Policy Based Routing with Cisco and Mikrotik, IPIP tunnel and NAT (1)

This post is, by far, one of the configurations that has made me sweat the most... several factors come into play:

1) I have a service provider that gives me 8 public IPs
2) I have to reach the provider with my own connection
3) I set up an IPIP tunnel between the Mikrotik and my Cisco router
4) NAT has to be used

The reason is that I need to use those 8 IPs, and only certain machines will go out through the IPIP tunnel / public IPs; the rest of the machines in my house will go out through my normal connection.

First of all, I'll do the config and the diagram with the Cisco as client and the Mikrotik as server:
[diagram: ipip1]

We start with the Mikrotik configuration:

/interface ipip
add disabled=no dscp=0 local-address=3.3.3.3 mtu=1480 name=ipip_craem remote-address=2.2.2.2
/ip address
add address=192.168.194.1/30 disabled=no interface=ipip_craem network=192.168.194.0
/ip route
# one /32 route per public IP, pointing at the Cisco end of the tunnel
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.2/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.3/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.4/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.5/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.6/32 gateway=192.168.194.2 scope=30 target-scope=10

First we create the tunnel and give it its IP; then, so as not to lose the network and broadcast addresses, we negotiate with the provider that they route the public IPs to us one by one, after buying the technician a few beers 😉

And now the Cisco side; we start with the tunnel:

interface Tunnel7
description TUNNEL proveedor /29
ip address 192.168.194.2 255.255.255.252 --> private IP of the tunnel
ip mtu 1480 --> adjust the MTU
ip nat outside --> my machines are behind the firewall, with NAT
ip virtual-reassembly
ip policy route-map prov_lan --> policy routing applied
qos pre-classify --> apply QoS before the traffic enters the tunnel
tunnel source 2.2.2.2 --> my public IP
tunnel destination 3.3.3.3 --> destination IP
tunnel mode ipip --> tunnel mode

We create the policy (ip local policy applies it to traffic generated by the router itself):

ip local policy route-map prov_map

We put the IPs that will go out through the tunnel into an access-list:

access-list 112 remark -> ACL NAT prov IPS PUBLICAS
access-list 112 permit ip host 172.26.2.9 any
access-list 112 permit ip host 172.26.2.11 any
access-list 112 permit ip host 172.26.2.5 any
access-list 112 permit ip host 172.26.2.6 any
access-list 112 permit ip host 172.26.2.12 any

We build the route-map that identifies those packets:

route-map prov_lan permit 10
match ip address 112
set interface Tunnel7

And now we create the NAT from the private addresses to our provider's public ones:

ip nat inside source static 172.26.2.9 1.1.1.1
ip nat inside source static 172.26.2.11 1.1.1.2
ip nat inside source static 172.26.2.5 1.1.1.3
ip nat inside source static 172.26.2.6 1.1.1.4
ip nat inside source static 172.26.2.12 1.1.1.5

If we don't enable NAT on the tunnel interface, there will be no translation and we won't be able to use the public IPs.

Now we have to apply the policy route-map to the interfaces:

interface FastEthernet0/0
bandwidth 6096
ip address dhcp
ip flow ingress
ip nat outside
ip virtual-reassembly
ip policy route-map rlan_map

interface GigabitEthernet0/1/0
ip address 172.26.2.20 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip policy route-map rlan_map
negotiation auto
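Added example, not part of the post and not Cisco tooling: a small Python consistency check over the snippets above. It verifies that every host ACL 112 steers into Tunnel7 has a static NAT entry (and vice versa) and that every `ip policy route-map` names a route-map that is actually defined; the config text inside it is constructed from the post's snippets, and as the excerpt stands it reports the two route-map names (prov_map, rlan_map) that are referenced but not defined in it.

```python
"""Consistency check for PBR + static NAT: ACL hosts sent into the tunnel must
have a static NAT entry, and every referenced route-map must exist."""
import re

# Constructed from the snippets in the post (names and addresses as shown there).
IOS_CONFIG = """
interface Tunnel7
 ip address 192.168.194.2 255.255.255.252
 ip nat outside
 ip policy route-map prov_lan
 tunnel source 2.2.2.2
 tunnel destination 3.3.3.3
 tunnel mode ipip
ip local policy route-map prov_map
access-list 112 remark -> ACL NAT prov IPS PUBLICAS
access-list 112 permit ip host 172.26.2.9 any
access-list 112 permit ip host 172.26.2.11 any
access-list 112 permit ip host 172.26.2.5 any
access-list 112 permit ip host 172.26.2.6 any
access-list 112 permit ip host 172.26.2.12 any
route-map prov_lan permit 10
 match ip address 112
 set interface Tunnel7
ip nat inside source static 172.26.2.9 1.1.1.1
ip nat inside source static 172.26.2.11 1.1.1.2
ip nat inside source static 172.26.2.5 1.1.1.3
ip nat inside source static 172.26.2.6 1.1.1.4
ip nat inside source static 172.26.2.12 1.1.1.5
interface FastEthernet0/0
 ip nat outside
 ip policy route-map rlan_map
interface GigabitEthernet0/1/0
 ip address 172.26.2.20 255.255.255.0
 ip nat inside
 ip policy route-map rlan_map
"""

ACL_HOST = re.compile(r"^access-list (\d+) permit ip host (\S+) any")
ROUTE_MAP = re.compile(r"^route-map (\S+) permit")
POLICY = re.compile(r"^\s*ip (?:local )?policy route-map (\S+)")
STATIC_NAT = re.compile(r"^ip nat inside source static (\S+) (\S+)")
MATCH_ACL = re.compile(r"^\s*match ip address (\d+)")
SET_IF = re.compile(r"^\s*set interface (\S+)")


def parse(config):
    """Collect ACL hosts, route-maps (matched ACL / set interface),
    policy references and static NAT pairs from an IOS-style config."""
    acl_hosts, route_maps, refs, nat = {}, {}, set(), {}
    current = None  # route-map stanza we are inside, if any
    for line in config.splitlines():
        if m := ACL_HOST.match(line):
            acl_hosts.setdefault(m[1], set()).add(m[2])
        elif m := ROUTE_MAP.match(line):
            current = route_maps.setdefault(m[1], {"acl": None, "iface": None})
        elif current is not None and (m := MATCH_ACL.match(line)):
            current["acl"] = m[1]
        elif current is not None and (m := SET_IF.match(line)):
            current["iface"] = m[1]
        elif m := POLICY.match(line):
            refs.add(m[1])
        elif m := STATIC_NAT.match(line):
            nat[m[1]] = m[2]
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the stanza
    return acl_hosts, route_maps, refs, nat


def check(config):
    """Return the findings as sets so callers can assert on them."""
    acl_hosts, route_maps, refs, nat = parse(config)
    pbr_hosts = set()
    for rm in route_maps.values():
        if rm["iface"] and rm["acl"] in acl_hosts:
            pbr_hosts |= acl_hosts[rm["acl"]]
    return {
        "undefined_route_maps": refs - set(route_maps),
        "pbr_hosts_without_nat": pbr_hosts - set(nat),
        "nat_hosts_without_pbr": set(nat) - pbr_hosts,
        "public_ips_in_use": set(nat.values()),
    }


if __name__ == "__main__":
    for name, items in check(IOS_CONFIG).items():
        print(f"{name}: {sorted(items) or 'none'}")
```

Keep in mind that a static NAT is bidirectional: anything the provider routes to 1.1.1.1 through the tunnel reaches 172.26.2.9 unless an inbound ACL on Tunnel7 filters it, so the public-IP list this check prints is also the list of hosts that need that filter.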

Cisco 7912 asterisk 1.x

Another post that is just a quick note.

Recently a Cisco 7912 fell into my hands to play with, and it came with SCCP firmware. On my Asterisk I only use SIP, since I have the whole system on that protocol... even the calls and the DDI.

We start by switching the phone from SCCP to SIP.

To do that, download the following file: 7912.tar

Unpack it on the TFTP server and we get these files:

[screenshot: Parte1Sip]

We create the file gkmac_address_telf.txt (gk followed by the phone's MAC address) with the following content:

#txt
# -----------------------------------------------------------------------------
# This file "gkdefault.txt" is provided as a convenience for upgrading the
# Cisco 7912G IP Phone with minimal effort.
#
# If changes are made to this file, you must run
#
# cfgfmt -tsip_ptag.dat gkdefault.txt gkdefault.cfg
#
# again to create a new profile and place it in the TFTP directory.
#
# If you plan to upgrade just one phone, you can copy gkdefault.cfg to
# gk, where is the MAC address of the target phone, such
# as gk001122334455.
#
# The phone will try to download gk first, then gkdefault.cfg
# if corresponding gk is not found on the TFTP server.
# -----------------------------------------------------------------------------

upgradecode:3,0x601,0x0400,0x0100,0.0.0.0,69,0x060111a,CP7912080000SIP060111A.sbin

# Set the GUI/Web config password to 1234; the password must NOT be 0
# (disabled) if configuring via the phone's web interface is desired.

UIPassword:1234

Save the changes, reboot the phone and wait for the SIP firmware to install.

Once that is done, we generate the file again with the data needed to register it on our Asterisk... the data:

asterisk ip: 192.168.1.1
user: 100
pass: 100

We'll have a file like this:

#txt
# -----------------------------------------------------------------------------
# Example Profile for Cisco 7905G/7912G IP Phones (SIP)
# -----------------------------------------------------------------------------
#
# IMPORTANT: File must begin with "#txt" (without the quotes) for the
# formatting tool (cfgfmt.exe) to treat it as a text file.
#
# NOTE: 1. A hash (#) at the beginning of the line is a comment. The
# formatting tool ignores any line beginning with the token.
#
# 2. All parameter/value pairs are OPTIONAL; however, they may be
# needed nevertheless for the phone to function properly
# if no prior value had been programmed.
#
# 3. Parameter values can be one of the following:
#
# a. Alphanumeric string
# Ex: SIP-4-Ever$#, 1234, #012-34la$!-
#
# b. Numeric digit string
# Ex: 593, 960135, 19690489
#
# c. Array of comma-separated short integer
# Ex: {395,65534,20,32768,105} (without brackets)
#
# d. IP address
# Ex: 192.168.2.170, 64.15.243.3
#
# e. Extended IP address -- IP address with Port
# Ex: 192.168.2.170.9001, 174.10.232.53.10364
#
# f. Boolean
# Ex: 0 or 1
#
# g. Bitmap value -- unsigned hex integer (32-bit)
# Ex: 0x00060400, 0x125f0431
#
# h. Integer (32-bit)
# Ex: 2147483647, 56, 65342
#
# ============================= UI Parameters =================================
# -----------------------------------------------------------------------------
# Parameter: UIPassword
#
# Type: Alphanumeric string (9 characters max)
#
# Description: Control access to the web page and some protected phone menus.
# If set to non-zero, then every access to the web page will
# require the value of UIPassword being entered.
#
# Default: 0 = Web interface is restricted to viewing of device
# information and network configuration and statistics.
# Parameter changes are not allowed via the web interface.

UIPassword:cisco

# ========================== Logo Upgrade Parameter ===========================
# -----------------------------------------------------------------------------
# Parameter: upgradelogo
#
# Description: Special parameter to provide information on how to upgrade the
# logo on the main LCD screen
#
# Syntax: upgradelogo:,,
#
# Options: image_id
# - A unique number that is logically associated with the logo
# file and must be incremented for each new logo upgrade;
# the factory logo is assigned '1'. Upgrading the firmware
# resets this value to '1'.
#
# tftp_ip_addr
# - TFTP server IP address where logo_filename is located
#
# logo_filename
# - Name of logo file
#
# Example: upgradelogo:4,192.168.3.105,logo.dat
#
# NOTE: The default values listed below will not trigger any upgrade.

#upgradelogo:0,0,none

# ===================== Network Configuration Parameters ======================
# -----------------------------------------------------------------------------
# Parameter: Dhcp
#
# Type: Boolean
#
# Options: 1 = Use DHCP to obtain IP, route, netmask, DNS, NTP, TFTP, etc.
# 0 = Don't use DHCP, instead use hard coded parameter values for
# IP, route, netmask, DNS, NTP, TFTP, etc.

dhcp:1

# ======================= SIP Configuration Parameters ========================
# -----------------------------------------------------------------------------
# Parameter: Proxy
#
# Type: Alphanumeric string (31 characters max)
#
# Description: IP address or domain name of SIP proxy server

Proxy:192.168.1.1

# -----------------------------------------------------------------------------
# Parameter: UID
#
# Type: Alphanumeric string (31 characters max)
#
# Description: User ID (i.e. phone number) for the line

UID:100

# -----------------------------------------------------------------------------
# Parameter: PWD
#
# Type: Alphanumeric string (31 characters max)
#
# Description: Password used for authentication

PWD:100

# -----------------------------------------------------------------------------
# Parameter: LoginID
#
# Type: Alphanumeric string (51 characters max)
#
# Description: User ID used for authentication, if different from UID.

LoginID:100

# -----------------------------------------------------------------------------
# Parameter: UseLoginID
#
# Type: Boolean
#
# Description: Indicate user ID to use for authentication
#
# Options: 0 = Use UID as user ID for authentication
# 1 = Use LoginID as user ID for authentication

UseLoginID:0

# -----------------------------------------------------------------------------
# Parameter: SIPPort
#
# Type: Integer (1 - 65535)
#
# Description: Port to listen for incoming SIP requests.
# The same port is used for sending outgoing SIP requests.

SIPPort:5060

# -----------------------------------------------------------------------------
# Parameter: SIPRegInterval
#
# Type: Integer (1 - 86400 seconds)
#
# Description: Interval between registration renewal

SIPRegInterval:3600

# -----------------------------------------------------------------------------
# Parameter: SIPRegOn
#
# Type: Boolean
#
# Description: Enable or disable SIP registration
#
# Options: 0 = Disable registration
# 1 = Enable registration

SIPRegOn:1

# -----------------------------------------------------------------------------
# Parameter: MAXRedirect
#
# Type: Integer (0 - 10)
#
# Description: Maximum number of times to try redirection
#
# Note: If set to greater than 10, default is 10 times.

MaxRedirect:5

# -----------------------------------------------------------------------------
# Parameter: OutBoundProxy
#
# Type: IP address or alphanumeric string (31 characters max)
#
# Description: Outbound proxy server that processes all outbound SIP requests.
# It can be an IP address with or without a port parameter such
# as 123.123.110.45, 123.123.110.45.5060, or 123.123.110.45:5061,
# or URL such as sip.cisco.com, sip.komodo.cisco.com:5061. For
# IP address, a '.' or ':' can be used to delimit a port
# parameter. For URL, a ':' must be used to delimit the port
# parameter.
#
# Note: If this parameter is configured, all SIP requests will be
# sent to this outbound proxy and then forwarded to the
# destination specified in the Request-URI of the SIP message.
# An outbound proxy may or may not be the same SIP proxy server.

OutBoundProxy:0

# -----------------------------------------------------------------------------
# Parameter: RxCodec
#
# Type: Integer (1 - 3)
#
# Description: Preferred receiving audio codec
#
# Options: 1 -- g711a
# 2 -- g711u
# 3 -- g729a

RxCodec:1

# -----------------------------------------------------------------------------
# Parameter: TxCodec
#
# Type: Integer (1 - 3)
#
# Description: Preferred transmitting audio codec
#
# Options: 1 -- g711a
# 2 -- g711u
# 3 -- g729a

TxCodec:3

# -----------------------------------------------------------------------------
# Parameter: MsgRetryLimits
#
# Type: Bitmap
#
# Description: Specify number of times SIP requests and final responses to
# INVITE request are retransmitted to the current SIP user agent.
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0-3 Number of times to retransmit SIP requests, except
# those listed below, and final response to INVITE
# Range: 0-15
# Default: 0 = NOTIFY retransmitted 6 times
# PRACK retransmitted 5 times
# Response to INVITE retransmitted 7 times
#
# 4-7 Number of times to retransmit REGISTER request
# Range: 0-15 Default: 0 (= 10 times)
#
# 8-11 Number of times to retransmit INVITE request
# Range: 0-15 Default: 0 (= 2 times)
#
# 12-15 Number of times to retransmit BYE request
# Range: 0-15 Default: 0 (= 4 times)
#
# 16-19 Number of times to retransmit CANCEL request
# Range: 0-15 Default: 0 (= 4 times)
#
# 20-23 Number of times to retransmit REFER request
# Range: 0-15 Default: 0 (= 5 times)
#
# 24-31 RESERVED

MsgRetryLimits:0x00000000

# ====================== Audio Configuration Parameters =======================
# -----------------------------------------------------------------------------
# Parameter: AudioMode
#
# Type: bitmap value
#
# Description: Used for controlling or fine-tuning certain audio features
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0 Silence Suppression
# 0 = Disable silence suppression
# *1 = Enable silence suppression
#
# 1-3 RESERVED. Must be set to 0.
#
# 4-5 DTMF Transmission Method
# 0 = Always inband
# *1 = Negotiated via SDP
# 2 = Always out-of-band
#
# 6-31 RESERVED. Must be set to 0.
#
# Defaults are marked with *.

AudioMode:0x00000011

# ------------------------------------------------------------------------
# Parameter: NumTxFrames
#
# Type: Integer (1 - 6)
#
# Description: Transmit frames per packet.
#
# Note: G.711 and G.729 frame sizes are 10 ms per frame.
#
# Cisco recommends that you use only the default value 2.

NumTxFrames:2

# ------------------------------------------------------------------------
# Parameter: ConnectMode
#
# Type: bitmap value
#
# Description: Connection mode of the protocol used
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0 Send INVITE requests (due to call forwarding, call
# transfer, etc.) to the URL specified in the
# corresponding header value, i.e. 302's Contact,
# Refer-To, etc.
#
# *0 = Disable. INVITE is sent via local proxy.
# 1 = Enable. INVITE is sent via specified URL.
#
# 1-3 RESERVED. Must be set to 0.
#
# 4 Include +sip.instance=... in REGISTER's Contact:
# 0 = Disable
# *1 = Enable
#
# 5-15 RESERVED. Must be set to 0.
#
# 16 Registration Removal Prior To Re-Registration
# *0 = Disable
# 1 = On power up, "Contact: *" is used to remove all
# registrations. On subsequent registration cycles,
# "Contact: ;expires=0" is used.
#
# 17 RESERVED. Must be set to 0.
#
# 18 SIP Proxy Type
# *0 = Standard or no SIP proxy
# 1 = Cisco Call Manager
#
# 19 IP Ringback and Early Media
# *0 = Do not send ringback tone to the caller
# 1 = Send ring back tone to the caller
#
# 20 Include "action=proxy" in REGISTER request
# *0 = Disable
# 1 = Enable
#
# 21 Include "action=redirect" in REGISTER request
# *0 = Disable
# 1 = Enable
#
# 22 Process "received=" tag in VIA header to automatically
# detect if phone is behind a NAT and use specified WAN IP
# *0 = Disable
# 1 = Enable
#
# 23 RESERVED. Must be set to 0.
#
# 24 Include RTP statistics in BYE and 200 response to BYE
# *0 = Disable
# 1 = Enable
#
# 25-31 RESERVED. Must be set to 0.
#
# Defaults are marked with *.
#
# Note: Setting both bits 20 & 21 is forbidden; setting both to 0
# causes the phone to not include the "action" parameter in
# the REGISTER request and leaves it up to the proxy server
# to decide what action to take.

ConnectMode:0x00000010

# -----------------------------------------------------------------------------
# Parameter: TimeZone
#
# Type: Integer (0 - 24)
#
# Description: Timezone offset from GMT for time-stamping incoming calls with
# the local time (for caller-id display, etc.)
#
# Use the following table to select the correct TimeZone value.
#
# 0 = GMT 9 = GMT + 9 18 = GMT - 7
# 1 = GMT + 1 10 = GMT + 10 19 = GMT - 6
# 2 = GMT + 2 11 = GMT + 11 20 = GMT - 5
# 3 = GMT + 3 12 = GMT + 12 21 = GMT - 4
# 4 = GMT + 4 13 = GMT - 12 22 = GMT - 3
# 5 = GMT + 5 14 = GMT - 11 23 = GMT - 2
# 6 = GMT + 6 15 = GMT - 10 24 = GMT - 1
# 7 = GMT + 7 16 = GMT - 9
# 8 = GMT + 8 17 = GMT - 8
#
# Type: Integer ( -720 thru -60, 60 thru 780)
#
# Description: Timezone offset (in minutes) from GMT used for cities/countries
# that fall on 30 and 45 minutes zones.
#
# Use the following table to select the correct TimeZone value.
#
# 210 = GMT + 3:30 Tehran
# 270 = GMT + 4:30 Kabul
# 330 = GMT + 5:30 Calcutta, Chennai, Mumbai, New Delhi
# 345 = GMT + 5:45 Kathmandu
# 390 = GMT + 6:30 Rangoon
# 570 = GMT + 9:30 Darwin, Adelaide
# -210 = GMT - 3:30 Newfoundland
#
# Formula for calculating TimeZone in Minutes:
# (#hr * 60min/hr) + #min = total #min
#
# Sample calculation for Darwin (GMT + 9:30):
# (9hr * 60min/hr) + 30min = 570min

TimeZone:1

# -----------------------------------------------------------------------------
# Parameter: NTPIP
#
# Type: IP address
#
# Description: NTP IP address. This is an OPTIONAL parameter; however, if
# this parameter value is not configured and the DHCP server
# does not provide the value, then the time and caller ID time
# information will be incorrect.

NTPIP:192.168.1.1

# -----------------------------------------------------------------------------
# Parameter: AltNTPIP
#
# Type: IP address
#
# Description: Alternate NTP IP address (if redundancy is desired)

AltNTPIP:130.206.3.166

# -----------------------------------------------------------------------------
# Parameter: UseTftp
#
# Type: Boolean
#
# Description: Indicate whether TFTP server is used for provisioning
#
# Options: 1 = Use TFTP for provisioning
# 0 = TFTP is not used for provisioning

UseTftp:1

# -----------------------------------------------------------------------------
# Parameter: TftpURL
#
# Type: Alphanumeric string (31 characters max)
#
# Description: IP address or URL of TFTP server to use.
# This value is required if the DHCP server will not provide
# the TFTP address. You can optionally include the path prefix
# to the Tftp file to download. Example: If the TFTP server IP
# address is 192.168.2.170 or www.cisco.com, and the path to
# download the Cisco phone profile is in /IP_phones, then you
# can specify the URL as 192.168.2.170/IP_phones or
# www.cisco.com/IP_phones.

TftpURL:192.168.1.1

# -----------------------------------------------------------------------------
# Parameter: CfgInterval
#
# Type: Integer (60 - 4294967295 seconds)
#
# Description: Interval (in seconds) between each configuration update.
# When TFTP is used for provisioning, at every such interval
# expiration, the box will perform a TFTP get of its
# configuration file at the earliest possible time -- when the
# box is idle). CfgInterval can be set to some random value to
# achieve random contact interval from individual phone to the
# TFTP server.
#
# Note: If set to less than 60, default is 60 seconds.

CfgInterval:3600

# -----------------------------------------------------------------------------
# Parameter: EncryptKey
#
# Type: Hexadecimal string (8 Hex digits max)
#
# Description: Key to use to decrypt the configuration profile
#
# Options: *0 = Configuration profile is not encrypted
#
# non-zero = Configuration profile is encrypted with this key,
# and the phone will decrypt the profile with this
# key.
#
# Default is marked with *.
#
# Note: The cfgfmt.exe program will automatically encrypt the binary
# file when this parameter value is non-zero.

EncryptKey:0

# -----------------------------------------------------------------------------
# Parameter: EncryptKeyEx
#
# Value Type: Hexadecimal string (64 Hex digits max)
#
# Description: Stronger encryption key to use to decrypt the configuration
# profile. When this parameter is set to a non-zero value, the
# phone will request a profile with the name .x,
# where
#
# = "ld" for Cisco 7905 IP phone
# "gk" for Cisco 7912 IP phone
# = MAC address of the Cisco IP phone
# x = extension indicating profile w/strong encryption
#
# If this parameter is set to 0, the phone will operate as if it
# only possessed the EncryptKey parameter, i.e. it will request
# its profile as without the "x" extension.
#
# Syntax: [/MAC]
#
# RC4_Key = Hexadecimal string from 1 to 64 hex digits
#
# MAC = (Optional) MAC address of the Cisco IP phone
# If this is specified, only the phone with the
# specified MAC address will be able to decrypt
# the profile.
#
# Options: *0 = EncryptKey parameter value is used.
# The phone will request file and
# decrypt it using the EncryptKey parameter value.
#
# non_zero = Configuration profile is encrypted with this
# stronger key, and the phone will request and
# decrypt the profile with this key.
#
# Default is marked with *.
#
# Note: If this parameter is specified, the cfgfmt.exe (version 2.1a
# or later) program will create two profiles. The
# .x profile will be encrypted with EncryptKeyEx
# while profile will be encrypted with
# EncryptKey.

#EncryptKeyEx:0

# -----------------------------------------------------------------------------
# Parameter: NPrintf
#
# Type: Extended IP value
#
# Syntax: .
#
# Description: For diagnostic use. Use this parameter to specify the IP
# address and port number where the phone will send its
# debug output information.
#
# The program "prserv.exe", which is included in every software
# upgrade package, is needed to capture the debug information.
# For example, to send message to the host at 192.168.2.170 and
# port number 9001, you would run "prserv 9001" on a PC and
# specify "192.168.2.170.9001" as the value of this parameter.

NPrintf:0

# -----------------------------------------------------------------------------
# Parameter: TraceFlags
#
# Type: Bitmap value
#
# Description: For diagnostic use. Use this parameter to turn ON specific
# trace features.
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0 SIP Messages Log
# *0 = Disable
# 1 = Enable
#
# 1-7 RESERVED. Must be set to 0.
#
# 8 RTP Statistics Log
# *0 = Disable
# 1 = Enable
#
# RTP statistics log is in the following format:
#
# Recv[channel number]:
#
#
#
#
#
#
# Tx[channel number]:
#
#
#
# 9-31 RESERVED. Must be set to 0.

TraceFlags:0x00000000

# -----------------------------------------------------------------------------
# Parameter: IPDialPlan
#
# Type: Integer (0 - 2)
#
# Description: Allow for detection of IP-like destination address in dial
# plan.
#
# Options: 0 = Disable IP dialing detection.
#
# 1 = If two '.' are seen, then the phone assumes that an
# IP address is being entered.
#
# 2 = If three '.' are seen, then the phone assumes that an
# IP address is being entered.

IPDialPlan:1

# -----------------------------------------------------------------------------
# Parameter: DialPlan
#
# Type: Alphanumeric string (199 characters max)
#
# Description: Dial plan rules.
#
# Note: No syntax check is performed by the actual implementation.
# It is the responsibility of the provisioner to make sure that
# the dial_plan is syntactically valid.
#
# Programmable strings of dial plan that allow one to specify:
# o special rule -- I{timeout} to control default inter-digit
# timeout - specifying this rule also has the side effect
# of preventing non-matching dial string from being sent out.
# o optional send character to use (e.g. '#' or '*')
# o how many digits before auto send
# o send after timeout at any specified number of digits
# (time out can be changed as digits are entered).
# in the following:
# o . means match any digits
# o - means more digits can be entered, this (if needed) must
# appear at the end of the individual rule
# (i.e. e.g. 1408t5- is legal, but 1408t5-3...
# is illegal).
# o ># means terminating key to send is #, and termination
# can be applied only after matching hits ># (So >*
# means terminating char is *, i.e. terminating key
# must follow >)
# o rules applied in the order of listed (whichever matched
# completely first will trigger the send).
# o tn means timeout is n seconds (note: n is 0-9 and
# a-z -- which ranges 0 to 26).
# o multiple rules are separated by |.
# o rn means repeat last pattern n times (note: 1. ># or tn are
# modifier, they are not pattern; 2. n is 0-9 and a-z --
# which ranges 0 to 26). Use the repeat modifier to specify
# more rules in less space.
#
# You can also use the modifier 'S' to seize the rule matching
# (i.e. if a rule matches and the modifier 'S' is seen, all other
# rules after that matching rule will not be used for matching).
#
# Examples 1: The set of dial plan rules:
#
# ".t7>#......t4-|911|1t7>#..........t1-|0t4>#.t7-"
#
# or equivalently
#
# ".t7>#r6t4-|911|1t7>#.r9t1-|0t4>#.t7-"
#
# consists of the following rules:
#
# .t7>#......t2- -- at least one digit need to be
# entered, after that, time out is 7 seconds
# before send, and terminating char # can also
# be applied after the first digit is entered,
# and after 7 digits are entered, time out
# change to 2 seconds. * means further digits
# can be entered as long as not terminated by
# timeout or #.
#
# 911 -- send out immediately
#
# 1t7>#..........t1- -- at least one digit need to be
# entered, after that, time out is 7 seconds
# before send, and terminating char # can also
# be applied after the first digit is entered,
# and after 10 digits are entered, time out
# change to 1 second. * means further digits can be
# entered as long as not terminated by timeout
# or #.
#
# 0t4>#.t7- -- after entering 0, if no other digit is
# entered, it will timeout and send in 4 seconds,
# otherwise, time out change to 7 seconds after
# another key is entered. again # is terminating
# digit.
# Examples 2: The set of dial plan rules:
#
# "911|1>#.r9t3.t5-|0t411t9-"
#
# if 911 entered, it will be sent out immediately.
# if 14088713344 is entered, after 3 seconds, it will
# be sent out but if another digit is entered (say
# 140887133445, the timeout changed to 5 seconds).
# if 0 is entered, after 4 seconds, it will be sent out.
# if 011 is entered, the time out changed to 9 seconds.

DialPlan:112|1>#t8.r9t2-|0>#t811.rat4-|^1t4>#.-

# -----------------------------------------------------------------------------
# Parameter: RingOnOffTime
#
# Type: Array of three short integers
#
# Description: Control phone ring characteristic.
#
# Note: Values specified below are recommended for the U.S.

RingOnOffTime:2,4,25

# -----------------------------------------------------------------------------
# Parameters: DialTone
# DialTone2
# BusyTone
# ReorderTone
# RingBackTone
# CallWaitTone
#
# Type: Array of short integers
#
# Description: Playback tones
#
# Format: For DialTone, DialTone2, BusyTone, RingBackTone, CallWaitTone
#
# NumOfTone,Freq[0],Level[0],Freq[1],Level[1],NumOfCadence,
# OnTime[0],OffTime[0],OnTime[1],OffTime[1],TotalToneTime
#
# For ReorderTone
#
# SequentialTone,NumOfTone,Freq[0],Level[0],Freq[1],Level[1],
# Freq[2],Level[2],NumOfCadence,OnTime[0],OffTime[0],
# OnTime[1],OffTime[1],OnTime[2],OffTime[2],NumOfRepeat,
# TotalToneTime
#
# Options: - NumOfTone:
# Number of frequency components (1 or 2)
# For Reorder Tone, value range is 1 to 3.
# - Freq[x] (Hz):
# Transformed frequency (-32768 to 32767)
# - Level[x] (dBm):
# Transformed amplitude (-32768 - 32767)
# - NumOfCadence:
# Number of cadence pairs (0 - 2).
# For Reorder Tone, value range is 0 to 3.
# To specify a steady tone, set value to 0.
# - OnTime[x] (s):
# Length of time tone is ON (0 - 65535)
# - OffTime[x] (s):
# Length of time tone is OFF (0 - 65535)
# - SequentialTone:
# Juxtaposed tones or sequential tones
# 0 = Juxtaposed tone, 1 = Sequential tone
# - NumOfRepeat:
# Number of times (OnTime[x], OffTime[x]) cadence pair is
# repeated before proceeding to the (OnTime[x], OffTime[x]).
# - TotalToneTime:
# The total length of time the tone is played. If set to 0,
# tone will play continuously until other call events stop
# the tone. For DialTone, BusyTone, ReorderTone, and
# RingBackTone, the unit is in number of 10 ms. For other
# tones, the unit is the number of samples.
#
# Note: 1. If NumOfCadence is set to 0, OnTime[x] and OffTime[x] must
# be set to 0.
# 2. Values specified below are recommended for the U.S.

DialTone:2,31538,814,30831,2032,0,0,0,0,0,0
DialTone2:2,30743,1384,29864,1252,0,0,0,0,0,0
BusyTone:2,30467,1104,28959,1404,1,4000,4000,0,0,0
ReorderTone:0,2,30467,1104,28959,1404,0,0,1,2000,2000,0,0,0,0,0,0
RingBackTone:2,30831,2032,30467,1104,1,16000,32000,0,0,0
CallWaitTone:1,30831,2412,0,0,1,2400,2400,0,0,4800

# -----------------------------------------------------------------------------
# Parameter: MediaPort
#
# Type: Integer (1 - 65535)
#
# Description: Base port to receive RTP media

MediaPort:16384

# -----------------------------------------------------------------------------
# Parameter: TOS
#
# Type: Bitmap value
#
# Description: ToS (Type of Service) bits. This bitmap value specifies the
# precedence and delay of Audio and Signaling IP packets.
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0-7 ToS Value For Audio Data Packets
# Range: 0-255 Default: 184 (0xb8)
#
# 8-15 ToS Value For Signaling Data Packets
# Range: 0-255 Default: 96 (0x60)
#
# 16-31 RESERVED

TOS:0x000060b8

# -----------------------------------------------------------------------------
# Parameter: SigTimer
#
# Type: Bitmap value
#
# Description: Timeout values to start/stop the following signalling events
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0-7 CALL WAITING PERIOD
# Period between each burst of call waiting tone
#
# Range: 0 - 255
# Factor: 0.1 second
# Note: 0 defaults to 100 (or 10 sec)
# Default: 100 (0x64 = 10 sec)
#
# 8-13 RESERVED. Must be set to 0.
#
# 14-19 RING TIMEOUT
# Timeout in ringing the phone after which the incoming
# call is rejected
#
# Range: 0 - 63
# Factor: 10 seconds
# Note: 0 means ring never times out
# Default: 6 (60 sec)
#
# 20-25 NO ANSWER TIMEOUT
# Time to declare no answer and initiate call forwarding
# on no answer
#
# Range: 0 - 63
# Factor: 1 second
# Default: 20 (0x14 = 20 sec)
#
# 26-27 RESERVED. Must be set to 0.
#
# 28-29 FIRST KEY REPEAT INTERVAL
# The minimum time required initially for the Volume or
# Navigation key to be pressed before the highlight bar
# begins to move automatically.
#
# Range: 0 to 3
# Default: 0 (1 second)
#
# 0 = 1 sec 1 = Disable Key Repeat
# 2 = 2 sec 3 = 3 sec
#
# 30-31 SUBSEQUENT KEY REPEAT INTERVAL
# The minimum time required subsequently for Volume or
# Navigation key to be pressed to keep the highlight bar
# moving automatically.
#
# Range: 0 to 3
# Default: 0 (0.25 second)
#
# 0 = 0.25 sec 1 = 0.5 sec
# 2 = 0.75 sec 3 = 1 sec

SigTimer:0x01418064

# -----------------------------------------------------------------------------
# Parameter: OpFlags
#
# Type: Bitmap value
#
# Description: Turn ON/OFF various operational features
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0 TFTP CONFIGURATION FILE NAME
# *0 = Do not use internally generated TFTP configuration
# file name
# 1 = Always use the internally generated TFTP
# configuration file name
#
# 1 NETWORK PROBING ON POWER UP
# 0 = Probe the static network router on power up
# *1 = Do not perform static network router probing at
# power up
#
# 2 RESERVED. Must be set to 0.
#
# 3 DHCP OPTION 150
# *0 = Ask for DHCP option 150 in DHCP DISCOVERY message
# 1 = Do not ask for DHCP option 150 in DHCP DISCOVERY
# message (some DHCP servers will not respond if
# option 150 is requested)
#
# 4 NETWORK OPERATION
# *0 = Assume normal operation without VLAN
# 1 = Assume operation under VLAN (the VLAN ID is
# specified in VLANSetting, see VLANSetting parameter)
# Multicast is disabled
#
# 5 VLAN ENCAPSULATION
# *0 = Use VLAN IP encapsulation
# 1 = Do not use VLAN IP encapsulation, i.e. force
# turning OFF VLAN IP encapsulation
#
# 6 Cisco Discovery Protocol (CDP)
# *0 = Use CDP discovery
# 1 = Do not perform CDP discovery. Multicast is disabled
#
# 7 WEB CONFIGURATION ACCESS
# *0 = Allow web configuration
# 1 = Do not allow web configuration
#
# 8 TFTP REFRESH ACCESS
# *0 = Allow force profile update via http://ip/refresh
# 1 = Do not allow http://ip/refresh
#
# 9 REMOTE RESET ACCESS
# *0 = Allow reset of the phone via http://ip/reset
# 1 = Do not allow reset of the phone via http://ip/reset
#
# 10-14 RESERVED. Must be set to 0.
#
# 15 UDP CHECKSUM GENERATION
# *0 = Generate UDP checksum in outgoing UDP packets
# 1 = Do not generate UDP checksum in outgoing UDP packets
#
# 16-31 RESERVED. Must be set to 0.

OpFlags:0x00000002

# -----------------------------------------------------------------------------
# Parameter: VLANSetting
#
# Type: Bitmap value
#
# Description: Control various VLAN settings
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0-2 Specify 802.1Q priority for Signalling IP packets
# 3-5 Specify 802.1Q priority for Audio Voice IP packets
# 6-17 RESERVED. Must be set to 0.
# 18-29 Specify 802.1Q VLAN ID
# 30-31 RESERVED. Must be set to 0.

VLANSetting:0x0000002b
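SigTimer, OpFlags and VLANSetting each pack several fields into one hex value, and OpFlags bits 7-9 decide whether the phone's HTTP configuration, refresh and reset paths stay open. The following Python, an added example and not part of the vendor profile or its tooling, applies the bit ranges from the comments above to the values set in this file; the field names and helper functions are my own.

```python
"""Decode the SigTimer, OpFlags and VLANSetting bitmaps of the phone profile."""

# (name, low bit, width, (num, den) scale or None), transcribed from the bit
# tables in the profile comments; "reserved_*" ranges must be zero.
SIGTIMER_FIELDS = [
    ("call_waiting_tone_period", 0, 8, (1, 10)),   # factor 0.1 s
    ("reserved_8_13", 8, 6, None),
    ("ring_timeout", 14, 6, (10, 1)),              # factor 10 s
    ("no_answer_timeout", 20, 6, (1, 1)),          # factor 1 s
    ("reserved_26_27", 26, 2, None),
    ("first_key_repeat_interval", 28, 2, None),
    ("subsequent_key_repeat_interval", 30, 2, None),
]
VLANSETTING_FIELDS = [
    ("signalling_priority", 0, 3, None),
    ("audio_priority", 3, 3, None),
    ("reserved_6_17", 6, 12, None),
    ("vlan_id", 18, 12, None),
    ("reserved_30_31", 30, 2, None),
]
# OpFlags bits where a 1 turns a remote HTTP management path OFF.
OPFLAGS_MGMT_BITS = {7: "web configuration", 8: "http://ip/refresh", 9: "http://ip/reset"}
OPFLAGS_VLAN_BIT = 4   # 1 = operate under the VLAN ID given in VLANSetting


def field(value, low, width):
    """Extract `width` bits starting at bit `low`."""
    return (value >> low) & ((1 << width) - 1)


def decode(value, fields):
    """{name: raw field value} for one bitmap parameter."""
    return {name: field(value, low, width) for name, low, width, _ in fields}


def in_seconds(value, fields):
    """{name: seconds} for the timer fields that carry a scale factor."""
    out = {}
    for name, low, width, scale in fields:
        if scale:
            num, den = scale
            out[name] = field(value, low, width) * num / den
    return out


def nonzero_reserved(value, fields):
    """Reserved ranges that are not zero (the profile says they must be)."""
    return [name for name, low, width, _ in fields
            if name.startswith("reserved") and field(value, low, width)]


def open_management_paths(opflags):
    """HTTP management paths the phone still accepts (bit clear = allowed)."""
    return [path for bit, path in OPFLAGS_MGMT_BITS.items() if not field(opflags, bit, 1)]


def effective_vlan(opflags, vlansetting):
    """VLAN ID the phone will tag with, or None when OpFlags bit 4 says to
    operate without VLAN (then the ID in VLANSetting is not applied)."""
    if not field(opflags, OPFLAGS_VLAN_BIT, 1):
        return None
    return field(vlansetting, 18, 12)


def parse_profile(text):
    """'Name:value' lines of the text profile (before cfgfmt); '#' = comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, val = line.partition(":")
            params[name.strip()] = val.strip()
    return params


# Values exactly as set in the profile above.
PROFILE = "SigTimer:0x01418064\nOpFlags:0x00000002\nVLANSetting:0x0000002b\n"

if __name__ == "__main__":
    p = {k: int(v, 16) for k, v in parse_profile(PROFILE).items()}
    print("timers:", in_seconds(p["SigTimer"], SIGTIMER_FIELDS))
    print("vlan fields:", decode(p["VLANSetting"], VLANSETTING_FIELDS))
    print("VLAN in use:", effective_vlan(p["OpFlags"], p["VLANSetting"]))
    print("HTTP paths still open:", open_management_paths(p["OpFlags"]))
```

On this file it reports SigTimer at its defaults, VLAN tagging off (OpFlags bit 4 clear, so VLANSetting's ID is not applied) and all three HTTP paths still allowed.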

# -----------------------------------------------------------------------------
# Parameter: NatServer
#
# Type: Alphanumeric string (47 characters max)
#
# Description: IP address or domain name of a server to which a dummy,
# single-byte UDP packet is sent to maintain a NAT during
# a session.
#
# Syntax: [:port]
# If port number is not specified, 5060 is assumed.

NatServer:0

# -----------------------------------------------------------------------------
# Parameter: NatTimer
#
# Type: Bitmap value
#
# Description: This parameter provides control over the transmission interval
# and destination server of Keep Alive packets.
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0-11 SIP/RTP Keep Alive (KA) period in seconds (0-2047)
# Specify the interval in which a dummy packet is sent
# out through the specified SIP and RTP ports to keep
# the port bindings on the NAT/firewall open
#
# 12-17 RESERVED. Must be set to 0.
#
# 18 SIP KA destination:
# 0 = NatServer
# 1 = ProxyServer
#
# 19 RESERVED. Must be set to 0.
#
# 20 Enable KA for SIPPort (send to either NatServer or
# Proxy)
#
# 21 Enable KA for MediaPort (send to NatServer)
#
# 22 Enable KA for MediaPort + 4 (send to NatServer)
#
# 23-31 RESERVED. Must be set to 0.
#
# Note: 1. If NatServer is not specified (0) or invalid, then the
# only available option is to enable SIP KA to Proxy Server.
#
# 2. If KA period is 0, all KA are disabled; but still can
# do NATIP mapping.

NatTimer:0

# ============================ Caller Preferences =============================

# -----------------------------------------------------------------------------
# Parameter: CallForwardNumber
#
# Type: Numeric digit string (31 digits max)
#
# Description: Phone number to forward all calls
#
# Note: Set value to zero (0) to disable this feature.

CallForwardNumber:0

# -----------------------------------------------------------------------------
# Parameter: VoiceMailNumber
#
# Type: Numeric digit string (31 digits max)
#
# Description: Phone number to access voice mail
#
# Note: Set value to zero (0) to disable this feature.

VoiceMailNumber:1234

# -----------------------------------------------------------------------------
# Parameter: CallFwdBusyNumber
#
# Type: Numeric digit string (31 digits max)
#
# Description: Phone number to forward busy calls
#
# Note: Set value to zero (0) to disable this feature.

CallFwdBusyNumber:0

# -----------------------------------------------------------------------------
# Parameter: DisplayName
#
# Type: Alphanumeric string (31 characters max)
#
# Description: Display Name used in outgoing Caller ID
#
# Note: Set value to zero (0) to disable this feature.

DisplayName:100

# -----------------------------------------------------------------------------
# Parameter: ShortName
#
# Type: Alphanumeric string (31 characters max)
#
# Description: Name to be displayed on phone's LCD screen.
#
# Note: Set value to zero (0) to disable this feature and display
# the value in "DisplayName", if any, on the LCD screen.

ShortName:100

# -----------------------------------------------------------------------------
# Parameters: TimeFormat
# DateFormat
#
# Type: Alphanumeric string (15 characters max)
#
# Description: Strings that control the Time and Date format as it appears
# on the top line of the LCD display.
#
# Special characters are:
#
# h = 12 hour format
# H = 24 hour format
# i = Minute
# I = Minute
# a = AM
# A = AM
# p = PM
# P = PM
# m = Month in number (1 - 12)
# M = Month in abbreviation (Jan - Dec)
# d = Day in number (1 - 31)
# D = Day in number (1 - 31)
# y = Year in 2 digits (00 - 99)
# Y = Year in 4 digits (0000 - 9999)
# : = Colon blinks every second
# 0 = Time or date is not displayed
#
# All other characters are shown as is.
#
# Examples: TimeFormat Sample Display
# ---------- --------------
# h:ia 2:00p or 11:00a
# H:i 14:00
# 0 Time is not displayed
#
# DateFormat Sample Display
# ---------- --------------
# m-d-y 04-20-05
# M d, Y Apr 20, 2005
# M. D, y Apr. 20, 05
# Y/m/d 2005/04/20
# Y M. D 2005 Apr. 20
# 0 Date is not displayed

TimeFormat:h:ia
DateFormat:m-d-y

# -----------------------------------------------------------------------------
# Parameter: DoNotDisturb
#
# Type: Boolean
#
# Description: Enable or disable "Do Not Disturb"
#
# Options: 0 = Deactivate "Do Not Disturb" feature
# 1 = Activate "Do Not Disturb" feature

DoNotDisturb:0

# -----------------------------------------------------------------------------
# Parameter: BlockCallerId
#
# Type: Boolean
#
# Description: Enable or disable blocking of outgoing Caller ID
#
# Options: 0 = Do not block outgoing Caller ID
# 1 = Block outgoing Caller ID

BlockCallerId:0

# -----------------------------------------------------------------------------
# Parameter: CallWaiting
#
# Type: Boolean
#
# Description: Enable or disable call waiting for every call
#
# Options: 0 = Disable call waiting for every call
# 1 = Enable call waiting for every call

CallWaiting:1

# -----------------------------------------------------------------------------
# Parameter: AttendedTransfer
#
# Type: Boolean
#
# Description: Enable or disable attended call transfer
#
# Note: If attended call transfer is disabled, the "Trnsfer"
# softkey will not be shown on the LCD screen.
#
# Options: 0 = Disable attended call transfer
# 1 = Enable attended call transfer

AttendedTransfer:1

# -----------------------------------------------------------------------------
# Parameter: BlindTransfer
#
# Type: Boolean
#
# Description: Enable or disable blind transfer
#
# Note: If blind transfer is disabled, the "BlndXfr" softkey
# will not be shown on the LCD screen.
#
# Options: 0 = Disable blind transfer
# 1 = Enable blind transfer

BlindTransfer:1

# -----------------------------------------------------------------------------
# Parameter: Conference
#
# Type: Boolean
#
# Description: Enable or disable 3-way conference
#
# Note: If 3-way conference is deactivated, "Confrn" softkey
# will not be shown on the LCD screen.
#
# Options: 0 = Deactivate 3-way conference
# 1 = Enable 3-way conference

Conference:1

# -----------------------------------------------------------------------------
# Parameter: BlockAnonymous
#
# Type: Boolean
#
# Description: Enable or disable blocking of anonymous incoming calls
#
# Note: If enabled, anonymous incoming calls will be rejected.
#
# Options: 0 = Deactivate blocking of anonymous incoming call
# 1 = Activate blocking of anonymous incoming call

BlockAnonymous:0

# -----------------------------------------------------------------------------
# Parameter: ForwardToVMDelay
#
# Type: Integer (1 - 4294967295 seconds)
#
# Description: Number of seconds before forwarding a call to the
# VoiceMailNumber, if configured.
#
# Note: This setting has no effect if VoiceMailNumber is not
# provisioned OR the value is 0 or greater than the ring timeout
# value (see SigTimer bits 14-19).

ForwardToVMDelay:20

# -----------------------------------------------------------------------------
# Parameters: CallPrefGuiShow
# CallPrefGuiSet
#
# Type: Bitmap value
#
# Description: CallPrefGuiShow provides the ability to control whether a
# call preference option is displayed on the LCD screen.
#
# CallPrefGuiSet provides the ability to control whether a
# call preference option can be set by an end user if it is
# displayed on the LCD screen.
#
# Options: Bit Values
# ----- --------------------------------------------------------
# 0 Do Not Disturb (DND)
#
# 1 Call Waiting
#
# 2 Block Caller ID
#
# 3 Call Forward All
#
# 4 RESERVED
#
# 5 RESERVED
#
# 6 Display Name
#
# 7 Time Format
#
# 8 Date Format
#
# 9 Voice Mail
#
# 10 Call Transfer
#
# 11 Blind Transfer
#
# 12 Conference
#
# 13 Short Name
#
# 14-23 RESERVED
#
# 24 Block Anonymous Calls
#
# 25 RESERVED
#
# 26 Forward to Voice Mail Delay
#
# 27 Call Forward On Busy
#
# 28 Show Registration Status Icon
# (If set in CallPrefGuiShow, registration status icon
# will be displayed on LCD screen. This bit has no
# effect in CallPrefGuiSet.)
#
# 29-31 RESERVED

CallPrefGuiShow:0xffffffff
CallPrefGuiSet:0xffffffff

We save the file on the TFTP server, and now the file has to be compiled so the phone can read it.

To do this, using the cfgfmt.linux utility that comes with the files (or the Windows one), we convert the file from the command line:


#cfgfmt.linux fichero_origen.txt fichero_destino

Set the permissions and done.

IPsec VPN between Cisco ASA and Mikrotik

Another entry that is just a quick note.

Today it is time to detail the configuration of an IPsec VPN between a Cisco ASA and a Mikrotik x86.

Scenario:

HOST
192.168.0.1
<->
CISCO ASA
192.168.0.254 INSIDE
1.1.1.1 OUTSIDE
<->
INTERNET
<->
MIKROTIK
192.168.11.254 INSIDE
2.2.2.2 OUTSIDE
<->
HOST
192.168.11.1/24

With this layout, we start with the configuration on the Mikrotik side:


/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=59m59s name=cisco pfs-group=modp1024

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des
exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey
secret=miSuperSecreto send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.11.0/24 src-port=any tunnel=yes
/ip neighbor discovery

And the NAT rule to exempt the traffic inside the IPsec tunnel from NAT:


/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 src-address=192.168.11.0/24

And now the Cisco side:

access-list 100 remark --> acl denegar nat vpn
access-list 100 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0
access-list 110 remark --> acl permitir_vpn
access-list 110 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.0.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic dynmap
crypto map dyn-map 30 match address 110
crypto map dyn-map 30 set peer 2.2.2.2
crypto map dyn-map 30 set transform-set myset
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key miSuperSecreto

We ping from the endpoints to generate interesting traffic for the VPN, and we're done!

IPsec over GRE + OSPF, Mikrotik vs Cisco, part 1

Today's entry is one of those that took me the longest to put together.

I have quite a few Cisco routers at customer sites, and most of the VPNs (more than 50) run IPsec over GRE with EIGRP; that way all the sites see each other and I do not have to worry about routes.

The idea is to set up virtual Mikrotik routers to make better use of the space, save power, and so on.

The scenario I propose is simple:

On one side we have the local network, 192.168.80.0/24, and at the other end the network 192.168.2.0/24.

The network we will use for the tunnel will be 172.30.0.0/30.

We start with the Cisco router configuration:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key superClave address 1.1.1.1 no-xauth

crypto ipsec transform-set trans_3des esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile mikro
set transform-set trans_3des

We put IPsec in transport mode so as not to lose the routing information, among other things, and we create a profile for the tunnel to the Mikrotik.

We create the GRE tunnel:

interface Tunnel5
description CONNECTED TO oficina mikrtik
ip address 172.30.0.1 255.255.255.252
ip mtu 1476
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
tunnel protection ipsec profile mikro

And we configure OSPF, with its areas:

router ospf 10
log-adjacency-changes
redistribute static subnets
network 192.168.2.0 0.0.0.255 area 0
network 172.30.0.0 0.0.0.3 area 0

And finally, the static route to the remote network (for now I cannot get it to work any other way):

cisco(conf-if)# ip route 192.168.80.0 255.255.255.0 tunnel 5

And now on to the Mikrotik:

/interface ethernet
/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=1.1.1.1 mtu=1476
name=tunnel5 remote-address=2.2.2.2

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=59m59s name=
cisco pfs-group=none

/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=
ospf-in metric-bgp=auto metric-connected=20 metric-default=1
metric-other-ospf=auto metric-rip=20 metric-static=20 name=default
out-filter=ospf-out redistribute-bgp=no redistribute-connected=as-type-1
redistribute-other-ospf=as-type-1 redistribute-rip=no
redistribute-static=as-type-1 router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=
backbone type=default
add area-id=192.168.80.0 disabled=no instance=default name=area11 type=
default
/routing ospf-v3 instance
set [ find default=yes ] disabled=no distribute-default=never metric-bgp=auto
metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20
metric-static=20 name=default redistribute-bgp=no redistribute-connected=
no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no
router-id=0.0.0.0

/ip address
add address=192.168.80.254/24 comment="added by setup" disabled=no interface=
ether1_lan network=192.168.80.0
add address=1.1.1.1/32 disabled=no interface=public_interface network=
1.1.1.1
add address=172.30.0.2/30 disabled=no interface=tunnel5 network=172.30.0.0
/ip dhcp-server config
set store-leases-disk=5m

/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key comment=
"tunel IPSEC pruebas angel" dh-group=modp1024 disabled=no dpd-interval=2m
dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d
my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=
superClave send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=2.2.2.2/32 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=cisco protocol=47
sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=
1.1.1.1/32 src-port=any tunnel=no
/ip neighbor discovery
set ether1_lan disabled=no
set public_interface disabled=no
set tunnel5 disabled=yes

/ip route
add comment="added by setup" disabled=no distance=1 dst-address=0.0.0.0/0
gateway=1.1.1.2 scope=30 target-scope=10

/routing filter
add action=accept chain=ospf-out disabled=no distance=1 invert-match=no
prefix=192.168.80.0/24 protocol=connect,ospf set-bgp-prepend-path=""

/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m
gateway-selection=no-gateway origination-interval=5s preferred-gateway=
0.0.0.0 timeout=1m ttl=50
/routing ospf area range
add advertise=yes area=area11 cost=calculated disabled=no range=
192.168.80.0/24
/routing ospf interface
add authentication=none authentication-key="" authentication-key-id=1 cost=10
dead-interval=40s disabled=no hello-interval=10s instance-id=0 interface=
all network-type=broadcast passive=no priority=1 retransmit-interval=5s
transmit-delay=1s use-bfd=no
add authentication=none authentication-key="" authentication-key-id=1 cost=10
dead-interval=40s disabled=no hello-interval=10s instance-id=0 interface=
public_interface network-type=broadcast passive=yes priority=1
retransmit-interval=5s transmit-delay=1s use-bfd=no
/routing ospf network
add area=backbone comment="local lan" disabled=no network=192.168.80.0/24
add area=backbone comment="tunnel 5 network" disabled=no network=
172.30.0.0/30
/system clock
set time-zone-name=Europe/Madrid
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=
"jan/01/1970 00:00:00" time-zone=+00:00
set name=cpd_router
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
set enabled=yes mode=unicast primary-ntp=130.206.3.166 secondary-ntp=
130.206.3.166
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
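Both IPsec pairs on this page (the ASA to Mikrotik tunnel in the previous post and the GRE transport-mode tunnel in this one) negotiate 3DES, MD5 and DH group 2 / modp1024, and phase-2 lifetime and PFS are set independently on each side. The following Python, an added example and not part of either post or of RouterOS / IOS tooling, parses the relevant lines of both vendors' snippets (copied from above and trimmed) and reports the weak algorithms and the cross-side mismatches; the regexes only understand the keywords that appear on this page.

```python
import re

# Algorithms and DH groups that a new site-to-site VPN should no longer offer.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac",
        "modp768", "modp1024"}


def parse_routeros(text):
    """RouterOS export -> [(section, {key: value}), ...]. Commands that the
    export wrapped onto several lines are re-joined before parsing."""
    items, section, buf = [], None, ""

    def flush():
        joined = re.sub(r"=\s+", "=", buf)      # "name=\ncisco" -> "name=cisco"
        if joined.strip():
            items.append((section, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', joined))))

    for line in text.splitlines():
        s = line.strip()
        if s.startswith("/"):
            flush(); buf, section = "", s
        elif s.startswith(("add ", "set ")):
            flush(); buf = s
        elif s:
            buf += " " + s                        # continuation of a wrapped command
    flush()
    return items


def ros_seconds(s):
    """RouterOS time string to seconds: '30m' -> 1800, '59m59s' -> 3599."""
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", s))


def weak_tokens(text):
    """Sorted weak algorithm names found in either vendor's syntax."""
    found = {t.lower() for t in re.split(r"[\s,=]+", text) if t.lower() in WEAK}
    found |= {"dh-group-" + g for g in re.findall(r"^\s*group ([12])\b", text, re.M)}
    return sorted(found)


def cross_check(ros_text, cisco_text, cisco_default_p2_life=3600):
    """Compare the proposal each Mikrotik policy uses with the Cisco side.
    Returns a list of findings (empty = consistent). IOS uses 3600 s for the
    IPsec SA lifetime when none is configured; the ASA snippet sets 28800."""
    items = parse_routeros(ros_text)
    proposals = {kv.get("name"): kv for sec, kv in items if sec == "/ip ipsec proposal"}
    policies = [kv for sec, kv in items if sec == "/ip ipsec policy"]
    cisco_pfs = re.search(r"\bset pfs\b", cisco_text) is not None
    cisco_transport = re.search(r"^\s*mode transport\b", cisco_text, re.M) is not None
    m = re.search(r"security-association lifetime seconds (\d+)", cisco_text)
    cisco_life = int(m.group(1)) if m else cisco_default_p2_life
    findings = []
    for pol in policies:
        prop = proposals.get(pol.get("proposal"), {})
        ros_pfs = prop.get("pfs-group", "none") != "none"
        if ros_pfs != cisco_pfs:
            findings.append(f"pfs: mikrotik={ros_pfs} cisco={cisco_pfs}")
        ros_life = ros_seconds(prop.get("lifetime", "30m"))
        if ros_life != cisco_life:
            findings.append(f"phase-2 lifetime: mikrotik={ros_life}s cisco={cisco_life}s")
        if (pol.get("tunnel") == "no") != cisco_transport:
            findings.append("transport/tunnel mode mismatch")
    return findings


# Relevant lines of the configurations above (trimmed; the GRE proposal keeps
# the line wrap exactly as the RouterOS export printed it).
MIKROTIK_ASA = """
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32 dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 lifetime=1d
/ip ipsec policy
add action=encrypt dst-address=192.168.0.0/24 proposal=default src-address=192.168.11.0/24 tunnel=yes
"""
CISCO_ASA = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map dyn-map 30 set transform-set myset
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
MIKROTIK_GRE = """
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=59m59s name=
cisco pfs-group=none
/ip ipsec policy
add action=encrypt dst-address=2.2.2.2/32 proposal=cisco protocol=47 tunnel=no
"""
CISCO_GRE = """
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set trans_3des esp-3des esp-md5-hmac
 mode transport
"""

if __name__ == "__main__":
    for name, ros, cisco in (("ASA", MIKROTIK_ASA, CISCO_ASA), ("GRE", MIKROTIK_GRE, CISCO_GRE)):
        print(name, "weak:", weak_tokens(ros + cisco), "findings:", cross_check(ros, cisco))
```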

Cisco PIX 515E with Movistar Futura

This entry is another quick note.

Today we configure a PIX 515E directly against the Movistar ONT, tagging VLAN 6.

For this we assume we have a PIX running 7.2.x and the ONT working.

We set the interfaces up like this:

!
interface Ethernet0
no nameif
security-level 0
no ip address
!
interface Ethernet0.6
vlan 6
nameif outside
security-level 0
pppoe client vpdn group telefonica
ip address pppoe setroute

And we create the PPPoE group with the usual user / password:

vpdn group telefonica request dialout pppoe
vpdn group telefonica localname adslppp@telefonicanetpa
vpdn group telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password adslppp

and the rest of the globals and NATs, as always.

enjoy your firewall 😉

Automated backups on Cisco IOS

This time, taking advantage of a feature of Cisco IOS > 12.3, we will automate the backups of our configurations.

For this we need:

1º) A reachable TFTP server
2º) Access to the router console

This time we will schedule a copy of our routers' configuration every Friday at 22:00; to do so, we enter the console and type:

r01(config)#kron occurrence copiaViernes at 22:00 Fri recurring
r01(config-kron-occurrence)#policy-list respaldo_config
Kron: Policy Accepted, Policy respaldo_config needs to be configured
r01(config-kron-occurrence)#kron policy-list respaldo_config
r01(config-kron-policy)#cli show running-config | redirect tftp://ip.de.srv.tftp/cisco_config.txt
r01(config-kron-policy)#exit

And with that we have our config backup plan 😉
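Once the Friday copies land on the TFTP server, the useful next step is to compare each one with the previous one so that configuration changes nobody planned stand out. This Python, an added example and not part of the post, diffs two backups after dropping the lines IOS rewrites on every save and lists the added lines that deserve a look; the two snapshots are constructed from a few lines of an IOS configuration, and the review patterns are my own assumptions.

```python
import difflib
import re

# Lines IOS rewrites on every save or boot; they differ between two backups
# with no configuration change and are dropped before comparing.
VOLATILE_PREFIXES = (
    "Building configuration",
    "Current configuration :",
    "! Last configuration change",
    "! NVRAM config last updated",
    "! No configuration change since",
    "ntp clock-period",
)

# Additions worth a look before the next backup overwrites the trail
# (assumed patterns; extend to taste).
REVIEW_PATTERNS = [
    r"^ip http (secure-)?server$",
    r"^username \S+",
    r"^access-list \d+ permit (ip )?any( any)?$",
    r"^no (service password-encryption|aaa new-model)$",
    r"^line vty",
]


def normalize(cfg):
    """Configuration lines that carry meaning, volatile ones removed."""
    return [ln.rstrip() for ln in cfg.splitlines()
            if ln.strip() and not ln.startswith(VOLATILE_PREFIXES)]


def config_drift(old, new):
    """(added, removed) line lists between two backups, in file order."""
    old_l, new_l = normalize(old), normalize(new)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, old_l, new_l, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old_l[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new_l[j1:j2])
    return added, removed


def needs_review(added):
    """Subset of the added lines matching REVIEW_PATTERNS."""
    return [ln for ln in added
            if any(re.match(p, ln.strip()) for p in REVIEW_PATTERNS)]


# Two constructed Friday backups: the second one has the web server switched
# on and a wider vty access list than the first.
FRI_1 = """Current configuration : 5274 bytes
!
! Last configuration change at 13:12:21 ESPANA Thu Jul 5 2012
! NVRAM config last updated at 13:12:21 ESPANA Thu Jul 5 2012
!
version 12.4
hostname router
!
no ip http server
no ip http secure-server
!
access-list 23 permit 192.168.0.0 0.0.255.255
line vty 0 4
 access-class 23 in
 password password
 login
!
ntp clock-period 17208156
end
"""
FRI_2 = FRI_1.replace(
    "! Last configuration change at 13:12:21 ESPANA Thu Jul 5 2012",
    "! Last configuration change at 09:41:02 ESPANA Fri Jul 13 2012",
).replace("ntp clock-period 17208156", "ntp clock-period 17208160"
).replace("no ip http server\n", "ip http server\n"
).replace("access-list 23 permit 192.168.0.0 0.0.255.255\n",
          "access-list 23 permit 192.168.0.0 0.0.255.255\naccess-list 23 permit any\n")

if __name__ == "__main__":
    added, removed = config_drift(FRI_1, FRI_2)
    print("+", added)
    print("-", removed)
    print("review:", needs_review(added))
```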

Testing AAA RADIUS on Cisco IOS

This entry is another quick note.

For client VPN access I usually use RADIUS authentication against Active Directory, so to grant access you only have to enable the "dial-in" permission on each user.

We assume we have a router with Cisco IOS 12.4 and that we have configured the whole AAA part as usual; now it is time to debug.

From the router console we run:

# terminal monitor
# debug radius

The command in question is:

test aaa group radius pruebas prueba new-code

What it does is test the user pruebas / password pruebas against the configuration we have in RADIUS, the definition on the router being:

radius-server host 172.26.2.100 auth-port 1812 acct-port 1813
radius-server key clavePrecompartida

And we assume the rest of AAA is correct, the user / password being pruebas/pruebas

router#test aaa group radius pruebas prueba new-code
Trying to authenticate with Servergroup radius

router#Aug 21 21:23:40.506: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Aug 21 21:23:40.506: RADIUS: AAA Unsupported Attr: interface [157] 0
Aug 21 21:23:40.506: RADIUS/ENCODE: Skip encoding 0 length AAA attribute interface
Aug 21 21:23:40.506: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 21 21:23:40.506: RADIUS(00000000): Config NAS IP: 0.0.0.0
Aug 21 21:23:40.506: RADIUS(00000000): sending
Aug 21 21:23:40.506: RADIUS/ENCODE: Best Local IP-Address 172.26.2.250 for Radius-Server 172.26.2.100
Aug 21 21:23:40.506: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645/230, len 59
Aug 21 21:23:40.506: RADIUS: authenticator 80 B3 48 6D 92 D0 D4 03 - 62 CB A0 57 7B 3F 2E 50
Aug 21 21:23:40.506: RADIUS: User-Password [2] 18 *
Aug 21 21:23:40.506: RADIUS: User-Name [1] 9 "pruebas"
Aug 21 21:23:40.506: RADIUS: NAS-Port [5] 6 60000
Aug 21 21:23:40.506: RADIUS: NAS-IP-Address [4] 6 172.26.2.250
Aug 21 21:23:40.510: RADIUS: Received from id 1645/230 172.26.2.100:1812, Access-Reject, len 20
Aug 21 21:23:40.510: RADIUS: authenticator C0 01 36 A9 46 B2 C0 EA - 1B 61 58 DF 87 C3 9C E4
Aug 21 21:23:40.510: RADIUS(00000000): Received from id 1645/230User rejected

In this case the RADIUS server has answered us and rejected the user, so we have good news and bad news:

- Good news: the router is able to reach the RADIUS server and it handles our requests, so the pre-shared key is in principle correct.

- Bad news: it has rejected our user's request, either because the user / password was mistyped or because the user does not have the "dial-in" right.

We double-check the user / password and try again:

router#test aaa group radius pruebas pruebas new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

router#
Aug 21 21:28:10.779: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Aug 21 21:28:10.783: RADIUS: AAA Unsupported Attr: interface [157] 0
Aug 21 21:28:10.783: RADIUS/ENCODE: Skip encoding 0 length AAA attribute interface
Aug 21 21:28:10.783: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 21 21:28:10.783: RADIUS(00000000): Config NAS IP: 0.0.0.0
Aug 21 21:28:10.783: RADIUS(00000000): sending
Aug 21 21:28:10.783: RADIUS/ENCODE: Best Local IP-Address 172.26.2.250 for Radius-Server 172.26.2.100
Aug 21 21:28:10.783: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645/231, len 59
Aug 21 21:28:10.783: RADIUS: authenticator B4 A2 AB 32 2A 2D 2D 94 - 0E 9F 01 76 D3 11 C9 9C
Aug 21 21:28:10.783: RADIUS: User-Password [2] 18 *
Aug 21 21:28:10.787: RADIUS: User-Name [1] 9 "pruebas"
Aug 21 21:28:10.787: RADIUS: NAS-Port [5] 6 60000
Aug 21 21:28:10.787: RADIUS: NAS-IP-Address [4] 6 172.26.2.250
Aug 21 21:28:10.807: RADIUS: Received from id 1645/231 172.26.2.100:1812, Access-Accept, len 64
Aug 21 21:28:10.807: RADIUS: authenticator 0F ED 4B 8C 4F DA B3 C9 - 0A 4F 3A 8B 66 E6 0D 57

Aug 21 21:28:10.807: RADIUS: Framed-Protocol [7] 6 PPP [1]
Aug 21 21:28:10.807: RADIUS: Service-Type [6] 6 Framed [2]
Aug 21 21:28:10.811: RADIUS: Class [25] 32
Aug 21 21:28:10.811: RADIUS: 52 76 05 8F 00 00 01 37 00 01 C0 A8 02 64 01 CD [Rv?????7?????d??]
Aug 21 21:28:10.811: RADIUS: 7F E0 20 13 31 ED 00 00 00 00 00 00 00 09 [?? ?1?????????]
Aug 21 21:28:10.811: RADIUS(00000000): Received from id 1645/231
Aug 21 21:28:10.811: RADIUS(00000000): Unique id not in use
Aug 21 21:28:10.811: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
Aug 21 21:28:10.811: RADIUS: Constructed " ppp negotiate"

Now it has worked; we typed the user / password correctly.
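The two debug runs above are read by matching the Send Access-Request line with the Received line carrying the same packet id. This Python, an added example and not from the post, does that pairing over the lines shown above and also covers the third outcome the post does not show, a request that is never answered; the NO_REPLY sample is constructed and contains only the request lines, so the classifier does not depend on the exact wording of IOS retransmit messages.

```python
import re

SEND = re.compile(r"Send Access-Request to (?P<server>\S+:\d+) id (?P<id>\d+/\d+)")
RECV = re.compile(r"Received from id (?P<id>\d+/\d+) (?P<server>\S+:\d+), (?P<code>Access-\w+)")
# "RADIUS: Service-Type [6] 6 Framed [2]" -> attribute name and decoded value
ATTR = re.compile(r"RADIUS:\s+(?P<name>[A-Z][\w-]+)\s+\[\d+\]\s+\d+\s+(?P<value>\S.*?)\s*$")


def classify(debug_text):
    """Pair every Access-Request with its reply by RADIUS packet id.
    Returns {id: {"server": host:port, "result": accept|reject|no-response,
    "attrs": {attribute: value}}}; attrs are those of the reply only."""
    exchanges, reply = {}, None
    for line in debug_text.splitlines():
        m = SEND.search(line)
        if m:
            exchanges[m["id"]] = {"server": m["server"], "result": "no-response", "attrs": {}}
            reply = None                       # request attributes are not collected
            continue
        m = RECV.search(line)
        if m and m["id"] in exchanges:
            reply = exchanges[m["id"]]
            reply["result"] = {"Access-Accept": "accept", "Access-Reject": "reject"}.get(
                m["code"], m["code"].lower())
            continue
        m = ATTR.search(line)
        if m and reply is not None:
            reply["attrs"][m["name"]] = m["value"]
    return exchanges


def verdict(exchange):
    """The reading of one exchange, in the post's good-news / bad-news terms."""
    if exchange["result"] == "accept":
        attrs = ", ".join(f"{k}={v}" for k, v in exchange["attrs"].items())
        return "authenticated; server returned: " + attrs
    if exchange["result"] == "reject":
        return ("server reachable and answering; user/password or dial-in right wrong "
                "(a wrong shared secret can also end as Reject, since User-Password is "
                "hidden with that secret, or as no answer at all, depending on the server)")
    return ("no reply from the server: check reachability, UDP 1812 filtering, "
            "the NAS client entry on the server and the shared secret")


# Lines from the two 'debug radius' runs above (trimmed to the ones the
# classifier keys on) plus a constructed run that never gets an answer.
REJECTED = """\
Aug 21 21:23:40.506: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645/230, len 59
Aug 21 21:23:40.506: RADIUS: User-Name [1] 9 "pruebas"
Aug 21 21:23:40.510: RADIUS: Received from id 1645/230 172.26.2.100:1812, Access-Reject, len 20
Aug 21 21:23:40.510: RADIUS(00000000): Received from id 1645/230User rejected
"""
ACCEPTED = """\
Aug 21 21:28:10.783: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645/231, len 59
Aug 21 21:28:10.787: RADIUS: User-Name [1] 9 "pruebas"
Aug 21 21:28:10.807: RADIUS: Received from id 1645/231 172.26.2.100:1812, Access-Accept, len 64
Aug 21 21:28:10.807: RADIUS: Framed-Protocol [7] 6 PPP [1]
Aug 21 21:28:10.807: RADIUS: Service-Type [6] 6 Framed [2]
Aug 21 21:28:10.811: RADIUS: Class [25] 32
Aug 21 21:28:10.811: RADIUS: 52 76 05 8F 00 00 01 37 00 01 C0 A8 02 64 01 CD [Rv?????7?????d??]
"""
NO_REPLY = """\
Aug 21 21:30:00.000: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645/232, len 59
Aug 21 21:30:00.000: RADIUS: User-Name [1] 9 "pruebas"
"""

if __name__ == "__main__":
    for run in (REJECTED, ACCEPTED, NO_REPLY):
        for pid, ex in classify(run).items():
            print(pid, ex["result"], "->", verdict(ex))
```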

Replacing a Vodafone / Comunitel router with VoIP by a Cisco 827, 17xx or 18xx

This is a config I had from a while back.

When Comunitel (now Vodafone / Tele2) installs an ADSL line, the phones have to be connected to the ADSL router, which in practice means VoIP.

It is a fairly closed provider and it is not easy to get the connection details from them, but after a lot of insisting I got them.

The reason for replacing it is that I need to set up a VPN and I like to have both ends under my control, so we go ahead, and for that we need:

1º) VoIP / ADSL user / password
2º) Gatekeeper IPs
3º) VoIP IP

We start from the following premises:

1º) They split the ADSL connection into 2 circuits: circuit 1 data, circuit 2 voice; that way they make sure voice gets its bandwidth.

2º) In my case I had a Telsey with 2 BRIs (ISDN), so the configuration for analogue lines differs a little, though not much.

3º) The connection is PPPoA; I do not know whether that is correct, but it has worked for me.

4º) Voice must go "exclusively" over the voice circuit, so we will have to steer it with a route-map.

Once we have this data, we configure our router, knowing that the ATM circuit is PPPoA. In my case I used a Cisco 1760:

Password:
zeusII#sh run
Building configuration…

Current configuration : 6752 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname zeusII
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxxxxx
!
no aaa new-model
memory-size iomem 25
clock timezone ESPANA 1
clock summer-time ESPANA recurring last Sun Mar 2:00 last Sun Oct 3:00
tdm clock bri-auto
voice-card 2
!
voice-card 3
!
ip cef
!
!
!
!
no ip domain lookup
ip domain name dominio.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
isdn switch-type basic-net3
!
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
h323
!
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g729r8
!
!
!
!
!
translation-rule 1201
Rule 1 ^0 12010
Rule 2 ^1 12011
Rule 3 ^2 12012
Rule 4 ^3 12013
Rule 5 ^4 12014
Rule 6 ^5 12015
Rule 7 ^6 12016
Rule 8 ^7 12017
Rule 9 ^8 12018
Rule 10 ^9 12019
!
!
!
!
!
!
interface Loopback0
ip address ip.de.voip 255.255.255.255
ip policy route-map TRAFICO_VOIP
h323-gateway voip interface
h323-gateway voip id gatekeeper1 ipaddr ip.gatekeeper.1.voip 1719 priority 126
h323-gateway voip id gatekeeper2 ipaddr ip.gatekeeper.2.voip 1719
h323-gateway voip h323-id userVoIP@bcn.comunitel.es$PASSWORD
h323-gateway voip bind srcaddr ip.de.voip
!
interface ATM0/0
no ip address
no ip redirects
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode ansi-dmt
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
description CIRCUITO_SOLO_INTERNET
pvc datos 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0.2 point-to-point
description CIRCUITO_VOIP
bandwidth 256
ip unnumbered Loopback0
pvc voz 0/34
cbr 448
inarp 1
no ilmi manage
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
hold-queue 100 out
!
interface BRI3/0
no ip address
isdn switch-type basic-net3
isdn overlap-receiving
isdn protocol-emulate network
isdn layer1-emulate network
isdn spid1 num.telefono.linea
isdn caller num.telefono.linea
isdn incoming-voice voice
isdn skipsend-idverify
line-power
!
interface BRI3/1
no ip address
isdn switch-type basic-net3
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn skipsend-idverify
line-power
!
interface Dialer1
ip address IP.PUBLICA.O.DHCP
ip nat outside
ip nbar protocol-discovery
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname usuario.adsl@iservicesmail
ppp chap password passwordadsl

ip nat inside source list 101 interface dialer 1 overload
ip local policy route-map TRAFICO_VOIP
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server

access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 remark -- Marcado y routing del trafico de VoIP
access-list 100 permit ip any any dscp cs5
access-list 100 permit ip host ip.de.voip.solo any
access-list 101 remark --> acl permitirNAT
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map TRAFICO_VOIP permit 10
match ip address 100
set ip precedence critical
set interface ATM0/0.2
!
!
!
control-plane
!
!
!
voice-port 2/0
input gain 8
output attenuation 14
echo-cancel coverage 32
cptone ES
timeouts interdigit 5
description PUERTO_0_FXS
station-id number numero.telefono
caller-id enable
!
voice-port 2/1
input gain 6
output attenuation 14
echo-cancel coverage 32
cptone ES
timeouts interdigit 5
description puerto_1_FXS
caller-id enable
!
voice-port 3/0
output attenuation 7
echo-cancel coverage 32
compand-type a-law
cptone ES
timeouts interdigit 5
description PUERTO_0_RDSI_
!
voice-port 3/1
output attenuation 7
echo-cancel coverage 32
compand-type a-law
cptone ES
timeouts interdigit 5
description PUERTO_1_RDSI_
!
!
!
!
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
huntstop
destination-pattern numero.telefono
incoming called-number .
direct-inward-dial
port 2/0
!
dial-peer voice 1201986 voip
description SALIENTES NACIONALES-MOVILES 9 DIG PUERTO FAX Y ENTRANTES FAX
huntstop
destination-pattern numero.telefono
translate-outgoing called 1201
no modem passthrough
voice-class codec 1
voice-class source interface Loopback0
session target ras
incoming called-number .
fax rate disable
fax protocol none
ip qos dscp cs5 media
ip qos dscp cs5 signaling
no vad
!
dial-peer voice 12011234 voip
description SALIENTES RESTO FAX
huntstop
destination-pattern .T
translate-outgoing called 1201
no modem passthrough
voice-class codec 1
voice-class source interface Loopback0
session target ras
fax rate disable
fax protocol none
ip qos dscp cs5 media
ip qos dscp cs5 signaling
no vad
!
dial-peer voice 2 pots
incoming called-number .
direct-inward-dial
port 3/0
!
dial-peer voice 3 pots
incoming called-number .
direct-inward-dial
port 3/1
!
num-exp 1201090 1201333
gateway
timer receive-rtp 1200
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
password password
login
!
ntp clock-period 17208156
ntp server hora.rediris.es source FastEthernet0/0 prefer
end

zeusII#

Cisco 87x with Movistar Futura

Another quick note, on configuring a Cisco 87x with Movistar fibre:

Current configuration : 5274 bytes
!
! Last configuration change at 13:12:21 ESPANA Thu Jul 5 2012
! NVRAM config last updated at 13:12:21 ESPANA Thu Jul 5 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password password
!
no aaa new-model
clock timezone ESPANA 1
clock summer-time ESPANA recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool redLocal
import all
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.254
domain-name lan.local
!
!
ip cef
no ip domain lookup
ip domain name lan.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
description FIBRA MOVISTAR
switchport access vlan 6
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description CONNECTED TO LOCAL LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan6
description VLAN DATOS TELEFONICA
no ip address
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname adslppp@telefonicanetpa
ppp chap password 0 adslppp
ppp pap sent-username adslppp@telefonicanetpa password 0 adslppp
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 100 remark –> ACL NO NAT
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
password password
login
!
scheduler max-task-time 5000
ntp server 130.206.3.166 prefer source Dialer1
end

Configuring NetFlow on Cisco routers

This entry is more of a quick note.

NetFlow is a protocol designed by Cisco for collecting information about the IP traffic passing through a device; it is quite useful when you have branch sites connected over VPN and want to see in detail what the bandwidth is being spent on.

We won't go into detail on the collector software, since there are several options, for both Windows and Linux, free and commercial.

To start, log in to the router and, on the public interface (or the one closest to the NetFlow collector), enter the following commands (we assume the public interface is Fa0/0):

router#conf t
router(config)#interface fa0/0
router(config-if)#ip route-cache flow

Now we configure the export destination and version:

ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination ip.del.netflow.x 9996

And now collect and analyse the traffic.
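To see what the collector listening on UDP 9996 actually receives once the router exports version 9, here is an added example (not part of the original post) that parses a NetFlow v9 datagram: it learns the template flowset the router sends first and then decodes the data records against it. The datagram is constructed inline; field type numbers follow the NetFlow v9 numbering (RFC 3954), and the two flows are invented sample values.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954) used by the constructed sample below
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

def parse_v9(packet: bytes, templates: dict) -> list:
    """Parse one NetFlow v9 datagram; learned templates persist in `templates` across packets."""
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:  # guard against a malformed length that would loop forever
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template flowset: learn the (type, length) layout of each record
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                templates[tid] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i])
                                  for i in range(nfields)]
                off += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset; unknown templates are skipped
            fields = templates[fs_id]
            rec_len, off = sum(flen for _, flen in fields), 0
            while off + rec_len <= len(body):  # trailing bytes are 4-byte padding
                rec = {}
                for ftype, flen in fields:
                    raw, off = body[off:off + flen], off + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        pos += fs_len
    return records

def build_sample() -> bytes:
    """Constructed datagram: one template (id 256) plus two flow records, shaped like a v9 export."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flows = [("192.168.1.10", "8.8.8.8", 51000, 53, 17, 120, 1),        # constructed: DNS query
             ("192.168.1.20", "198.51.100.7", 51234, 443, 6, 48000, 60)]  # constructed: HTTPS session
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", *rest)
                    for s, d, *rest in flows)
    pad = (-len(data)) % 4
    return (struct.pack("!HHIIII", 9, 3, 1000, 1341486741, 1, 0)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\0" * pad)
```

A real collector keeps the `templates` dict per exporter source ID, since data packets that arrive before the matching template cannot be decoded.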