01-06-2012 05:50 PM - edited 03-21-2019 05:09 AM
Hello,
My client has a UC540 system. We are trying to connect it to internet. We have got a static ip address, subnet mask, default gateway, primary and secondary DNS ip address from ISP. Can anyone help me configure UC540 so that we can configure our system to connect to internet using CLI. I would also like to access this particular router remotely.
I was trying to use CCA but unable to do so. Will have to use CLI and I am very new to CLI.
I have configured ip address for fastethernet 0/0 (WAN interface of UC540).
But can anyone help me configure the default gateway primary and secondary DNS server and remote connectivity to the router using CLI.
Please help.
Thank you for your time and consideration
Veeral
Solved! Go to Solution.
01-07-2012 12:10 AM
Hi Veeral,
Before provide any CLI configuration for this, can you advise why you cannot use CCA? It certainly can be done using CCA and it can be done quickly and easily as well.
I would like to be absolutely certain you cannot use CCA before providing CLI support, if someone else wants to that would be their decision
Cheers,
David.
01-08-2012 05:43 PM
Hi Veeral,
It is an interesting issue you have there with CCA and I have a guess as to the problem, just out of interest are you using CCA 3.1.1?
I don't feel comfortable with providing CLI support knowing full well that I am assisting an engineering in potentially taking their system out of support scope However I also cant leave someone to be hung out to dry...
I am working of the top of my head for this so I hope I have covered all the configuration you need, it will be a start anyway at best.
The following is the CLI configuration to get you started:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip dhcp pool data
network 192.168.10.0 255.255.255.0 << Enter here the Subnet if the UC is doing the DHCP for data
default-router 192.168.10.254 <<< Point this to your endge WAN router or SBS Server
dns-server XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY <<< Enter the DNS address your ISP gave you
The above code is for when the UC is the network concentrator (Controller as it might also be known as), the above should be CCA compliant of the top of my head.
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip name-server XXX.XXX.XXX.XXX <<< Enter the DNS address your ISP gave you
ip name-server YYY.YYY.YYY.YYY <<< Enter the DNS address your ISP gave you
The above is the same as the DHCP pool addresses and should be CCA compliant, I.E what ever your ISP gave you, or alternatively you can use the free one that Google provides, but note that some ISP's do not like you using this and they could be blocked.
Nect Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.0 <<< Enter here the static IP address, if it is DHCP then use the DHCP command
ip access-group 104 in <<< Please pay particular attention to this
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
Again please pay attention to the notes in RED as they demark importance, this is also a CCA compliant configuration (Well I am sure it is anyway).
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip nat inside source list 1 interface interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 interface FastEthernet0/0 <<< "OR" the static IP given to you by the ISP
Again pay attention to the RED text, this part is very important, as it stands now the above code should work for you unless there is some weird configuration that needs to be put in, we can cross that bridge when we get there I guess, this should also be CCA compliant, but just know that it might cause issues with CCA "IF" I have missed any important code to support its CCA Compliance.
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_25##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 192.168.10.XXX eq 5060 any <<< ACL to support SIP Local services
access-list 104 permit udp host 192.168.10.XXX any eq 5060 <<< ACL to support SIP Local services
access-list 104 permit udp host XXX.XXX.XXX.XXX eq 5060 any <<< Your Static IP from the ITSP goes hereaccess-list 104 permit udp host XXX.XXX.XXX.XXX any eq 5060 <<< Your Static IP from the ITSP goes here
access-list 104 permit udp any any range 16384 32767
access-list 104 permit udp any host XXX.XXX.XXX.XXX eq non500-isakmp <<< Your ISP static IP and this is for IPSEC
access-list 104 permit udp any host XXX.XXX.XXX.XXX eq isakmp <<< Your ISP static IP and this is for IPSEC
access-list 104 permit esp any host XXX.XXX.XXX.XXX <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit ahp any host XXX.XXX.XXX.XXX<<< Must put your ISP Static IP address in here "MUST"
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp host 192.168.10.1 eq domain any
access-list 104 permit icmp any host XXX.XXX.XXX.XXX echo-reply <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit icmp any host XXX.XXX.XXX.XXX time-exceeded <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit icmp any host XXX.XXX.XXX.XXX unreachable <<< Must put your ISP Static IP address in here "MUST"
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
The " access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_25##" is just what I remember of the top of my head, it is only a remark so it shouldn't disrupt CCA but I could be wrong, but I am fairly confident that this is a CCA Compliant ACL, but it is very very very important you have this in place, especially if the UC is going to be fully exposed to the outside world... Note that you will need to change all the 192.X.X.X Subnets to what ever your network is configured for, and this ACL is configured to handle both SIP and IPSEC, normally I put them in there even if the system is not going to be doing either of them, just in case it is ever asked for I don't have to rebuild an ACL later on (CCA deletes it and recreates it when it does, so I learnt to follow that practice as well).
This is as far as my memory goes, I think I have it covered and I truly hope I am not missing anything, either way this configuration should be enough in theory to get CCA to start supporting it, but alas if the rest of the configuration is totaly out of CCA scope it may not and you will be left to do it via hand.
Paolo,
Don't be concerned about the low rating you got, I guess for some out there they perceive the UC-500 forums as SMB and as such SMB is more often then not referred to as NON-CLI configuration systems, we live in a world now were being an old school CLI engineer is structurally different to being a GUI based engineer, we all need to respect that even if we do not necessarily agree with the direction Cisco may be taking on this, I know what you are getting at with your post, but I also understand that not everyone is as committed as you or I may be to this level of engineering... Well even I am moving away from CLI because I just want to work smarter, not harder (But this is my personal opinion).
My Interest here is to help the indavidual, not to convince them that one path is better than the other which I am sure you are a person who can understand that
Cheers,
David.
01-07-2012 12:10 AM
Hi Veeral,
Before provide any CLI configuration for this, can you advise why you cannot use CCA? It certainly can be done using CCA and it can be done quickly and easily as well.
I would like to be absolutely certain you cannot use CCA before providing CLI support, if someone else wants to that would be their decision
Cheers,
David.
01-07-2012 07:31 AM
Hi David,
I tried using CCA but was not able to do do. When I tried to configure Internet addresses in CCA it added all the required information but then it greys out. Second time when I went in there I couldnot even enter the information and it greys out. I cannot select anything. Plus when I saw the running config using CLI there is no ip address under fastethernet 0/0.
So I think my CCA is not communicating properly with the UC540 box.
Thank you.
01-08-2012 05:43 PM
Hi Veeral,
It is an interesting issue you have there with CCA and I have a guess as to the problem, just out of interest are you using CCA 3.1.1?
I don't feel comfortable with providing CLI support knowing full well that I am assisting an engineering in potentially taking their system out of support scope However I also cant leave someone to be hung out to dry...
I am working of the top of my head for this so I hope I have covered all the configuration you need, it will be a start anyway at best.
The following is the CLI configuration to get you started:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip dhcp pool data
network 192.168.10.0 255.255.255.0 << Enter here the Subnet if the UC is doing the DHCP for data
default-router 192.168.10.254 <<< Point this to your endge WAN router or SBS Server
dns-server XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY <<< Enter the DNS address your ISP gave you
The above code is for when the UC is the network concentrator (Controller as it might also be known as), the above should be CCA compliant of the top of my head.
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip name-server XXX.XXX.XXX.XXX <<< Enter the DNS address your ISP gave you
ip name-server YYY.YYY.YYY.YYY <<< Enter the DNS address your ISP gave you
The above is the same as the DHCP pool addresses and should be CCA compliant, I.E what ever your ISP gave you, or alternatively you can use the free one that Google provides, but note that some ISP's do not like you using this and they could be blocked.
Nect Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.0 <<< Enter here the static IP address, if it is DHCP then use the DHCP command
ip access-group 104 in <<< Please pay particular attention to this
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
Again please pay attention to the notes in RED as they demark importance, this is also a CCA compliant configuration (Well I am sure it is anyway).
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
ip nat inside source list 1 interface interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 interface FastEthernet0/0 <<< "OR" the static IP given to you by the ISP
Again pay attention to the RED text, this part is very important, as it stands now the above code should work for you unless there is some weird configuration that needs to be put in, we can cross that bridge when we get there I guess, this should also be CCA compliant, but just know that it might cause issues with CCA "IF" I have missed any important code to support its CCA Compliance.
Next Configuration:
ROUTER# Conft
Do not copy over the text in red, and make modifications to the other code if this particular code is applicable to your setup
ROUTER-CONFIG# exit
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_25##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 192.168.10.XXX eq 5060 any <<< ACL to support SIP Local services
access-list 104 permit udp host 192.168.10.XXX any eq 5060 <<< ACL to support SIP Local services
access-list 104 permit udp host XXX.XXX.XXX.XXX eq 5060 any <<< Your Static IP from the ITSP goes hereaccess-list 104 permit udp host XXX.XXX.XXX.XXX any eq 5060 <<< Your Static IP from the ITSP goes here
access-list 104 permit udp any any range 16384 32767
access-list 104 permit udp any host XXX.XXX.XXX.XXX eq non500-isakmp <<< Your ISP static IP and this is for IPSEC
access-list 104 permit udp any host XXX.XXX.XXX.XXX eq isakmp <<< Your ISP static IP and this is for IPSEC
access-list 104 permit esp any host XXX.XXX.XXX.XXX <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit ahp any host XXX.XXX.XXX.XXX<<< Must put your ISP Static IP address in here "MUST"
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp host 192.168.10.1 eq domain any
access-list 104 permit icmp any host XXX.XXX.XXX.XXX echo-reply <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit icmp any host XXX.XXX.XXX.XXX time-exceeded <<< Must put your ISP Static IP address in here "MUST"
access-list 104 permit icmp any host XXX.XXX.XXX.XXX unreachable <<< Must put your ISP Static IP address in here "MUST"
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
The " access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_25##" is just what I remember of the top of my head, it is only a remark so it shouldn't disrupt CCA but I could be wrong, but I am fairly confident that this is a CCA Compliant ACL, but it is very very very important you have this in place, especially if the UC is going to be fully exposed to the outside world... Note that you will need to change all the 192.X.X.X Subnets to what ever your network is configured for, and this ACL is configured to handle both SIP and IPSEC, normally I put them in there even if the system is not going to be doing either of them, just in case it is ever asked for I don't have to rebuild an ACL later on (CCA deletes it and recreates it when it does, so I learnt to follow that practice as well).
This is as far as my memory goes, I think I have it covered and I truly hope I am not missing anything, either way this configuration should be enough in theory to get CCA to start supporting it, but alas if the rest of the configuration is totaly out of CCA scope it may not and you will be left to do it via hand.
Paolo,
Don't be concerned about the low rating you got, I guess for some out there they perceive the UC-500 forums as SMB and as such SMB is more often then not referred to as NON-CLI configuration systems, we live in a world now were being an old school CLI engineer is structurally different to being a GUI based engineer, we all need to respect that even if we do not necessarily agree with the direction Cisco may be taking on this, I know what you are getting at with your post, but I also understand that not everyone is as committed as you or I may be to this level of engineering... Well even I am moving away from CLI because I just want to work smarter, not harder (But this is my personal opinion).
My Interest here is to help the indavidual, not to convince them that one path is better than the other which I am sure you are a person who can understand that
Cheers,
David.
01-17-2012 09:13 AM
I am sorry for the late response. Thank you so much for your help for configuration David. I really appreciate it.
01-17-2012 01:20 PM
Hi Veeral,
If you are happy with the response can you please mark the thread as answered it does help people out when doing searches.
And I am glad to have been able to help you
Cheers,
David.
01-07-2012 04:07 AM
Veeral,
Your early choice of using CLI is the best you could have made in approaching IOS-based Cisco products.
It will allow you to understand what is the logic inside a product that has been sold in tens of millions, what are the easy confirmation procedures for each configuration step, and will allow you to use all its features (very many) to their full potential. In doing this, you will be facilitated by referencing the extensive documentation freely available, either from Cisco or thousands of other source on the Internet.
You will be able to discuss your questions using concise snippets of configuration text, by virtue of which people will be able to easily spot what is wrong and indicate how has to be changed.
More importantly, if you are taking up the task within a professional perspective, you will open yourself the path to an all-important career of networking engineer, that by all means and purpose, is based on knowledge of Cisco IOS. You will find that the matter is not difficult at all, and with few hours of application you can can learn enough to complete almost any daily task.
I hope you will enjoy soon the success and satisfaction of having something up and running perfectly just using few easy text commands that can be issued from any computer of the world, while others are still struggling with the bugs and limitations of GUI, and quickly become frustrated or even worst, unable to provide their customers with the expected results.
Now referring to your problem, if, as I understand, is about connecting to the internet, recommend you use the "WAN routing" forum. That is because under that aspect, an UC500 works identically to a Cisco router. Include the configuration you've made so far, and what is the actual problem you're facing.
Another great forum that I can recommend where Call Manager Express is discussed is "IP telephony" under "voice video and communications".
01-07-2012 12:18 PM
Hmmm.. for the low raters on my post, would you take the time to write why ? Or, what is wrong with what I wrote ?
A discussion forum is better used to discuss than anonymous rating sniping
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide