On occasion, I have to setup a site to site vpn on an IOS router. It seems a little odd, but the IOS router will do this just fine, just like an ASA. Commands are different, but not difficult at all. Below, I outline what you need to do to configure an IOS router (1841 in this case) to get the vpn up and running. Nothing special in this, just the basics of getting the vpn up and running.
You wont be able to use a base image. Below, I have an advance security image.
boot system flash:c1841-advsecurityk9-mz.124-3h.bin
Set your domain name on your router.
ip domain name company.com
Here is your Phase I info.
-------- Beginning of Phase I ----------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key key! address 98.98.98.98 no-xauth <------ No Authentication needed
crypto isakmp keepalive 20 3 periodic
Here is your Phase II info.
------- Phase II -----------------
crypto ipsec transform-set to_remotesite esp-3des esp-md5-hmac
Here is your crypto map for the vpn.
--------- Crypto Map for VPN ----------------
crypto map to_remotesite 5 ipsec-isakmp
set peer 98.98.98.98 <------- Peer address
set transform-set to_remotesite <------ Use this Phase II policy (above)
match address 121 <------ Match this ACL for encryption
Apply the crypto map to your serial interface.
interface Serial0/0/0
ip address 12.94.221.218 255.255.255.252
ip nat outside
crypto map to_remotesite <------- Apply this CryptoMap to Int S0/0/0
Here is your encryption ACL. This says "encrypt across the vpn".
----------- Encryption ACL ---------------------------------
access-list 121 permit ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255
If you have to "NOT NAT", then you have to tell the router. Below is the config to NAT 192.168.101.0 to any, but NOT NAT 192.168.101.0 to 192.168.75.0. Notice the Deny statement for NOT NAT'ing.
------------------------- No Nat ACL, NAT statement, and Route-map for NO-NAT'ing ----------------------
access-list 104 deny ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 any
ip nat inside source route-map nonat interface Serial0/0/0 overload
route-map nonat permit 10
match ip address 104
Thats all there is to it. I hope this helps.
Tuesday, December 27, 2011
Monday, December 26, 2011
Collecting logs for ShoreTel TAC: What to do
I had to do some troubleshooting one day, and I was asked to collect logs and send them in to ShoreTel. I wasnt sure what all they wanted, so they send me these instructions. I thought this would be helpful to you who need to do the same. See these instructions below:
Collect the appropriate logs and files. Package them up and attach to the case.
Please create a folder named SR NUMBER (eg 1-41234567) and COPY (not move) the following data into it.
NOTE: All logs should reflect the date of the issue being escalated, as should call GUIDs.
NOTE: If your server is a Windows Server 2008 machine, please ensure that event logs are saved in Comma Separated Value (CSV) and/or Plain Text (TXT) format, as we cannot open EVTX files.
NOTE: This document assumes the ShoreTel application is installed to the C: drive and data is stored on the D: drive in the default directories. Your installation may differ.
1. Server SYSTEM INFO:
START / All Programs / Accessories / System Tools / System Information
File / Save (Saves as an .NFO file)
File / Export (Saves as an .TXT file)
2. Server REGISTRY DUMP:
START / Run / “regedit”
Right-click “My Computer” / Export (Saves as a .REG file)
3. Server EVENT LOGS:
For Windows Server 2003:
START / Programs / Admin Tools / Event Viewer /
Select the APPLICATION LOG, and then "Save Log File As..."
Enter application as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Enter system as filename.
For Windows Server 2008:
START / Programs / Admin Tools / Event Viewer / Windows Logs
Select the APPLICATION LOG, then "Save Log File As..."
Select CSV (Comma Separated Values) as FILE TYPE
Enter application as filename.
Select the APPLICATION LOG, then "Save Log File As..."
Select EVTX (EventX) as the FILE TYPE
Enter application as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Select CSV (Comma Separated Values) as FILE TYPE
Enter system as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Select EVTX (EventX) as the FILE TYPE
Enter application as filename.
4. Server LOGS:
All the logs for that date – pay close attention to the date embedded in the file name, and do not rely on the Windows “Date Modified” stamp. Please place these log files in a subfolder called “logs” (eg, C:\1-4123456\logs\ ) You may use the search function and find all files matching the bold string below:
*YYMMDD*.*
where YY is the year, MM is the month, and DD is the day, eg, *100823*.* would be all log files for August 23rd, 2010.
Log files are located in the following folder by default: D:\Shoreline Data\Logs
Be advised that log files are deleted automatically based the SYSTEM PARAMETERS / OTHER / Log File Storage setting in Director, so be sure to copy the files with in this timer frame. Otherwise they will be removed.
5. Call GUIDs and Examples:
Include call GUIDs, source and destination extension/number, and time and date stamp of the call. More call GUIDs are always better than fewer. Please provide as much information as possible! You may use the following template to describe the issue.
Who? Is experiencing the problem?
What? Is the exact issue?
Where? At what site (both physically and logically) is the issue occurring?
When? At what time did the issue occur in this example, and how often does it occur?
How? Exactly what process, step-by-step, results in the error?
Extra Info? Is there any extra information you are aware of that may be helpful?
Here’s an example:
Who? John Doe at extension 1234 and Jane Doe at extension 1567
What? Choppy audio on the phone call.
Where? John is at Sunnyvale, CA (HQ) and Jane is at Austin, TX (AUS)
When? The problem occurs every Wednesday between 5pm and midnight CST.
How? John at 1234 calls Jane on his ShoreTel IP560 by picking up the handset and dialing Jane’s extension. Jane answers by clicking “Answer” in the pop-up using her softphone in Communicator. Jane is speaking to John on her USB headset, and John is using the handset.
Extra Info? Jane tried using her desk phone (a ShoreTel IP230 at the Sunnyvale HQ site) to call John and experienced the same problem.
6. CDR LOGS:
Copy the appropriate LOG file from: D:\Shoreline Data\Call Record 2\
7. ShoreTel DATABASE dump:
For pre ST8, please copy the database (Shoreware.MDB):
D:\Shoreline Data\Database
For ST8, perform a MySQL database dump by opening a CMD prompt in the following directory:
C:\Program Files\Shoreline Communications\ShoreWare Server\MySQL\MySQL Server 5.0\bin
Then enter:
mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shoreware>C:\\shoreware_db.sql
For ST10.1+
mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shoreware>C:\\shoreware_db.sql --port=4308
These commands place the dump file in the root of the C:\ drive, named “shoreware_db.sql”.
8. CDR DATABASE dump:
For pre ST7, please copy the CDR.mdb from the following folder:
D:\Shoreline Data\Call Records 2
For ST7+, perform a MySQL database dump by opening a CMD prompt in the following directory:
C:\Program Files\Shoreline Communications\ShoreWare Server\MySQL\MySQL Server 5.0\bin
For ST7 – ST9.2, enter:
mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shorewarecdr>C:\\shoreware_cdr.sql
For ST10.1+, enter:
mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shorewarecdr>C:\\shoreware_cdr.sql --port=4309
These commands place the dump file in the root of the C:\ drive, named “shoreware_db.sql”.
9. EXTRA Info
Please include any additional screen shots, videos, or files that either have been requested or you feel will be helpful.
Please compress the folder you created into a ZIP file with all the above files in it. You can do this by right-clicking the folder and selecting “Send To…”, “Compressed (ZIPPED) Folder”. Make sure the name of this ZIP file is SRNUMBER.zip (eg, “1-4123456.zip”) and attach it to the SR via our web page, http://support.shoretel.com, or upload it to our FTP server at ftp://ftp2.shoretel.com .
For FTP credentials, you may use the following case-sensitive credentials:
ftp2.shoretel.com
Username: XXXXXXXXX
Password: XXXXXXXX
Please update the Service Request online when your upload or attachment is complete so a notification is generated for your Technical Support Engineer. If you require assistance with this process, please call into the TAC at 800-742-2348 and any available engineer can assist you.
Sunday, December 25, 2011
ShoreTel CallerID problem: shows main number instead of DID
All, I got stuck the other day on an issue where every phone in the company that called out has a callerID of the main corporate number. I had in the BTN of the trunk group the main number, and that was the number the callerID showed for everyone. Well, they didnt want that. They wanted each individuals number to show up. That made sense, but I couldnt seem to find where to override this and make it show the DID of the individual. Well, I did find it. It was under the "Trunk Group" and specific Trunk, where "Enable Original Caller Information" was checked. Simply uncheck it and the DID shows up.
I got banned from a forum today... :)
Something funny happened to me the other night. I signed up at a forum called ShoreTelforums.com and I got banned within an hour of signing up, because I posted a link to the two "cheat sheets" I created on this blog. Boy, I tell you, you try to help so folks out by posting something helpful to people and you get "banned for life". I though that forums where to help each other out in the technical arena? I guess not. Anyway, I did put the links in on ShoreTel's Official forum (forums.shoretel.com), and I didn't get banned. I think ShoreTel's own forums actually like to help people. :) Merry Christmas all.
CallManager Express (CME): config explanations (notes)
Merry Chirstmas all! I hope all has had a good Christmas today. I came across a "CME explained" document that I created some time back of an old config I had of an CallManager Express, where I put some explanations of key config statements and what they do. I hope this helps some of you who do CMEs and need some explanations of things. See below the config (in black) and explanations (in blue). I deleted some of this so it wouldnt be so long.
CME2821#show run
Building configuration...
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CME2821
!
boot-start-marker
boot system
flash:c2800nm-advipservicesk9-mz.124-4.XC7.bin This
IOS image MUST be compatible with the CME version that is on here.
We are using 4.0(3), and this image is the “least” image we can
have for 4.0(3) to run properly on our 2821 router.
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa session-id common
resource policy
clock timezone central -6
clock summer-time zone recurring
network-clock-participate wic 1
network-clock-select 1 T1 0/1/0
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.75.1
192.168.75.10
Exclusion that will not allow client IPs of .1 through .10 to be
handed out to clients. This scope will start at .11 .
!
ip dhcp pool phone
Name of the DHCP pool is “phone”.
import all
network 192.168.75.0 255.255.255.0
option 150 ip 192.168.75.1
Option 150 tells the phones where to look for the TFTP server, so
that it knows where to get its phone loads.
default-router 192.168.75.1
ip domain name company.net
!
isdn switch-type primary-ni
Type of PRI used is Primary NI 2 is used.
!
voice-card 0
no dspfarm
voice service voip
The allow statements allow calls from protocol to protocol. H323 to
H323, H323 to SIP, etc.
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
h323
default
sip
default
header-passing
default
registrar server expires max 3600 min
3600
default
!
voice class codec 1
codec preference 1 g711ulaw
use uncompressed voice, for internal LANs, you don’t need to
compress the voice. You only need compression when going over a T1,
Frame-Relay, etc.
!
voice translation-rule 1
This is voice translation-rule 1. You reference this much like
access-list 1 in an ACL. Notice down in the “voice
translation-profile strip9” that the “translate called 1”
references this translation-rule. This rule is not applied to
anything, because the 9 is stripped off by default. No need to
apply.
rule 1 /^9\(.*\)/ /\1/
This rule strips the 9 off the from of the digits. EX. When you
push 9 to get an outside line, it takes that 9 off before handing it
over to the PRI, or in our case, the Cisco IAD.
!
Below, this translation-rule below (2) adds digits to the numbers
going out. Rule #1 in this translation-rule states that any call
with an extension of 83XX should have added to it a “205413”, at
the front. Because, in this case, the NoVux Cisco IAD expects to see
10 digits from our CME. This IS configurable on their side. Rule #2
states to add a “205876” to anything coming in from the LAN with
a 4 digit string of “15XX”. Our block of numbers are
205.876.1500 – 1532. Same for rule #3, where our two main lines
4490 and 4494 need to have a “205986” in front of the two
extensions before being forwarded out to the Cisco IAD. If these
rules where not in place, you would not be able to get past the Cisco
IAD, therefore you would get a fast busy signal.
*****NOTE*****
If you get another dialtone AFTER you dial your number, that means
that the IAD (in this case) is expecting digits from ONLY the DIDs
they have listed and it is programmed into the Cisco IAD (Nuvox
owned). This is a security feature, and it will only allow calls
from the DIDs they list. If you get dial tone and digits are sent
without problem to the IAD, the IAD is the issue.
voice translation-rule 2
rule 1 /^\(83..\)$/ /205413\1/
rule 2 /^\(15..\)$/ /205876\1/
rule 3 /^\(44..\)$/ /205986\1/
!
Below, this translation-rule (3) was for test purposes in
troubleshooting an issue, not relevant to this config.
voice translation-rule 3
rule 1 /.*/ /2054138323/
!
voice translation-profile callerid
translate calling 3
!
Below, this was named “fix_clid” because the NuVox Cisco IAD
expects 10 digits, and we have to provide a way to do so. Therefore,
if you look down at voice-port 0/1/0:23, you will notice that this
profile is applied to that voice-port. Hence, 10 digits are
forwarded to the NuVox Cisco IAD.
voice translation-profile fix_clid
translate calling 2
!
Below, this is a translation-profile which a translation-rule goes
into. OR the translation-rule is referenced by the
translation-profile. Remember this one is not being used, because
the 9 is stripped off the number before being sent out by default.
“strip9” is what the translation-profile is called.
voice translation-profile strip9
translate called 1
“1” is the translation-rule that is referenced (voice
translation-rule 1). Kindof like your portfolio has pictures in it,
where a translation-profile has a translation-rule in it.
!
crypto pki trustpoint
TP-self-signed-1571388936
enrollment selfsigned
subject-name
cn=IOS-Self-Signed-Certificate-1571388936
revocation-check none
rsakeypair TP-self-signed-1571388936
!
username company privilege 15 password
7 XXXXXXX
!
controller T1 0/1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
pri-group timeslots 1-24
!
interface GigabitEthernet0/0
description LAN
no ip address
duplex auto
speed auto
!
===============================================
These two
sub-interfaces are for the voice and data vlans. They connect to a
trunk port on the 3560.
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.73.4 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.75.1 255.255.255.0
no snmp trap link-status
===============================================
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/1
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/2
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/3
switchport mode trunk
switchport voice vlan 5
!
interface Serial0/1/0:23
no ip address
NO ip address needed
encapsulation ppp
Usually ppp, but router defaults to HDLC
isdn switch-type primary-ni
switch type named from phone company
isdn incoming-voice voice
voice calls come in
!
interface Serial0/1/1:23
no ip address
encapsulation ppp
shutdown
isdn switch-type primary-ni
isdn incoming-voice voice
!
interface Service-Engine1/0
This interface is for Unity Express.
ip unnumbered GigabitEthernet0/0.1
service-module ip address 192.168.73.8
255.255.255.0
MUST be on the same network as the router LAN scheme.
service-module ip default-gateway
192.168.73.4
Notice on same LAN IP scheme also.
!
interface Vlan1
You need an IP address on these two vlans if you are going to use the
4 port switch module in the router. Do not use it for vlan 1 or vlan
5, but you can for other vlans if need be.
no ip address
!
interface Vlan5
no ip address
!
ip route 0.0.0.0 0.0.0.0 192.168.73.1
ip route 192.168.73.8 255.255.255.255
Service-Engine1/0
Tells the router where to route to for the CUE config.
!
ip http server
Must have on if you are going to do any admin work via the GUI.
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life
86400 requests 10000
!
snmp-server community 4star$ RO
!
Below are the TFTP phone loads, ring tones, etc. Do not delete
any of these. Remember “option 150” in your DHCP scope? This is
what its after, depending on the type of phone you have. DO NOT
DELETE ANY OF THESE.
tftp-server flash:P0030702T023.bin
tftp-server flash:P00405000700.bin
tftp-server flash:P0030702T023.loads
tftp-server flash:P0030702T023.sb2
tftp-server flash:P0030702T023.sbn
tftp-server flash:CVM70.2-0-0-112.sbn
tftp-server flash:Jar70.2-9-0-117.sbn
tftp-server flash:TERM70.7-0-1-0s.LOADS
tftp-server flash:TERM70.DEFAULT.loads
tftp-server flash:TERM71.DEFAULT.loads
tftp-server flash:cnu70.2-7-4-134.sbn
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
!
control-plane
!
voice-port 0/0/0
voice-port 0/0/1
voice-port 0/1/0:23
translation-profile outgoing fix_clid
voice-port 0/1/1:23
!
Below, this dial peer is for voice-mail. The pilot number for
voicemail is 7000. Notice the IP address in the “target” is the
CUE module. G711 is also used.
dial-peer voice 5 voip
destination-pattern 7...
session protocol sipv2
session target ipv4:192.168.73.8
dtmf-relay sip-notify
codec g711ulaw
no vad
!
These dial-peers have a description that explain themselves.
Notice on all that a port is listed for where they will be forwarded
out, or in. Also, notice they are “pots” dial-peers and not
“voip” dial peers, meaning they are coming from or going to the
PRI.
dial-peer voice 1 pots
description ===== INBOUND CALLS =====
===== INBOUND CALLS =====
incoming called-number .
direct-inward-dial
port 0/1/0:23
!
dial-peer voice 2 pots
description ===== 911 CALLS =====
===== 911 CALLS =====
destination-pattern 911
port 0/1/0:23
prefix 911
!
dial-peer voice 3 pots
description ===== LOCAL CALLS =====
===== LOCAL CALLS =====
destination-pattern 9[2-9]......
clid override rdnis
port 0/1/0:23
!
dial-peer voice 4 pots
description ===== 911 CALLS STRIP 9
===== ===== 911 CALLS STRIP 9 =====
destination-pattern 9911
port 0/1/0:23
prefix 911
!
dial-peer voice 6 pots
description ===== LONG DISTANCE CALLS
===== ===== LONG DISTANCE CALLS =====
destination-pattern
91[2-9]..[2-9]......
clid override rdnis
port 0/1/0:23
prefix 1
!
dial-peer voice 7 pots
description ===== INTERNATIONAL CALLS
===== ===== INTERNATIONAL CALLS =====
destination-pattern 9011T
port 0/1/0:23
prefix 011
!
Below, you have the telephony-service where you tell it several
things like what load to use for what phone, no auto-registration of
the phones (they have to be manually added for security reasons),
maximum of 52 phones supported, maximum of 192 extensions, voicemail
pilot, call forwarding, pushing “9” to get outside dialtone,
etc.
telephony-service
no auto-reg-ephone
load 7960-7940 P0030702T023
load 7941GE SCCP41.8-0-4SR3AS
load 7941 SCCP41.8-0-4SR3AS
load 7970 SCCP70.8-0-4SR3AS
max-ephones 52
max-dn 192
ip source-address 192.168.75.1 port
2000
dialplan-pattern 1 205XXXXXXX
extension-length 4 extension-pattern XXXX
voicemail 7000
max-conferences 8 gain -6
call-forward pattern .T
transfer-system full-consult
transfer-pattern .T
secondary-dialtone 9
create cnf-files version-stamp 7960
Sep 24 2007 20:25:01
!
The extensions below in the “ephone-dn” section. Description
shows up in the top right corner of the phone, where name shows up
when you are calling someone (it tells them who you are instead of
the extension), and the number is the actual extension number.
ephone-dn 1 dual-line
number 8323
description Joey XXXXX
name Joey XXXXX
!
ephone-dn 2 dual-line
number 4490
name XXXXXXX
!
These two are the message waiting indicators numbers. CUE uses
the number 8000 plus your extension number to turn the light on your
phone on or off.
ephone-dn 100
number 8000....
mwi on
!
ephone-dn 101
number 8001....
mwi off
!
Below is where the actual physical phones start. You put in the
mac-address of the phone, tell it what type of phone so it knows what
kind of phone load to look for, and you assign the extension with the
“button” command. The “button” command goes like this:
button (physical button on the side of your phone:ephone-dn #). So,
“button 1:1” would refer to first button on the right side of the
phone, and extension 8323, which is Joey’s.
ephone 1
device-security-mode none
mac-address 001B.5494.A209
type 7970
mwi-line 2
button 1:1 2:2 3:4 4:50
!
ephone 2
device-security-mode none
mac-address 001A.E22A.C835
type 7940
button 1:5
banner login ^C******This is a private
network********^C
!
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180269
ntp server 140.221.9.20
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Wednesday, December 21, 2011
Cheat Sheet: MultiTech FaxFinder integration with ShoreTel 12.1
Cheat Sheet: Integrating MultiTech FaxFinder with ShoreTel 12.1
I have to be honest on this. I have had a hard time with this integration, and so I owe a lot of thanks to Oliver at ShoreTel TAC. I talked with about 6 engineers from ShoreTel on this. He seems to be the only one that knew anything about this. So, with his help, I got through this on the ShoreTel side of config and I thought Id share what had to be done to get this thing going.
First, I have ShoreTel 12.1. Second, I have a FF230 (MultiTech FaxFinder model 230). The MultiTech 230 is a dual analog device, meaning capable of only have two calls at a time on it. It connects to my customer's ShoreTel 24A, so it acts like a station endpoint. With that said, lets move on.
My customer has a different fax number than they do for their voice extension. So, I have in my example 7405 (the fax) and 7404 (the phone extension). The call flow goes like this: Call comes in across the PRI. It hits the ShoreTel phone system, where I have a DNIS entry pointing 7405 to be mapped to 7404. This DNIS entry is under Trunk --> Trunk Group --> (name of PRI) --> "edit DNIS map" button. The fax gets forwarded to the phone extension. Now, this is important. Under Sites --> (Site name) --> FAX Redirect Extension:, you put the user you configure for the analog line #1 of the FaxFinder 230 as the destination (FaxFinder1 - ext. 4050 in my case). This is connected to the 24A port 14 and this is an extension only, no mailbox. On that user's properties, go down to the "Fax Support" portion, and click the down menu and select "Fax Server". Under Personal Options of this user, go down to Edit Call Handling Modes: Standard Mode. Select "No Answer/Busy", and forward "Busy Destination" and "No Answer Destination" to the second user that holds that analog line. In my case, it is user FaxFinder2 - ext. 4051. On that extension, same thing, except I dont forward to anything on Busy/No Answer.
Now, on the MultiTech FaxFinder. Go to System Configuration tab, and fill in the Network parameters. Fill in the SMTP and Time properties also. Oh yeah, upgrade the firmware also. Two days ago they came out with an upgrade. You will want to do this, according to MultiTech.
On the Fax Configuration tab, configure Routing as DTMF Digits. No need to change anything else except "Max Extension Digits", where mine was 4 digits for the number of my digits in my extensions. Under Inbound Routing, run the size of the email size limit up to 100000K or higher. The default I found was too low, which I think was 5000K. Under Users tab, add your users. Input all info on them, and make sure at the bottom that you select the "Add Route" check box, and the appropriate extension. IF you do not check that box and add that extension, you wont get faxes to your email. Oh yeah, Im sending faxes to email here, which is configurable under Fax Configuration --> Inbound Routing --> edit user.
Thats all. I hope this helps out. To me, the MultiTech was easier than the ShoreTel piece. But, its in and working. Oh yeah, dont forget to put in a admin email address. All faxes that go there that dont match a user will go to the admin. That might be important if you dont want to miss a fax.
Now, one thing I dont care for that I actually tried to setup. I thought I could forward the FAX Redirect Extension (under Sites) to a Hunt Group instead, which had both 4050 and 4051 in it. It wouldnt work. According to ShoreTel TAC, it wont work. In fact, there is NO way to make it work. That hurts.
I have to be honest on this. I have had a hard time with this integration, and so I owe a lot of thanks to Oliver at ShoreTel TAC. I talked with about 6 engineers from ShoreTel on this. He seems to be the only one that knew anything about this. So, with his help, I got through this on the ShoreTel side of config and I thought Id share what had to be done to get this thing going.
First, I have ShoreTel 12.1. Second, I have a FF230 (MultiTech FaxFinder model 230). The MultiTech 230 is a dual analog device, meaning capable of only have two calls at a time on it. It connects to my customer's ShoreTel 24A, so it acts like a station endpoint. With that said, lets move on.
My customer has a different fax number than they do for their voice extension. So, I have in my example 7405 (the fax) and 7404 (the phone extension). The call flow goes like this: Call comes in across the PRI. It hits the ShoreTel phone system, where I have a DNIS entry pointing 7405 to be mapped to 7404. This DNIS entry is under Trunk --> Trunk Group --> (name of PRI) --> "edit DNIS map" button. The fax gets forwarded to the phone extension. Now, this is important. Under Sites --> (Site name) --> FAX Redirect Extension:, you put the user you configure for the analog line #1 of the FaxFinder 230 as the destination (FaxFinder1 - ext. 4050 in my case). This is connected to the 24A port 14 and this is an extension only, no mailbox. On that user's properties, go down to the "Fax Support" portion, and click the down menu and select "Fax Server". Under Personal Options of this user, go down to Edit Call Handling Modes: Standard Mode. Select "No Answer/Busy", and forward "Busy Destination" and "No Answer Destination" to the second user that holds that analog line. In my case, it is user FaxFinder2 - ext. 4051. On that extension, same thing, except I dont forward to anything on Busy/No Answer.
Now, on the MultiTech FaxFinder. Go to System Configuration tab, and fill in the Network parameters. Fill in the SMTP and Time properties also. Oh yeah, upgrade the firmware also. Two days ago they came out with an upgrade. You will want to do this, according to MultiTech.
On the Fax Configuration tab, configure Routing as DTMF Digits. No need to change anything else except "Max Extension Digits", where mine was 4 digits for the number of my digits in my extensions. Under Inbound Routing, run the size of the email size limit up to 100000K or higher. The default I found was too low, which I think was 5000K. Under Users tab, add your users. Input all info on them, and make sure at the bottom that you select the "Add Route" check box, and the appropriate extension. IF you do not check that box and add that extension, you wont get faxes to your email. Oh yeah, Im sending faxes to email here, which is configurable under Fax Configuration --> Inbound Routing --> edit user.
Thats all. I hope this helps out. To me, the MultiTech was easier than the ShoreTel piece. But, its in and working. Oh yeah, dont forget to put in a admin email address. All faxes that go there that dont match a user will go to the admin. That might be important if you dont want to miss a fax.
Now, one thing I dont care for that I actually tried to setup. I thought I could forward the FAX Redirect Extension (under Sites) to a Hunt Group instead, which had both 4050 and 4051 in it. It wouldnt work. According to ShoreTel TAC, it wont work. In fact, there is NO way to make it work. That hurts.
Monday, December 19, 2011
Does ShoreTel Support NFAS Configuration?
Ok, let me start off this post by saying that there are many things that I do like about the ShoreTel phone system. However, I have to say that I dont like that ShoreTel doesnt support NFAS for "bonded" PRIs. When I learned this today from a TAC case I had opened, I was really disappointed. In fact, IF a customer has this configuration and they dont want to go away from this, ShoreTel is automatically out as a VoIP choice. Reliability is of upmost importance to businesses with call centers, governments, etc (and PRIs are the most reliable in my opinion). Maybe in the future ShoreTel will support the NFAS configuration for bonded PRIs, but as of today, they dont.
Thursday, December 15, 2011
Brocade (Foundry): "PoE Error: Memory allocation failed" / "Error: LLDP can't allocate memory for generating any of the location ID config"
I was at a customer site yesterday and I was getting ready to do a ShoreTel install. I noticed that I was having some PoE issues, and that is when I came across an even bigger issue. It appeared that my Brocade switches were really NOT happy, for when I consoled into one of my switch stacks to find the PoE issue, I got this message continously scrolling down the page:
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
Well, no wonder Im having PoE issues, and now I have no idea what this error means. So, I rebooted the switch and it cleared things up, for the moment.
That is when I got into another switch that was having an issue. I was getting this message when I got into it:
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the network policy config
Hmmm. I dont know what all that means, but I notice one common thing in both messages: Memory. So, I called up Brocade TAC and it turns out that I have an IOS version that has a bug, specifically a memory leak. Well, I did the upgrade of the IOS and all seems to be well now. But, here is what I did to do the upgrade of the IOS:
First, I needed to upgrade the boot image. Here is the command:
"copy tftp flash 172.24.14.125 grz07100.bin boot"
Second, here is the command for upgrading the IOS:
"copy tftp flash 172.24.14.125 FCXS07202e.bin pri"
Next, reload the switch and you are done:
"reload"
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
Well, no wonder Im having PoE issues, and now I have no idea what this error means. So, I rebooted the switch and it cleared things up, for the moment.
That is when I got into another switch that was having an issue. I was getting this message when I got into it:
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the network policy config
Hmmm. I dont know what all that means, but I notice one common thing in both messages: Memory. So, I called up Brocade TAC and it turns out that I have an IOS version that has a bug, specifically a memory leak. Well, I did the upgrade of the IOS and all seems to be well now. But, here is what I did to do the upgrade of the IOS:
First, I needed to upgrade the boot image. Here is the command:
"copy tftp flash 172.24.14.125 grz07100.bin boot"
Second, here is the command for upgrading the IOS:
"copy tftp flash 172.24.14.125 FCXS07202e.bin pri"
Next, reload the switch and you are done:
"reload"
Sunday, December 11, 2011
Cisco: How To Decrypt The PCF Group Authentication Password
Do you ever get tired of NOT knowing the vpn group authentication password in a pcf file? I do. But, here is a way to decrypt those starred out characters. Its been very handy to me. Go to the pcf file and open it up in notepad. C:\Program Files\Cisco Systems\VPN Client\Profiles is where the profiles are located. Find the place where it reads "enc_GroupPwd=". Highlight the key underneath and copy it. Paste it into the box in the link below. Then, hit "decode" and its spits out your key down at the middle of the page. Easy.
Decode Group Authentication Passwords HERE
Decode Group Authentication Passwords HERE
ShoreTel: Amphenol cable pinout for the ShoreGear 24A
Ok, why am I concerned with the amphenol cable? Well, because if you do any ShoreGear 24A devices, you will need to know this. I do not know by heart the cable to pin out. So, I often refer to this diagram. I thought Id share with you all. Here it is.
Brocade (Foundry): PoE insufficiency - "detection failed - out of range capacitor"
One of the cool things I have found out from my local Brocade engineer, is that when it comes to POE, you can actually control how much power is given on each port. If you are on the ethernet interface, you can type in "inline power ?". It will give you an interesting option.
interface ethernet 1/1/2
dual-mode 25
inline power power-by-class 2 <--- Interesting option here to me.
trust dscp
sflow forwarding
Notice that on this configuration on the interface, you see "inline power power-by-class 2". You can change the power output based on what power class your device is. I notice VoIP phones mainly. In this case, I had to look up how much power a ShoreTel IP230 phone took. It was a class two PoE device, according to the specs. Hence the command you see. It wont give more than a class 2 power rating on that interface.
Why would you want to do this? Because if you don't specify lesser power when you only need a smaller amount, then you will find that some of your ports on your switch wont give out power. It will be an insufficient amount. So, by running the power down by the above command, you give your other ports that wouldn't normally have a chance at having power the opportunity to give out power. Pretty cool.
So you can see, this is what you get by default when you do a show inline power:
telnet@ConfRoom#sh inline power
Power Capacity: Total is 410000 mWatts. Current Free is 20000 mWatts.
Power Allocations: Requests Honored 26 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
1/1/1 Off Off 0 0 n/a n/a 3 n/a
1/1/2 On Off 0 0 n/a n/a 3 n/a
1/1/3 On Off 0 0 n/a n/a 3 n/a
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/6 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/9 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/10 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/11 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/12 On On 188 30000 Legacy n/a 3 n/a
1/1/13 On Off 0 0 n/a n/a 3 n/a
1/1/14 On Off 0 30000 n/a n/a 3 n/a
1/1/15 On Off 0 30000 n/a n/a 3 n/a
1/1/16 On Off 0 30000 n/a n/a 3 n/a
1/1/17 On Off 0 30000 n/a n/a 3 n/a
the rest omitted...
Notice above the 30000 mWatts allocated. But, this is what you get when you modify the power output to be a class 2 output:
telnet@ConfRoom#sh inline power
Power Capacity: Total is 410000 mWatts. Current Free is 165000 mWatts.
Power Allocations: Requests Honored 48 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
1/1/1 On Off 0 7000 n/a n/a 3 n/a
1/1/2 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/3 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/6 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/9 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/10 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/11 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/12 On On 188 7000 Legacy n/a 3 n/a
1/1/13 On Off 0 0 n/a n/a 3 n/a
1/1/14 On Off 0 7000 n/a n/a 3 n/a
1/1/15 On Off 0 7000 n/a n/a 3 n/a
1/1/16 On Off 0 7000 n/a n/a 3 n/a
1/1/17 On Off 0 7000 n/a n/a 3 n/a
rest ommited...
See the 7000 mWatts instead. Makes life a little better in the PoE world.
interface ethernet 1/1/2
dual-mode 25
inline power power-by-class 2 <--- Interesting option here to me.
trust dscp
sflow forwarding
Notice that on this configuration on the interface, you see "inline power power-by-class 2". You can change the power output based on what power class your device is. I notice VoIP phones mainly. In this case, I had to look up how much power a ShoreTel IP230 phone took. It was a class two PoE device, according to the specs. Hence the command you see. It wont give more than a class 2 power rating on that interface.
Why would you want to do this? Because if you don't specify lesser power when you only need a smaller amount, then you will find that some of your ports on your switch wont give out power. It will be an insufficient amount. So, by running the power down by the above command, you give your other ports that wouldn't normally have a chance at having power the opportunity to give out power. Pretty cool.
So you can see, this is what you get by default when you do a show inline power:
telnet@ConfRoom#sh inline power
Power Capacity: Total is 410000 mWatts. Current Free is 20000 mWatts.
Power Allocations: Requests Honored 26 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
1/1/1 Off Off 0 0 n/a n/a 3 n/a
1/1/2 On Off 0 0 n/a n/a 3 n/a
1/1/3 On Off 0 0 n/a n/a 3 n/a
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/6 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/9 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/10 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/11 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/12 On On 188 30000 Legacy n/a 3 n/a
1/1/13 On Off 0 0 n/a n/a 3 n/a
1/1/14 On Off 0 30000 n/a n/a 3 n/a
1/1/15 On Off 0 30000 n/a n/a 3 n/a
1/1/16 On Off 0 30000 n/a n/a 3 n/a
1/1/17 On Off 0 30000 n/a n/a 3 n/a
the rest omitted...
Notice above the 30000 mWatts allocated. But, this is what you get when you modify the power output to be a class 2 output:
telnet@ConfRoom#sh inline power
Power Capacity: Total is 410000 mWatts. Current Free is 165000 mWatts.
Power Allocations: Requests Honored 48 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
1/1/1 On Off 0 7000 n/a n/a 3 n/a
1/1/2 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/3 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/6 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/9 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/10 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/11 On Off 0 0 n/a n/a 3 detection failed - out of range capacitor
1/1/12 On On 188 7000 Legacy n/a 3 n/a
1/1/13 On Off 0 0 n/a n/a 3 n/a
1/1/14 On Off 0 7000 n/a n/a 3 n/a
1/1/15 On Off 0 7000 n/a n/a 3 n/a
1/1/16 On Off 0 7000 n/a n/a 3 n/a
1/1/17 On Off 0 7000 n/a n/a 3 n/a
rest ommited...
See the 7000 mWatts instead. Makes life a little better in the PoE world.
VPN remote-access into a Cisco IOS router.
One of the things I think is cool is that you dont necessarily need a firewall to do VPN remote-access. You can do this with a Cisco router just as well. This is really good if you have a Cisco router laying around not being used for anything. Lets look at the configuration for this.
This was on a 1841 Cisco router. Lets first define what we will NAT and what we will not NAT. The deny statements are what you do NOT want to NAT. The permit statements DO NAT.
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
Now, lets make an ACL that will do the encryption. Source and Destination. Notice that in both of these ACLs, the subnet mask is backwards. It can be a little confusing, but its just the way the IOS is.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
Now, the DHCP pool for the Cisco remote-access clients:
ip local pool ippool 192.168.50.50 192.168.50.250
The NAT statement on what to NAT. Place this on the external interface:
ip nat inside source list 111 interface FastEthernet1/0 overload
Lets tell the router to use local authentication:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
Create a username and password for local authentication:
username tech password passwordstring
Configure Phase I:
crypto isakmp policy 3
encr aes-256
hash sha
authentication pre-share
group 2
Create Phase II:
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
Configure the group, pcf password, DNS name, DHCP pool to use, and the encryption ACL to use:
crypto isakmp client configuration group vpnclient
key companypassword
company.com
pool ippool
acl 101
Create the crypto piece where you will apply Phase II:
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
Crypto Maps:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Apply to the external interface:
interface FastEthernet1/0
crypto map clientmap
Now, test your Cisco VPN client and verify you can log in with the local credentials. Thats it.
This was on a 1841 Cisco router. Lets first define what we will NAT and what we will not NAT. The deny statements are what you do NOT want to NAT. The permit statements DO NAT.
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
Now, lets make an ACL that will do the encryption. Source and Destination. Notice that in both of these ACLs, the subnet mask is backwards. It can be a little confusing, but its just the way the IOS is.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
Now, the DHCP pool for the Cisco remote-access clients:
ip local pool ippool 192.168.50.50 192.168.50.250
The NAT statement on what to NAT. Place this on the external interface:
ip nat inside source list 111 interface FastEthernet1/0 overload
Lets tell the router to use local authentication:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
Create a username and password for local authentication:
username tech password passwordstring
Configure Phase I:
crypto isakmp policy 3
encr aes-256
hash sha
authentication pre-share
group 2
Create Phase II:
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
Configure the group, pcf password, DNS name, DHCP pool to use, and the encryption ACL to use:
crypto isakmp client configuration group vpnclient
key companypassword
company.com
pool ippool
acl 101
Create the crypto piece where you will apply Phase II:
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
Crypto Maps:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Apply to the external interface:
interface FastEthernet1/0
crypto map clientmap
Now, test your Cisco VPN client and verify you can log in with the local credentials. Thats it.
Friday, December 9, 2011
Cisco ASA: NAT'ing site to site VPN traffic - NOT NOT NAT
So I have come across a few times where I needed to NAT VPN traffic to a certain IP address. They remote end (usually a place that has a lot of VPN connections) wouldn't allow private addressing to be used. So, I needed to have an IP address or range to use that was public. With that said, I decided I wanted my 10.0.0.0 subnet to be NAT'ed to the 174.X.X.167 address. They will accept this on their remote end, as my client will be sending traffic only to them. They will not be sending traffic to us. With that said, we only need one IP address, since they are not trying to get to multiple servers here at my customer.
Lets look at the config:
Phase I:
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Phase II:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Tunnel creation:
tunnel-group 62.X.X.233 type ipsec-l2l
tunnel-group 62.X.X.233 ipsec-attributes
pre-shared-key passkey
Now the fun stuff. Remember, we ARE NAT'ing our traffic. We want to NAT our 10.0.0.0 private network to 174.X.X.167. So, we need to define what internal traffic gets NAT'ed to the destination of 206.X.X.210.
NAT ACL:
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210
Now, lets do the encryption ACL. If you are coming from the 10.0.0.0 network you get NAT'ed to be 174.X.X.167 and are destined to 206.X.X.210, then the following encryption ACL will do for traffic across the VPN.
Encryption ACL:
access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210
Now, we have to tell it to NAT. We do this with a static NAT translation. We say if the ACL policy-nat is matched, then NAT to 174.X.X.167.
static (inside,outside) 174.X.X.167 access-list policy-nat
Then go add the crypto map.
crypto map outside_map 20 match address customer-access
crypto map outside_map 20 set peer 62.X.X.233
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
Apply to the outside interface:
crypto map outside_map interface outside
crypto isakmp enable outside
Done. Now you are NAT'ing your vpn traffic across the site to site VPN.
Lets look at the config:
Phase I:
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Phase II:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Tunnel creation:
tunnel-group 62.X.X.233 type ipsec-l2l
tunnel-group 62.X.X.233 ipsec-attributes
pre-shared-key passkey
Now the fun stuff. Remember, we ARE NAT'ing our traffic. We want to NAT our 10.0.0.0 private network to 174.X.X.167. So, we need to define what internal traffic gets NAT'ed to the destination of 206.X.X.210.
NAT ACL:
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210
Now, lets do the encryption ACL. If you are coming from the 10.0.0.0 network you get NAT'ed to be 174.X.X.167 and are destined to 206.X.X.210, then the following encryption ACL will do for traffic across the VPN.
Encryption ACL:
access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210
Now, we have to tell it to NAT. We do this with a static NAT translation. We say if the ACL policy-nat is matched, then NAT to 174.X.X.167.
static (inside,outside) 174.X.X.167 access-list policy-nat
Then go add the crypto map.
crypto map outside_map 20 match address customer-access
crypto map outside_map 20 set peer 62.X.X.233
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
Apply to the outside interface:
crypto map outside_map interface outside
crypto isakmp enable outside
Done. Now you are NAT'ing your vpn traffic across the site to site VPN.
Cisco ASA to Pix site to site VPN template
Here is a sample site to site vpn template for an ASA to a Pix. Thought someone might be interested in having something like this. Its been handy for me. Its good to just modify to your needs and cut and paste in. All in notepad.
ASA config:
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group13.X.X.226 type ipsec-l2l
tunnel-group13.X.X.226 ipsec-attributes
pre-shared-key passkey!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address huntsville_remote
crypto map outside_map 10 set peer13.X.X.226
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
cryp map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal
PIX config:
crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address bham_main
crypto map vpn_map 10 set peer 66.X.X.130
crypto map vpn_map 10 set transform-set bham_main
crypto ipsec transform-set bham_main esp-aes-256 esp-sha-hmac
isakmp key passkey! address 66.X.X.130 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto map vpn_map interface outside
isakmp enable outside
isakmp nat-traversal 10
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0
ASA config:
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group13.X.X.226 type ipsec-l2l
tunnel-group13.X.X.226 ipsec-attributes
pre-shared-key passkey!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address huntsville_remote
crypto map outside_map 10 set peer13.X.X.226
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
cryp map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal
PIX config:
crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address bham_main
crypto map vpn_map 10 set peer 66.X.X.130
crypto map vpn_map 10 set transform-set bham_main
crypto ipsec transform-set bham_main esp-aes-256 esp-sha-hmac
isakmp key passkey! address 66.X.X.130 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto map vpn_map interface outside
isakmp enable outside
isakmp nat-traversal 10
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0
Doing Cisco configs in notepad first
Ever do configs in notepad? It is so much easier than just getting on the ASA/Router/Switch itself and doing it. I dont know why. I just find that if you know the cli pretty well, to me it seems easier to just write all the config out in notepad (cut and paste and modify mostly) and then cut and paste a final product into the device itself. Any thoughts on that? Here is what I have for tonight's config of an ASA:
config t
int vlan 2
no ip add
ip add 13.X.X.218 255.255.255.248
exit
no ip route 0.0.0.0 0.0.0.0 67.X.X.73
ip route 0.0.0.0 0.0.0.0 13.X.X.217
no static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
no static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
no static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
no static (inside,outside) tcp 67.X.X.76 3389 192.168.168.250 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
no static (inside,outside) 67.X.X.77 192.168.168.55 netmask 255.255.255.255
no static (inside,outside) 67.X.X.78 192.168.168.245 netmask 255.255.255.255
no access-list 101
access-list 101 extended permit tcp any host 13.X.X.218 eq citrix-ica
access-list 101 extended permit udp any host 13.X.X.218 eq 1494
access-list 101 extended permit tcp any host 13.X.X.218 eq https
access-list 101 extended permit tcp any host 13.X.X.218 eq 1604
access-list 101 extended permit udp any host 13.X.X.218 eq 1604
access-list 101 extended permit tcp any host 13.X.X.218 eq pptp
access-list 101 extended permit ip any host 13.X.X.220
access-list 101 extended permit tcp any host 13.X.X.219 eq 3389
access-list 101 extended permit ip any host 13.X.X.221
access-list 101 extended permit tcp any host 13.X.X.218 eq 2067
static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
static (inside,outside) tcp 13.X.X.219 3389 192.168.168.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
static (inside,outside) 13.X.X.220 192.168.168.55 netmask 255.255.255.255
static (inside,outside) 13.X.X.221 192.168.168.245 netmask 255.255.255.255
wr mem
exit
reload (The ASA will reboot after you type this in.)
Tomorrow, I should be able to just cut and paste this whole thing in all at once and be done with it quickly while onsite. Anyway, not much technical on this post, but I just thought it was a good note for tonight. Notepad can be a good thing sometimes.
config t
int vlan 2
no ip add
ip add 13.X.X.218 255.255.255.248
exit
no ip route 0.0.0.0 0.0.0.0 67.X.X.73
ip route 0.0.0.0 0.0.0.0 13.X.X.217
no static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
no static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
no static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
no static (inside,outside) tcp 67.X.X.76 3389 192.168.168.250 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
no static (inside,outside) 67.X.X.77 192.168.168.55 netmask 255.255.255.255
no static (inside,outside) 67.X.X.78 192.168.168.245 netmask 255.255.255.255
no access-list 101
access-list 101 extended permit tcp any host 13.X.X.218 eq citrix-ica
access-list 101 extended permit udp any host 13.X.X.218 eq 1494
access-list 101 extended permit tcp any host 13.X.X.218 eq https
access-list 101 extended permit tcp any host 13.X.X.218 eq 1604
access-list 101 extended permit udp any host 13.X.X.218 eq 1604
access-list 101 extended permit tcp any host 13.X.X.218 eq pptp
access-list 101 extended permit ip any host 13.X.X.220
access-list 101 extended permit tcp any host 13.X.X.219 eq 3389
access-list 101 extended permit ip any host 13.X.X.221
access-list 101 extended permit tcp any host 13.X.X.218 eq 2067
static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
static (inside,outside) tcp 13.X.X.219 3389 192.168.168.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
static (inside,outside) 13.X.X.220 192.168.168.55 netmask 255.255.255.255
static (inside,outside) 13.X.X.221 192.168.168.245 netmask 255.255.255.255
wr mem
exit
reload (The ASA will reboot after you type this in.)
Tomorrow, I should be able to just cut and paste this whole thing in all at once and be done with it quickly while onsite. Anyway, not much technical on this post, but I just thought it was a good note for tonight. Notepad can be a good thing sometimes.
Tuesday, December 6, 2011
ShoreTel: The lack of multiple extension capability.
One of the things I come across quite a bit is that a company has users who have multiple extensions. Its really a common request, for whatever reason. Cisco does this without any issue, and its very easy to configure a phone to have multiple extensions. You just go to the phone and you select the line appearance and put in the number you want it to have. ShoreTel, unfortunately, does not have this option. They want you to do a "monitor extension" or a hunt group to accomplish this. I am not a fan of this, because I feel like this can limit you on some "out of the box" thinking, not to mention you can not fulfill a request for simply having two regular extensions.
I have talked with a ShoreTel pre-sales guy about this, and he says it can be done. However, he has never installed a phone system before. I am always cautious about pre-sales engineers, simply because of what I consider to be "lack of real world experience".
As of version 12.1, I talked with a ShoreTel TAC engineer about this. Im pasting this piece of the chat below.
2:22 PM Me: Ok, it would be nice to just be able to have two regular extensions that act the same way, just two separate extensions. But Im thinking that it cant be done on this system, correct?
2:23 PM ShoreTel TAC: That is a great suggestion Shane, you may want to review this link and provide feedback. http://blog.shoretel.com/2011/07/shoretel-suggestions-goes-live/
2:24 PM ShoreTel TAC: However, as you saw via the configuration you cannot assign two separate extensions to one user. So based on the user's requirements I will help provide the best configuration solution.
To me, its very frustrating that you can not do this. Maybe in the future ShoreTel will incorporate this. I can say, that there have been situations where I have recommended Cisco over ShoreTel solely because of this.
EDITED POST: Ok, I know you are saying, as some have directly to me, why not just use BCA? Well, because BCA doesnt work the same way as an extension. It works differently than a "shared" line. Read the documentation.
I have talked with a ShoreTel pre-sales guy about this, and he says it can be done. However, he has never installed a phone system before. I am always cautious about pre-sales engineers, simply because of what I consider to be "lack of real world experience".
As of version 12.1, I talked with a ShoreTel TAC engineer about this. Im pasting this piece of the chat below.
2:22 PM Me: Ok, it would be nice to just be able to have two regular extensions that act the same way, just two separate extensions. But Im thinking that it cant be done on this system, correct?
2:23 PM ShoreTel TAC: That is a great suggestion Shane, you may want to review this link and provide feedback. http://blog.shoretel.com/2011/07/shoretel-suggestions-goes-live/
2:24 PM ShoreTel TAC: However, as you saw via the configuration you cannot assign two separate extensions to one user. So based on the user's requirements I will help provide the best configuration solution.
To me, its very frustrating that you can not do this. Maybe in the future ShoreTel will incorporate this. I can say, that there have been situations where I have recommended Cisco over ShoreTel solely because of this.
EDITED POST: Ok, I know you are saying, as some have directly to me, why not just use BCA? Well, because BCA doesnt work the same way as an extension. It works differently than a "shared" line. Read the documentation.
Saturday, December 3, 2011
Cant add route-map to the Cisco 3750 vlan interface for policy based routing
Well, today I had quite a day re-doing a topology for a customer. But there was one thing in particular that was worthy of writing about. One of my goals was to add a route-map into a pair of 3750s that were acting as a redundant core. They were merging two companies onto the same network, but wanted some boundaries. They wanted to keep each other off each other's resources, but needed to share the network infrastructure because of the redundancy built in. They were saving money by sharing resources, but still implementing security across the network. One of the things they wanted to do was to still utilize their own Internet pipe. Each of them had their own ASAs in place, with their own amount of bandwidth.
So, with that said, the goal here was to add a route-map on the 3750 cores, and separate the Internet traffic from there, across each company's own firewalls. Ok, so lets look at the route-map.
Ok, here is the access list to determine what happens. I want all traffic coming from 10.10.1.0 and 10.10.2.0 to go out Internet 2, unless they are going to each other. Then, we dont want them to match the criteria. The first four are denies (dont go to the Internet 2), then the permits. The permits say go to Internet 2 ASA. Then a deny anything else.
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip 10.10.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.2.0 0.0.0.255 any
access-list 105 deny ip any any
!
Now for the route-map. The match 105 says to look at ACL 105 for the matching criteria. Then if it matches, set the next hop to be 10.10.2.2, which is Internet 2.
route-map SBS permit 10
match ip address 105
set ip next-hop 10.10.2.2
!
Now, lets apply the policy to the vlan we want to implement this on. Lets look at the vlan interface:
interface Vlan102
description *** Company 2 Network ***
ip address 10.10.2.254 255.255.255.0
ip helper-address 10.10.1.17
ip policy route-map SBS <--- *** Here is where it is implemented onto the vlan interface ***
standby 102 ip 10.10.2.1
Now, here is the real reason Im writing this blog: At first, and for the next two or three times, the policy would not apply. AND, it never gave me any indication that it DIDNT apply. I didnt know why, but it wasnt working. When I went to ipchicken.com, it wouldnt give me the public address of company 2. So, what was wrong? Well after some research, I found that I had to add a command on the 3750 (and probably any L3 switch Im guessing). So, here is what I did:
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
I can not tell you exactly what this "sdm prefer routing" command does at this point, but I have every intention of reading more about this. I know it refers to how resources are allocated within the 3750. Here is what Im planning on reading: Thanks Cisco for explaining this.
So, after a reload, the 3750s come back up and I am now able to apply the route-map to the interface with the "ip policy route-map" command. Give it a good read. I know I will.
So, with that said, the goal here was to add a route-map on the 3750 cores, and separate the Internet traffic from there, across each company's own firewalls. Ok, so lets look at the route-map.
Ok, here is the access list to determine what happens. I want all traffic coming from 10.10.1.0 and 10.10.2.0 to go out Internet 2, unless they are going to each other. Then, we dont want them to match the criteria. The first four are denies (dont go to the Internet 2), then the permits. The permits say go to Internet 2 ASA. Then a deny anything else.
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny ip 10.10.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.2.0 0.0.0.255 any
access-list 105 deny ip any any
!
Now for the route-map. The match 105 says to look at ACL 105 for the matching criteria. Then if it matches, set the next hop to be 10.10.2.2, which is Internet 2.
route-map SBS permit 10
match ip address 105
set ip next-hop 10.10.2.2
!
Now, lets apply the policy to the vlan we want to implement this on. Lets look at the vlan interface:
interface Vlan102
description *** Company 2 Network ***
ip address 10.10.2.254 255.255.255.0
ip helper-address 10.10.1.17
ip policy route-map SBS <--- *** Here is where it is implemented onto the vlan interface ***
standby 102 ip 10.10.2.1
Now, here is the real reason Im writing this blog: At first, and for the next two or three times, the policy would not apply. AND, it never gave me any indication that it DIDNT apply. I didnt know why, but it wasnt working. When I went to ipchicken.com, it wouldnt give me the public address of company 2. So, what was wrong? Well after some research, I found that I had to add a command on the 3750 (and probably any L3 switch Im guessing). So, here is what I did:
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
I can not tell you exactly what this "sdm prefer routing" command does at this point, but I have every intention of reading more about this. I know it refers to how resources are allocated within the 3750. Here is what Im planning on reading: Thanks Cisco for explaining this.
So, after a reload, the 3750s come back up and I am now able to apply the route-map to the interface with the "ip policy route-map" command. Give it a good read. I know I will.
Subscribe to:
Posts (Atom)