1.
pseudowire-class CABLE
encapsulation l2tpv2
ip local interface FastEthernet4
2.
interface FastEthernet4
ip address dhcp client-id FastEthernet4
duplex auto
speed auto
3.
interface Virtual-PPP1
ip address negotiated
ip virtual-reassembly in
ppp pap sent-username username password 123456
no cdp enable
pseudowire a.b.c.d pw-class CABLE
* a.b.c.d = l2tp gateway (IP) of your ISP
Netsupports.info
Fortigate Manage Port
How to change Fortigate HTTP manage port

set auth-http-port 8080 (example)
The same command applies to HTTPS; you just need to write 'set auth-https-port 7443'.
To check the current management port, run the following command: 'show system global'
If it is blank, the management port uses the default: HTTP - 80, HTTPS - 443.
Cisco Router Site 2 Site Configuration
A simple site-to-site VPN configuration for a Cisco router:
First we need to create an access list that permits traffic between our local and remote networks (the encryption domain)
ip access-list ex 110
10 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! If your router uses NAT on the outside, you will have to modify the NAT access list
ip access-list ex NAT
10 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Phase 1:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 172.16.1.1
Phase 2:
crypto ipsec transform-set DESSHA esp-des esp-sha-hmac
crypto map cryptomap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set DESSHA
match address 110
Finally, apply the crypto map on the outside interface:
interface Fa0/1
crypto map cryptomap
UCCX - Pickup call
Hey folks,
Just want to update you, after some searching, that picking up calls from Unified CCX Agents
is not supported!
If you try to pick up a call from another agent, probably the agent who has been available (Ready) the longest will receive the call.
This information relates at least to UCCX version 8.5.1.
A list of unsupported actions for UCCX Agents:
• Barge
• cBarge
• DirTrfr
• DND
• GPickup
• iDivert
• Join
• MeetMe
• Park
ASA - Site 2 Site Configuration
This is a template for a simple site-to-site VPN between two Cisco ASAs:
Side A details: internal 192.168.48.0 - external 199.99.9.99
Side B details: internal 192.168.1.0 - external 62.0.62.60
Implement in Side A:
Access-list of the encryption domain
access-list outside_10_cryptomap extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0
Access-list that disables NAT between the encryption domains (networks)
access-list inside_nat0_outbound extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0
Enable no nat access-list:
nat (inside) 0 access-list inside_nat0_outbound
IPsec setting phase 1:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Crypto transform set and IPsec setting phase 2:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_10_cryptomap
crypto map outside_map 20 set peer 62.0.62.60
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Enable vpn on the external interface
crypto isakmp enable outside
Set shared key
tunnel-group 62.0.62.60 type ipsec-l2l
tunnel-group 62.0.62.60 ipsec-attributes
pre-shared-key hopeitworks
Implement in Side B:
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 199.99.9.99
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 199.99.9.99 type ipsec-l2l
tunnel-group 199.99.9.99 ipsec-attributes
pre-shared-key hopeitworks
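An added example, not part of the original post: a Python check that the two ASA sides pair up (crypto ACLs mirrored, each peer pointing at the other side's outside address, matching phase 1, phase 2 and pre-shared key) and that lists legacy algorithms in the proposals. The sample configs are constructed from the template above, reduced to the lines the check reads, with sub-commands indented; the function names are this example's own.

```python
import re

# Constructed sample: the post's ASA template, reduced to the lines this check reads.
TEMPLATE = """\
access-list {acl} extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address {acl}
crypto map outside_map 20 set peer {peer}
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
"""
SIDE_A = TEMPLATE.format(acl="outside_10_cryptomap", local="192.168.48.0",
                         remote="192.168.1.0", peer="62.0.62.60", psk="hopeitworks")
SIDE_B = TEMPLATE.format(acl="outside_20_cryptomap", local="192.168.1.0",
                         remote="192.168.48.0", peer="199.99.9.99", psk="hopeitworks")

def parse(cfg):
    """Extract the tunnel parameters that have to agree between the two peers."""
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    ace = re.search(rf"access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "local": ace.group(1, 2), "remote": ace.group(3, 4),
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "phase1": tuple(re.search(rf"^\s*{k} (\S+)", cfg, re.M).group(1)
                        for k in ("authentication", "encryption", "hash", "group")),
        "phase2": re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).split(),
        "psk": re.search(r"pre-shared-key (\S+)", cfg).group(1),
    }

def compare(a, b, a_outside, b_outside):
    """Return the mismatches between two sides; an empty list means they pair up."""
    pa, pb, problems = parse(a), parse(b), []
    if pa["local"] != pb["remote"] or pa["remote"] != pb["local"]:
        problems.append("crypto ACLs are not mirror images")
    if pa["peer"] != b_outside or pb["peer"] != a_outside:
        problems.append("peer does not match the other side's outside address")
    problems += [f"{k} differs" for k in ("phase1", "phase2", "psk") if pa[k] != pb[k]]
    return problems

def weak_crypto(cfg):
    """List legacy algorithms in the proposals (DES/3DES ciphers, DH group 2)."""
    p = parse(cfg)
    used = {p["phase1"][1], "group" + p["phase1"][3], *p["phase2"]}
    return sorted(used & {"des", "3des", "esp-des", "esp-3des", "group2"})
```

Call compare(SIDE_A, SIDE_B, "199.99.9.99", "62.0.62.60") with each side's outside address; an empty list means the two templates pair up.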
Nat on a stick - Cisco
NAT on a stick is used mostly when you are trying to connect to a remote computer on a forwarded port
through a VPN tunnel: the connection will drop even if there is connectivity to the remote computer (by ICMP packet, for example).
Why?
The packet from the VPN tunnel reaches the remote station, but because there is a NAT command on the remote router that forwards the port we are trying to connect to, the return packet is NATed and does not go back into the VPN tunnel.
Solution:
The solution is to create a route-map that sends all the return traffic from the local LAN to the tunnel, via a next hop on a loopback interface that does not perform NAT.
Here are the steps:
1. Create a Loopback
conf t
int loopback 1002
ip address 1.1.1.1 255.255.255.252
2. Create access list from lan to VPN lan
ip access-list ex NO_NAT_VPN
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
3. Next, configure a route map
route-map NO_NAT_VPN
match ip add NO_NAT_VPN
set ip next-hop 1.1.1.2
4. Apply the route map on the internal leg
int vlan 1
ip policy route-map NO_NAT_VPN
Set Duplex & Speed - Fortigate CLI
To set an interface to full duplex at speed 100 instead of auto-negotiation, you can do it only via the CLI.
In the GUI we don't have the option to change the speed and duplex.
Command to show the interface speed and duplex status:
get system interface physical

Command to set the interface speed and duplex
wanFG100 $ config system interface
wanFG100 (interface) $ edit wan2
wanFG100 (wan2) $ set speed ?