones communicating with each other internally, you can configure the SIP trunk.

Start by setting up voice service voip like this:

voice service voip
ip address trusted list
ipv4 X.X.X.X 255.255.255.255
ipv4 X.X.X.X 255.255.255.255
ipv4 X.X.X.X 255.255.255.255
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
registrar server

The X.X.X.X section is highly recommended, as it will protect the SIP trunk from toll fraud. Put your SIP trunk provider's IP addresses in there!

Create a Voice Translation profile like this if you want to have a 9 for an outside line and for it to be stripped off before sending the digits down the trunk:

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 2
translate called 3

Rule 2 is basically so that if you dial 999 or 9999 it will still be able to dial Emergency Services (I am based in the UK :) ). In an emergency users may forget to dial 9, and this way you are covered!

Dial-peer is configured next like so:

dial-peer voice 5 voip
description **Outgoing Calls to Any Number – SIP TRUNK**
translation-profile outgoing SIPPrefix
destination-pattern 9T
b2bua
session protocol sipv2
session target sip-server
incoming called-number .%
voice-class codec 1
dtmf-relay rtp-nte
no vad

destination-pattern 9T means that 9 is dialed to access this dial-peer for an outside line. You can change the 9 to any digit or digit combination you like.

Now configure the actual SIP Trunk:

sip-ua
credentials username *USERNAME* password 0 *PASSWORD*
authentication username *USERNAME* password 0 *PASSWORD*
no remote-party-id
retry invite 2
retry register 10
retry options 1
timers connect 100
registrar dns:*SIP TRUNK DNS NAME* expires 3600
sip-server dns:*SIP TRUNK DNS NAME*
host-registrar

Use "show sip-ua register status" to see if the trunk is online:

Line        peer  expires(sec)  registered  P-Associ-URI
=========== ===== ============  ==========  ============
*USERNAME*  -1    48            yes

While I was configuring this I had an attack, and the internet was only connected to this box for 10 minutes while I pulled the config:

Jan 24 15:43:24.893: %SEC-6-IPACCESSLOGP: list INTERNET denied udp 198.245.60.182(5076) -> MY.IP.ADDRESS.X(5060), 1 packet

So you MUST lock down ports 5060 and 2000!

Good Luck!
