Hi everybody, I would like to ask how WebEx scheduling from Outlook works and how WebEx updates meetings if they are changed in Outlook, especially for recurring meetings. When somebody schedules a recurring meeting from Outlook, it is in fact ONE meeting (one id) with a "recurring" parameter created via WebEx Productivity Tools. Very similarly, I can schedule a meeting directly from the WebEx enterprise web page (plan meeting, set recurrence, etc.). This works perfectly, but... The situation arises when only one meeting instance from the recurring meeting row needs to be rescheduled/postponed. If I change the time or date of this one meeting instance in Outlook, it does not update this particular instance of the WebEx meeting. I suppose this happens because WebEx works with a recurring meeting as if it is in fact only one meeting (with one meeting ID) with an exactly defined recurring parameter. Does anybody experience a similar situation? I didn't find anything in the WebEx documentation. Thank you, Jiri
I can confirm Jabber IM 9.0.5.882 and Jabber 9.1.2.3324 are working on intl. Samsung Galaxy S2 GT-9100 with Android 4.0.4. Any update for Nexus 4?
So I dug deeper and found that ITL certificates are an 8.x version feature called "Security by Default" which is not supported on 6900 phones. 7900/8900/9900 are supported, thus if the tftp/https cert changes on CUCM, the phones don't trust it anymore. It is necessary to delete the ITL from the phone manually in order to get a new one. I found information somewhere that the CUCM 9.5 or 10 release could support an ITL certificate reporting and management tool, this would be awesome! :-)
Thanks for this thread. I've got a similar issue. Is there any official reference that 7900 and 8900/9900 phones use ITL certificates to provide "Security by default" to authenticate phone services, verify firmware and config files? I went through the CUCM 8.6 Security Guide and several 6900 phone admin guides and release notes but didn't find anything :-( Thank you in advance, Jiri
I've overcome most of the issues with configuring DTMF between CUCM and Voice GWs/CUBEs like "sip-kpml sip-notify", and DTMF to the ITSP provider like "rtp-nte". It seems it's working, and if the provider supports RFC2833 it's the best way to do it.
Hi, I'm digging into an interesting area: what are the best practices to configure DTMF relay between a CUCM 8.6 cluster and several Cisco ISR G2 voice gateways equipped with BRI/PRI HWICs for PSTN access? I know this depends on many specific attributes, such as what endpoints are used, what the signaling protocol between CUCM and the endpoints is, etc. Some scenarios require rfc2833 rtp-nte DTMF, some scenarios require SIP KPML, which is great for a SIP phone supporting it. But none of the methods is a universal cure for most situations. I've got many 6900 (sccp), 7900 (sccp) and 9951 (sip) endpoints deployed. Some of them use rfc2833, some of them use sip-kpml. Currently I've got this configuration on the dial-peer to CUCM: "dtmf-relay sip-kpml sip-notify". I'm considering adding rtp-nte as a last, 3rd option. But I hope this will not be necessary. On the CUCM side I've enabled "Accept unsolicited notification" on the SIP Trunk Security Profile to the Cisco voice GWs so it accepts "sip-notify". On the SIP trunk there is the "No preference" option as DTMF method. I'm afraid that if I enable "OOB and rfc2833" on the SIP trunk, CUCM will use both methods for every single digit pressed, which can lead to more intensive MTP utilization (which is said in SRND8.x). What's your opinion? How would you solve similar scenarios? Thanks, J.
You mean not to use "match-all" to Protocol and general IP ACL, but use Extended ACL instead? I've tried but with no luck :-( I changed the ACL to look like this:

    ip access-list extended SERVERY_RDP
     permit tcp any host 10.0.0.10 eq 3389

and the CM to look like this:

    class-map type inspect match-all SERVERY_RDP
     match access-group name SERVERY_RDP

Output logs:

    Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)

    #sh policy-firewall session zone-pair OUTSIDE_LAN
    Zone-pair: OUTSIDE_LAN
    Service-policy inspect : Internet-to-LAN
      Class-map : SERVERY_RDP(match-all)
        Half-open Sessions = 1
          Session 8663A6E0 (2.2.2.2:47393)=>(10.0.0.10:3389) tcp SIS_OPENING/TCP_SYNSENT
            Created 00:00:25, Last heard 00:00:25
            Bytes sent (initiator:responder) [0:0]
      Class-map : class-default(match-any)

    Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes

    #sh access-list SERVERY_RDP
    Extended IP access list SERVERY_RDP
        10 permit tcp any host 10.37.61.10 eq 3389 (7 matches)

I don't understand why the session is only half-open and the 3-way handshake won't proceed. ZBFW should open the hole dynamically in the reverse direction.
No, not a typo, I made a mistake when writing the config down here. Corrected. But the concept is right, isn't it? I have to match Protocol AND IP range (if I want to narrow the firewall hole by it) with use of internal addresses. The bad thing is SSH is not working either, so it's not only a "custom ports" RDP protocol issue. Regards, Jiri
I've deployed Zone Based Firewall with several zones at a customer site. I'm trying to get some services (SSH and RDP) to be accessible on inside hosts NATed to the outside interface IP address. With ACL and inspect it's easy, but I can't get it working with ZBFW. Traces (audit trails) are showing some communication, but it never gets thru :-(

    Oct 24 14:38:53.693: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rd:25020) sent 0 bytes -- responder (10.37.61.10:3389) sent 0 bytes

As I've read in the Cisco Press book Cisco Firewalls on page 391: "Translation of the source address happens before inspection." I'm allowing source from outside to inside based on inside specifications (inside IP and inside destination port). Cisco 881 with IOS Version 15.2(1)T. Can anyone please help me address where the problem with inspection is and why I can't connect thru ZBFW?

Scenario: ZBFW Building Blocks

Zones:

    interface Vlan5 (IP 10.0.0.252/24) - zone LAN
    interface Fa4.100 (IP 1.1.1.1/29) - zone OUTSIDE

Zone-Pairs:

    Zone-pair name OUTSIDE_LAN
      Source-Zone OUTSIDE Destination-Zone LAN
      service-policy Internet-to-LAN

Policy:

    Policy Map type inspect Internet-to-LAN
      Class SERVERY_RDP
        Inspect INSP
      Class SERVERY_SSH
        Inspect INSP
      Class class-default
        Drop log

Classes:

    Class Map type inspect match-all SERVERY_SSH
      Match protocol ssh
      Match access-group name SERVERY_SSH
    Class Map type inspect match-all SERVERY_RDP
      Match protocol user-etd-rdp
      Match access-group name SERVERY_RDP

ACLs:

    Extended IP access list SERVERY_RDP
        10 permit ip any host 10.0.0.10 (14 matches)
        20 permit ip any host 10.0.0.24 (4 matches)
    Extended IP access list SERVERY_SSH
        10 permit ip any host 10.0.0.48 (3 matches)
        20 permit ip any host 10.0.0.47

NAT: correct, I believe; works flawlessly without ZBFW.

Relevant parts of config are attached below:

    interface FastEthernet4.100
     description Internet (data)
     encapsulation dot1Q 100
     ip address 1.1.1.1 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     zone-member security OUTSIDE
     no cdp enable
    interface Vlan5
     description DATA
     ip address 10.0.0.252 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security LAN
    zone security OUTSIDE
    zone security LAN
    zone-pair security OUTSIDE_LAN source OUTSIDE destination LAN
     service-policy type inspect Internet-to-LAN
    policy-map type inspect Internet-to-LAN
     class type inspect SERVERY_RDP
      inspect INSP
     class type inspect SERVERY_SSH
      inspect INSP
     class class-default
      drop log
    class-map type inspect match-all SERVERY_RDP
     match protocol user-etd-rdp
     match access-group name SERVERY_RDP
    class-map type inspect match-all SERVERY_SSH
     match protocol ssh
     match access-group name SERVERY_SSH
    ip access-list extended SERVERY_RDP
     permit ip any host 10.0.0.10
     permit ip any host 10.0.0.24
    ip access-list extended SERVERY_SSH
     permit ip any host 10.0.0.48
     permit ip any host 10.0.0.47
    ip port-map user-etd-rdp port tcp from 3389 to 3390
    parameter-map type inspect INSP
     audit-trail on
    ip nat inside source static tcp 10.0.0.10 3389 interface FastEthernet4.100 3389
    ip nat inside source static tcp 10.0.0.24 3390 interface FastEthernet4.100 3390
    ip nat inside source static tcp 10.0.0.48 22 interface FastEthernet4.100 4122
    ip nat inside source route-map rmnat interface FastEthernet4.100 overload
    route-map rmnat permit 10
     match ip address nat
    ip access-list extended nat
     remark ** NoNAT RFC 1918 **
     deny ip any 192.168.0.0 0.0.255.255
     deny ip any 172.16.0.0 0.15.255.255
     deny ip any 10.0.0.0 0.255.255.255
     remark ** NAT DATA LAN **
     permit ip 10.0.0.0 0.0.0.255 any

When I'm trying to get thru from the outside network with RDP to 1.1.1.1:3389 I get the following log:

    Oct 24 15:12:26.572: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start user-etd-rdp session: initiator (2.2.2.2:45452) -- responder (10.0.0.10:3389)
    Oct 24 15:12:57.217: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rdp session: initiator (2.2.2.2:45452) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes

And "show ip nat translation":

    tcp 1.1.1.1:3389 10.0.0.10:3389 2.2.2.2:45452 2.2.2.2:45452
    tcp 1.1.1.1:3389 10.0.0.10:3389 --- ---

Nothing goes thru so far, any ideas why? Thanks a lot, regards, jiri
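Added example (not part of the original posts): a small Python parser that pairs the `%FW-6-SESS_AUDIT_TRAIL_START` and `%FW-6-SESS_AUDIT_TRAIL` records quoted in these posts and reports sessions that closed with 0 bytes in both directions, which is the symptom the logs show. The function name, the placeholder year used for timestamp parsing and the final SSH session in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# One pattern for both record types; the "sent N bytes" parts exist only on Stop records.
REC = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %FW-6-SESS_AUDIT_TRAIL(?P<start>_START)?: "
    r"\(target:class\)-\((?P<pair>[^:]+):(?P<cls>[^)]+)\):(?:Start|Stop) "
    r"(?P<proto>\S+) session: initiator \((?P<init>[^)]+)\)(?: sent (?P<ib>\d+) bytes)?"
    r" -- responder \((?P<resp>[^)]+)\)(?: sent (?P<rb>\d+) bytes)?"
)

# First five lines are the audit-trail records quoted in the posts (one of them is
# truncated there); the last two lines are a constructed SSH session that carried data.
SAMPLE_LOG = """\
Oct 24 15:12:26.572: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start user-etd-rdp session: initiator (2.2.2.2:45452) -- responder (10.0.0.10:3389)
Oct 24 15:12:57.217: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rdp session: initiator (2.2.2.2:45452) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)
Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
Oct 24 14:38:53.693: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rd:25020) sent 0 bytes -- responder (10.37.61.10:3389) sent 0 bytes
Oct 25 12:40:01.100: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Start ssh session: initiator (2.2.2.2:50100) -- responder (10.0.0.48:22)
Oct 25 12:41:11.300: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Stop ssh session: initiator (2.2.2.2:50100) sent 1820 bytes -- responder (10.0.0.48:22) sent 2644 bytes
"""

def zero_byte_sessions(log_text):
    """Return inspected sessions that stopped with 0 bytes sent by both sides."""
    starts, findings = {}, []
    for line in log_text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue  # truncated or unrelated lines are skipped, not guessed at
        key = (m["pair"], m["cls"], m["init"], m["resp"])
        # The log lines carry no year; 2000 is an arbitrary placeholder for parsing.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        if m["start"]:
            starts[key] = when
            continue
        began = starts.pop(key, None)
        if (m["ib"], m["rb"]) == ("0", "0"):
            findings.append({
                "zone_pair": m["pair"], "class": m["cls"], "protocol": m["proto"],
                "initiator": m["init"], "responder": m["resp"],
                # Lifetime is known only when the matching Start record was seen.
                "seconds": round((when - began).total_seconds(), 3) if began else None,
            })
    return findings

if __name__ == "__main__":
    for finding in zero_byte_sessions(SAMPLE_LOG):
        print(finding)
```

Both zero-byte sessions in the quoted logs lasted about 30 seconds between the Start and Stop records, while the truncated record is skipped because it cannot be parsed reliably.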
I don't really know if there is a chance to save them into an external repository. The internal prompt repository is used by default. But I'm handling a similar situation by sending recorded messages to an email via the create and send email steps. You can customize messages as you want, i.e. add the calling number to the subject, different information into the body, etc.
Hello, I'm trying to find the SNMP OID (and the MIB which contains the OID) to monitor L2 of an ISDN PRI line. I've configured a Nagios check for the interface, but even if serial 0/x/0:15 is up/up, that doesn't mean it's working on L2. What I need is to distinguish between states: L1/L2 DOWN, L1 ACTIVE and L2 DOWN or L2 TEI_ASSIGNED or L2 MULTIPLE_FRAME_ESTABLISHED - working line on L2. Can you please point me to the right way or OID/MIB? I've found several discussions but none of them solves a similar issue. Thank you in advance, Jiri
Thanks, this helps a lot. In which section of partner web is this and similar whitepapers located? Sales > Borderless net > ? Thanks in advance for info..
Hi ctychan and everyone, I would also appreciate this information, if anyone can figure it out, please let us know. I believe Cisco has a lot of internal materials, but router performance tables in the partner section are not updated as well. Thanx, J.