07-20-2009 12:59 PM - edited 03-21-2019 01:20 AM
Using CCA 2.0.1 on UC520.
12.4(22)YB/ CME 7.1
After inputting everything through CCA & pressing OK, it said:
CCA detects unsupported firewall configuration on the device UC520
CCA will not create pass-through for unrecognised firewall configuration
I made some changes to F0/4 ACL to allow SSH from Internet...so that could be the changes.
How do I complete the config through CLI?
I will have 5 SR520 connecting...would be nice if I could use GUI on them at least.
Date: 07-20-2009 01:01 PM
I would remove what you have added manually, and then re-add it in CCA. If you need help configuring it in CCA, let me know. You can enable port forwarding in CCA.
Date: 07-20-2009 01:02 PM
For CLI guide on how to do S2S VPN, refer to:
https://supportforums.cisco.com/docs/DOC-9652
Please notice this document is UC 500 centric (not SR520).
Thanks,
Marcos
Date: 07-20-2009 01:08 PM
So to enable ports to UC520 from Internet & you want to use CCA, the workaround is to use port forwarding?
Date: 07-20-2009 01:25 PM
I think I misread what you were wanting earlier. If you are going to have a UC500 behind a SR520, you should delete the firewall settings on the UC500, the NAT on the UC500, and add routes on the SR520 to go to the UC500. After that, you do the port forwarding through CCA on the SR520 for what you want to pass through.
Date: 07-20-2009 01:27 PM
No, UC520 is not behind SR520.
Date: 07-20-2009 01:38 PM
3rd time's the charm... I hope.
https://supportforums.cisco.com/docs/DOC-9493
That document talks about using remote sites with an 871. You can basically do this with a SR520. If you want this to work via CCA, then my first post is correct. Undo the changes you made via CLI, and redo them via CCA. Also, you should look at the CCA out of band configuration guide. It will let you know how to make changes via CLI that will work with CCA.
Date: 07-21-2009 08:53 AM
Date: 07-21-2009 09:00 AM
In your config, you have...
ip local pool SDM_POOL_1 192.168.1.5 192.168.1.20
You should make this part of your data network, somewhere in the 192.168.0.0/24 range.
I don't have my CCA open right now, but I believe you can set this pool through CCA.
I would use 192.168.0.245 to 192.168.0.254.
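The check suggested in the reply above (VPN client pool inside the data network), as an added example that is not part of the original thread. The config excerpt is constructed: only the `ip local pool` line comes from the thread, and the `Vlan1` interface and its address are assumptions standing in for the 192.168.0.0/24 data network.

```python
import ipaddress
import re

# Constructed running-config excerpt, not the poster's actual config.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
ip local pool SDM_POOL_1 192.168.1.5 192.168.1.20
"""

# "ip address <addr> <mask>" under an interface; DHCP-assigned lines do not match.
IFACE_RE = re.compile(r"^[ \t]+ip address (\S+) (\S+)[ \t]*$", re.M)
# "ip local pool <name> <low> [<high>]"; a single-address pool has no <high>.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)(?: (\S+))?[ \t]*$", re.M)


def check_pools(config, data_net):
    """Return {pool_name: [problems]} for every 'ip local pool' line."""
    net = ipaddress.ip_network(data_net)
    iface_addrs = {ipaddress.ip_address(a) for a, _ in IFACE_RE.findall(config)}
    report = {}
    for name, low, high in POOL_RE.findall(config):
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high or low)
        problems = []
        if lo > hi:
            problems.append("range is reversed")
        if lo not in net or hi not in net:
            problems.append(f"not inside {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append("includes network or broadcast address")
        # A pool that hands out the router's own address breaks clients.
        clash = sorted(a for a in iface_addrs if lo <= a <= hi)
        if clash:
            problems.append("overlaps interface address "
                            + ", ".join(str(a) for a in clash))
        report[name] = problems
    return report


if __name__ == "__main__":
    for pool, problems in check_pools(SAMPLE_CONFIG, "192.168.0.0/24").items():
        print(pool, "OK" if not problems else "; ".join(problems))
```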
Date: 07-21-2009 09:11 AM
Made that change.
Still not able to register IP Communicator nor can I use CCA through the VPN tunnel nor ping anything inside.
I also see this.
ISAKMP:(0):Support for IKE Fragmentation not enabled
Date: 07-21-2009 11:43 AM
If you did the change in CLI, there are changes to access-lists that need to be made. If you did it in CCA, that is good. To get rid of the error message:
config t
crypto isakmp fragmentation
Date: 07-21-2009 11:52 AM
What about not being able to access anything inside @ the UC520 location or use IP Communicator?
Date: 07-21-2009 11:53 AM
I am not a security expert, but that command might help. Also, did the access list get changed?
Date: 07-21-2009 11:55 AM
I did that command. I only used CCA for the VPN.
I'm about to start using CLI as working with TAC.
Date: 07-21-2009 11:56 AM
If it is still not working, please open a TAC case.