If you had your Cisco IP phones registered to a CUCM 8.x system and you go back to a 7.x system, remember to downgrade the firmware to one appropriate for 7.x. Otherwise chances are good that you will run into problems when trying to access the IP phone services of the CUCM 7.x system.
The problem seems to be that CUCM 7.x addresses the services via a URL like:
http://172.20.23.210:8080/ccmcip/getservicesmenu.jsp
Phones with the phone load for CUCM 8.x still try to access the services via:
https://172.20.23.210:8443/ccmcip/getservicesmenu.jsp
So the only thing you will see when trying to open the corporate directory is a "Requesting..." which finally ends in a "Host not found" message. A factory reset would be the easiest way to go back to the right phone load. Just keep that in mind ....
Blog about integration and testing of several Unified Communication products. Mainly with Cisco equipment.
Sunday, August 7, 2011
Sunday, July 24, 2011
Cisco CME with 3rd party SIP phones
Had to configure a Cisco Callmanager Express to accept connections from 3rd party SIP phones via the Internet. The SIP phones need to reach each other, their voicemail and PSTN phones via ISDN breakout.
Keep in mind that, as always, public IPs have been changed to private ones. Phone numbers are also fake. Signalling & RTP communication is NOT encrypted in this example! Be aware of that! You could tunnel this traffic through a VPN. Registration would then work too & everything should be fine (except for the additional delays ...). The ISDN configuration is for the German PSTN, but you should be able to modify it for your needs. If you have trouble getting this to work, try these debug commands:
debug ccsip all (Be careful, some phones fire off over 20 register requests per second. This usually only happens if the phone is not able to register, but it might freeze your router. This is not just a theoretical possibility!)
debug voice register errors
debug voice register events
Check your system's firewall settings if you use software phones. It might be a good idea to deactivate it temporarily to verify functionality.
At first I would try to use the X-Lite client. That's a client that usually always works first. Most tolerant one for NAT issues. In general almost any third party SIP client, even iPhones, should work in this implementation. Before delivering such a solution you should always verify functionality thoroughly. Some problems arise after a longer period of time because of timeouts etc.
This is only a short abstract. If you have any suggestions or comments - feel free to post them.
Overview
Configuration of Cisco Callmanager Express
sipgateway#sh run
Building configuration...
Current configuration : 8775 bytes
!
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sipgateway
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M1.bin
boot-end-marker
!
!
logging buffered 100000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
network-clock-participate wic 0
network-clock-select 1 BRI0/0/1
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip domain name lab.local
ip name-server 172.20.21.5
multilink bundle-name authenticated
!
!
!
!
isdn switch-type basic-net3
!
voice-card 0
dsp services dspfarm
!
!
voice call disc-pi-off
!
voice service voip
allow-connections sip to sip
redirect ip2ip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface GigabitEthernet0/0
bind media source-interface GigabitEthernet0/0
registrar server expires max 600 min 60
no call service stop
!
voice class codec 10
codec preference 1 g711ulaw
!
!
voice register global
mode cme
source-address 172.20.21.165 port 5060
max-dn 35
max-pool 10
authenticate register ==> This is needed, because phones are not locally connected.
authenticate realm lab.local ==> This is needed by some SIP phones to switch to digest auth.
timezone 21
time-format 24
date-format D/M/Y
voicemail 88888888
tftp-path flash:
create profile sync 0429414478545137
!
voice register dn 1
number 12344887
call-forward b2bua unregistered 88888888
allow watch
name Test1
label 12344887
mwi
!
voice register dn 2
number 12344898
allow watch
name Test2
label 12344898
mwi
!
voice register dn 4
number 12344971
call-forward b2bua unregistered 88888888
allow watch
name Test4
label 12344971
mwi
!
voice register dn 5
number 12341453
allow watch
name Test5
label 12341453
mwi
!
voice register dn 7
number 12341455
allow watch
name Test7
label 12341455
mwi
!
voice register pool 1
id mac 0000.0000.0000 ==> Mac is irrelevant. Auth is now digest based.
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username 12344887 password 1234
codec g711ulaw
!
voice register pool 2
id mac 0000.0000.0000
number 1 dn 2
presence call-list
dtmf-relay rtp-nte
username 12344898 password 1234
codec g711ulaw
!
voice register pool 4
id mac 0000.0000.0000
number 1 dn 4
presence call-list
dtmf-relay rtp-nte
username 12344971 password 1234
codec g711ulaw
!
voice register pool 5
id mac 0000.0000.0000
number 1 dn 5
presence call-list
dtmf-relay rtp-nte
username 12341453 password 1234
codec g711ulaw
!
voice register pool 7
id mac 0000.0000.0000
number 1 dn 7
presence call-list
dtmf-relay sip-notify
username 12341455 password 1234
codec g711ulaw
!
!
!
voice translation-rule 5
rule 1 /^\(.*\)/ /30\1/ type any national
!
voice translation-rule 10
rule 1 /^\(.*\)/ /0\1/ type subscriber unknown
rule 2 /^\(.*\)/ /00\1/ type national unknown
rule 3 /^\(.*\)/ /000\1/ type international unknown
!
!
voice translation-profile From-PSTN
translate calling 10
!
voice translation-profile To-PSTN
translate calling 5
!
!
license udi pid CISCO2901/K9 sn 12341234
license accept end user agreement
hw-module ism 0
!
hw-module pvdm 0/0
!
!
!
username labtest privilege 15 labt3st
!
redundancy
!
!
!
interface Loopback0
ip address 172.20.20.1 255.255.255.252
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN Interface
ip address 172.20.21.165 255.255.255.248
duplex auto
speed auto
!
interface ISM0/0
ip unnumbered Loopback0
service-module ip address 172.20.20.2 255.255.255.252
!Application: CUE Running on ISM
service-module ip default-gateway 172.20.20.1
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ISM0/1
description Internal switch interface connected to Internal Service Module
no ip address
shutdown
!
interface BRI0/0/0
no ip address
shutdown
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
!
interface BRI0/0/1
no ip address
isdn switch-type basic-net3
isdn point-to-point-setup
isdn incoming-voice voice
!
ip http server
ip http access-class 24
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
ip route 0.0.0.0 0.0.0.0 172.20.21.161
ip route 172.20.20.2 255.255.255.255 ISM0/0
!
!
!
!
!
control-plane
!
!
voice-port 0/0/0
compand-type a-law
cptone DE
bearer-cap Speech
!
voice-port 0/0/1
compand-type a-law
cptone DE
bearer-cap Speech
!
!
dial-peer voice 1 pots
description ISDN
translation-profile incoming From-PSTN
translation-profile outgoing To-PSTN
destination-pattern 0.T
incoming called-number .
direct-inward-dial
port 0/0/1
!
dial-peer voice 5 voip
destination-pattern 88888888
session protocol sipv2
session target ipv4:172.20.20.2
incoming called-number .
voice-class codec 10
dtmf-relay sip-notify
no vad
!
!
gateway
timer receive-rtp 1200
!
sip-ua
!
end
sipgateway#
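A quick audit of the credential-related lines in a running-config like the one above, as an added example (not part of the original post): it flags clear-text storage, missing registration authentication, short or numeric digest passwords such as the 1234 used here, password reuse across pools, and the plain-HTTP server. The sample config is constructed, and the 12-character minimum is an assumed policy value.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the running-config above (not a real device).
SAMPLE_CONFIG = """\
no service password-encryption
!
voice register global
 mode cme
 authenticate register
 authenticate realm lab.local
!
voice register pool 1
 number 1 dn 1
 username 12344887 password 1234
!
voice register pool 2
 number 1 dn 2
 username 12344898 password 1234
!
voice register pool 3
 number 1 dn 3
 username 12344899 password c0rrect-Horse-battery-7
!
ip http server
ip http secure-server
"""

POOL_RE = re.compile(r"^voice register pool (\d+)$")
CRED_RE = re.compile(r"^username (\S+) password (\S+)")


def audit(config, min_len=12):
    """Return (scope, message) findings for a CME running-config.

    min_len is an assumed local policy value, not a Cisco default.
    """
    findings = []
    context = None                    # stanza we are inside; a '!' line ends it
    global_seen = auth_register = False
    pools_by_password = defaultdict(list)

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            context = None
            continue
        if line == "no service password-encryption":
            findings.append(("global", "secrets are stored in clear text in the config"))
        elif line == "ip http server":
            findings.append(("global", "management GUI is served over plain HTTP"))
        elif line == "voice register global":
            context, global_seen = "voice register global", True
        elif context == "voice register global" and line.startswith("authenticate register"):
            auth_register = True
        elif (m := POOL_RE.match(line)):
            context = "pool " + m.group(1)
        elif context and context.startswith("pool ") and (m := CRED_RE.match(line)):
            user, password = m.groups()
            pools_by_password[password].append(context)
            reasons = []
            if len(password) < min_len:
                reasons.append(f"shorter than {min_len} characters")
            if password.isdigit():
                reasons.append("digits only")
            if password == user:
                reasons.append("same as the username")
            if reasons:
                findings.append((context, "weak digest password: " + ", ".join(reasons)))

    if global_seen and not auth_register:
        findings.append(("voice register global",
                         "'authenticate register' missing: REGISTER is not challenged"))
    for pools in pools_by_password.values():
        if len(pools) > 1:
            findings.append((", ".join(pools), "digest password reused across pools"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"[{scope}] {message}")
```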
Verify registration
sipgateway#sh sip-ua status registrar
Line destination expires(sec) contact
transport call-id
peer
============================================================
12341455 172.20.22.52 597 172.20.22.52
UDP g7ngEr-P2hu1kPJ6mDgWP8FNWrPJDIql
40002
These are the phone configs I tested:
Android CSipSimple Settings
Accountname: 12344971
Send own number: 12344971
SIP Server: 172.20.21.165
Username: 12344971
Password: 1234
Proxy: 172.20.21.165
Phoner Lite Settings
Configuration -> Server
Proxy/registrar: 172.20.21.165
STUN Server: stun.counterpath.com
Domain/Realm: 172.20.21.165
Check Registration
Configuration -> User
Username: 12341453
Shown username: 12341453
Password: 1234
Authentication name: 12341453
Number: 12341453
Configuration -> Network
Check preferred connection type: UDP
Check Windows Firewall
Xlite (ver 4.0) settings
Softphone -> Account Settings -> Account
Check allow this account for call
User ID: 12341453
Domain: 172.20.21.165
Password: 1234
Authorization name: 12341453
Check Domain Proxy to register with Domain and receive calls
Check outbound via domain
Softphone -> Account Settings -> Topology
Autodetect firewall traversal method using ICE
Softphone -> Preferences -> Advanced
Check send DTMF via RFC2833
Snom 360 Settings
Identity1
Login
Account: 12344887
Password: 1234
Registrar: 172.20.21.165
Authentication Username: 12344887
SIP
Check Support broken Registrar
NAT
Check Offer ICE
STUN Server: stun.counterpath.com
Labels:
Android,
Cisco,
Cisco Callmanager Express (CME),
IOS,
SIP
Tuesday, July 19, 2011
Ever wanted to test a SMTP mailserver manually?
Just telnet to your mail server's TCP port 25 and enter the following commands; the lines starting with a three-digit code are the server's replies:
Host#telnet 172.20.20.88 25
Trying 172.20.20.88, 25 ... Open
220 mailserver.lab.local ESMTP Sendmail 8.13.8/8.13.8/Debian-2; Tue, 19 Jul 2011 21:52:12 +0200; (No UCE/UBE) logging access from: host.lab.local(OK)-host.lab.local [172.20.20.89]
EHLO host.lab.local
250-mailserver.lab.local Hello host.lab.local [172.20.20.89], pleased to meet youH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL FROM:<test@mailserver.lab.local>
250 2.1.0 <test@mailserver.lab.local>... Sender ok
RCPT TO:<andre@lab.local.de>
250 2.1.5 <andre@lab.local.de>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
subject:Test
text, text, text, text, text, text, text, text, text, text, text, text,
text, text, text, text, text, text, text, text, text, text, text, text,
bla ...
.
This final dot (.) is crucial. Type it, and then hit enter. This finishes your mail.
250 2.0.0 a7JJwA7887a979 Message accepted for delivery
QUIT
221 2.0.0 mailserver.lab.local closing connection
[Connection to 172.20.20.88 closed by foreign host]
Host#
That's it. If you see errors you don't know how to fix, check these links:
http://www.samlogic.net/articles/smtp-commands-reference.htm
http://email.about.com/cs/standards/a/smtp_error_code.htm
http://www.answersthatwork.com/Download_Area/ATW_Library/Networking/Network__3-SMTP_Server_Status_Codes_and_SMTP_Error_Codes.pdf
http://www.hosteng.com/faqfiles/SMTP%20Server%20Status%20Codes%20and%20Errors.pdf
Cisco Unity Express SMTP problem FQDN in EHLO
Ever had the problem, because of a sub-optimal DNS implementation, that your CUE doesn't want to use the FQDN in EHLO? Your SMTP server keeps sending "Helo command rejected: need fully-qualified hostname"? Then you should try to set the CUE hostname via CLI. You could set it to something like "hostname CUE.lab.local". This doesn't work via GUI!!
Packet Capture with hostname CUE:
No. Time Source Destination Protocol Length Info
14 26.796002 172.20.20.88 172.20.20.2 SMTP 98 S: 220 labstest.lab.local ESMTP Postfix
16 26.796002 172.20.20.2 172.20.20.88 SMTP 62 C: EHLO CUE
18 26.800002 172.20.20.88 172.20.20.2 SMTP 227 S: 250-labstest.lab.local | 250-PIPELINING | 250-SIZE 10485760 | 250-VRFY | 250-ETRN | 250-AUTH CRAM-MD5 GSSAPI | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
19 26.804002 172.20.20.2 172.20.20.88 SMTP 82 C: MAIL FROM:<CUE@lab.local>
21 26.812002 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.0 Ok
22 26.812002 172.20.20.2 172.20.20.88 SMTP 90 C: RCPT TO:<andre@provider.de>
24 26.812002 172.20.20.88 172.20.20.2 SMTP 123 S: 504 5.5.2 <CUE>: Helo command rejected: need fully-qualified hostname
25 26.812002 172.20.20.2 172.20.20.88 SMTP 58 C: RSET
27 26.816002 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.0.0 Ok
28 26.816002 172.20.20.2 172.20.20.88 SMTP 58 C: QUIT
31 26.816002 172.20.20.88 172.20.20.2 SMTP 67 S: 221 2.0.0 Bye
Packet Capture with hostname CUE.lab.local:
No. Time Source Destination Protocol Length Info
111 840.239998 172.20.20.88 172.20.20.2 SMTP 98 S: 220 labstest.lab.local ESMTP Postfix
113 840.243998 172.20.20.2 172.20.20.88 SMTP 79 C: EHLO CUE.lab.local
115 840.243998 172.20.20.88 172.20.20.2 SMTP 227 S: 250-labstest.lab.local | 250-PIPELINING | 250-SIZE 10485760 | 250-VRFY | 250-ETRN | 250-AUTH CRAM-MD5 GSSAPI | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
116 840.251998 172.20.20.2 172.20.20.88 SMTP 86 C: MAIL FROM:<CUE@lab.local>
118 840.259998 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.0 Ok
119 840.259998 172.20.20.2 172.20.20.88 SMTP 90 C: RCPT TO:<andre@provider.de>
121 840.267998 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.5 Ok
122 840.267998 172.20.20.2 172.20.20.88 SMTP 58 C: DATA
124 840.267998 172.20.20.88 172.20.20.2 SMTP 89 S: 354 End data with <CR><LF>.<CR><LF>
125 840.287997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
174 840.303997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
177 840.303997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
178 840.303997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
179 840.303997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
180 840.303997 172.20.20.2 172.20.20.88 IMF 440 from: Cisco Unity Express <CUE@lab.local>, subject: Message Notification, (text/plain) (audio/x-wav)
189 840.307997 172.20.20.88 172.20.20.2 SMTP 89 S: 250 2.0.0 Ok: queued as 93155E8CE43
190 840.307997 172.20.20.2 172.20.20.88 SMTP 58 C: QUIT
193 840.311997 172.20.20.88 172.20.20.2 SMTP 67 S: 221 2.0.0 Bye
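The two captures above, checked programmatically (an added example, not from the original post): the script reads the Info column of each capture line, reports the EHLO name and whether it is fully qualified, shows at which command the server rejected the session, and notes whether STARTTLS was offered but not used. The FQDN test is an approximation of the server-side check, and the capture lines are copied from this page with most DATA fragments left out.

```python
import re

# Capture lines copied from this page; most DATA fragments are left out.
CAPTURE_SHORT_NAME = """\
14 26.796002 172.20.20.88 172.20.20.2 SMTP 98 S: 220 labstest.lab.local ESMTP Postfix
16 26.796002 172.20.20.2 172.20.20.88 SMTP 62 C: EHLO CUE
18 26.800002 172.20.20.88 172.20.20.2 SMTP 227 S: 250-labstest.lab.local | 250-PIPELINING | 250-SIZE 10485760 | 250-VRFY | 250-ETRN | 250-AUTH CRAM-MD5 GSSAPI | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
19 26.804002 172.20.20.2 172.20.20.88 SMTP 82 C: MAIL FROM:<CUE@lab.local>
21 26.812002 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.0 Ok
22 26.812002 172.20.20.2 172.20.20.88 SMTP 90 C: RCPT TO:<andre@provider.de>
24 26.812002 172.20.20.88 172.20.20.2 SMTP 123 S: 504 5.5.2 <CUE>: Helo command rejected: need fully-qualified hostname
25 26.812002 172.20.20.2 172.20.20.88 SMTP 58 C: RSET
27 26.816002 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.0.0 Ok
28 26.816002 172.20.20.2 172.20.20.88 SMTP 58 C: QUIT
31 26.816002 172.20.20.88 172.20.20.2 SMTP 67 S: 221 2.0.0 Bye
"""

CAPTURE_FQDN = """\
111 840.239998 172.20.20.88 172.20.20.2 SMTP 98 S: 220 labstest.lab.local ESMTP Postfix
113 840.243998 172.20.20.2 172.20.20.88 SMTP 79 C: EHLO CUE.lab.local
115 840.243998 172.20.20.88 172.20.20.2 SMTP 227 S: 250-labstest.lab.local | 250-PIPELINING | 250-SIZE 10485760 | 250-VRFY | 250-ETRN | 250-AUTH CRAM-MD5 GSSAPI | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
116 840.251998 172.20.20.2 172.20.20.88 SMTP 86 C: MAIL FROM:<CUE@lab.local>
118 840.259998 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.0 Ok
119 840.259998 172.20.20.2 172.20.20.88 SMTP 90 C: RCPT TO:<andre@provider.de>
121 840.267998 172.20.20.88 172.20.20.2 SMTP 66 S: 250 2.1.5 Ok
122 840.267998 172.20.20.2 172.20.20.88 SMTP 58 C: DATA
124 840.267998 172.20.20.88 172.20.20.2 SMTP 89 S: 354 End data with <CR><LF>.<CR><LF>
125 840.287997 172.20.20.2 172.20.20.88 SMTP 1500 C: DATA fragment, 1448 bytes
180 840.303997 172.20.20.2 172.20.20.88 IMF 440 from: Cisco Unity Express <CUE@lab.local>, subject: Message Notification, (text/plain) (audio/x-wav)
189 840.307997 172.20.20.88 172.20.20.2 SMTP 89 S: 250 2.0.0 Ok: queued as 93155E8CE43
190 840.307997 172.20.20.2 172.20.20.88 SMTP 58 C: QUIT
193 840.311997 172.20.20.88 172.20.20.2 SMTP 67 S: 221 2.0.0 Bye
"""

LINE_RE = re.compile(r"\sSMTP\s+\d+\s+([CS]):\s+(.*)$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_fqdn(name):
    """Approximate the server's check: dotted host name or [address literal]."""
    if name.startswith("[") and name.endswith("]"):
        return True
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def analyse(capture):
    """Summarise one SMTP session from 'No. Time Src Dst Proto Len Info' lines."""
    report = {"helo": None, "helo_fqdn": None, "starttls_offered": False,
              "starttls_used": False, "auth": [], "failed_at": None,
              "error": None, "queued": False}
    last_cmd = None
    for raw in capture.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                      # e.g. the IMF summary line
        side, text = m.groups()
        if side == "C":
            words = text.split()
            if not words or text.startswith("DATA fragment"):
                continue                  # message body, not a command
            last_cmd = text
            verb = words[0].upper()
            if verb in ("EHLO", "HELO") and len(words) > 1:
                report["helo"] = words[1]
                report["helo_fqdn"] = is_fqdn(words[1])
            elif verb == "STARTTLS":
                report["starttls_used"] = True
            continue
        for reply in text.split(" | "):   # multi-line replies are joined by ' | '
            code, rest = reply[:3], reply[4:]
            if rest.upper() == "STARTTLS":
                report["starttls_offered"] = True
            elif rest.upper().startswith("AUTH "):
                report["auth"] = rest.split()[1:]
            if code[:1] in ("4", "5") and report["error"] is None:
                # The rejection can arrive later than the command that caused it.
                report["failed_at"], report["error"] = last_cmd, reply
            if code == "250" and last_cmd == "DATA":
                report["queued"] = True
    return report


if __name__ == "__main__":
    for name, cap in (("CUE", CAPTURE_SHORT_NAME), ("CUE.lab.local", CAPTURE_FQDN)):
        print(name, analyse(cap))
```

In the first capture the 504 is reported at RCPT TO even though the cause is the EHLO name, and in both captures the notification is sent without STARTTLS although the server offers it.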
Labels:
Cisco,
Cisco Unity Express(CUE),
Sendmail,
SMTP,
Troubleshooting
Wednesday, July 13, 2011
Remote Packet Capture in Cisco IOS
Sometimes you need a network packet capture but you don't have access to the network. That's the time for Cisco's "Embedded Packet Capture".
Let's say you want to capture the traffic on your Cisco IOS router's LAN interface. You need a circular buffer of about 2 megabytes.
monitor capture buffer buf1 size 2048 circular
monitor capture point ip cef cap1 gigabitethernet0/0 both
monitor capture point associate cap1 buf1
Start the capture with:
monitor capture point start cap1
And stop the capture with:
monitor capture point stop cap1
Check if everything you need is in the trace:
show monitor cap buffer buf1 dump
And copy it to a place, in this case flash, where you can access it:
monitor capture buffer buf1 export flash:capture.pcap
You might want to download it for example via SCP. There is a separate entry in this blog regarding SCP: http://uc-b.blogspot.com/2011/07/putty-scp-file-transfer-to-cisco-ios.html
But you could also copy it directly to a bunch of remote locations:
router#monitor capture buffer buf1 export ?
flash0: Location to dump buffer
flash1: Location to dump buffer
flash: Location to dump buffer
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
pram: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
router#
Cisco Link to embedded Packet Capture:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html
If you want to automate it in a quite fancy way you should have a look at Cisco Embedded Automation Systems - EASy
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps10777/ppt_EASy_Packet_Capture_c78-577851.pdf
Labels:
Cisco,
EEM,
File Transfer,
IOS,
Packet Capture,
Troubleshooting
Sunday, July 10, 2011
Access Cisco Unity Express from the internet with private addressing
Your Cisco Unity Express Voicemail system is connected to your Cisco Callmanager Express via private addressing? And you need to access it via the Internet? No VPN available?
Well, I had this task waiting for me. Not really complicated, but somebody might find it useful ....
interface GigabitEthernet0/0
description Internet
ip address 1.2.3.5 255.255.255.248
ip nat outside
!
interface ISM0/0
ip unnumbered Loopback0
ip nat inside
service-module ip address 172.20.20.2 255.255.255.252
!Application: CUE Running on ISM
service-module ip default-gateway 172.20.20.1
!
ip nat inside source list CUE_OUT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.20.2 80 1.2.3.5 9999 extendable
!
ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip route 172.20.20.2 255.255.255.255 ISM0/0
!This gives your CUE access to public services (SMTP, DNS, ...)
ip access-list extended CUE_OUT
deny ip host 172.20.20.2 host 172.20.20.1
permit ip host 172.20.20.2 any
Now you only need to enter this URL in your browser:
http://1.2.3.4:9999/admin
If there is a firewall in between (filtering all ports except for SIP traffic & SSH), you could set up an SSH tunnel to fix that problem. See http://uc-b.blogspot.com/2011/07/putty-scp-file-transfer-to-cisco-ios.html
Putty & SCP => File transfer to Cisco IOS through SSH Tunnel
Had the problem that I had to update an IOS Device with only SSH access available. Solution is to use SCP over a SSH Tunnel.
To do this, go to Change settings => Connection => SSH => Tunnels. Replace 1.2.3.4 with the IP you want to connect to. Before you define the local port, you should verify that it's unused. Doesn't need to be 22 on local side.
Remember to press the Add button before clicking Apply. Otherwise your settings will be lost.
Next, check the listening TCP ports in a DOS box. After entering "netstat -an -p TCP" you should find an entry like " TCP 127.0.0.1:22 0.0.0.0:0 Listening".
Now you have to prepare the router for SCP connection. The device should already be reachable via SSH.
Enter this in your router config:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username scp secret password
ip scp server enable
That's it! Now you can move files to & from your device. I prefer to use the Putty SCP client pscp.
Copy files from flash:
pscp -scp -pw password scp@127.0.0.1:flash:test.pcap "C:\Users\andre\Downloads\test.pcap"
test.pcap | 30 kB | 30.6 kB/s | ETA: 00:00:00 | 100%
Copy files to flash:
pscp -scp -pw password "C:\Users\andre\Downloads\cme-151-4Mv1\cme-151-4Mv1\CME 8.6\CME 8.6.0 GUI\CME8.6.0GUI.tar" scp@127.0.0.1:flash:CME8.6.0GUI.tar
This works for all TCP based protocols. Makes life a lot easier ....
Cisco link for SCP:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftscp.html
Labels:
Cisco Callmanager Express (CME),
File Transfer,
IOS,
SCP,
SSH,
Troubleshooting,
Update