Cisco 4G LTE Setup – EE UK Configuration


This was setup using a Cisco 1911 Router and the 4G Card (EHWIC-4G-LTE-G)

The EHWIC-4G-LTE-G actually turns up with the antennas and the extended cables for the Antennas which i am surprised at as normally Cisco charge extra.

This particular example the Sim Card was for the EE Network in the UK (Orange,T-Mobile,EE)

I thing to note always you cannot bridge the cellular interface if anyone is thinking of handing this off to a ASA or similar firewall you will need to double NAT. If anyone has found a way please do email or drop me a comment.

Below is just the selected bits of the config to get the connection working:

Router#(config)chat-script lte “” “AT!CALL1″ TIMEOUT 30 “OK”


controller Cellular 0/0


interface Cellular0/0/0

ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive

interface Dialer1
no ip address

ip nat inside source list 101 interface Cellular0/0/0 overload
ip route Cellular0/0/0


access-list 101 permit ip any
dialer-list 1 protocol ip permit

line 0/0/0
script dialer lte
modem InOut
no exec
rxspeed 100000000
txspeed 50000000





Cisco IOS Transparent Bridged Mode Inspection/ACL


Recently I needed to install a small Cisco 2811 Router in front on my Lync 2013 setup as the Mediation/FrontEnd server didnt like the 1:1 NAT and the Cisco IOS would either cause a 1 way audio or no call connection so I decided on this route.

I have a layer 2 switch which has the internet feed, Main Firewall feed and a feed going to port F0/0 on the 2811.

I basically am going to create a bridge between F0/0 and F0/1 and enable inspection and some access-lists in order to protect the SIP Trunk.

Create the Bridge Group:
Router(config)# bridge 1 irb
Router(config)# bridge 1 protocol ieee

Assign Interfaces to Bridge Group:
Router(config)# interface f0/0
Router(config-if)# bridge-group 1

Router(config)# interface f0/1
Router(config-if)# bridge-group 1

You can create the Bridge Virtual Interface but I haven’t

Router(config)# interface bvi 1
Router(config-if)# ip address
Router(config-if)# no shut

Router(config)# sh bridge group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

Port 2 (FastEthernet0/0) of bridge group 1 is forwarding
Port 3 (FastEthernet0/1) of bridge group 1 is forwarding

Inspection Configuration

Router(config)#  ip inspect name LYNC-IN tcp
Router(config)#  ip inspect name LYNC-IN udp
Router(config)#  ip inspect name LYNC-IN icmp

Create ACL (permit ip any any is just for show put in what you need)

Router(config)# ip access-list extended LYNC-IN
Router(config-ext-nacl)# permit ip any any

My first draft ACL was like this as X.X.X.X is my SIP provider and I wanted to block 5060 tcp/udp from everywhere else.

Extended IP access list LYNC-IN
10 permit tcp host X.X.X.X any eq 5060 (179 matches)
20 permit udp host X.X.X.X any range 20000 60000 (8438 matches)
180 deny tcp any any eq 5060
181 deny udp any any eq 5060 (26 matches)
200 permit ip any any (475520 matches)

Now Apply to the Interface: (F0/0 is my external Interface)

interface FastEthernet0/0
no ip address
ip access-group LYNC-IN in
ip inspect LYNC-IN in
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1

interface FastEthernet0/1
description **WIZLYNC13 – Server**
no ip address
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1

I have used this example specifically to secure a Lync 2013 Mediation server but a Transparent IOS Firewall can be used for many purposed.





Cisco CME/CUCME SIP Trunk Configuration Guide/Setup


This is a quick post on how to configure a SIP trunk in CME as I have had a few emails now requesting it.

SIP trunk configuration is very simple as you only need to find a SIP Provider and in this example I use a company called OrbTalk (I am based in the UK)

All the configuration is done in SIP-UA under global configuration mode:

credentials username USERNAME password 0 PASSWORD realm orbtalk
authentication username USERNAME password 0 PASSWORD
no remote-party-id
retry invite 2
retry register 10
retry options 1
timers connect 100
registrar expires 1800

You can check the SIP registration status by using this command:

Show Sip-ua register status and it should show the following:

Cisco2901#show sip-ua register status
Line                                                                           peer                    expires(sec)           registered           P-Associ-URI
================================ ========== ============ ========== ============
USERNAME                                                                -1                      38                           yes

What you are looking for is registered = yes.

Although I have an expires of 1800 second Orbtalk have 60 seconds so we always go by the shortest time.

You then need a dial-peer, voice translation-rules and profile and you can start getting calls sent to the SIP provider.


Internal / External Call Forwarding Cisco CCME/CME Call Manager Express SIP Trunk


I have a client who has a Cisco 2921 Router running CCME and the simplest task would not work which is to call forward to a mobile phone.

When I say internal and external what I mean is the following two scenarios:


0207 888 8888 dials 0203 555 1007 this call forwards to 07540111222

We got this working by adding “calling-number local secondary” to the telephony-service.

But then internal call forwards would not work. Example:

Internal Extension 1010 dials 1007 this call forward to 07540111222 (we would just get a busy tone)

The problem was the SIP trunk provider was getting the SIP header information incorrect so I called Cisco TAC and this is the solution they came up with:

Create a new SIP Call Profile:

voice class sip-profiles 7
request INVITE sip-header Diversion copy “.*<sip:(.*)@.*” u01
request INVITE sip-header From copy “.*<sip:(.*)@.*” u02
request INVITE sip-header From modify “(.*)<sip:1…@(.*)” “\1<sip:44203555\u01@\2″
request INVITE sip-header From modify “(.*)<sip:0.*@(.*)” “\1<sip:\u01@\2″
request INVITE sip-header From modify “(.*)<sip:@(.*)” “\1<sip:\u02@\2″

New voice translation rules and profiles created like below:

voice translation-rule 20
rule 1 /\(^10..\)/ /44203555\1/

voice translation-rule 3
rule 2 /^999$/ /999/
rule 5 /^9\(.*\)/ /\1/

voice translation-profile SIPPrefix
translate calling 20
translate called 3

On the Dial-peer for outgoing calls reference this voice class:

dial-peer voice 3 voip
description **Outgoing Calls to Any Number **
translation-profile outgoing SIPPrefix
destination-pattern 9T
session protocol sipv2
session target sip-server
incoming called-number .
voice-class sip profiles 7
dtmf-relay rtp-nte
codec g711ulaw
no vad

I don’t yet fully understand the logic for the above as I have never written anything like this but as far as I can tell u01 and u02 are used for storing variables.

The logic behind this is the call-forwarding number has to start with 0 and can be any number of digits (look at the line below)
request INVITE sip-header From modify “(.*)<sip:0.*@(.*)” “\1<sip:\u01@\2″

The last line is for normal outgoing calls to allow anything as normal.

Once I research into this some more ill write up a deeper explanation.


Cisco Router – Slow / Dropping Internet Downloads


Recently had a problem with a Cisco Router Failover pair causing me some grief where when you download a large file it was just cutting out or stopping. I tried a few attempts and even tried downloading on our own firewall and the download worked fine so I knew there was no problem at the remote end (Microsoft)

Was trying to download SQL 2012 Express at the time and this kept happening:


First thing I done was open an ssh  session with the Router and enabled terminal monitor:

Log in and type:

Once that was done I noticed quite a few errors like this appear:

%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out-of-order; expected seq:3558888055. Reason: TCP reassembly queue overflow – session 10.0.X.X:52435 to XX.XX.XX.XX:231424

I added this command to global config mode:

All the command above does is increase the size of the tcp queue which has solved this problem.

Downloads are now working perfectly!


Cisco Router NAT Internal Traffic over VPN


Recently had a request where I needed to setup a IPSEC VPN tunnel (no problem) but NAT the internal traffic to a new range to go over the tunnel and for it not too interfere with the normal NAT Translation going out to the internet.

Bit of background information:

MPLS Network with over 100+ sites
Each site has a 192.168.X.X range (e.g. 192.168.22.X and 192.168.44.X)
Centralized HSRP Failover Cisco Firewalls on a 10.20.X.X range

Each site has a server on the .200 address so and

These servers needed to be NAT’d to a 10.60.0.X range to go over the VPN to 10.29.13.X/24

To keep things fairly tidy I kept the NAT translations in some sort of pattern so for example: would become would become

I created the tunnel and tested it using a loopback adapter on the routers with a 10.29.13.x address just to confirm the IPSEC tunnel is working successfully.

We have an IP range of 64 public address that had a NAT translation of all stores IP’s to 1 of them for easy management. mapped to –> for example

NAT Translation for store to global IP:

ip nat pool SNAT-STORES netmask

ip nat inside source route-map SNAT-STORES pool SNAT-STORES mapping-id 101 overload

NOTE: mapping-id is for statefull NAT on the HSRP router pair :)


IP access list extended PBRNAT
permit ip

Access List PBRNAT is just to specify when the NAT translation should happen which is when any of the addresses try to access the other side of the VPN ( Note you need to use the original un-nat’d address in order to get the match.

IP access list extended SNAT-STORES
5 deny ip
10 permit ip any 
20 permit ip any
30 permit ip any
40 permit ip any
50 permit ip any

Notice the deny statement under SNAT-STORES which is important as you need to set the criteria for when you want the NAT translation to be true. You do not want the global NAT translation to happen when trying to access the other side of the VPN (
Route maps needs to be created as they are used in the NAT translation rule and used for mapping to the access-lists.

route-map PBRNAT permit 10
match ip address PBRNAT

route-map SNAT-STORES permit 10
match ip address SNAT-STORES

Few of the NAT Translations

ip nat inside source static route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static route-map PBRNAT redundancy HSRP-Internal
ip nat inside source static route-map PBRNAT redundancy HSRP-Internal

The interesting traffic for the VPN would be

permit ip = Local Side (NAT’d addresses) = Remote VPN Side

Just to show it working I pinged from

Primary Cisco Router showing the correct NAT Statement:


Sorry if this appears to be a bit rushed I am off on holiday tomorrow and wanted to get done before I go while its still fresh :)



Cisco CME Call Transfer Issue – SIP Trunk


Have a client with a Cisco 2921 Router running latest version of CME 9.1 (currently)

Had a weird issue with Call Transfer and the call flow would go like this:

Ext 1001 would dial a external number 0800111222 and then transfer the call to Ext 1002.

The Call then dropped and disconnected after a few seconds.

A incoming call received by Ext 1001 from 0800 111 222 then transferred to Ext 1002 works fine.

So incoming calls works but outbound based calls don’t.

Running “debug ccsip messsages” show an UPDATE message is sent when the call is transferred to the SIP provider and because this was replied to it caused the call to drop.

Adding “no update-callerid” to voice service voip under sip resolved the issue (took days to diagnose and fix this silly issue!)



Cisco IOS – Basic QoS, Traffic Shape and Police



Right I have used this configuration several times now so I have decided to put it up here so I have quick access to it when I need it :) No point re-writing it all over every time when I can just copy/paste and tweak:

Started with an Access-List for our SIP Provider:

Extended IP access list ORBTALK
10 permit ip host any
20 permit ip host any
30 permit ip host any
40 permit ip any host
50 permit ip any host
60 permit ip any host


Class Maps Created:
As you can see below I only created a few categories for WEBTRAFFIC, VOIP, limit traffic e.g. facebook, twitter etc and allow full speed when running a speedtest:

class-map match-any WEBTRAFFIC
description **HTTP/HTTPS TRAFFIC**
match protocol http
match protocol secure-http
class-map match-any VOXHUB-VOIP
description **VOIP Traffic for ORBTALK**
match protocol sip
match protocol rtp audio
match ip dscp ef
match ip dscp cs3
match access-group name ORBTALK
class-map match-any TRAFFIC-LIMIT
description **Traffic Limited to 10Mb**
match protocol http host “**”
match protocol http host “*facebook*”
match protocol http host “*twitter*”
match protocol http host “*instagram*”
class-map match-all group1
match access-group 2
class-map match-any SPEEDTEST
description **Allow Speed Test @ 100Mbps – Use:**
match protocol http host “*speedtest*”
match access-group name SPEEDTEST


Policy Maps:

policy-map police
class group1
police 2048000 2000 4000
policy-map POLICE
police rate percent 100
conform-action transmit
exceed-action drop
police rate percent 10
conform-action transmit
exceed-action drop
police rate percent 10
conform-action transmit
exceed-action drop
police rate percent 50
conform-action transmit
exceed-action drop
class class-default
police rate percent 80
conform-action transmit
exceed-action drop
policy-map SHAPE
shape average percent 100
shape average percent 10
shape average percent 10
shape average percent 50
class class-default
shape average percent 80

Under WAN Interface:

interface FastEthernet0/3/0
ip address
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
duplex auto
speed 100
crypto map Wizard
service-policy input POLICE
service-policy output SHAPE

Hope this helps and gives you a base to work from.


Cisco Sound/Voice through Handset and Headset


Recently had an issue with Jabra headsets leaking sound through both the Headset and Handset. I believe this was just for outgoing calls but cannot confirm.

I first thought this was a bug and found this:

Turns out its the default behavior of Cisco phones to do this with a headset. To Disable you need to do the following:

Router(config-telephony)#service phone handsetHeadsetMonitor 0
Router(config-telephony)#create cnf-files

Restart the phones for this to work!


Cisco HSRP External/Internal Interface SSO VPN IPSEC Failover Part 2


Static NAT is more straight forward to configure so to do this you need to do the following:

When you do the NAT Translation just reference the Internal HSRP Group e.g:

ip nat inside source static tcp 3389 3855 redundancy HSRP-Internal extendable

Remember to do this on both Routers as they both must Match!

Dynamic NAT is done like the following:

You need to create a Stateful ID as you need to link the NAT pool to this ID. (Again same on both routers)

ip nat Stateful id 1
redundancy HSRP-Internal
mapping-id 101
protocol udp

Define NAT Pool:

ip nat pool VOIP netmask

Create the Access-List to define what matches this rule:

Extended IP access list VOIP
10 permit ip any (35533 matches)
20 permit ip any (5760 matches)

Now the Overload Statement:

ip nat inside source list VOIP pool VOXHUB-VOIP mapping-id 101 overload

Thats all there is too it!

If you do “Show ip nat translations” on the secondary router you will see the NAT translations replicated from the Primary!

I have used this on a PWAN project that has over 100 sites and the two main sites has VOIP phones that work on a 10.5.X.X and 10.15.X.X Network so I nat’ted them straight out using a unique public IP. Less hassle this way especially where SIP is concerned!

See Image below showing both Putty sessions open for Both Routers showing exactly the same NAT translations although only the Primary Router is active!




Go to Top