Solved

setting up remote IP phone w/ 871 router

Posted on 2008-06-16
9
854 Views
Last Modified: 2009-01-13
Hey Folks...I am trying to set up a remote user in our organization with a 7961 phone in his remote office via a 871 router. The idea is that the router should set up a VPN connection to our call manager express router (Cisco 2811) and be able to download its configuration and make calls. I have PAT set up on the 871 router translating one static public IP address to a block of private IP addresses inside. I set up the EZVPN in client mode and I can see the VPN connection to our firewall (ASA 5505) but the connection keeps tearing itself down. I don't believe that the ASA supports server mode so I am wondering if I should be setting up an IPSEC tunnel directly to the 2811 router which hosts the call manager express. I am thinking now that my entire approach to this is wrong. As you probably can tell, this is my first time doing this so any help that anyone can offer would be much appreciated.

Here is the config right now...


sg ho run
Building configuration...

Current configuration : 7707 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname M.Vogel-871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Rwu1$jqfvx9f.BzeLU5.xqvgxy0
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   option 150 ip 172.16.64.2
   lease 0 2
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip domain name yourdomain.com
ip name-server 71.250.0.12
!
!
crypto pki trustpoint TP-self-signed-436793851
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-436793851
 revocation-check none
 rsakeypair TP-self-signed-436793851
!
!
crypto pki certificate chain TP-self-signed-436793851
 certificate self-signed 01
  quit
username admin privilege 15 password 7 13310543055D10337A757972
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 84600
 crypto isakmp keepalive 30 10
!
crypto isakmp client configuration group rtr-remote
 key xxxxxxx
 dns 71.250.0.12
 domain btp.net
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn abvvpn1
 connect auto
 group abvvpn1 key btpbtp123456
 mode client
 peer 205.XXX.XXX.XXX (ASA outside interface)
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set test
 reverse-route
!
!
crypto map 1 client configuration address respond
!
crypto map dynmap isakmp authorization list rtr-remote
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel1
 no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 71.XXX.XXX.xXX 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn abvvpn1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn abvvpn1 inside
!
ip local pool dynpool 10.10.10.2 10.10.10.6 group rtr-remote
ip classless
ip route 0.0.0.0 0.0.0.0 71.XXX.XXX.XXX
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flas
ip nat pool translate 71.XXX.XXX.XXX 71.XXX.XXX.XXX prefix-length 24
ip nat source list 23 interface FastEthernet4 overload
ip nat inside source list 23 pool translate overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 71.XXX.XXX.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.10.10.0 0.0.0.7 any
access-list 101 permit icmp any host 71.249.218.222 echo-reply
access-list 101 permit icmp any host 71.249.218.222 time-exceeded
access-list 101 permit icmp any host 71.249.218.222 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 password 7 08155E1F0748110E435A5D45
 login
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
M.Vogel-871#


Question by:carloshidalgo
9 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 21797237
I thought the idea was for the phone to make the VPN connection to the ezvpn server on the router?
0
 

Author Comment

by:carloshidalgo
ID: 21797396
The idea is for the phone (which is connected to the 871 router) to be able to make the connection to the remote call manager express router and be able to download its config and make calls. To do this I need to be able to set the TFTP option on the phone to the call manager IP address (which is a private IP).
0
 
LVL 7

Expert Comment

by:naughton
ID: 21798699
OK - so the VPN option to the call manager router?
0
 

Author Comment

by:carloshidalgo
ID: 21812480
Exactly...what I'm thinking is that maybe I should put a public IP on the call manager and either set up EZVPN server/client or an IPSEC tunnel...I'm just not sure which one and whether either one will work.
0
 
LVL 15

Accepted Solution

by:
wingatesl earned 129 total points
ID: 21818929
The solution is to set up a GRE tunnel between the 877 and the CME device. Then set your TFTP setting  on the phone to the private address on the CME router.
Basic unencrypted GRE config is here:
<2811>
interface tunnel 0
ip address 172.16.1.1 255.255.255.0
tunnel source gigabitethernet 0/0    <put your internet side interface here>
tunnel destination *.*.*.* <put your 877 ip address here>

<877>
interface tunnel 0
ip address 172.16.1.2 255.255.255.0
tunnel source fastethernet 4
tunnel destination *.*.*.* <2811 public address here>

You will then need to set up some kind of routing to get back and forth:
<2811>
ip route 10.10.10.0 255.255.255.0 172.16.1.2 1

<877>
ip route <CME Network> <CME subnet mask> 172.16.1.1 1

That will get the two communicating, and you can test. When satisfied you can then put some crypto maps in place to encrypt the traffic.
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 129 total points
ID: 21818932
Obviously you will have to forward GRE packets through the ASA.
0
 

Author Comment

by:carloshidalgo
ID: 21832136
Why do I need to forward GRE packets through the ASA again? At this point the ASA is not even a part of the equation if there is a tunnel built directly from the 2811 to the 871 - that is, unless I am misunderstanding how this is supposed to be connected...
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 129 total points
ID: 21832851
The GRE packets need to be forwarded if the ASA sits between your CME and the internet
0
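The GRE tunnel from the accepted solution, carried through to the encrypted form it mentions at the end, as an added example (not config from the thread's participants). It protects the tunnel with an IPsec profile instead of a crypto map, reuses the 871's existing ISAKMP policy 1 (3DES, pre-shared key, group 2), uses the /29 from the 871's Vlan1 rather than the /24 in the reply, and opens the 871's inbound WAN ACL 101 for the peer, since that ACL ends in "deny ip any any". Assumptions: 203.0.113.1 stands in for the 2811's public address, the CME LAN is 172.16.64.0/24 (only 172.16.64.2 is on the page), GRE-PSK-PLACEHOLDER is the shared key, and the existing "crypto ipsec client ezvpn abvvpn1" lines on FastEthernet4 and Vlan1 are removed first; any ASA NAT/ACL in front of the 2811 is not shown.

```cisco
! === 2811 (hosts CME) ===
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! key for the 871's public address (masked on the page; placeholder key)
crypto isakmp key GRE-PSK-PLACEHOLDER address 71.XXX.XXX.XXX
!
! transport mode: the GRE header is already the outer tunnel
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 71.XXX.XXX.XXX
 tunnel protection ipsec profile GRE-PROT
!
! remote phone LAN is the 871's Vlan1 /29, not a /24
ip route 10.10.10.0 255.255.255.248 172.16.1.2
!
! === 871 (remote office; ISAKMP policy 1 already present) ===
! 203.0.113.1 = assumed 2811 public address
crypto isakmp key GRE-PSK-PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! CME LAN (assumed /24) reached via the tunnel, so it is not PATed
ip route 172.16.64.0 255.255.255.0 172.16.1.1
!
! ACL 101 on FastEthernet4 denies everything inbound; admit only the
! peer's ISAKMP, ESP and GRE ahead of the existing deny entries
ip access-list extended 101
 5 permit udp host 203.0.113.1 host 71.XXX.XXX.XXX eq isakmp
 6 permit esp host 203.0.113.1 host 71.XXX.XXX.XXX
 7 permit gre host 203.0.113.1 host 71.XXX.XXX.XXX
```

Verify with "show crypto isakmp sa" and "show crypto ipsec sa" on either router, then ping 172.16.1.1 from the 871 before pointing the phone's TFTP option at the CME address.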
