Voice VLAN help please
My client has two SG300-52P and five SG300-28P switches. We installed a VoIP telephone system earlier this year. At installation time we put the phone system on the native VLAN 1. Now they want to move the phone system to a new VLAN because their class C subnet is running out of addresses. DHCP is handled by their Active Directory server and their router/firewall is an Untangle box. The SG300 switches have only a basic configuration.
To move the phone system to a new VLAN, I created VLAN 20 on each switch. I then turned on auto voice VLAN. I have all the ports on each switch set to trunk. Computers are plugged into the back of the phones. I then created a virtual interface on the Untangle box for VLAN 20. The Untangle box also handles DHCP for the new VLAN. Active Directory still handles DHCP for the native VLAN.
I can ping from each switch to the gateway of the new VLAN. From each computer I can ping the gateway and the phone system on the new VLAN. However, the phones will not pick up an address on the new VLAN, and when they are given a static address they cannot communicate with other devices on the new VLAN.
Any help would be much appreciated. I don't know what I'm missing.
Here is an example of part of a switch configuration that works with Zultys phones, where the voice VLAN is 100 and the data VLAN is 10:
vlan database
 vlan 10,20,100
exit
voice vlan id 100
interface fastethernet1
 description "PC and voice"
 switchport trunk allowed vlan add 100
 switchport trunk native vlan 10
!
interface fastethernet2
 description "PC and voice"
 switchport trunk allowed vlan add 100
 switchport trunk native vlan 10
In your case, you need a trunk port with VLAN 20 tagged going to your firewall (or an access port to a separate physical interface on VLAN 20). The default gateway served to the phones (or set statically) should be the IP of that interface. Then you can also allow inter-VLAN routing for admin access or MXIE, if you use it.
One thing to note with Zultys: by default I think the device profile disables LLDP, but on the phones it is enabled out of the box. The first time a phone downloads its config from the Zultys it can turn off LLDP unless you have checked the box to keep it on.
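For the setup in the question above (phones currently untagged on VLAN 1, new voice VLAN 20, PCs behind the phones, every port a trunk, an Untangle box routing VLAN 20 and serving its DHCP), here is an added SG300 configuration the way I would do it; it is not code from either post. Port numbers are assumptions: gi1-48 for phones and PCs on the 52-port units (adjust the range on the 28-port units), gi49-52 for the uplink to the Untangle box and the links between the seven switches.

```cisco
! Added example, not from the thread above. Assumes layer 2 mode and the
! port numbering described in the lead-in.
configure terminal
vlan database
 vlan 20
exit
interface vlan 20
 name VOICE
exit
! Make VLAN 20 the voice VLAN and let the switch advertise it to the phones
! over CDP/LLDP-MED; auto-enabled moves a port's voice traffic to VLAN 20
! once a phone is detected on it.
voice vlan id 20
voice vlan state auto-enabled
! Phone-facing ports: trunk, PC traffic untagged on VLAN 1, voice tagged on 20.
interface range gi1-48
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
exit
! Uplink to the Untangle box AND every inter-switch link: VLAN 20 must be
! tagged on each hop, or the phones' DHCP requests never reach the VLAN 20
! virtual interface and statically addressed phones cannot see each other
! across switches.
interface range gi49-52
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
exit
end
! Checks: the voice VLAN must be 20, the phone port and every uplink must
! list 20T, and the phone must appear as a CDP/LLDP neighbor.
show voice vlan
show vlan
show cdp neighbors
show lldp neighbors
```

Run `show vlan` on each of the seven switches, not only the one the phone is on: a single inter-switch link without 20T is enough to produce exactly the symptom in the question (gateway pingable from the switch itself, phones unable to get a lease).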
Tags: Cisco Support
Similar Questions
-
BlackBerry screen is frozen and the voice reader is activated! Help, please!
I don't know if I accidentally hit something, but now I can't access my BlackBerry Classic. The screen is frozen and the voice reader is activated. It is very annoying because the voice reads everything!
Help, please!
Thank you.
Hold the power button for about 10-15 seconds, through the countdown, through the red LED, and until the BB logo comes up again. This will reboot the unit.
-
Need help to set up voice VLAN in SG300
Hello
I have spent too much time on this now and need help. I'm trying to set up a voice VLAN on an SG300-28P switch. I need a Cisco 7965 phone connected to a port on the SG300-28P to use VLAN 100, and a workstation connected to the Cisco 7965 phone to use VLAN 101 on the SG300-28P. On common Cisco IOS switches this task is configured as follows:
interface gi25
 switchport mode access
 switchport access vlan 101
 switchport voice vlan 100
Trying to achieve this scenario with a Cisco SG300 switch turns into a nightmare. You have to deal with Dynamic Voice VLAN and Auto Voice VLAN mode. Then you must have a trigger configured and Auto Smartport activated. I tried to do this in the CLI and nothing helps. The Cisco 7965 receives an IP address from the access VLAN on interface Gi15, which is VLAN 101. I need it to receive an IP address from VLAN 100.
The current configuration under interface Gi15 is as follows:
interface gigabitethernet15
 storm-control broadcast enable
 storm-control broadcast level kbps 10
 storm-control include-multicast
 port security discard trap 60
 port security max 10
 port security mode max-addresses
 spanning-tree portfast
 lldp med disable
 switchport mode access
 switchport access vlan 101
 ! next command is internal
 macro auto smartport dynamic_type unknown $native_vlan 101 $voice_vlan 100
Now, I don't know how the command macro auto smartport dynamic_type unknown $native_vlan 101 $voice_vlan 100 got into the config, and I don't know how to remove it.
When I try to enter the command macro auto smartport type ip_phone_desktop under interface Gi15, I get the following error message:
The $voice_vlan macro parameter is not configurable by the user
It seems that the Auto Smartport macro ip_phone_desktop cannot apply the $voice_vlan parameter with a value of 100. In fact, I do not explicitly use this parameter at all in the macro auto smartport type ip_phone_desktop command; however, the SG300 switch knows that the voice VLAN is VLAN 100, and as it tries to use this VLAN ID as the value of the $voice_vlan parameter, the macro fails.
I tried to statically configure the voice VLAN on the SG300 switch using the command voice vlan id 100, but I couldn't get the ip_phone_desktop macro to configure interface Gi15 correctly. Then I removed the command voice vlan id 100 and got the SG300 to learn its voice VLAN ID from the UC560 connected to the SG300 through a trunk port, based on the following port configuration on the UC560 for the trunk connected to the SG300:
 switchport trunk native vlan 101
 switchport mode trunk
 switchport voice vlan 100
 macro description cisco-switch
It is the command switchport voice vlan 100 that announces to the SG300 via CDP that VLAN 100 is a voice VLAN. When I run the command show voice vlan local on the SG300, I get the following result:
VLAN ID   VPT   DSCP   Source    MAC Address          Interface
1         5     46     default   ----                 ---
* 100                  CDP       e0:5f:b9:xx:yy:zz    gi28
Thus, it is clear that the SG300 receives the information from the UC560 via CDP on port Gi28 that VLAN 100 is the voice VLAN. However, I still cannot apply the ip_phone_desktop macro to interface Gi15 on the SG300.
Also, I tried setting voice vlan state auto-triggered as well as voice vlan state auto-enabled in global configuration mode. Neither setting changes anything in the voice VLAN announced to the Cisco 7965, which continues to use VLAN 101 (the access VLAN assigned to interface Gi15).
Hello telecastle,
The macros just get in the way most of the time. From the default state of the switch, a user would set the voice VLAN ID with the commands
(config)#voice vlan id 100
* This will create VLAN 100
* You can use voice vlan ? to change your defaults for DSCP and CoS along with all the other settings.
(config)#voice vlan state auto-enabled
(config)#interface range fa1-24
(config-if-range)#switchport trunk native vlan 101
(config-if-range)#switchport trunk allowed vlan add 100
* This will set the native VLAN on the trunk to 101 for the data port and the tagged VLAN will be 101 for the voice.
CDP is enabled automatically and should learn the features of the phone and get the phone onto VLAN 101 on this port.
CDP from the UC should automatically populate the SG switch. You may need to upgrade the switch to the latest firmware, however. Also make sure that the DHCP server for the voice VLAN (if it is the UC) is configured accordingly.
Let me know if this helps.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA Security
-
Hi all
I have tried to configure a voice VLAN on these switches for the last 3 hours and for me it's impossible... I know how to do it on an IOS switch but with these switches it's a nightmare...
I have this topology
PC - IP phone - SW1 SRW224G4P - SWCORE SRW2024 - router 2921 CME
I have this config on my router:
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 192.168.5.95 255.255.255.0
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.100
 description VLAN VoIP
 encapsulation dot1Q 100
 ip address 192.168.251.1 255.255.255.0
 ip virtual-reassembly in
!
On SW1 I created VLAN 100 and enabled it as the voice VLAN.
The first 3 octets of my phone's MAC are entered in the telephony OUI table.
Auto voice VLAN membership is enabled on the port where the phone is attached.
The port connected to SWCORE has VLAN 100 configured as tagged.
On SWCORE I created VLAN 100 and enabled it as the voice VLAN.
The port connected to SW1 has VLAN 100 configured as tagged.
The port connected to the CME router has VLAN 100 configured as tagged.
If I configure another port on SWCORE with VLAN 100 tagged, I can ping from the CME to that host.
Could the problem be a VLAN propagation error?
Could someone help me? I'm desperate...
Thank you in advance.
Hi David,
Thank you for purchasing the switch.
Like riding a bike, the switch is actually very easy to set up once you practice on it...
You mentioned that you use the 'telephony OUI table'; I assume you have an SF300-24P, p/n SRW224G4P-K9-NA. Please be specific about the switch models you use.
Are you using the old SRW series or the refreshed SRWxxx-K9 (300 series) switch?
First of all, make sure you are using switch firmware version 1.1.0.73. Change this now, or check that 1.1.0.73 is the active image on the switch.
The switch has two areas to store firmware images. It stores new firmware in the unused image area. Use the Administration > Firmware Upgrade page and select the new firmware for the next reboot.
CDP is enabled on the switch when using the new software; it did not exist with older firmware, hence my insistence on upgrading the firmware.
(Personally I would prefer you to have a Catalyst switch for your CME ISR G2 application, for tech support purposes. But this is the land of the free..)
I found the following when I added my SG300-28P to a VLAN-aware UC500.
The UC500 was advertising vlan100 as a voice VLAN, configured by Cisco Configuration Assistant; you could try CCP on your ISR.
I have an IP phone plugged into switch port G7 and the uplink to my UC500 via port Gig27.
What follows in blue is a screenshot of my 300 series switch CLI.
You will notice that the switch already filled in both the VLAN and port information; the only commands I added were "no passwords complexity enable" and some usernames, which I left out of the screenshot below.
The switch basically configured itself.
-show system-
System Description: 28-Port Gigabit PoE Managed Switch
System Up Time (days,hour:min:sec): 00,00:12:04
System Contact:
System Name: switch4cf17c
System Location:
System MAC Address: d0:d0:fd:4c:f1:7c
System Object ID: 1.3.6.1.4.1.9.6.1.83.28.2
Fans Status: OK
-show version-
SW version 1.1.0.73 (date 19-Jun-2011 time 18:10:49)
Boot version 1.0.0.4 (date 08-Apr-2010 time 16:37:57)
HW version V01
-show ip interface-
Gateway IP Address      Activity status      Type
----------------------- -------------------- --------
192.168.10.1            Active               dhcp
IP Address              I/F        Type       Status
----------------------- ---------- ---------- -----------
192.168.10.17/24        vlan 1     DHCP       Valid
-show ipv6 interface-
IPv6 is disabled on all interfaces
-show running-config-
interface gigabitethernet7
 storm-control broadcast level 10
exit
interface gigabitethernet7
 storm-control include-multicast
exit
interface gi27
 spanning-tree link-type point-to-point
exit
vlan database
 vlan 100
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone___
voice vlan oui-table add 00036b Cisco_phone___
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk___
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone___
hostname switch4cf17c
no passwords complexity enable
no snmp-server server
interface gigabitethernet7
 macro description ip_phone_desktop
exit
interface gigabitethernet27
 macro description "pass | log_value | switch"
exit
interface gigabitethernet7
 ! next command is internal.
 macro auto smartport dynamic_type ip_phone_desktop
 switchport trunk allowed vlan add 100
exit
interface gigabitethernet27
 ! next command is internal.
 macro auto smartport dynamic_type switch
 switchport trunk allowed vlan add 100
exit
switch4cf17c#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone
                  M - Remotely-Managed Device, C - CAST Phone Port,
                  W - Two-Port MAC Relay
Device ID         Local      Adv  Time To  Capability  Platform             Port ID
                  Interface  Ver  Live
----------------- ---------- ---- -------- ----------- -------------------- --------
SEP503De50F133A   gi7        2    158      H P         Cisco IP Phone       eth0
                                                       SPA525G2
68bdab0fdcfd      gi27       2    169      S I         Cisco SG300-10P      gi9
                                                       (PID:SRW2008P-K9)-VOD
switch4cf17c#sh vlan
Vlan   Name   Ports                       Type         Authorization
----   ----   --------------------------- ------------ -------------
1      1      gi1-28, Po1-8               Default      Required
100    100    gi7, gi27                   permanent    Required
Notice that the switch automatically figured out which ports need to be listed in VLAN 100.
I did not tell the switch it was connected to VLAN100. I did not add vlan100 to the VLAN database.
Get the ISR router to announce VLAN100 as a voice VLAN.
Best regards, Dave
-
Microphone has stopped working - HELP, please!
Hello.
My plug-in headset and regular lapel microphone suddenly stopped working. They were working before and I know that my headset and conventional microphone are not broken.
I noticed this problem when I went into a Voice Chat room and tried to talk into the microphone: the volume bar would move only a little bit and not much.
I checked all my volume settings and nothing is low in the volume bar of the Realtek High Definition Audio or the Realtek HD Audio Manager. Everything is fine, and when I select the microphone it is selected by default and indicates that it is working correctly, but the sound does not come through.
I am running Windows Vista Home Premium; my headset is a Dynex, my plug-in microphones are a Plantronics and the one on my Logitech webcam. Help, please.
~ Marynonimous
P.S. I also went into my BIOS menu and changed my on-board audio setting from Enabled to Disabled and then back to Enabled, and this still does not work.
P.P.S. My speakers work fine. I hear people speaking in the voice chat rooms and hear the sounds of my computer. I hear them on my headset and on my speakers when I unplug my headphones, so my speakers are absolutely fine.
Well, I didn't have the headset plugged in correctly. I fixed it. Thank you. I'm sorry. Thank you. God bless you all. Love and prayers to Jesus.
-
Having trouble getting the voice VLAN on the X1052P switch to work at all
Can someone help me understand how to set up the voice VLAN on the X1052P? I spent several hours trying to get this working and it does not work. I spent about 4 hours on the phone with a Dell technician last night and he couldn't get it to work and finally gave up. He told me that I had to upgrade my warranty to ProSupport because he did not know how to solve the problem. What a group of *. It's a simple VLAN configuration. What must be so picky about it? In any case...
Setting up the VLAN should be fairly simple, but apparently on this switch it is not. The user guide page 406 is not very useful except for explaining what the different options are. I must admit I am not a VLAN expert, so I don't know if I've misconfigured something. But remember, the Dell tech could not get it working either.
Here's my situation... I have VoIP phones on my network connected to a network wall jack. Connected to the phones are my users' computers. The user's computer and its respective VoIP phone both share the same data cable. Before, with the Cisco managed switch from the Internet service provider, all of it worked well. The problem is that they had direct access to our network, so I removed that switch and installed the X1052P in its place. I talked to the ISP to let them know what I'm doing and they said all I had to do was set up VLAN ID 15 as the voice VLAN, because this is the VLAN ID that the router uses to route telephone traffic. The ISP router is also the DHCP server for VLAN 15 and issues IPs for the phones using 172.27.0.0/24 with a DHCP range of 172.27.0.50-150.
I tried to configure the switch using the static VLAN settings and the voice VLAN settings, and neither one seems to do what I want it to do.
Network Administration > VLAN > Static VLAN
Network Administration > VLAN > Voice VLAN
I activated the 'phone' profile on the ports I want added to the voice VLAN and it does not work. Moreover, switch port 47 is connected directly to the ISP router and is configured as a trunk with the default VLAN 1 untagged and VLAN 15 tagged. For the other ports I tried the general, access and trunk settings on each port to see if I could get something going, and still nothing happens. When I set up the ports as general VLAN ports, I added VLAN 1 as untagged and VLAN 15 as tagged. It still does not work.
This is the short story of where I am now. Any help is greatly appreciated.
FYI, as a follow-up, I finally solved the problem. I hope this information helps someone else who may encounter the same problem.
After buying the ProSupport warranty upgrade ($121 out of pocket, mind you) and dealing with a total of 4 ProSupport technicians plus a 3rd-level expert technician (only available via chat message between one of the ProSupport phone technicians and the 3rd-tier expert tech, i.e. I couldn't talk or chat with this person myself), the consensus was that the hardware must be bad. When I bought the X1052P I bought two of them, so the best way to know if it was a bad switch was simply to configure the other switch and see if the behavior occurs on that one too. Well, that switch also restarted each time I assigned the 'phone' profile to more than 13 or 14 ports on the switch. It seems that it was not a hardware problem after all.
I went back to the original switch and tried new things hoping that I could stumble on a solution, and it turns out that the solution was NOT to use the voice VLAN on the switch. It does not work!
SOLUTION: I set VLAN ID 15 manually and did not assign any phone profiles to any of the ports. This is how I solved the problem.
So there is bad software on the switch. I tried to see if there are firmware updates on the Dell support site, but there are none. Configuring the phone VLAN manually was the solution. What a freaking nightmare that turned out to be. Maybe someone at Dell could note this problem and test it in-house. And if you want to compensate me for the 20+ hours I spent working on this problem, that would be great, too.
-
Help PLEASE: MXL 10/40GbE and N4032
I seriously can't get STP working between these two for the life of me; any help would be appreciated.
Everything will connect and be fine for a while, but then I miss 10-20 pings for some reason. I have yet to find something to work from in the logs/debugs. So if there are any suggestions for logs/debugs I need to turn on, please let me know.
I tried general ports vs trunk ports, trunking and not trunking specific VLANs, even using RSTP instead of PVST, but I always get the same issues.
Here are the relevant configs for each switch
N4032
interface vlan 15
 ip address 10.22.15.250 255.255.255.0
spanning-tree priority 28672
spanning-tree mode rapid-pvst
spanning-tree vlan 1 priority 36864
spanning-tree vlan 15 priority 36864
spanning-tree vlan 16 priority 36864
interface Te1/0/17
 switchport mode trunk
 switchport general pvid 15
 switchport general allowed vlan add 15,16 tagged
 switchport general allowed vlan add 1 tagged
exit
interface Te2/0/17
 switchport mode trunk
 switchport general pvid 15
 switchport general allowed vlan add 15,16 tagged
 switchport general allowed vlan add 1 tagged
exit
MXL 10/40GbE
protocol spanning-tree pvst
 no disable
 vlan 1-16 bridge-priority 61440
interface TenGigabitEthernet 0/51
 no ip address
 portmode hybrid
 switchport
 no spanning-tree pvst err-disable cause invalid-pvst-bpdu
 no shutdown
!
interface TenGigabitEthernet 0/52
 no ip address
 portmode hybrid
 switchport
 no spanning-tree pvst err-disable cause invalid-pvst-bpdu
 no shutdown
interface Vlan 15
 ip address 10.22.15.122/24
 tagged TenGigabitEthernet 0/1-5,51-52
 no shutdown
!
interface Vlan 16
 no ip address
 tagged TenGigabitEthernet 0/1-5,51-52
 no shutdown
Help, please!
Yes, packets can be lost during the spanning tree election. If the alternate port status is bouncing between two ports, packets to be sent can be lost. If you want to try leaving it this way and still have 1 port discarding, you can try changing the port priority on one of the ports so that it is more likely to be the port to be discarded.
The following example configures a port to be less likely to be selected for forwarding to the root bridge, even if the host starts sending BPDUs.
console(config-if-Gi1/0/17)#spanning-tree port-priority 240
console(config-if-Gi1/0/17)#spanning-tree vlan 15 port-priority 240
-
There is no "switchport voice vlan" command on the SF300-24P!
Hello everyone
I have an urgent problem :S
I have a Small Business SF300-24P
I created two VLANs, one data and one voice,
but I have not assigned them to ports and I do not know how, because there is no "switchport voice vlan" command under the interface!
Here are the configurations
BTW the switchport mode is always trunk, as it is by default
Thanks in advance
switch0a1172#
switch0a1172#
switch0a1172#sho run
config-file-header
switch0a1172
v1.2.9.44 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
 vlan 13,20
exit
voice vlan id 20
voice vlan oui-table add 0001e3 Siemens_AG_phone___
voice vlan oui-table add 00036b Cisco_phone___
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk___
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone___
hostname switch0a1172
username cisco password encrypted c8e383b1dd7be99f878a387d87766e875404e0b3 privilege 15
ip telnet server
!
interface vlan 13
 name "VLAN13"
!
interface vlan 20
 name VOICE
!
switch0a1172#
It does it automatically via Auto Smartport, based on the default external trigger. Devices with CDP and LLDP enabled are supported.
-Tom
Please mark helpful replies as useful -
SG200-50P, SG300-28P telephony OUI voice VLAN
Hey guys,
I'm having a problem with the OUI voice VLAN on the SG200-50P and SG300-28P in layer 2 mode. Firmware 1.3.7.18.
When OUI is enabled on a port, all of that port's untagged PVID traffic is blocked.
Example:
Data VLAN 10 - 192.168.10.0/24
Voice VLAN 100 - 192.168.100.0/24
Voice VLAN configured, OUI added and enabled on the ports.
All ports configured as trunk type.
Example 1:
Membership table shows:
Port 1 - 10UP
Port 2 - 10UP
OUI disabled: 2 laptops connected to ports 1, 2, traffic passes.
OUI enabled: 2 laptops connected to ports 1, 2, traffic blocked on VLAN10.
Example 2:
Port 1 - 10UP, 100T
Port 2 - 10UP
Port 3 - 10UP
OUI enabled: 2 laptops connected to ports 2, 3, traffic blocked on VLAN10.
1 phone connected to port 1; the phone connects.
So it's working, but for some reason the untagged VLAN on that port is blocked when OUI is enabled.
I have set up this scenario on many Cisco Small Business switches before and it works very well, so I wonder: is this a firmware issue? Or am I just being stupid and doing something wrong?
Thanks for any help you can provide! :)
Hi Vladimir,
It's something Cisco is still working on. You are more than welcome to open a ticket with us and contribute actively. At this point, the only workaround is to use firmware 1.3.5, which does not show this problem.
http://www.Cisco.com/c/en/us/support/Web/TSD-Cisco-small-business-suppor...
Kind regards
Aleksandra
-
DHCP problem with Cisco SG200 voice VLAN
I have a Cisco SG200-50P connected to a Cisco 3750 switch. I just wanted to separate the voice (VLAN 2) and data (VLAN 1) VLANs. I created VLAN 2 as my voice VLAN and a separate DHCP server for VLAN 2 to give IPs to the phones. However, the IP phone connected to my voice VLAN (VLAN 2) does not receive an IP address from my VLAN 2 DHCP server.
The DHCP server is connected to the 3750 switch on an access port (VLAN 2, voice).
The two switches are connected through trunk ports with VLANs 1 & 2 allowed.
The IP phone is connected to the SG200 via an access port (VLAN 2).
Note: there is a PC connected to the IP phone.
I would be really grateful if someone could help me with this problem.
Hi Ruchiran,
To cover the basics, ensure that VLAN 2 is added to the VLAN database on the 3750. Simply use the command "show vlan id 2"; if it is not found, you must first create VLAN 2 on the 3750.
Second, if you connect the same IP phone directly to the 3750 on an access port, VLAN 2 untagged, does the phone receive an IP address as you expect?
Then, on the 3750 trunk connecting to the SG200: build the trunk by using a command like "switchport trunk allowed vlan remove 1-4094", then build the trunk more precisely with "switchport trunk allowed vlan add 2", which will tag VLAN 2 on the port.
On the SG200 switch, the port connecting to the 3750 must be defined as trunk with VLAN 2 tagged, and then the port connecting to the phone should be an access port with VLAN 2 untagged.
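The checks in the reply above, written out as an added IOS example for the 3750 side; this is not the poster's or the replier's own configuration. Port numbers (Gi1/0/10 for the DHCP server, Gi1/0/24 for the trunk to the SG200) and the VLAN name are assumptions.

```cisco
! Added example, not from the thread above. Port numbers are placeholders.
configure terminal
vlan 2
 name VOICE
exit
! DHCP server port: plain access port in VLAN 2 only.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
exit
! Trunk to the SG200: 802.1Q is mandatory on a 3750 before 'mode trunk';
! restrict the trunk to exactly the VLANs that must cross it (1 untagged as
! native, 2 tagged) rather than the default of all VLANs.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
exit
end
! Checks, in order: VLAN 2 exists, the trunk carries it, and the phone's MAC
! (learned over the trunk) and the DHCP server's MAC both show up in VLAN 2.
show vlan id 2
show interfaces GigabitEthernet1/0/24 trunk
show mac address-table vlan 2
```

One caveat on the SG200 side of the reply: an access port carries a single untagged VLAN, so the PC plugged into the back of the phone lands in VLAN 2 as well. Keeping data and voice separate needs the phone-facing port to carry VLAN 1 untagged and VLAN 2 tagged (trunk or general mode with the voice VLAN feature), so the phone tags its own traffic and passes the PC's through untagged.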
-
I'm setting up a Digium Switchvox PBX with D40 phones and Cisco SG200 switches. The PBX does not do any CDP or LLDP advertising, so I don't expect the switch to automatically determine the voice VLAN ID and I need to set it manually. How can I configure the switch manually to publish the voice VLAN via LLDP-MED? I've been tinkering for hours and cannot get the voice TLV included in the packets. Can anyone help?
Thanks in advance,
Paul
At present, my switch is configured with default VLAN 100 and all ports as 100U. When I connect a phone to any port, it is dynamically assigned to VLAN 1. Also note that I created VLAN 1.
-Tom
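When nothing upstream sends CDP or LLDP, the switch can still advertise the voice VLAN itself through a static LLDP-MED network policy. The block below is an added example of that on the Sx300 CLI; it is not the poster's or Tom's configuration. It assumes voice VLAN 100, data VLAN 1 and phone ports gi1-24. The SG200 has no CLI, so there the same settings are made on its LLDP MED network policy page in the web UI (page name assumed). The same approach applies to the SG300/7965 question earlier on this page (access VLAN 101, voice VLAN 100); note that the interface config posted there carries "lldp med disable", which suppresses the policy TLV on that port.

```cisco
! Added example, not from the thread above. Assumes voice VLAN 100, data
! VLAN 1, phone ports gi1-24 (placeholders).
configure terminal
vlan database
 vlan 100
exit
! Static voice VLAN: no CDP/LLDP trigger exists, so do not wait for one.
voice vlan id 100
voice vlan state disabled
! The automatic voice policy is derived from the voice VLAN and prevents a
! manual voice policy from being defined, so turn it off first, then define
! policy 1: application voice, VLAN 100 tagged, CoS 5, DSCP 46 (EF).
no lldp med network-policy voice auto
lldp med network-policy 1 voice vlan 100 vlan-type tagged up 5 dscp 46
! Phone ports: PC untagged on VLAN 1, phone tagged on VLAN 100, and the
! network-policy TLV enabled and bound to policy 1. An 'lldp med disable'
! on the port would stop the switch advertising anything to the phone.
interface range gi1-24
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 100
 lldp med enable network-policy
 lldp med network-policy add 1
exit
end
! Checks: the policy is defined and bound, the local LLDP data for a phone
! port carries it, and the phone shows up as a neighbor once it has moved.
show lldp med configuration
show lldp local gi1
show lldp neighbors
show voice vlan
```

With the policy advertised, a D40 that honours LLDP-MED tags its own frames with VLAN 100 and requests DHCP there, so the DHCP server or relay for 192.168.x.0 on VLAN 100 must exist on the same tagged path; the PC behind it keeps using the untagged VLAN 1.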
-
Help, please! Connected to the VPN, but cannot access internal servers.
Hi friends,
I'm a newbie on VPN stuff. I set up a basic VPN on a Cisco ASA 5505 using ASDM, and I was able to connect to it. However, I can't SSH or RDP to any of the servers in the house after I have connected to the VPN. Here is the configuration. Help, please!
ASA Version 8.2(5)
!
hostname sc-asa
domain-name abc.com
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name OpenDNS.com
access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain abc.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
group-policy abc-sc internal
group-policy abc-sc attributes
 dns-server value 208.67.222.222 192.168.1.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value abc-sc_splitTunnelAcl
 default-domain value abc.com
username a001 password xxxxxxxxxxx encrypted
username a002 password xxxxxxxxxxx encrypted
username a003 password xxxxxxxxxxx encrypted privilege 0
username a003 attributes
 vpn-group-policy abc-sc
username a004 password xxxxxxxxxxx encrypted privilege 0
username a004 attributes
 vpn-group-policy abc-sc
username a005 password xxxxxxxxxxx encrypted
username a006 password xxxxxxxxxxx encrypted
username a007 password xxxxxxxxxxx encrypted privilege 15
tunnel-group abc-sc type remote-access
tunnel-group abc-sc general-attributes
 address-pool sc-pool
 default-group-policy abc-sc
tunnel-group abc-sc ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b
: end
Hello
I would suggest you start by changing the VPN pool to something other than the current LAN network and see if that helps.
These should be the configurations required to achieve this:
- First remove the VPN pool from the VPN setup
- Then delete the VPN pool and create it again with another address space
- Then attach this new VPN pool to the VPN configuration again
- In the last step, add a NAT0 / NAT exempt entry for this new VPN pool to the NAT configuration and remove the old ACL line for the former VPN pool
tunnel-group abc-sc general-attributes
 no address-pool sc-pool
no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0
tunnel-group abc-sc general-attributes
 address-pool sc-pool
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
-Jouni
-
Help, please! Cannot access the web after connected to the VPN
Hello
I'm a newbie on Cisco products. I configured a Cisco ASA 5505 firewall with VPN. However, I can't access the web after I connect to the remote IPSec VPN. I also cannot connect to them using the IP address. But I can connect to the internal servers in the office with no problems.
Here is my setup, can someone help please? Thank you very much.
ASA Version 8.2(5)
!
hostname asa
domain-name xxxxxxxxx.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 107.204.233.222
 name-server 192.168.1.3
 domain-name xxxxxxxxx.com
access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 107.204.233.222 192.168.1.3 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxxxxxxx-sc internal
group-policy xxxxxxxx-sc attributes
 dns-server value 107.204.233.222 192.168.1.3
 vpn-tunnel-protocol IPSec
 default-domain value XXXXXXXXXX.com
username xxxxx password xxxxxxxxxxx encrypted
 vpn-group-policy xxxxxxxx-sc
tunnel-group xxxxxxxx-sc type remote-access
tunnel-group xxxxxxxx-sc general-attributes
 address-pool sc-pool
 default-group-policy xxxxxxxx-sc
tunnel-group xxxxxxxx-sc ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr [email protected]
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5c1c99b09fb26fcc36a8bf7206af8e02
: end
Hello
Try adding the following commands:
same-security-traffic permit intra-interface
nat (outside) 1 192.168.1.96 255.255.255.240
If there are still problems with the VPN then I would maybe change the VPN pool to something other than a network that conflicts with the LAN.
In that case, these configurations should do the trick.
In order from top to bottom, they do the following:
- First remove the VPN pool from the VPN configurations
- Then remove the VPN pool
- Recreate the VPN pool with a different network
- Reattach the VPN pool to the VPN configurations
- Configure NAT0 for the new VPN pool
- Remove the old ACL line from the NAT0 configuration
tunnel-group xxxxxxxx-sc general-attributes
 no address-pool sc-pool
no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
ip local pool sc-pool 192.168.2.10-192.168.2.254 mask 255.255.255.0
tunnel-group xxxxxxxx-sc general-attributes
 address-pool sc-pool
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.1.96 255.255.255.240
Of course you also need the NAT configuration for the new VPN pool's Internet traffic:
nat (outside) 1 192.168.2.0 255.255.255.0
Please rate if the information has been useful, and mark the question as answered if this resolved the issue.
-Jouni
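Both answers above boil down to the same two observations: the pool 192.168.1.100-110 is carved out of the 192.168.1.0/24 inside subnet, and every NAT-exempt ACL entry has to cover the pool as a network/mask (which is why 192.168.1.96 255.255.255.240 appears in the posted configs). The following Python script is an added example for this thread, not a tool from Jouni or from Cisco; it checks a pool range against the inside subnet, computes the covering block, and emits the ASA 8.2-style commands in the order the answers give. The tunnel-group name, the pool name sc-pool, the ACL name inside_nat0_outbound and the inside subnet 192.168.1.0/24 are assumptions taken from the posted configs.

```python
"""Check a remote-access VPN pool against the inside subnet and emit the
ASA 8.2-style re-pool commands in the order given in the thread.

Added example for this thread, not a tool from the thread. Assumptions:
the inside subnet is 192.168.1.0/24, the pool is named sc-pool and the
NAT-exempt ACL is inside_nat0_outbound, all as in the posted configs.
"""
import ipaddress

NAT0_ACL = "inside_nat0_outbound"  # NAT-exempt ACL name from the posted configs


def covering_network(first, last):
    """Smallest single CIDR block containing every address in first..last.

    A NAT-exempt ACL entry written as network/mask has to cover the whole
    pool; for 192.168.1.100-110 the block is 192.168.1.96/28, which is the
    192.168.1.96 255.255.255.240 entry seen in the thread.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("pool range is reversed")
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi > net.broadcast_address:  # widen until the last address fits
        net = net.supernet()
    return net


def pool_overlaps_lan(first, last, inside_cidr):
    """True if any pool address also belongs to the inside subnet.

    That is the situation in both posted configs (pool .100-.110 carved
    out of the 192.168.1.0/24 LAN), and it is what the answers change.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    inside = ipaddress.IPv4Network(inside_cidr)
    return not (hi < inside.network_address or lo > inside.broadcast_address)


def repool_commands(tunnel_group, pool_name, old, new, inside_cidr):
    """ASA 8.2 commands to move a pool, in the thread's order: detach, delete,
    recreate, reattach, add the NAT0 exempt for the new pool, drop the old one.

    old and new are (first, last, mask) tuples. The 'no access-list' line
    assumes the old exempt entry used the inside subnet as its source, as in
    the first answer; adjust it to match the entry actually in the config.
    """
    inside = ipaddress.IPv4Network(inside_cidr)
    old_net = covering_network(old[0], old[1])
    new_net = covering_network(new[0], new[1])
    if pool_overlaps_lan(new[0], new[1], inside_cidr):
        raise ValueError(f"new pool {new[0]}-{new[1]} still overlaps {inside}")
    exempt = (f"access-list {NAT0_ACL} extended permit ip "
              f"{inside.network_address} {inside.netmask}")
    return [
        f"tunnel-group {tunnel_group} general-attributes",
        f" no address-pool {pool_name}",
        f"no ip local pool {pool_name} {old[0]}-{old[1]} mask {old[2]}",
        f"ip local pool {pool_name} {new[0]}-{new[1]} mask {new[2]}",
        f"tunnel-group {tunnel_group} general-attributes",
        f" address-pool {pool_name}",
        f"{exempt} {new_net.network_address} {new_net.netmask}",
        f"no {exempt} {old_net.network_address} {old_net.netmask}",
    ]


def internet_nat_commands(first, last):
    """Hairpin NAT so VPN clients reach the Internet through the same outside
    interface when the tunnel is not split (the second answer's two lines)."""
    net = covering_network(first, last)
    return [
        "same-security-traffic permit intra-interface",
        f"nat (outside) 1 {net.network_address} {net.netmask}",
    ]


if __name__ == "__main__":
    old = ("192.168.1.100", "192.168.1.110", "255.255.255.0")
    new = ("192.168.2.10", "192.168.2.254", "255.255.255.0")
    print("old pool overlaps LAN:", pool_overlaps_lan(old[0], old[1], "192.168.1.0/24"))
    for line in repool_commands("xxxxxxxx-sc", "sc-pool", old, new, "192.168.1.0/24"):
        print(line)
    for line in internet_nat_commands(new[0], new[1]):
        print(line)
```

Run with the thread's values the script reports that the old pool overlaps the LAN and prints the same eight commands Jouni posted, plus the hairpin NAT pair for the new pool. Note that the generated NAT-exempt entry covers only the pool's block (192.168.2.0/24 here because the range spans almost the whole subnet); Jouni's first answer exempts the pool's entire /24 even for a small range, which is also fine as long as nothing else lives in that network.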
-
Help please
Not sure we can help you much here. It seems that the script should be updated for CC 2014.
Maybe add your voice to the comments and rating section on the plugin download site.
-
NeoSpeech engine does not work. Help, please?
I'm on a 64-bit Windows 7 platform. I have Captivate 6.01 and installed the NeoSpeech patch. It reported a successful installation, but when I go into Captivate and try to convert text to speech, it says that I have not added any voices. I checked the folders based on other discussions and it seems that the VT is in my Captivate 6 folder and that there are voices in there.
I don't know if that would be a problem or not, but I was a tester for Captivate 6 and I bought and installed a new version after uninstalling it. Help, please!
Mike Wilday
In the CP installation folder, in the subfolder Utils, you will find a batch file that deletes the Preferences folder. You will lose all customizations; when the PC restarts a new folder will be created. The folder is located in your profile:
\Users\
\AppData\Local\Adobe and is labelled Captivate 6.0
Lilybiri