Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About dtbullock
Stats
Member since
02-18-2008
65
Posts
5
Helpful
0
Solutions
Created by
dtbullock
in IP Telephony and Phones
in IP Telephony and Phones
10-10-2011
11:40 PM
10-10-2011
11:40 PM
Site "BranchOffice" has 4 phone handsets and a QoS-capable WAN connection to HeadOffice. Site "HeadOffice" has a dozen phone handsets, a SIP trunk, and Call Manager Express on a 2900 series router. Solution: Make the 4 BranchOffice phones register with the CME in HeadOffice over the WAN link. But: There are 2 PSTN lines terminating at BranchOffice and which can't (according to the telco) be made to terminiate at HeadOffice. The customer doesn't want to disconnect the existing extensively-advertised and geographically-indicative numbers. So how can calls on the PSTN lines at BrarnchOffice get incorporated into the CME hosted at HeadOffice? A) put a CME at BranchOffice too? B) put an FXO-SIP gateway at BranchOffice, and have CME treat it as a SIP trunk? i) with 3rd party gateway; ii) with Cisco gateway (what?) C) something else Design constraints: * WAN bandwidth between offices is already a sunk cost. * BranchOffice is unlikely to grow. * BranchOffice's existing edge router (an 800-series) can be re-deployed. * Ideally, HeadOffice will be able to monitor busy state of extensions in BranchOffice. I hope that makes sense. thanks, David.
... View more
Labels:
09-11-2011
06:18 AM
Yes, I was just thinking about that ... the output interface has already been chosen by the time the inside source NAT is applied, so selecting the NAT route-map via match interface is the best approach! Thanks!
... View more
09-11-2011
05:59 AM
Verdict! This works: ip nat inside source route-map ROUTE-MAP-DATA interface Dialer0 overload ip nat inside source route-map ROUTE-MAP-VOICE interface Dialer1 overload ip access-list extended ROUTE-DATA deny ip 10.9.0.0 0.0.255.255 host 211.29.132.12 deny ip 10.9.0.0 0.0.255.255 host 198.142.0.51 deny ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 permit ip 10.9.0.0 0.0.255.255 any ip access-list extended ROUTE-VOICE permit ip 10.9.0.0 0.0.255.255 host 211.29.132.12 permit ip 10.9.0.0 0.0.255.255 host 198.142.0.51 permit ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 route-map ROUTE-MAP-DATA permit 10 match ip address ROUTE-DATA route-map ROUTE-MAP-VOICE permit 10 match ip address ROUTE-VOICE It is not as neat as marwanshawi's solution, which uses policy-based routing on the ingress interface to set the egress interface, and then uses the match interface selector to discriminate between NAT route-maps. (Which is v.nice). For the moment I'm sticking with my solution because I'm not yet ready to leap headfirst from my routing table with policy-based routing! (And because I've already got it working ... ). However, I will definitely follow the marwanshawi zen when I need to choose a link based on criteria other than destination address (such as whether the route is up, or load-balancing concerns, or protocol, etc).
... View more
09-10-2011
09:46 PM
Largely based on information in NAT Support for Multiple Pools Using Route Maps, I'm contemplating a configuration like the following: ip nat inside source route-map ROUTE-MAP-VOICE interface Dialer 1 overload ip nat inside source route-map ROUTE-MAP-DATA interface Dialer 0 overload route-map ROUTE-MAP-VOICE permit 10 match ip address ROUTE-VOICE route-map ROUTE-MAP-DATA permit 10 match ip address ROUTE-DATA ip access-list extended ROUTE-VOICE permit ip 10.9.0.0 0.0.255.255 211.29.132.12 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 198.142.0.51 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 ip access-list extended ROUTE-DATA permit ip 10.9.0.0 0.0.255.255 0.0.0.0 255.255.255.255 However, with the above configuration, a packet from 10.9.9.254 to 198.142.0.51 could match either ROUTE-VOICE or ROUTE-DATA. Since there are apparently no rules ordering which ip nat inside source route-map gets evaluate first, it is ambiguous which route-map will be applied. (?!) Conceptually, if only the route-map could feedback to the NAT process via a 'set' command (eg. via "set interface"), I could do this instead: ip nat inside source route-map ROUTE-MAP overload route-map ROUTE-MAP permit 10 match ip address ROUTE-VOICE set interface Dialer 1 set default interface Dialer 0 ip access-list extended ROUTE-VOICE permit ip 10.9.0.0 0.0.255.255 211.29.132.12 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 198.142.0.51 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 ... but unfortunately it would seem that ip nat inside source route-map really wants me to specify a pool or interface, and it is difficult to imagine that it would allow this to be overridden because of a route-map's execution. So I think I'm going to have to do this: ip nat inside source route-map ROUTE-MAP-VOICE interface Dialer 1 overload ip nat inside source route-map ROUTE-MAP-DATA interface Dialer 0 overload route-map ROUTE-MAP-VOICE permit 10 match ip address ROUTE-VOICE route-map ROUTE-MAP-DATA permit 10 match ip address ROUTE-DATA ip access-list extended ROUTE-VOICE permit ip 10.9.0.0 0.0.255.255 211.29.132.12 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 198.142.0.51 0.0.0.0 permit ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 ip access-list extended ROUTE-DATA deny ip 10.9.0.0 0.0.255.255 211.29.132.12 0.0.0.0 deny ip 10.9.0.0 0.0.255.255 198.142.0.51 0.0.0.0 deny ip 10.9.0.0 0.0.255.255 211.29.144.0 0.0.7.255 permit ip 10.9.0.0 0.0.255.255 any ... to ensure that ip nat inside source route-map can only choose 1 route-map or the other. Seems a little bit ugly, but I'll let y'all know how it works. Message was edited by: David Bullock ... fixes to some ACL masks. Message was edited by: David Bullock ... fixes to some bad syntax.
... View more
09-10-2011
08:36 PM
It seems like I might be looking for something like: ip nat inside source route-map foo interface Dialer 1 overload Any comments?
... View more
09-10-2011
08:02 PM
I have 2 routes to my ISP (over separate ATM PVC's, each with their own dialer). I want traffic for DNS and VoIP to go via dialer 1 to the ISP's private network (10.204.x.y), and generic data to go via dialer 0 (58.108.x.y). At the moment, since I can identify traffic for dialer 1 via its destination IP address, I'm approaching this task using static routing. (eg. ip route 198.x.x.x 255.255.255.255 Dialer 1) This works fine when I (for example) force a DNS request from the router. The router correctly selects dialer 1 to send a packet with dialer 1's IP address. However, it does not work for transit traffic which is subject to NAT - the router receives the packet from the LAN and then NATs the source address to dialer 0's IP address and sends it over dialer 1. The ISP wisely drops the packet. The highlighted line from the following debug ip packet tells the tale: IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, Ingress-NetFlow(17), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51, len 75, input feature, TCP Adjust MSS(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=10.9.9.254 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, CCE Output Classification(5), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Firewall (NAT)(33), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Firewall (inspect)(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, TCP Adjust MSS(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Post-Ingress-NetFlow(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), len 75, output feature, Dialer idle reset(66), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Dialer1), g=198.142.0.51, len 75, forward IP: s=58.108.162.121 (BVI1), d=198.142.0.51 (Virtual-Access3), len 75, sending full packet Clearly, my NAT configuration is at fault. The above is unsurprising, since I have ip nat inside source list 1 interface Dialer0 overload and access list 1 has the line: 30 permit 10.9.9.0, wildcard bits 0.0.0.255 ... but how would I tell NAT to behave differently when the destination IP is one of those I want routed to Dialer1? thanks! David.
... View more
- Tags:
- ip_routing
- nat
Labels:
09-10-2011
05:58 PM
Resources I referred to included: Troubleshooting PPP (CHAP or PAP) authentication Understanding debug ppp negotiation Output the Configuring Unidirectional CHAP section of PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands
... View more
09-10-2011
05:50 PM
Hey guys, my understanding of the callin argument to ppp authentication is that it says "only bother authenticating the remote peer if it called me". It does not say anything about whether I need to authenticate to the remote peer or not ... that is decided by them. In the debug ppp negotiation output, it clearly is an outbound call: Vi4 PPP: Treating connection as a callout If I configure my dialer with simply: ppp authentication pap ppp pap sent-username foo password foo then when I send my first outbound CONFREQ, I say "hey, authenticate yourself with PAP": Vi4 LCP: O CONFREQ [Closed] id 1 len 14 Vi4 LCP: AuthProto PAP (0x0304C023) Vi4 LCP: MagicNumber 0x2C2857C0 (0x05062C2857C0) Vi4 LCP: I CONFREQ [REQsent] id 129 len 18 Vi4 LCP: MRU 1492 (0x010405D4) Vi4 LCP: AuthProto PAP (0x0304C023) Vi4 LCP: MagicNumber 0x73FE221B (0x050673FE221B) However, if I don't care about authenticating the peer I'm calling: ppp authentication pap callin ppp pap sent-username foo password foo then I attempt to dictate less to the peer: Vi3 LCP: O CONFREQ [Closed] id 1 len 10 Vi3 LCP: MagicNumber 0x24D3F426 (0x050624D3F426) Vi3 LCP: I CONFREQ [REQsent] id 220 len 18 Vi3 LCP: MRU 1492 (0x010405D4) Vi3 LCP: AuthProto PAP (0x0304C023) Vi3 LCP: MagicNumber 0x3DCE5388 (0x05063DCE5388) Yes, the "directionality" of PPP language is a headache!
... View more
09-09-2011
03:55 AM
Thanks for your help. Using the debugs I was able to establish that the authenticator (ie. the ISP's router) sent a PPP CONFREQ asking my peer to use PAP authentication. I was able to add the following to my int dial: ppp authentication pap callin ppp pap sent-username foo password foo Happily, even though I couldn't use the "ppp pap sent-username" to specify a null or empty username or password, the remote authenticator was happy with "foo", and gave me an IP address!
... View more
09-08-2011
09:43 PM
Great Peter, I will schedule some downtime and give that a try. thanks, David.
... View more
09-08-2011
09:26 PM
I am trying to copy a setup from a Nortel IAX100 where the carrier provides two ATM PVC's over ADSL - one for voice (VoIP) and one for data (IP). Relevant lines from the backup of the IAX's configuration include the following for the PPP authentication over the voice circuit: <wan_8_32> <entry1 vccId="1" conId="1" name="Voice" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949441"/> </wan_8_32> <pppsrv_8_32> <ppp_conId1 userName="" password="" serviceName="" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="255.255.255.255" /> </pppsrv_8_32> The null username and password for the PPP connection have me a bit stumped. Does the PPP connection not use any authenetication at all? (Is that possible/likely? How could I deubg it?) Or does does the IAX100 supply a chap/pap response with null credentails? (If so, how would I duplicate that using an instruction to a dialer interface? I am configuring an 877 with 12.4T and advanced IP services. Can anyone familiar with PPPoE and multiple ATM circuits help me along my path? thanks, David.
... View more
Labels:
Created by
dtbullock
in Voice Systems
in Voice Systems
06-27-2010
05:41 PM
06-27-2010
05:41 PM
Marcos, did the product manager get back to you yet?
... View more
Created by
dtbullock
in Voice Systems
in Voice Systems
06-13-2010
05:30 AM
06-13-2010
05:30 AM
Sooo ... what did the product manager say?
... View more
Created by
dtbullock
in Small Business Switches
in Small Business Switches
06-10-2010
10:35 PM
06-10-2010
10:35 PM
OK, so if using the router admin I: 1. go to 'VLAN & Port Settings' -> 'Address Tables' -> 'Static' and add some VLAN/MAC/port triplets; then 2. go to 'Security' -> 'Traffic Control' (what the?!) -> 'Port Security' and set the learning mode to 'Classic Lock' ... then does the classic lock use the static address table to decide what is and is not allowed on that port? (This is only implied in the switch documentation). thanks, David.
... View more
- Tags:
- esw
- mac
- port_security
Labels:
Created by
dtbullock
in Small Business Switches
in Small Business Switches
06-10-2010
10:25 PM
06-10-2010
10:25 PM
To get some visibility into the RADIUS exchange, you could configure logging on NPS. In the log is the name of the network policy which was ultimately used to evaluate the request. If it selects 'Connections to other access servers' (the lowest-priority policy that functions as a 'default deny'), then you'll know that for some reason the Conditions on *your* network policy are too specific to be matched.
... View more
Created by
dtbullock
in IP Telephony and Phones
10-11-2011
10-11-2011
Which country are you from? If you have Number Portability regulations,
you must be able to port the...
Created by
dtbullock
in IP Telephony and Phones
10-10-2011
10-10-2011
Site "BranchOffice" has 4 phone handsets and a QoS-capable WAN
connection to HeadOffice.Site "HeadOf...
Created by
dtbullock
in Voice Systems
06-27-2010
06-27-2010
Marcos, did the product manager get back to you yet?
Created by
dtbullock
in Voice Systems
06-13-2010
06-13-2010
Sooo ... what did the product manager say?
Created by
dtbullock
in Small Business Switches
06-10-2010
06-10-2010
OK, so if using the router admin I:1. go to 'VLAN & Port Settings' ->
'Address Tables' -> 'Static' a...
Public Statistics
| Date Registered | 02-18-2008 10:44 PM |
| Date Last Visited | 08-18-2017 03:55 AM |
| Total Messages Posted | 65 |
| Total Helpful Votes Received | 5 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 3 | |
| 2 | |
| 3 |
.jpg "Hall of Fame Guru"){kind=icon}
