[asterisk-users] Cisco 7960 not always receiving incoming calls
Stephen Reese
rsreese at gmail.com
Sat Oct 18 21:23:58 CDT 2008
Very cool, I believe that did the trick. Thank you for your time.
On Sat, Oct 18, 2008 at 7:42 PM, Darryl Dunkin <ddunkin at netos.net> wrote:
> Oh, you are using ip inspect as well.
>
> I have this setup on a few routers when using the FW feature set:
> ip inspect udp idle-time 900
>
> -----Original Message-----
> From: Stephen Reese [mailto:rsreese at gmail.com]
> Sent: Saturday, October 18, 2008 14:41
> To: Asterisk Users Mailing List - Non-Commercial Discussion; Darryl Dunkin
> Subject: Re: [asterisk-users] Cisco 7960 not always receiving incoming calls
>
> I tried increasing the value and even set it to never and added the
> qualify line, but that did not help. Do I need to poke any holes in the
> firewall on the NAT device for the UDP traffic to stay persistent? I
> have included my router's configuration in case someone notices
> something I may need to make the connection work correctly. Also, when
> I call the phone within the "OK" reachable time, after the call
> disconnects the status immediately becomes "UNREACHABLE".
>
> ns1*CLI> sip show peers
> Name/username           Host            Dyn Nat ACL Port     Status
> vitel-outbound/rsreese  64.2.142.22                 5060     Unmonitored
> vitel-inbound/rsreese   64.2.142.116                5060     Unmonitored
> 101/101                 68.156.63.118    D   N      1038     UNREACHABLE
> 3 sip peers [Monitored: 0 online, 1 offline Unmonitored: 2 online, 0 offline]
>
>
> [Oct 18 16:55:09] NOTICE[21216]: chan_sip.c:15231 handle_response_peerpoke: Peer '101' is now Reachable. (217ms / 2000ms)
>
> ns1*CLI> sip show peers
> Name/username           Host            Dyn Nat ACL Port     Status
> vitel-outbound/rsreese  64.2.142.22                 5060     Unmonitored
> vitel-inbound/rsreese   64.2.142.116                5060     Unmonitored
> 101/101                 68.156.63.118    D   N      1038     OK (217 ms)
> 3 sip peers [Monitored: 1 online, 0 offline Unmonitored: 2 online, 0 offline]
>
> [Oct 18 17:24:16] NOTICE[21216]: chan_sip.c:19339 sip_poke_noanswer: Peer '101' is now UNREACHABLE! Last qualify: 134
>
> CISCO CONF FOLLOWS:
>
>
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime
> service password-encryption
> !
> hostname 3725router
> !
> boot-start-marker
> boot system flash:/c3725-adventerprisek9-mz.124-21.bin
> boot-end-marker
> !
> logging buffered 8192 debugging
> logging console informational
> enable secret 5
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication ppp default local
> aaa authorization exec default local
> aaa authorization network default local
> !
> aaa session-id common
> clock timezone EST -5
> clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
> network-clock-participate slot 1
> network-clock-participate slot 2
> no ip source-route
> !
> ip traffic-export profile IDS-SNORT
> interface FastEthernet0/0
> bidirectional
> mac-address 000c.2989.f93a
> ip cef
> !
> !
> no ip dhcp use vrf connected
> ip dhcp excluded-address 172.16.2.1
> ip dhcp excluded-address 172.16.3.1
> !
> ip dhcp pool VLAN2clients
> network 172.16.2.0 255.255.255.0
> default-router 172.16.2.1
> dns-server 205.152.144.23 205.152.132.23
> option 66 ip 172.16.2.10
> option 150 ip 172.16.2.10
> !
> ip dhcp pool VLAN3clients
> network 172.16.3.0 255.255.255.0
> default-router 172.16.3.1
> dns-server 205.152.144.23 205.152.132.23
> !
> !
> ip domain name neocipher.net
> ip name-server 205.152.144.23
> ip name-server 205.152.132.23
> ip inspect name SDM_LOW cuseeme
> ip inspect name SDM_LOW dns
> ip inspect name SDM_LOW ftp
> ip inspect name SDM_LOW h323
> ip inspect name SDM_LOW https
> ip inspect name SDM_LOW icmp
> ip inspect name SDM_LOW netshow
> ip inspect name SDM_LOW rcmd
> ip inspect name SDM_LOW realaudio
> ip inspect name SDM_LOW rtsp
> ip inspect name SDM_LOW sqlnet
> ip inspect name SDM_LOW streamworks
> ip inspect name SDM_LOW tftp
> ip inspect name SDM_LOW tcp
> ip inspect name SDM_LOW udp
> ip inspect name SDM_LOW vdolive
> ip inspect name SDM_LOW imap
> ip inspect name SDM_LOW pop3
> ip inspect name SDM_LOW esmtp
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> ip ips sdf location flash://256MB.sdf
> ip ips notify SDEE
> ip ips name sdm_ips_rule
> vpdn enable
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto pki trustpoint TP-self-signed-995375956
> enrollment selfsigned
> subject-name cn=IOS-Self-Signed-Certificate-995375956
> revocation-check none
> rsakeypair TP-self-signed-995375956
> !
> !
> crypto pki certificate chain TP-self-signed-995375956
> certificate self-signed 01
>
> quit
> username user privilege 15 secret 5
> !
> !
> ip ssh authentication-retries 2
> !
> !
> crypto isakmp policy 3
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco address 10.0.0.2 no-xauth
> !
> crypto isakmp client configuration group VPN-Users
> key
> dns 2
> domain neocipher.net
> pool VPN_POOL
> acl 115
> include-local-lan
> netmask 255.255.255.0
> crypto isakmp profile IKE-PROFILE
> match identity group VPN-Users
> client authentication list default
> isakmp authorization list default
> client configuration address initiate
> client configuration address respond
> virtual-template 1
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> mode transport
> !
> crypto ipsec profile IPSEC_PROFILE1
> set transform-set ESP-3DES-SHA
> set isakmp-profile IKE-PROFILE
> !
> !
> crypto dynamic-map DYNMAP 10
> set transform-set ESP-3DES-SHA
> !
> !
> crypto map CLIENTMAP client authentication list default
> crypto map CLIENTMAP isakmp authorization list default
> crypto map CLIENTMAP client configuration address respond
> crypto map CLIENTMAP 1 ipsec-isakmp
> set peer 10.0.0.2
> set transform-set ESP-3DES-SHA
> match address 100
> crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
> !
> !
> !
> !
> interface Loopback0
> ip address 192.168.0.1 255.255.255.0
> no ip unreachables
> ip virtual-reassembly
> !
> interface Tunnel0
> description HE.net
> no ip address
> ipv6 address
> ipv6 enable
> tunnel source FastEthernet0/0
> tunnel destination
> tunnel mode ipv6ip
> !
> interface Null0
> no ip unreachables
> !
> interface FastEthernet0/0
> description $ETH-WAN$$FW_OUTSIDE$
> ip address dhcp client-id FastEthernet0/0 hostname 3725router
> ip access-group 104 in
> no ip unreachables
> ip nat outside
> ip inspect SDM_LOW out
> ip ips sdm_ips_rule in
> ip virtual-reassembly
> speed 100
> full-duplex
> crypto map CLIENTMAP
> !
> interface Serial0/0
> description $FW_OUTSIDE$
> ip address 10.0.0.1 255.255.240.0
> ip access-group 105 in
> ip verify unicast reverse-path
> no ip unreachables
> ip inspect SDM_LOW out
> ip virtual-reassembly
> clock rate 2000000
> crypto map CLIENTMAP
> !
> interface FastEthernet0/1
> no ip address
> no ip unreachables
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> interface FastEthernet0/1.2
> description $FW_INSIDE$
> encapsulation dot1Q 2
> ip address 172.16.2.1 255.255.255.0
> ip access-group 101 in
> no ip unreachables
> ip nat inside
> ip virtual-reassembly
> crypto map CLIENTMAP
> !
> interface FastEthernet0/1.3
> description $FW_INSIDE$
> encapsulation dot1Q 3
> ip address 172.16.3.1 255.255.255.0
> ip access-group 102 in
> no ip unreachables
> ip nat inside
> ip virtual-reassembly
> !
> interface FastEthernet0/1.10
> !
> interface Serial0/1
> no ip address
> no ip unreachables
> shutdown
> clock rate 2000000
> !
> interface Virtual-Template1 type tunnel
> description $FW_INSIDE$
> ip unnumbered Loopback0
> ip access-group 103 in
> no ip unreachables
> ip virtual-reassembly
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile IPSEC_PROFILE1
> !
> ip local pool VPN_POOL 192.168.0.100 192.168.0.105
> ip forward-protocol nd
> ip route 172.16.10.0 255.255.255.0 10.0.0.2
> !
> !
> ip http server
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 600 life 86400 requests 10000
> ip nat translation udp-timeout never
> ip nat inside source list 1 interface FastEthernet0/0 overload
> !
> logging trap debugging
> logging origin-id hostname
> logging 172.16.2.5
> access-list 1 permit 172.16.2.0 0.0.0.255
> access-list 1 permit 172.16.3.0 0.0.0.255
> access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
> access-list 101 remark auto generated by SDM firewall configuration
> access-list 101 remark SDM_ACL Category=1
> access-list 101 permit ahp any host 172.16.2.1
> access-list 101 permit esp any host 172.16.2.1
> access-list 101 permit udp any host 172.16.2.1 eq isakmp
> access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
> access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
> access-list 101 deny ip host 255.255.255.255 any log
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 101 deny tcp any any range 1 chargen log
> access-list 101 deny tcp any any eq whois log
> access-list 101 deny tcp any any eq 93 log
> access-list 101 deny tcp any any range 135 139 log
> access-list 101 deny tcp any any eq 445 log
> access-list 101 deny tcp any any range exec 518 log
> access-list 101 deny tcp any any eq uucp log
> access-list 101 permit ip any any
> access-list 102 remark auto generated by SDM firewall configuration
> access-list 102 remark SDM_ACL Category=1
> access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
> access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 102 deny ip host 255.255.255.255 any log
> access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 102 permit ip any any
> access-list 103 remark auto generated by SDM firewall configuration
> access-list 103 remark SDM_ACL Category=1
> access-list 103 deny ip 172.16.2.0 0.0.0.255 any
> access-list 103 deny ip 10.0.0.0 0.0.15.255 any
> access-list 103 deny ip 172.16.3.0 0.0.0.255 any
> access-list 103 deny ip host 255.255.255.255 any
> access-list 103 deny ip 127.0.0.0 0.255.255.255 any
> access-list 103 permit ip any any
> access-list 104 remark auto generated by SDM firewall configuration
> access-list 104 remark SDM_ACL Category=1
> access-list 104 permit udp host 205.152.132.23 eq domain any
> access-list 104 permit udp host 205.152.144.23 eq domain any
> access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
> access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
> access-list 104 permit ahp any any
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
> access-list 104 permit udp any any eq non500-isakmp
> access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
> access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
> access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
> access-list 104 permit udp any eq bootps any eq bootpc
> access-list 104 permit icmp any any echo-reply
> access-list 104 permit icmp any any time-exceeded
> access-list 104 permit icmp any any unreachable
> access-list 104 deny icmp any any echo log
> access-list 104 deny icmp any any mask-request log
> access-list 104 deny icmp any any redirect log
> access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
> access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
> access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
> access-list 104 deny ip host 255.255.255.255 any log
> access-list 104 deny tcp any any range 6000 6063 log
> access-list 104 deny tcp any any eq 6667 log
> access-list 104 deny tcp any any range 12345 12346 log
> access-list 104 deny tcp any any eq 31337 log
> access-list 104 deny udp any any eq 2049 log
> access-list 104 deny udp any any eq 31337 log
> access-list 104 deny udp any any range 33400 34400 log
> access-list 104 deny ip any any log
> access-list 105 remark auto generated by SDM firewall configuration
> access-list 105 remark SDM_ACL Category=1
> access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
> access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
> access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
> access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
> access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
> access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
> access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
> access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
> access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
> access-list 105 deny ip 172.16.2.0 0.0.0.255 any
> access-list 105 deny ip 192.168.0.0 0.0.0.255 any
> access-list 105 deny ip 172.16.3.0 0.0.0.255 any
> access-list 105 permit icmp any host 10.0.0.1 echo-reply
> access-list 105 permit icmp any host 10.0.0.1 time-exceeded
> access-list 105 permit icmp any host 10.0.0.1 unreachable
> access-list 105 deny ip 10.0.0.0 0.255.255.255 any
> access-list 105 deny ip 172.16.0.0 0.15.255.255 any
> access-list 105 deny ip 192.168.0.0 0.0.255.255 any
> access-list 105 deny ip 127.0.0.0 0.255.255.255 any
> access-list 105 deny ip host 255.255.255.255 any
> access-list 105 deny ip host 0.0.0.0 any
> access-list 105 deny ip any any log
> access-list 115 permit ip 172.16.0.0 0.0.255.255 any
> access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
> access-list 120 permit ip 172.16.0.0 0.0.255.255 any
> snmp-server community public RO
> ipv6 route ::/0 Tunnel0
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> password 7 05080F1C2243
> transport input ssh
> line vty 5 903
> transport input ssh
> !
> ntp clock-period 17180643
> ntp server 129.6.15.29 source FastEthernet0/0 prefer
> !
> end
>
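The failure mode Darryl's fix addresses, worked through as an added example (not code from the thread): `ip nat translation udp-timeout never` keeps the NAT entry alive, but CBAC's `ip inspect` tracks the UDP flow with its own idle timer, and when that timer is shorter than the gap between Asterisk's qualify probes the session state is gone before the next OPTIONS arrives. The script parses `sip show peers` output (a sample constructed from the thread's output) and reports, for each peer behind NAT, which idle timer expires between probes; the 60 s Asterisk qualify interval and the 30 s CBAC UDP idle default are assumptions, not values stated in the thread.

```python
import re

# Constructed sample modelled on the thread's `sip show peers` output (not a verbatim capture).
SIP_SHOW_PEERS = """\
Name/username           Host            Dyn Nat ACL Port     Status
vitel-outbound/rsreese  64.2.142.22                 5060     Unmonitored
vitel-inbound/rsreese   64.2.142.116                5060     Unmonitored
101/101                 68.156.63.118    D   N      1038     UNREACHABLE
3 sip peers [Monitored: 0 online, 1 offline Unmonitored: 2 online, 0 offline]
"""

# A peer row: name, IPv4 host, optional D/N/A flag columns, port, free-text status.
PEER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<flags>(?:[DNA]\s+)*)(?P<port>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_peers(text):
    """Return one dict per peer row: name, host, dynamic, nat, port, status."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue  # header line, summary line or blank
        flags = m.group("flags").split()
        peers.append({
            "name": m.group("name"), "host": m.group("host"),
            "dynamic": "D" in flags, "nat": "N" in flags,
            "port": int(m.group("port")), "status": m.group("status"),
        })
    return peers


def expiring_timers(qualify_s, timers):
    """Names of idle timers (seconds; None means never) that run out between two qualify probes."""
    return sorted(name for name, t in timers.items() if t is not None and t < qualify_s)


def diagnose(text, qualify_s, timers):
    """For each peer behind NAT, the timers that close its UDP flow before the next probe."""
    return {p["name"]: expiring_timers(qualify_s, timers) for p in parse_peers(text) if p["nat"]}


if __name__ == "__main__":
    # Assumed: Asterisk's default 60 s qualify interval; the router as posted, with
    # udp-timeout never on the NAT side but CBAC's assumed 30 s default UDP idle time.
    before = {"ip nat translation udp-timeout": None, "ip inspect udp idle-time": 30}
    after = dict(before, **{"ip inspect udp idle-time": 900})  # the fix from the thread
    print(diagnose(SIP_SHOW_PEERS, 60, before))  # {'101/101': ['ip inspect udp idle-time']}
    print(diagnose(SIP_SHOW_PEERS, 60, after))   # {'101/101': []}
```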