Hi, I'm digging into interesting area, what are the best practices to configure DTMF relay between CUCM 8.6 Cluster and several Cisco ISRg2 voice gateways equipped with BRI/PRI HWICs for PSTN access. I know this depends on many specific attributes which are what endpoints are used, what is the signaling protocol between CUCM and end points, etc. Some scenarios requires rfc2833 rtp-nte DTMF, some scenarios requires SIP KPML which is great for SIP phone supporting it. But none of method is universal cure for most of situations. I've got many 6900 (sccp), 7900 (sccp) and 9951 (sip) endpoints deployed. Some of them use rfc2833, some of them use sip-kpml. Currently I've got this configuration on dial-peer to CUCM  "dtmf-relay sip-kpml sip-notify", I'm considering adding rtp-nte as a last 3rd option. But I hope this will not be necessary. On CUCM side I've enabled "Accept unsolicited notification" on SIP Trunk Security Profile to cisco voice GW's so it accepts "sip-notify". On SIP trunk there is "No preference" option as DTMF method. I'm afraid if I enable "OOB and rfc2833" on SIP Trunk CUCM will use both methods for every single digit pressed which can lead into more intensive MTP utilization (which is said in SRND8.x). Whats your opinion? How would you solve simillar scenarios? Thanks, J. ... View more

I've deployed Zone Based Firewall with serveral zones at customer site. I'm trying to get some services (ssh and RDP) be accessible on inside hosts NATed to outside interface IP address. With ACL and inspect its easy, but can't get it working with ZBFW. Traces (audit trails) are showing some communication, but never get thru :-( Oct 24 14:38:53.693: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rd:25020) sent 0 bytes -- responder (10.37.61.10:3389) sent 0 bytes As I've read in Cisco Press Book Cisco Firewalls on page 391: "Translation of the source address happens before inspection." I'm allowing source from outside to inside based on inside specificaions (inside IP and inside destination port). Cisco 881 with IOS Version 15.2(1)T. Can anyone please help me address where is the problem with inspection and why I can't connect trhu ZBFW? Scenario: ZBFW Building Blocks Zones: interface Vlan5 (IP 10.0.0.252/24) - zone LAN interface Fa4.100 (IP 1.1.1.1/29) - zone OUTSIDE Zone-Pairs: Zone-pair name OUTSIDE_LAN     Source-Zone OUTSIDE  Destination-Zone LAN     service-policy Internet-to-LAN Policy: Policy Map type inspect Internet-to-LAN     Class SERVERY_RDP       Inspect INSP     Class SERVERY_SSH       Inspect INSP     Class class-default       Drop log Classes: Class Map type inspect match-all SERVERY_SSH    Match protocol ssh    Match access-group name SERVERY_SSH Class Map type inspect match-all SERVERY_RDP    Match protocol user-etd-rdp    Match access-group name SERVERY_RDP ACLs: Extended IP access list SERVERY_RDP     10 permit ip any host 10.0.0.10 (14 matches)     20 permit ip any host 10.0.0.24 (4 matches) Extended IP access list SERVERY_SSH     10 permit ip any host 10.0.0.48 (3 matches)     20 permit ip any host 10.0.0.47 NAT: - correctly I believe, works flawlessly without ZBFW Relevant parts of config are attached below: interface FastEthernet4.100 description Internet (data) encapsulation dot1Q 100 ip address 1.1.1.1 255.255.255.248 no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly in zone-member security OUTSIDE no cdp enable interface Vlan5 description DATA ip address 10.0.0.252 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security LAN zone security OUTSIDE zone security LAN zone-pair security OUTSIDE_LAN source OUTSIDE destination LAN service-policy type inspect Internet-to-LAN policy-map type inspect Internet-to-LAN class type inspect SERVERY_RDP   inspect INSP class type inspect SERVERY_SSH   inspect INSP class class-default   drop log class-map type inspect match-all SERVERY_RDP match protocol user-etd-rdp match access-group name SERVERY_RDP class-map type inspect match-all SERVERY_SSH match protocol ssh match access-group name SERVERY_SSH ip access-list extended SERVERY_RDP permit ip any host 10.0.0.10 permit ip any host 10.0.0.24 ip access-list extended SERVERY_SSH permit ip any host 10.0.0.48 permit ip any host 10.0.0.47 ip port-map user-etd-rdp port tcp from 3389 to 3390 parameter-map type inspect INSP audit-trail on ip nat inside source static tcp 10.0.0.10 3389 interface FastEthernet4.100 3389 ip nat inside source static tcp 10.0.0.24 3390 interface FastEthernet4.100 3390 ip nat inside source static tcp 10.0.0.48 22 interface FastEthernet4.100 4122 ip nat inside source route-map rmnat interface FastEthernet4.100 overload route-map rmnat permit 10 match ip address nat ip access-list extended nat remark ** NoNAT RFC 1918 ** deny   ip any 192.168.0.0 0.0.255.255 deny   ip any 172.16.0.0 0.15.255.255 deny   ip any 10.0.0.0 0.255.255.255 remark ** NAT DATA LAN ** permit ip 10.0.0.0 0.0.0.255 any When I'm tring to get thru from outside network with RDP to 1.1.1.1:3389 I get following log: Oct 24 15:12:26.572: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start user-etd-rdp session: initiator (2.2.2.2:45452) -- responder (10.0.0.10:3389) Oct 24 15:12:57.217: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rdp session: initiator ( 2.2.2.2:45452) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes And "show ip nat translation": tcp 1.1.1.1:3389        10.0.0.10:3389      2.2.2.2:45452     2.2.2.2:45452 tcp 1.1.1.1:3389        10.0.0.10:3389      ---                   --- Nothing goes thru so far , any ideas why? Thanks a lot, regards, jiri ... View more

Hello, I'm trying to find SNMP OID (and MIB in which OID contain) to monitor L2 of ISDN PRI line. I've configured Nagios check for interface, but even serial 0/x/0:15 is up/up, that doesn't mean its working on L2. What I need is to distinguish between states: L1/L2 DOWN, L1 ACTIVE and L2 DOWN or L2 TEI_ASSIGNED or L2 MULTIPLE_FRAME_ESTABLISHED - working line on L2. Can you please point me to right way or OID/MIB? I've found several discussions but any of them doesn't solving similar issue. Thank you in advance, Jiri ... View more