09-24-2010 04:13 PM - edited 03-21-2019 03:03 AM
Hello,
I,ve problems with CCA 2.2(5) making a backup of the config and installing new software. So I found the nice articel "CCA Prerequisites for UC500 connection - check list" and tried it. I'm stuck at check routing CUE->PC. I can't ping the default gateway. My UC has 192.168.1.199 and this can't be pinged from the CUE prompt. Any ideas?
Please help
Ognian
Solved! Go to Solution.
09-27-2010 07:48 AM
Here are the relevant portions of the base config for CUE connectivity.
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
interface Integrated-Service-Engine0/0
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui/
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
!
!
FYI, you can pull this out of the UC5xx ZIP file. It's the .cfg file in the package:
09-24-2010 06:20 PM
Hi Ognian,
I am not sure I completely understand your question, but English is not my first language.
But it sure sound like a problem I once had when my PC was using a Windows based DHCP server and the UC520 data VLAN IP address was not the gateway for PC clients.
I'm guessing that your PC is getting it's IP address from something other than the UC500.
I am wondering if you have to add a static route in the PC to point to the 10.1.x.x network, maybe something like the following;
route add 10.1.0.0 mask 255.255.0.0 192.168.1.199
I'm guessing the CUE module can ping your PC , but your PC is sending replies to it's default gateway (which may not be the UC500).
regards Dave
09-25-2010 09:06 AM
Is your computer firewall blocking the PINGS? Can you ping anything else on the same subnet?
What is your PC default gateway? What is the default gateway
09-25-2010 11:34 AM
Hello,
thanks for the replies.
The problem is within the UC. I can't even ping the UC or the loopback adapter from within the CUE prompt:
In CUE:
ping 10.1.10.1 OK (this is ping on itself)
ping 10.1.10.2 -> 10.1.10.1 reports host unreachable (this is CUE is pinging UC's loopback if, and cant ping)
ping 192.168.1.199 -> failed (this is CUE is pinging UC-> Not OK)
this means i have a problem with the uc<->cue connection, but the following is checked:
UC500#sh ip int brief
UC500#sh interfaces int0/0
UC500-CUE#sh ip route
Sounds crazy but i'm missing something...
Ognian
09-26-2010 06:50 PM
Hi Ognian,
At least I am seeing the following from my UC520;
se-10-1-10-1# sh ip rou
Main Routing Table:
DEST GATE MASK IFACE
10.1.10.0 0.0.0.0 255.255.255.252 eth0
0.0.0.0 10.1.10.2 0.0.0.0 eth0
Might i humbly suggest that you call your local SBSC via the following URL for assistance;
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
regards dave
09-27-2010 06:02 AM
If you let me know if this is a UC520, UC540, or UC560, then I can provide you with a sample config, which will get you good for CME->CUE connectivity. The UC520 and 540/60 configs differ slightly, though, so I need to know what specific platform you are on first.
09-27-2010 07:22 AM
Hello,
It would be great to get a sample config, it is a UC520
Thanks
Ognian
09-27-2010 07:48 AM
Here are the relevant portions of the base config for CUE connectivity.
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
interface Integrated-Service-Engine0/0
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui/
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
!
!
FYI, you can pull this out of the UC5xx ZIP file. It's the .cfg file in the package:
09-28-2010 12:56 AM
Hello,
thanks a lot for your help. With the above config I've been able to find the problem:
Instead of
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine 0/0
I had
ip route 10.1.10.1 255.255.255.255 Loopback0
No idea how this happend, but it is possible that someone else played with the box before...
I'm now able to transfer from CUE via tftp to my notebook.
CCA has still a problem with SW update, but I have to investigate further...
Thanks
Ognian
02-14-2018 01:42 PM
Took me a couple of hours to find this fix but it worked
I also had the wrong ip route to the loopback
thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide