Configuration Example - 3725 with CallManager Express 4.0
[Last Updated: Sunday, 09-Dec-2007 01:01:09 EST]
The following is a configuration example taken from my own
personal 3725 router that I use for IP telephony at home. When I get a
chance I will add a list of detailed comments on the relevant portions.
I primarily used examples found on CallManager Express Resource
Site as well as the Cisco
Press CallManager Express book. I ran into quite a few issues with
hardware and configuration based on my initially limited understanding of
the logic and processes behind the IOS telephony service, so I figured I'd
put this document out here to help anyone else save a little time.
The information supplied in this configuration is in no
way guaranteed to work in every situation nor officially supported by the
author. If you send me questions, I will eventually respond, though.
This document is meant to provide an example of general IOS telephony
configuration practices. The ! signifies a commented line in Cisco's
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.
Requirements
In order to support the IOS telephony service, you will
need a version of IOS that includes the voice feature set. Since voice is a
constantly evolving technology on Cisco platforms, the newer the code, the
better the features. I am currently running IOS 12.4(9)T6 Advanced IP
Services (c3725-advipservicesk9-mz.124-9.T6.bin) on a 3725 with 256MB DRAM
and 192MB Flash, NM-2V with VIC-2FXO-M1, and VIC-2FXS. This IOS version
now includes CallManager Express 4.0. Previous IOS versions all ran
CallManager Express 3.3 or earlier. This release follows the previous version
I was running [12.4(9)] but it just provides additional bug fixes under the
latest T train release. I have recently started noticing software crashes
causing my router to reboot. That is never good. So, I may be looking at
reverting back to the previous release.
The previous release fixed a consistent memory leak with SIP
registration and other strange issues with VoIP. The memory leak was quite
significant at first due to bogus SIP registrations occurring for my POTS
dial-peers. I also added 'no sip-register' to my POTS dial-peers as well as
'no-reg both' to the number on my ephone extensions and that made a dent in
the leak but did not resolve it. Upgrading to 12.4(9)T2 resolved the SIP
memory leak altogether. My SBC POTS service is plugged into one of the FXO
ports and I have a SIP VoIP service (ViaTalk) configured as an alternate
trunk provider. The internal house wiring is plugged into an FXS port on an
ATA188 adapter attached via ethernet and the Skinny protocol and I have a
handful of Cisco 7960 IP phones plugged into the network, as well.
My Setup
I have CallManager Express configured to act as a hybrid
phone system. Each IP phone has a unique extension and they also have a
shared line with the rest of the analog phones.
Incoming Calls - DID
Since POTS service doesn't support DID/DNIS, inbound calls
on the POTS line can only be forwarded to a single destination port.
Unfortunately, there is no unique call information available to make a
call routing decision.
There are 2 options (at least that I could find) to forward
the inbound call to a port or extension. The easiest way is to use
connection plar aka Private Line Auto Ringdown aka the BatPhone. When the
port is seized it will automatically ring an extension. You assign PLAR to
the incoming FXO voice-port to ring a known extension or destination
pattern. The downside to this is that anytime you seize the FXO trunk on
an outbound call it will obey the PLAR configuration. When you are trying
to dial outbound it will technically work but it is annoying to get a
call-waiting and caller-id chirp in your ear every time you initiate a
call.
A better way to forward the inbound call is to use Direct
Inward Dial (DID). The problem is that DID relies upon called number
information coming inbound from the telco. POTS lines do not send DID/DNIS
information. The nice thing is that we can at least still match a null
DNIS value and translate it to a useful extension number that will ring an
internal line.
voice translation-rule 1
 rule 1 // /299/
!
voice translation-profile default
 translate called 1
The translation rule is then applied to the incoming FXO voice-port for
inbound calls.
voice-port 1/1/0
 translation-profile incoming default
This config above only does the translation of the called number from null
to the internal extension. The trick now is that you have to match this
value and tell it to start evaluating the dial-peer destination patterns
based on it. This is done using an incoming dial-peer with Direct Inward
Dial that matches the incoming called number.
dial-peer voice 298 pots
 incoming called-number 299
 direct-inward-dial
 port 1/1/0
The direct-inward-dial command tells the dial-peer to force any matching
call to start matching the outbound call leg dial-peer immediately based
on the incoming called number. Of course, we conveniently translated that
value from null to 299 above, so any inbound call will subsequently match
an outbound dial-peer with a destination pattern of 299. Note that this
dial-peer references the FXO port on the router. This is an incoming
dial-peer statement. So, it is triggered when the call is inbound on port
1/1/0 and has an incoming called number of 299. The key action command is
the direct-inward-dial statement which tells the router to start matching
the called number (299) to any of the configured outbound dial-peers.
Outbound Calls
Alternatively, any internal extension can use the POTS line
as an outbound trunk line by dialing 8. I recently integrated ViaTalk's SIP
VoIP service as a second line and I dial 9 to get an outside line using
ViaTalk. Most VoIP providers offer dual-line with many advanced features.
This would allow for multiple phone numbers for custom inbound call
routing. Not only have I gained a 2nd and 3rd trunk line to add seamlessly
for outbound calls, I now have a separate number for work calls that only
rings certain phones in the house, as well as a dedicated fax/modem phone
number. The IOS telephony service allows for integration of SIP services so
the router can become a SIP client and proxy the call from the internal
extension or accept a call from external and forward to a particular port
or dial-peer.
Layer2 Switch Config
The Cisco 7960G IP Phones are plugged into my Catalyst
3524XL with Inline Power. Each phone port on the switch is configured for
802.1q trunking with a voice VLAN configured.
interface FastEthernet0/#
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 2
 spanning-tree portfast
The native VLAN on all of these ports is VLAN 1 which carries the rest of
my home network data. Since Cisco does not tag the native VLAN frames, any
device can plug into these ports and still function on VLAN 1. Cisco IP
phones use CDP to negotiate which VLAN the phone should send its traffic
on. When the voice VLAN is configured on a switch port, the phone
automatically learns this from CDP and tags all of the traffic originated
by the phone with that VLAN number.
Phone Boot Support
My router is configured to act as the DHCP server for all
VLANs. When the phones boot, they autoconfigure the phone's VLAN based on
the default CDP negotiation. Then they get their network address
information from the DHCP server, including the Option 150 parameter which
defines the TFTP server to load the phone configuration file and image
etc.
ip dhcp pool Phones
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 option 150 ip 192.168.2.1
 dns-server 192.168.1.5 4.2.2.1
 domain-name thewaystation.com
 lease 0 0 30
My router is currently configured as the TFTP server for the phones. I have
loaded the necessary firmware image and other ringtones and XML config
files onto the router's flash memory. Good thing it doesn't require very
much memory. I added an extra 128MB ATA Flash card into slot0: anyway just
so I'd have room for another IOS image if necessary.
tftp-server flash:P00308000500.bin
tftp-server flash:P00308000500.sbn
tftp-server flash:ringer1.pcm
tftp-server flash:P00308000500.sb2
tftp-server flash:P00308000500.loads
tftp-server flash:music-on-hold.au
tftp-server flash:NyukNyuk.raw
tftp-server flash:RingList.xml
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
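The phones load their firmware and configuration from whatever server option 150 names, so it is worth checking what a lease on the phone VLAN actually contains. The following is an added example, not part of the original configuration: it parses a DHCP option field and checks option 150 and the default router against the values in the Phones pool. The SAMPLE bytes are constructed from that pool, not captured, and the function names are hypothetical.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie preceding the options
PAD, END = 0, 255
ROUTER, DNS, DOMAIN, LEASE, TFTP_150 = 3, 6, 15, 51, 150


def parse_options(field: bytes) -> dict:
    """Walk the code/length/value options that follow the magic cookie."""
    if field[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == PAD:               # single-byte filler, carries no length
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # split options concatenate
        i += 2 + length
    return opts


def ipv4_list(value: bytes) -> list:
    """Options 3, 6 and 150 are packed lists of 4-byte IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError("address list must be a non-zero multiple of 4 bytes")
    return [ipaddress.IPv4Address(value[i:i + 4]) for i in range(0, len(value), 4)]


def check_phone_offer(field: bytes, expected_tftp: str, voice_net: str) -> list:
    """Return a list of problems with a lease handed to a phone."""
    opts, problems = parse_options(field), []
    if TFTP_150 not in opts:
        problems.append("option 150 missing: phone has no TFTP server to boot from")
    else:
        servers = ipv4_list(opts[TFTP_150])
        if servers != [ipaddress.IPv4Address(expected_tftp)]:
            problems.append(f"unexpected TFTP server(s): {[str(s) for s in servers]}")
    routers = ipv4_list(opts[ROUTER]) if ROUTER in opts else []
    if not routers or routers[0] not in ipaddress.IPv4Network(voice_net):
        problems.append("default router is not on the voice subnet")
    return problems


def opt(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value


def addrs(*ips: str) -> bytes:
    """Pack dotted-quad strings into a DHCP address list."""
    return b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)


# Constructed option field mirroring "ip dhcp pool Phones" (not a capture).
SAMPLE = MAGIC + b"".join([
    opt(53, b"\x05"),                               # message type: DHCPACK
    opt(LEASE, struct.pack("!I", 30 * 60)),         # lease 0 0 30 -> 1800 s
    opt(ROUTER, addrs("192.168.2.1")),
    opt(DNS, addrs("192.168.1.5", "4.2.2.1")),
    opt(DOMAIN, b"thewaystation.com"),
    opt(TFTP_150, addrs("192.168.2.1")),
]) + bytes([END])

if __name__ == "__main__":
    parsed = parse_options(SAMPLE)
    print("TFTP servers:", [str(a) for a in ipv4_list(parsed[TFTP_150])])
    print("lease seconds:", struct.unpack("!I", parsed[LEASE])[0])
    print("problems:", check_phone_offer(SAMPLE, "192.168.2.1", "192.168.2.0/24"))
```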
CallManager Express GUI
I also loaded the CallManager Express GUI interface into
flash to support an easier configuration interface. For detailed
installation instructions, Click
Here.
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
FXO Disconnect Problem
FXO ports with their default configuration are known to
suffer from problems with not recognizing call hangup or disconnect from
the calling or called party. The reason for this has to do with the fact
that Telco switches or PBXs expect a phone to be attached to the line and
not an FXO port. When a phone is hung up it opens the loop to indicate
on-hook. FXO ports expect the switch to signal hangup by reversing the
battery signal. So either device on either end of the connection is
expecting the other to signal the call disconnect. It can become a
standoff which keeps the line from being released in a timely fashion. In
order to fix this, there are several things shown below that can be
configured on the voice-port to assist the process.
Understanding
FXO Disconnect Problem
voice-port 1/1/0
 supervisory disconnect dualtone pre-connect
 pre-dial-delay 0
 no vad
 timeouts call-disconnect 2
 timeouts wait-release 2
 timing hookflash-out 250
By default, the FXO port supports battery-reversal
detection. This is the normal way the remote switch signals call
disconnect. Additionally, there is a feature called call supervision or
disconnect supervision. This is used to listen for call disconnect tones
that can be generated by a PBX or remote switch. There are several ways to
configure this parameter based on how the remote telco or PBX may indicate
call hangup. It is now possible to configure the disconnect tones to
be detected either continuously during calls (by configuring the
mid-call command), or only during call setup (by using the pre-connect
command in the configuration). Detection of anytone (configured by the
anytone command) operates only during call set-up. If you configure
detection of anytone, you must also enable echo cancellation to
prevent disconnection due to the detection of the router's own
ringback tone.
Finally, changing the default disconnect and wait-release
timeouts on the voice-ports is key to making this process work quickly. By
default the call-disconnect timeout is set for 60 seconds. That is way too
long to wait for the port to clear after a disconnect is received. The
wait-release timeout defaults to 30 seconds which is also rather long. By
lowering the timers to 2 seconds, things work in a much more expected
manner. Finally, in order to support Centrex type services like
call-waiting and 3 way calling, you must support the hook-flash
feature. If this command is not enabled, the router will not relay a
hook-flash event out the FXO port, thus disabling the ability to
answer call-waiting etc.
Caller ID Support
One thing to take note of: if you want caller-id (CLID) to
work on your phones, you will need to make sure you are using a
VIC-2FXO-M1 module which is supported by the NM-1V and NM-2V modules in
older platforms like the 2600, 3600, and 3700 series. Alternatively, you
will need a VIC2-2FXO module which requires the newer NM-HD-1V or NM-HD-2V
modules. These modules require newer platforms like the 2600XM, 2800,
3640/60 or 3800 series. The older VIC-2FXO modules do not support
caller-id.
You can read more about the module dependencies on the compatibility
matrix page.
Not All Dial-Peers are Treated the Same Way
Another thing I learned through experimentation and reading
is that all dial-peers are not created equal. The IOS Telephony service
doesn't really like to share a destination-pattern amongst attached FXS
ports and ephones. Really odd behavior ensues when incoming calls are
evaluated against the dial-peers. What this means is that you can't have
all your IP phones and analog phones, attached to a directly connected FXS
port, ring simultaneously like a normal shared line. The reason is that
IOS applies grouping and order to the way it matches dial-peers. All POTS
dial-peers are evaluated first. Next VOIP dial-peers are evaluated and,
finally, Virtual dial-peers created by ephone configuration.
However, there is a way around this problem if you want to
have a shared line on all IP and analog phones. The trick is to get a
Cisco ATA-186 or the newer 188 Analog Telephone Adapter platform. These
devices each have 2 FXS ports on them and an ethernet port and can run
firmware that supports Cisco's Skinny (SCCP) protocol. This allows the
device to attach to CallManager Express as an ephone. Since the phones
attached to the ATA device now appear as ephones on the router, IOS can
match all the shared ephone dial-peers and ring the phones simultaneously
without any problems.
SIP VoIP Config for 
I recently integrated ViaTalk VoIP service into my CallManager setup to gain
additional lines and cheaper long distance. Primarily I wanted to test the
quality of the service and gauge whether or not it could replace my
existing long distance package successfully. So far, things are going quite
well. The price is right with a good set of features and most importantly
they offer open access to their SIP proxy. I can make multiple outbound
calls from different extensions simultaneously. The call quality has been
really good to destinations within the US. It practically sounds like you
are right next door to someone on the other side of the country. When I
initially signed up for service, the calls I made to Canada, on the other
hand, were more equivalent to cell phone quality. There must have been
additional latency and/or jitter to contend with at the time into Canada.
Within the past couple weeks I have made a couple calls to Canada and the
quality has been just as good as within the US. The possibility of
intermittent voice quality issues with VoIP is somewhat annoying but, for
the price, I can deal with it. ;)
When you configure a SIP User Agent on your router, it will
automatically attempt to register any destination patterns for dial-peers not
associated with the SIP service. This is not a good thing. As a small home user, you
probably only have one or two valid e164 phone numbers assigned to the SIP service. So
no point in trying to register anything else. It just wastes CPU cycles and memory and
will add annoying messages in the provider's log files. The solution to keep these
unwanted numbers from attempting to register via SIP is to use the no sip-register
command on each dial-peer you want to filter. For ephones you have to use 'no-reg
[primary | secondary | both]' on the number assignment. You can filter the primary
number, secondary number, or both from registering with SIP.
sip-ua
 authentication username 1614602xxxx password xxxxxxxxxxxxxxxx
 no remote-party-id
 retry invite 4
 retry response 3
 retry bye 2
 retry cancel 2
 retry register 5
 timers register 250
 mwi-server dns:newyork.vtnoc.net expires 3600 port 5060 transport udp unsolicited
 registrar dns:newyork.vtnoc.net expires 3600
 sip-server dns:newyork.vtnoc.net
!
telephony-service
 voicemail *123
 mwi relay
 transfer-system full-consult
 transfer-pattern .T
 transfer-pattern 8.T
 secondary-dialtone 9
!
dial-peer voice 801 pots
 no sip-register
 .
 .
 .
!
dial-peer voice 901 voip
 translation-profile outgoing SIP
 destination-pattern 91[2-9].........
 session protocol sipv2
 session target dns:newyork.vtnoc.net
 dtmf-relay rtp-nte
 codec g711ulaw
 .
 .
 .
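One way to check a saved configuration for numbers that would still be sent to the provider's registrar is sketched below. It is an added example, not part of the original page: it lists POTS dial-peers that lack no sip-register and ephone-dn numbers not covered by no-reg. The SAMPLE configuration, its registrar name and its extension numbers are constructed, and treating a bare no-reg as secondary-only is an assumption.

```python
import re

DIAL_PEER = re.compile(r"^dial-peer voice (\d+) (pots|voip)\b")
EPHONE_DN = re.compile(r"^ephone-dn\s+(\d+)\b")


def sections(config: str):
    """Yield (header, sub-commands) for each dial-peer and ephone-dn section.

    A section ends at the next '!' or the next header, so this works on
    indented output and on flattened text like the listing on this page.
    """
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        is_header = bool(DIAL_PEER.match(line) or EPHONE_DN.match(line))
        if is_header or line == "!":
            if header:
                yield header, body
            header, body = (line if is_header else None), []
        elif header and line:
            body.append(line)
    if header:
        yield header, body


def still_registering(number_line: str) -> list:
    """Numbers on an ephone-dn 'number' line that no-reg does not cover."""
    tok = number_line.split()
    primary = tok[1]
    secondary = tok[3] if len(tok) > 3 and tok[2] == "secondary" else None
    mode = None
    if "no-reg" in tok:
        after = tok[tok.index("no-reg") + 1:]
        # Assumption: a bare 'no-reg' filters only the secondary number.
        mode = after[0] if after and after[0] in ("primary", "secondary", "both") else "secondary"
    live = []
    if mode not in ("primary", "both"):
        live.append(primary)
    if secondary and mode not in ("secondary", "both"):
        live.append(secondary)
    return live


def unfiltered_registrations(config: str) -> list:
    """Return (section, number-or-pattern) pairs that would still register."""
    if not re.search(r"^\s*registrar\s", config, re.MULTILINE):
        return []                     # no registrar configured, nothing is sent
    findings = []
    for header, body in sections(config):
        peer = DIAL_PEER.match(header)
        if peer and peer.group(2) == "pots":
            patterns = [l.split(None, 1)[1] for l in body
                        if l.startswith("destination-pattern ")]
            if patterns and "no sip-register" not in body:
                findings.append((header, patterns[0]))
        elif EPHONE_DN.match(header):
            for l in body:
                if l.startswith("number "):
                    findings += [(header, n) for n in still_registering(l)]
    return findings


# Constructed configuration for illustration (not the author's running-config).
SAMPLE = """\
sip-ua
 registrar dns:sip.example.net expires 3600
!
dial-peer voice 801 pots
 destination-pattern 81..........
 no sip-register
!
dial-peer voice 850 pots
 destination-pattern 85..
 port 1/0/0
!
dial-peer voice 901 voip
 destination-pattern 91[2-9].........
 session protocol sipv2
!
ephone-dn 1
 number 201 no-reg both
!
ephone-dn 2
 number 202 secondary 299 no-reg primary
!
ephone-dn 3
 number 203
!
"""

if __name__ == "__main__":
    for section, number in unfiltered_registrations(SAMPLE):
        print(f"{section}: {number} is not filtered from SIP registration")
```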
DTMF Relay is another issue that became an annoyance with ViaTalk. If you
aren't familiar, DTMF or Dual Tone Multi Frequency is the touchtone sound
when you press digits on the phone. Most IP phones do not send the DTMF
sounds in the audio stream. They use an out of band method to communicate
that a digit is being pressed to the VoIP gateway. This in turn has to be
translated on the other end so that an actual DTMF tone is sent to the end
device such as a voicemail system or conferencing system. ViaTalk supposedly
supports RFC 2833 signalling better known as RTP Named Telephone Events.
This is a method of sending the DTMF signaling using a special RTP payload
type called NTE. For the first few months that I had the ViaTalk service I
had no issues checking my work voicemail or dialing into conference calls.
Then one day I stopped being able to use these services. DTMF relay was
failing. I would press buttons on the phone but nothing would happen on the
other end.
After months of trying to figure out what is going on, I have narrowed it
down to an interoperability issue with Cisco's implementation of RTP NTE
and the Asterisk servers that ViaTalk uses. At this point you have to open
a ticket with ViaTalk and have them change your profile to use 'Auto' DTMF
relay to get it to work properly. For some reason it will not work if they
hard code the setting on their end. I do not have a specific explanation of
the problem but it has something to do with the way Asterisk has implemented
some form of negotiation with the SIP client for DTMF relay.
Additionally, once the DTMF issue has been fixed on your SIP
profile with ViaTalk, their voicemail system will still not work properly.
This is a known issue and I still have not seen an explanation or resolution
from anyone who has run into it and posted questions about it. It is obvious
that the voicemail system does not obey the DTMF relay negotiation or support
the known workaround like the Asterisk servers.
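When DTMF relay fails, a packet capture shows whether the router is sending RTP Named Telephone Events at all and whether each key press is properly terminated. The decoder below for the RFC 2833 payload is an added example, not part of the original write-up: payload type 101 and the packets in SAMPLE are assumptions constructed for illustration, and the real payload type is whatever the SDP negotiated.

```python
import struct

EVENTS = "0123456789*#ABCD"           # RFC 2833 event codes 0-15


def parse_rtp(packet: bytes) -> dict:
    """Split an RTP packet into the header fields needed here and the payload."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)                  # skip the CSRC list
    if b0 & 0x10:                                  # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * words
    payload = packet[offset:]
    if b0 & 0x20 and payload and 0 < payload[-1] <= len(payload):
        payload = payload[:-payload[-1]]           # strip RTP padding
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def telephone_events(packets, nte_pt: int = 101) -> list:
    """Group NTE packets into key presses.

    Every packet for one key press carries the same RTP timestamp: updates
    with a growing duration, then repeated packets with the end bit set.
    """
    events = {}
    for pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr["pt"] != nte_pt:
            continue                               # audio or another payload
        if len(hdr["payload"]) < 4:
            raise ValueError("telephone-event payload shorter than 4 bytes")
        event, flags, duration = struct.unpack("!BBH", hdr["payload"][:4])
        digit = EVENTS[event] if event < len(EVENTS) else f"<{event}>"
        entry = events.setdefault((hdr["ssrc"], hdr["ts"]),
                                  {"digit": digit, "duration": 0,
                                   "ended": False, "packets": 0})
        entry["duration"] = max(entry["duration"], duration)
        entry["ended"] = entry["ended"] or bool(flags & 0x80)   # E bit
        entry["packets"] += 1
    return list(events.values())


def dtmf_digits(packets, nte_pt: int = 101) -> str:
    """Digits in the order their first NTE packet appears."""
    return "".join(e["digit"] for e in telephone_events(packets, nte_pt))


def rtp(pt, seq, ts, payload, ssrc=0x1234ABCD, marker=False) -> bytes:
    """Build a minimal RTP packet (no CSRC, no extension) for the sample."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def nte(event, duration, end=False, volume=10) -> bytes:
    """Build the 4-byte telephone-event payload: event, E/R/volume, duration."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | volume, duration)


# Constructed packets (not a capture): "1", "#", then a "5" with no end packet.
SAMPLE = (
    [rtp(0, 1, 160, b"\xff" * 160)]                                   # G.711 audio
    + [rtp(101, 2 + i, 1600, nte(1, 160 * (i + 1)), marker=(i == 0)) for i in range(3)]
    + [rtp(101, 5 + i, 1600, nte(1, 640, end=True)) for i in range(3)]
    + [rtp(101, 8 + i, 9600, nte(11, 160 * (i + 1)), marker=(i == 0)) for i in range(3)]
    + [rtp(101, 11 + i, 9600, nte(11, 640, end=True)) for i in range(3)]
    + [rtp(101, 14, 17600, nte(5, 160), marker=True)]
)

if __name__ == "__main__":
    print("digits:", dtmf_digits(SAMPLE))
    for e in telephone_events(SAMPLE):
        print(e)
```

An empty result for the negotiated payload type means no NTE packets were sent, and an event whose ended flag is false never received its end packet.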
Configuring Quality of Service (QoS)
In order to guarantee latency through a "lower" speed
interface, like what is typical of the upstream bandwidth on a DSL
connection, you have to set up Class-Based Weighted Fair Queueing (CBWFQ).
This QoS mechanism only works for traffic destined out of your network and
across the DSL connection. Since you usually don't have control over the
queueing performed on your ISP's router, you cannot really influence the
incoming traffic; most of the interfaces in that path will be higher
speed anyway. The good thing, though, is that you can make sure that your
general upstream data traffic utilization plays nicely with your voice
traffic and doesn't get in the way of it.
policy-map voice-qos
 description VoIP QoS
 class voice-udp
  priority 256
 class voice-signaling
  bandwidth 128
 class class-default
  fair-queue 256
class-map match-any voice-signaling
 match dscp af31
 match protocol sip
class-map match-any voice-udp
 description Class Mapping for VoIP RTP
 match dscp ef
 match protocol rtp
interface ATM0/0.35 point-to-point
 bandwidth 512
 bandwidth receive 3008
 pvc 0/35
  vbr-nrt 512 512
  service-policy output voice-qos
  max-reserved-bandwidth 80
There is a trick to get this configuration to work with the WIC-1ADSL module
which appears as an ATM interface in the router. You have to define the pvc
traffic as vbr-nrt and identify the upstream bit rate of the connection. Then
apply the policy-map to the pvc itself under the ATM sub-interface
configuration. Without configuring vbr-nrt on the specific pvc, you will not
be able to apply the policy-map to the interface in a functioning state.
More details coming...
DISCLAIMER
No Warranty of any kind is expressed or implied with respect to the information contained in this document!
The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.
Use this information at your own risk!
Scott S. 2007
Example Configuration for IOS IP Telephony with CallManager Express 4.0
version 12.4
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r5418-1
!
boot-start-marker
boot system flash:c3725-advipservicesk9-mz.124-9.T2.bin
boot-end-marker
!
logging count
logging queue-limit 250
logging buffered 50000 informational
no logging rate-limit
logging console informational
logging monitor informational
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius default
!
aaa authentication login default local-case
aaa accounting system default start-stop group default
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip wccp 20 redirect-list 188
ip cef
!
!
ip dhcp relay information policy drop
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.250 192.168.1.255
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool Home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
netbios-node-type h-node
domain-name thewaystation.com
dns-server 192.168.1.5
lease 30
!
ip dhcp pool Laptop
host 192.168.1.10 255.255.255.0
client-identifier 01xx.xxxx.xxxx.xx
client-name WorkLaptop
default-router 192.168.1.1
netbios-node-type h-node
domain-name thewaystation.com
dns-server 192.168.1.5
lease infinite
!
ip dhcp pool Phones
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
option 150 ip 192.168.2.1
dns-server 192.168.1.5 4.2.2.1
domain-name thewaystation.com
lease 0 0 30
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name thewaystation.com
ip name-server 192.168.1.5
ip multicast-routing
ip ssh time-out 30
ip ssh rsa keypair-name r5418-1.thewaystation.com
ip ssh version 2
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect udp idle-time 60
ip inspect dns-timeout 60
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name Internet ftp alert on audit-trail on timeout 120
ip inspect name Internet fragment maximum 250 timeout 15
ip inspect name Internet tcp alert on timeout 7200
ip inspect name Internet http alert on timeout 120
ip inspect name Internet icmp alert on timeout 10
ip inspect name Internet udp alert on timeout 60
ip inspect name firewall ftp alert on audit-trail on timeout 120
ip inspect name firewall fragment maximum 250 timeout 15
ip inspect name firewall icmp alert on audit-trail on
ip inspect name firewall http alert on timeout 120
ip inspect name firewall udp alert on timeout 60
ip inspect name firewall tcp alert on timeout 7200
ip ips name Internet
ip accounting-threshold 100
ip accounting-list 192.168.1.0 0.0.0.255
!
!
trunk group outbound
!
!
!
voice service pots
!
voice service voip
sip
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
voice class codec 2
codec preference 1 clear-channel
!
!
voice statistics time-range since-reset
!
voice translation-rule 1
rule 1 // /1614xxxxxxx/
!
voice translation-rule 2
rule 1 /614xxxxxxx/ /xxxxxxx/
!
voice translation-rule 7
rule 1 /^2../ /614xxxxxxx/
!
voice translation-rule 8
rule 1 /^9\(1..........\)/ /\1/
rule 2 /^9614\(.......\)/ /\1/
rule 3 /^9\(.......\)/ /\1/
rule 4 /^9\(011.*\)/ /\1/
rule 5 /^9\([2-9]11\)/ /\1/
!
voice translation-rule 9
rule 1 /^8\(1..........\)/ /\1/
rule 2 /^8614\(.......\)/ /\1/
rule 3 /^8\(.......\)/ /\1/
rule 4 /^8\(011.*\)/ /\1/
rule 5 /^8\([2-9]11\)/ /\1/
!
voice translation-rule 91
rule 1 /^614\(.*\)/ /9\1/
rule 2 /^\(..........\)/ /91\1/
rule 3 /^\(.*\)/ /9\1/
!
!
voice translation-profile SIP
translate calling 7
translate called 8
!
voice translation-profile cid_fix
translate calling 91
!
voice translation-profile default
translate called 1
!
voice translation-profile strip_9_out
translate called 9
!
voice translation-profile voip
translate called 2
!
!
!
!
username user privilege 15 password 7 xxxxxxxxxxxxxxxxxx
!
!
class-map match-all icmp
match protocol icmp
class-map match-all outbound_hosting
match access-group 170
class-map match-any voice-signaling
match dscp af31
match protocol sip
class-map match-any match-any
match any
class-map match-any voice-udp
description Class Mapping for VoIP RTP
match dscp ef
match protocol rtp
class-map match-all outbound_access
match access-group 180
class-map match-all udp
match access-group 150
!
!
policy-map voice-qos
description VoIP QoS
class voice-udp
priority 256
class voice-signaling
bandwidth 128
class class-default
fair-queue 256
policy-map traffic_shape
class outbound_hosting
bandwidth 384
queue-limit 128
class class-default
fair-queue 512
policy-map traffic_shape_out
class outbound_hosting
bandwidth 384
queue-limit 128
class outbound_access
bandwidth 196
class icmp
police cir 128000
class class-default
fair-queue 512
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.255.254 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface ATM0/0
no ip address
atm ilmi-keepalive
atm ilmi-pvc-discovery
bundle-enable
dsl operating-mode auto
!
interface ATM0/0.35 point-to-point
bandwidth 512
bandwidth receive 3008
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 0/35
vbr-nrt 512 512
service-policy output voice-qos
max-reserved-bandwidth 80
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
description Home Data Network
ip address 192.168.1.1 255.255.255.0
ip access-group inside-out in
ip access-group inside-in out
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
no ip virtual-reassembly
ip accounting output-packets
ip accounting access-violations
ip route-cache flow
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/1
description VoIP Phone Network
ip address 192.168.2.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
no snmp trap link-status
speed 100
full-duplex
!
interface Virtual-Template1
no ip address
service-policy output traffic_shape
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
mtu 1492
bandwidth 512
bandwidth receive 3008
ip address negotiated
ip access-group internet-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect Internet out
ip ips Internet in
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin optional
ppp chap hostname user@static.sbcglobal.net
ppp chap password 7 xxxxxxxxxxxxxxxx
ppp pap sent-username user@static.sbcglobal.net password 7 xxxxxxxxxxxxxx
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1 5 permanent
!
ip flow-export version 5 origin-as
ip flow-export destination 192.168.1.5 2055
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
ip nat translation tcp-timeout 7200
ip nat translation finrst-timeout 5
ip nat translation syn-timeout 15
ip nat translation icmp-timeout 360
ip nat pool HIDE 70.142.142.116 70.142.142.116 prefix-length 29
ip nat inside source route-map NAT pool HIDE overload
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended inside-in
deny icmp any any fragments
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
deny icmp any any
permit tcp any gt 1023 host 192.168.1.5 eq www
permit tcp any gt 1023 host 192.168.1.5 eq 443
permit tcp any gt 1023 host 192.168.1.5 eq 22
permit tcp any gt 1023 host 192.168.1.5 eq smtp
permit tcp any gt 1023 host 192.168.1.5 eq ftp
permit tcp any gt 1023 host 192.168.1.5 eq ftp-data
permit udp any eq domain host 192.168.1.5 eq domain
permit udp any eq domain host 192.168.1.2 eq domain
permit udp any gt 1023 host 192.168.1.5 eq domain
permit udp any gt 1023 host 192.168.1.2 eq domain
permit tcp host 151.164.1.1 host 192.168.1.5 eq domain
permit tcp host 151.164.11.218 host 192.168.1.5 eq domain
permit tcp host 206.141.251.2 host 192.168.1.5 eq domain
permit tcp host 206.141.193.168 host 192.168.1.5 eq domain
deny tcp any range 0 65535 any range 0 65535 log-input
deny udp any range 0 65535 any range 0 65535 log-input
deny ip any any log-input
ip access-list extended inside-out
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
permit ip 192.168.1.0 0.0.0.255 host 192.168.255.254
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log-input
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255 log-input
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended internet-in
deny 53 any any log-input
deny 55 any any log-input
deny 77 any any log-input
deny pim any any log-input
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip host 255.255.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
deny icmp any any fragments
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
deny icmp any any
deny udp any any eq netbios-ns log
deny udp any any eq netbios-dgm log
deny udp any any eq netbios-ss log
permit ip any any
!
logging history informational
logging origin-id hostname
logging facility local0
logging 192.168.1.5
access-list 10 permit 192.168.1.3
access-list 10 permit 192.168.1.2
access-list 10 permit 192.168.1.5
access-list 10 permit 128.46.154.76
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 13 permit 192.168.1.5
access-list 50 permit 209.251.120.18 log
access-list 50 permit 192.168.1.0 0.0.0.255 log
access-list 50 permit 155.181.130.0 0.0.0.255 log
access-list 80 permit 192.168.1.6
access-list 98 permit 192.168.1.5
access-list 99 permit 68.79.218.254
access-list 99 permit 192.168.1.10
access-list 110 deny tcp any any eq 135
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 139
access-list 110 deny tcp any any eq 445
access-list 110 permit ip any any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
access-list 150 remark Police UDP
access-list 150 permit udp 192.168.1.0 0.0.0.255 any
access-list 160 remark CAR ICMP
access-list 160 permit icmp any any
access-list 170 remark Outbound hosting
access-list 170 permit tcp any eq www any
access-list 170 permit tcp any eq 443 any
access-list 170 permit tcp any eq ftp-data any
access-list 180 remark Outbound access
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 443
access-list 180 permit tcp any any eq ftp-data
access-list 180 permit tcp any any eq 22
access-list 188 permit tcp 192.168.0.0 0.0.3.255 any eq www
access-list 188 permit tcp 192.168.0.0 0.0.3.255 any eq 443
access-list compiled
dialer-list 1 protocol ip permit
snmp-server community xxxxxx RO 13
snmp-server enable traps tty
!
!
!
route-map NAT permit 10
match ip address NAT
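!
! Files in flash made available over TFTP: the 7960/7940 phone load
! (P00308000500, named under telephony-service), the ring tones with
! RingList.xml, and the music-on-hold file.
!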
tftp-server flash:P00308000500.bin
tftp-server flash:P00308000500.sbn
tftp-server flash:ringer1.pcm
tftp-server flash:P00308000500.sb2
tftp-server flash:P00308000500.loads
tftp-server flash:music-on-hold.au
tftp-server flash:NyukNyuk.raw
tftp-server flash:RingList.xml
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
!
control-plane
!
!
!
voice-port 1/0/0
ren 5
timeouts ringing infinity
station-id name POTS
station-id number 299
caller-id enable
!
voice-port 1/0/1
!
voice-port 1/1/0
trunk-group outbound 1
translation-profile incoming default
translate calling 91
pre-dial-delay 0
no vad
timeouts ringing infinity
timeouts wait-release 5
timing hookflash-out 250
description SBC xxx-xxx-xxxx
station-id number xxxxxxxxxx
!
voice-port 1/1/1
!
ccm-manager config server r5418-1.thewaystation.com
ccm-manager download-tones
!
!
!
dial-peer cor custom
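!
! POTS dial-peers 801-804 and 911 send calls out the analog line
! (trunk group "outbound" / voice-port 1/1/0). VoIP dial-peers 900-915
! send calls over SIP to newyork.vtnoc.net.
!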
dial-peer voice 801 pots
trunkgroup outbound
description dial 8 for outside POTS line
destination-pattern 81..........
prefix 1
no sip-register
!
dial-peer voice 802 pots
trunkgroup outbound
description local calls
destination-pattern 8[2-9]......
forward-digits 7
no sip-register
!
dial-peer voice 803 pots
description dial 0 for local operator
destination-pattern 80
port 1/1/0
prefix 0
no sip-register
!
dial-peer voice 804 pots
description any 3 digit service ending in 11, ie 611, 411
destination-pattern 8[2-9]11
port 1/1/0
forward-digits 3
no sip-register
!
dial-peer voice 900 voip
translation-profile outgoing SIP
destination-pattern 9[2-9]11
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay rtp-nte
codec g711ulaw
!
dial-peer voice 901 voip
translation-profile outgoing SIP
destination-pattern 91[2-9].........
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 902 voip
translation-profile outgoing SIP
destination-pattern 9[2-9]......
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay rtp-nte
codec g711ulaw
!
dial-peer voice 903 voip
translation-profile outgoing SIP
destination-pattern 9011T
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay rtp-nte
codec g711ulaw
!
dial-peer voice 904 voip
translation-profile outgoing SIP
destination-pattern 1[2-9].........
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 905 voip
translation-profile outgoing SIP
destination-pattern 011T
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 911 pots
description dial 911 for 911 emergency service
destination-pattern 911
port 1/1/0
prefix 911
no sip-register
!
dial-peer voice 912 voip
translation-profile outgoing SIP
destination-pattern *1
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 913 voip
translation-profile outgoing SIP
destination-pattern *67[2-9]......
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 914 voip
translation-profile outgoing SIP
destination-pattern *671..........
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
dial-peer voice 915 voip
translation-profile outgoing SIP
destination-pattern *..
session protocol sipv2
session target dns:newyork.vtnoc.net
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
!
sip-ua
authentication username 1614xxxxxxx password xxxxxxxxxxxxxxxxxxx
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 250
mwi-server dns:newyork.vtnoc.net expires 3600 port 5060 transport udp unsolicited
registrar dns:newyork.vtnoc.net expires 3600
sip-server dns:newyork.vtnoc.net:5060
!
!
!
!
telephony-service
fxo hook-flash
load 7960-7940 P00308000500
max-ephones 48
max-dn 192
ip source-address 192.168.2.1 port 2000
auto assign 1 to 1
service phone displayIdleTimeout 00:30
service phone displayOnDuration 1:00
timeouts interdigit 8
system message CME 4.0
url services http://phone-xml.berbee.com/menu.xml
time-zone 12
time-format 24
voicemail *123
mwi relay
max-conferences 4 gain -6
call-forward pattern .T
moh music-on-hold.au
web admin system name user secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
transfer-system full-consult
transfer-pattern .T
secondary-dialtone 9
after-hours block pattern 1 1900 7-24
after-hours block pattern 2 1976 7-24
directory entry 1 xxxxxxx name "Scott"
directory entry 2 xxxxxxx name "Kristi"
create cnf-files version-stamp 7960 Apr 18 2006 08:29:50
!
!
ephone-template 1
softkeys idle Redial Newcall Pickup Cfwdall Dnd
softkeys seized Redial Endcall Cfwdall Pickup Gpickup
softkeys alerting Endcall Callback
softkeys connected Hold Confrn Flash Park Trnsfer
!
!
ephone-dn 21 dual-line
call-waiting ring
number 201 no-reg both
label Den: 201
name Den
!
!
ephone-dn 23 dual-line
call-waiting ring
number 202 no-reg both
label Kitchen: 202
name Kitchen
!
!
ephone-dn 25 dual-line
call-waiting ring
number 203 no-reg both
label MBR: 203
name Master Bedroom
!
!
ephone-dn 29 dual-line
call-waiting ring
number 1614xxxxxxx no-reg primary
label 614-xxx-xxxx
!
!
ephone-dn 30 dual-line
call-waiting ring
number 1614xxxxxxx
label VoIP 614-xxx-xxxx
!
!
ephone-dn 31
number 311 no-reg both
description Paging
paging ip 225.54.18.211 port 5418
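!
! Every ephone below uses device-security-mode none: SCCP signalling to the
! phones is neither authenticated nor encrypted.
!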
ephone 1
device-security-mode none
description Den
username "user" password password
mac-address XXXX.XXXX.XXXX
ephone-template 1
paging-dn 31
type 7960
keep-conference
button 1:21 2:29 3:30
!
!
!
ephone 2
device-security-mode none
description Kitchen
username "user" password password
mac-address XXXX.XXXX.XXXX
ephone-template 1
paging-dn 31
type 7960
keep-conference
button 1:23 2:29 3:30
!
!
!
ephone 3
device-security-mode none
description Master Bedroom
username "user" password password
mac-address XXXX.XXXX.XXXX
ephone-template 1
paging-dn 31
type 7960
keep-conference
button 1:25 2:29 3:30
!
!
!
ephone 4
device-security-mode none
description Cisco ATA188 FXS Port 1
mac-address XXXX.XXXX.XXXX
type ata
keep-conference
button 1:29
!
!
!
ephone 5
device-security-mode none
description Cisco ATA188 FXS Port 2
mac-address XXXX.XXXX.XXXX
type ata
keep-conference
button 1:30
!
!
banner login ^C
Unauthorized Use Is Prohibited
Access to this device or attached networks is expressly
prohibited without express written permission.
Violators will be prosecuted to the fullest extent
of both civil and criminal law.
^C
banner motd ^C
Welcome to r5418-1.thewaystation.com!
All activity is logged and audited.
^C
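!
! Management lines: console and vty sessions have no idle timeout
! (exec-timeout 0 0), and the vty lines accept telnet as well as ssh,
! limited to the sources permitted by access-list 50.
!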
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxx
logging synchronous
transport preferred none
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 5 0
password 7 xxxxxxxxxxx
logging synchronous
modem InOut
no exec
stopbits 1
speed 19200
flowcontrol hardware
line vty 0 4
access-class 50 in
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxx
logging synchronous
transport preferred ssh
transport input telnet ssh
!
exception core-file r5418-1-core
exception protocol ftp
exception dump 192.168.1.5
ntp clock-period 17180609
ntp access-group peer 10
ntp access-group serve-only 11
ntp peer 192.168.1.3
ntp peer 192.168.1.2
ntp peer 192.168.1.5
ntp server 128.46.154.76 prefer
ntp peer 192.168.1.254
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
end
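
A small audit of the `line` blocks in the configuration above, as an added example (not part of the original configuration and not a Cisco tool): it flags lines with no idle timeout, type 7 passwords, and vty lines that accept telnet or lack an inbound access-class. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: console and vty blocks abridged from the configuration above.
SAMPLE = """\
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxx
line vty 0 4
access-class 50 in
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxx
transport input telnet ssh
!
"""

def line_blocks(config):
    """Group commands under each 'line ...' header; '!' or a new header ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        elif cmd in ("", "!"):
            current = None
        elif current:
            blocks[current].append(cmd)
    return blocks

def audit_lines(config):
    """Return (line, finding) pairs, in config order, for the checks below."""
    findings = []
    for name, cmds in line_blocks(config).items():
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "idle sessions never time out"))
        if any(re.fullmatch(r"password 7 \S+", c) for c in cmds):
            findings.append((name, "type 7 password (reversible encoding)"))
        if name.startswith("line vty"):
            # A missing 'transport input' is not judged: the default depends on the release.
            inputs = next((c.split()[2:] for c in cmds if c.startswith("transport input ")), [])
            if "telnet" in inputs or "all" in inputs:
                findings.append((name, "telnet accepted (cleartext login)"))
            if not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
                findings.append((name, "no inbound access-class"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_lines(SAMPLE):
        print(f"{name}: {finding}")
```

The parser keys on the `line` headers and `!` separators rather than indentation, so it also works on a flattened listing like the one on this page.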