12-27-2011 04:37 PM - edited 03-21-2019 05:07 AM
I have a Cisco UC520 with the data vlan1 at the default 192.168.10.1. The original vendor connected to their network via the WAN (FastEthernet0/0) port, getting DHCP from the Windows server. Their phone service is a SIP service connected at FastEthernet0/1/2 on a separate vlan200. I am trying to correct it so that it connects to the network via the expansion port (FastEthernet0/1/8) with a static IP of 10.0.0.201 255.255.255.0 on the data vlan1. When I change it, I lose phone service. I am assuming I am missing something in the access list. Below is the config minus most of the phone info and any other info you don't need to see. Any help would be great.
!
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC520
!
boot-start-marker
boot system flash uc500-advipservicesk9-mz.151-2.T2
boot-end-marker
!
!
logging buffered 300000
no logging console
no logging monitor
!
no aaa new-model
!
clock timezone GMT -8 0
clock summer-time GMT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1533260434
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1533260434
revocation-check none
!
!
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
!
ip dhcp pool data
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 63.203.35.55
!
!
!
no ip domain lookup
ip name-server 63.203.35.55
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
no ipv6 cef
!
multilink bundle-name authenticated
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
!
!
!
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip
bind control source-interface Vlan200
bind media source-interface Vlan200
no update-callerid
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
ip tftp source-interface Vlan1
!
!
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
duplex auto
speed auto
!
interface Integrated-Service-Engine0/0
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/1
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/2
switchport access vlan 200
macro description cisco-phone
!
interface FastEthernet0/1/3
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/4
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/5
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/6
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/7
switchport voice vlan 100
macro description cisco-phone
!
interface FastEthernet0/1/8
switchport mode trunk
macro description cisco-switch
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
!
interface Vlan200
ip address x.x.x.x 255.255.255.248
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 192.169.1.110 255.255.255.255 192.168.1.10
!
logging esm config
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
!
!
!
!
control-plane
!
!
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1 version 3.1
sccp
!
sccp ccm group 1
associate ccm 1 priority 1
!
!
!
!
telephony-service
video
no auto-reg-ephone
max-ephones 40
max-dn 160
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
timeouts interdigit 3
system message SAGE
url services http://10.1.10.1/voiceview/common/login.do
url authentication http://10.1.10.1/voiceview/authentication/authenticate.do
time-zone 5
voicemail 399
max-conferences 8 gain -6
call-forward pattern .T
call-forward system redirecting-expanded
moh flash:VinceG-lowdb.au
multicast moh 239.10.16.16 port 2000
dn-webedit
time-webedit
transfer-system full-consult dss
transfer-pattern 9.T
transfer-pattern .T
secondary-dialtone 9
create cnf-files version-stamp 7960 Aug 22 2011 12:41:03
!
!
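An added example, not part of the original post: IOS evaluates an access list top-down and stops at the first matching entry, and ACL 104 (applied inbound on FastEthernet0/0 above) begins with `permit ip any any`. The sketch below, whose function names are this example's own, reports every entry that an earlier entry always matches first.

```python
import ipaddress

# Non-remark entries of ACL 104, in order, copied from the configuration posted above.
ACL_104 = """\
access-list 104 permit ip any any
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
""".splitlines()

def addr(tok, i):
    """Parse 'any', 'host A' or 'A W' at tok[i]; return ((ip, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return tuple(int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2]), i + 2

def parse(line):
    tok = line.split()[3:]                      # skip "access-list <n> <action>"
    src, i = addr(tok, 1)
    sport = tuple(tok[i:i + 2]) if tok[i] == "eq" else ()
    dst, i = addr(tok, i + len(sport))
    return tok[0], src, sport, dst, tuple(tok[i:])  # proto, src, sport, dst, dport/ICMP type

def covers(a, b):
    """True if every packet matched by parsed entry b is also matched by entry a."""
    def net(x, y):                              # wildcard bits set to 1 are "don't care"
        care = ~x[1] & 0xFFFFFFFF
        return (y[1] & care) == 0 and ((x[0] ^ y[0]) & care) == 0
    return (a[0] in ("ip", b[0]) and net(a[1], b[1]) and net(a[3], b[3])
            and a[2] in ((), b[2]) and a[4] in ((), b[4]))

def shadowed(lines):
    """Return (entry, earlier entry that always matches first) for each dead entry."""
    pairs = ((cur, next((e for e in lines[:j] if covers(parse(e), parse(cur))), None))
             for j, cur in enumerate(lines))
    return [(cur, e) for cur, e in pairs if e]

for entry, earlier in shadowed(ACL_104):
    print(f"never reached: {entry}\n  shadowed by: {earlier}")
```

Run against ACL 101 from the same configuration, the check reports nothing, because its narrow permits precede the broader denies.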
12-28-2011 06:03 AM
I wouldn't change the data vlan1 unless you are trying to match it with your internal computer network. Are you using the UC as your main router? Please provide more information about your network topology and configuration so we can help you better.
-Renato
12-28-2011 08:15 AM
Yes, I am trying to match the data vlan to their existing network. I am not going to use the UC as the main router. I want to set up the UC on IP 10.0.0.201 255.255.255.0.
12-28-2011 09:47 AM
Just make sure you use CCA to change the smartports to the correct setting (IPPhone/Desktop) on fe0-7. Make sure you delete the DHCP scope for vlan1 as well. I'm not sure why you have vlan 200 for their SIP service. Usually SIP is configured to go through the WAN port. In CCA, Configure->Telephony->Ports and Trunks->SIP Trunk. I don't know how it would work any other way unless there is some custom config via CLI.
12-28-2011 02:51 PM
I was told that this setup is not CCA supported, so I need CLI help. Yes, I believe they have custom CLI and that is where most of these issues originated.
12-29-2011 05:27 AM
I guess it would help to know more information on the SIP provider to see if you can use CCA to configure it. It would also help to see the rest of your config.
01-02-2012 09:10 PM
Hi Mark,
I believe the problem to be this: "ip nat inside source list 1 interface FastEthernet0/0 overload"
Your UC is acting as a routing device, but in an unusual way; whoever set it up before might not have fully understood the UC and how it operates, or the best practice of configuration.
If you had a spare 2 hours I would have strongly suggested you blow the configuration away entirely and redo the whole thing using the CCA Telephony Wizard. It takes about <45 minutes to go through the wizard; if you know all the info beforehand you can even do it in about 20 minutes... You would then have a fully supported system, your life would be much..much...MUCH easier, and you won't have to worry about working with a CLI-based system that might have had a CCNA Data person configure it without understanding the full implications of what they have done.
The 2 hours is to cover any upgrades you might do to the CME/CUE and also the tweaking that will need to be done after the system reloads from doing the configuration. To be on the safe side, though, I would allocate 4 hours to ensure you get the system back up to where it is now or in a better state.
Probably not the advice you wanted, but it is the most honest and up-front one to give.
Cheers,
David.