07-26-2012 01:43 PM
Hello,
I have an issue where I have two locations trying to get connected. The first location has a Cisco 861 and a UC500 for the phone system. The second location is using a UC520 for the phones and as the router. Below are the configurations of the 861 and the UC520. Any help would be greatly appreciated!
Cisco 861
Current configuration : 7635 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1477458744
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1477458744
revocation-check none
rsakeypair TP-self-signed-1477458744
!
!
crypto pki certificate chain TP-self-signed-1477458744
quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
license udi pid CISCO861-K9 sn fff
!
!
username admin
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address 2.2.2.140 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
crypto map mymap 1 ipsec-isakmp
set peer 1.1.1.140
set transform-set ESP-3DES-SHA
match address SDM_1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 1.1.1.130 255.255.255.240
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex full
speed auto
crypto map mymap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable
ip nat inside source static 10.1.1.23 1.1.1.133
!
ip route 0.0.0.0 0.0.0.0 1.1.1.129
!
ip access-list extended SDM_1
remark CCP_ACL Category=20
permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
remark IPSec Rule
ip access-list extended VPN-TRAFFIC
remark CCP_ACL Category=16
permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit any
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit any
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 0.0.0.0 255.255.255.0 any
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco UC520
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key panasonic address 1.1.1.130 no-xauth
!
crypto isakmp client configuration group EZVPN_GROUP_1
key 8888
dns 64.132.94.250 216.136.95.1
pool SDM_POOL_1
acl 105
save-password
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map mymap 1 ipsec-isakmp
set peer 1.1.1.130
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
logging enable
logging size 600
hidekeys
!
!
ip telnet source-interface BVI100
ip tftp source-interface Loopback0
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
bridge irb
!
interface Loopback0
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 2.2.2.140 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map mymap
!
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered BVI100
ip nat inside
ip virtual-reassembly
service-module ip address 172.16.6.2 255.255.255.0
service-module ip default-gateway 172.16.6.1
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
!
interface Vlan100
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 100
!
interface BVI1
ip address 10.0.0.250 255.255.255.0
ip helper-address 10.0.0.6
ip nat inside
ip virtual-reassembly
!
interface BVI100
ip address 172.16.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
h323-gateway voip interface
h323-gateway voip bind srcaddr 172.16.6.1
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable
!
ip access-list extended INSIDE_NAT
deny ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
deny ip any 10.1.1.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 172.16.4.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 172.16.6.0 0.0.0.255 any
ip access-list extended NAT_CUSTOMERS
permit tcp any host 2.2.2.140 eq 4550
!
access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 permit ip 172.16.6.0 0.0.0.255 any
snmp-server community public RO
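
A consistency check for the two ends of a site-to-site tunnel like the one above, as an added example that is not part of the original post: it confirms that every crypto map peer has a pre-shared key bound to its address and that the crypto ACLs on the two routers are mirror images. The excerpts are constructed from the posted configs (crypto lines only, key values masked, normal IOS indentation restored), and the names `crypto_view` and `audit` are hypothetical.

```python
import re
# Constructed excerpts of the two configs above: crypto lines only, keys masked.
CFG_861 = """crypto isakmp key xxx address 2.2.2.140 no-xauth
crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.140
 match address SDM_1
ip access-list extended SDM_1
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
CFG_UC520 = """crypto isakmp key xxx address 1.1.1.130 no-xauth
crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.130
 match address 100
access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def crypto_view(cfg):
    """Return (peers, PSK addresses, selectors of the crypto map's ACL)."""
    peers = set(re.findall(r"^\s*set peer (\S+)", cfg, re.M))
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    acl = re.search(r"^\s*match address (\S+)", cfg, re.M).group(1)
    sel, in_named = set(), False
    for line in cfg.splitlines():
        m = ACE.search(line)
        if line.startswith("ip access-list extended "):
            in_named = line.split()[-1] == acl      # entering a named ACL
        elif line.startswith("access-list "):
            in_named = False
            if m and line.split()[1] == acl:        # numbered ACL entry
                sel.add(m.groups())
        elif in_named and m:
            sel.add(m.groups())
        elif not line.startswith(" "):
            in_named = False                        # any other top-level command
    return peers, keys, sel

def audit(local, remote):
    """List inconsistencies in `local`, checked against the `remote` peer."""
    peers, keys, sel = crypto_view(local)
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in crypto_view(remote)[2]}
    missing = [f"peer {p}: no 'crypto isakmp key' bound to that address"
               for p in sorted(peers - keys)]
    return missing + [f"selector {' '.join(e)} has no mirror on the remote ACL"
                      for e in sorted(sel - mirrored)]
```

In the full configs as posted, the nine selectors on each side are likewise mirrors of each other; the one inconsistency is the 861's `set peer 1.1.1.140` against a key bound to 2.2.2.140, the UC520's outside address. The thread does not say whether that difference exists on the device or comes from masking addresses in the post.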
07-26-2012 02:04 PM
Actually a reboot of the Cisco 861 seemed to do the trick!
07-26-2012 02:25 PM
Hi Marshal,
Great news, I give you 5 stars.
Please mark this question as answered.
Have a nice day.