! THIS IS A SPECIAL TEMPLATE FOR USE IN THE SIP TUTORIAL AT APAN July 2004
!
! This Gateway can support H.323 and SIP at the same time.
!
! Used with vcware vcw-vfc-mz.c542.7.44.bin
!
! Last update Stephen.Kingham@aarnet.edu.au 21 June 2004
!
! The following improves timestamps in debugs, eg debug isdn q931
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
!
! encrypt all passwords
service password-encryption
!
! XXXX change the following to your preferred hostname
hostname XXXX
!
boot system flash c5300-is-mz.123-6b.bin
boot system flash
boot system rom
!
logging console notifications
aaa new-model
!
! create a server group of Radius Accounting Servers
! Note: Other Member radius servers can still be used for Authentication
no aaa group server radius VOIP-ACCOUNTING
aaa group server radius VOIP-ACCOUNTING
 ! a.b.c.d is always first:
 server a.b.c.d
 ! ACT RNO:
 server w.x.y.z
!
! Create a server group called LOGIN for user authentication
! this is an EXAMPLE ONLY and should be changed to suit the Member
!no aaa group server radius LOGIN
!aaa group server radius LOGIN
! XXXX change the following to point to the Member's servers
! server 1.2.3.4
! server 6.7.8.9
!
! Set the prompts for the username and password
aaa authentication password-prompt password:
aaa authentication username-prompt username:
!
! a default login authentication, needed for boot mode
aaa authentication login default line
!
! The following shows how radius servers could be used for Authentication.
! login via console and aux to use the LOGIN group defined above,
! then local, then line, then allow in
!aaa authentication login CONSOLE group LOGIN local line none
! login via vty to use LOGIN, then local, then line, then fail
!aaa authentication login VTY group LOGIN local line
! going to enable mode use default, then LOGIN, then local enable, then none
!aaa authentication enable default group LOGIN enable none
!
! If the above three lines are not present then the server will use
! the username and passwords set below
!
! Only generate Accounting packets when there is something new
aaa accounting update newinfo
!
! accounting of VoIP to go to the VOIP-ACCOUNTING group defined above
aaa accounting connection h323 start-stop group VOIP-ACCOUNTING
!
! set the local enable password
! XXXX change the following
enable password XXXX
enable secret XXXX
!
! set up a username and password if the AAA servers fail
username XXXX password XXXX
!
! XXXX change the following to suit local time zone
clock timezone +1000 10
!
! Some standard security stuff:
no ip source-route
no ip domain-list
!
! enable Cisco Express Forwarding to improve router speed
ip cef
!
! This command is needed to detect IP Network failures quicker:
ip tcp synwait-time 5
!
! XXXX change the following to your local Domain Name Servers
ip name-server 202.6.112.5
ip name-server 203.21.37.30
!
! Set up some defaults for the ISDN connections
isdn switch-type primary-net5
! the following command is critical and is hidden, it tells the router to use an
! end-to-end ISDN protocol state engine (needed for feature transparency):
isdn alert-end-to-end
!
! The following command connects the audio path prior to call answering (improves support for ip phone):
voice rtp send-recv
!
! DEFINE A PREFERENCE ORDER FOR WHICH AUDIO CODECS TO USE
! THIS THEN GETS APPLIED TO THE DIAL-PEERS
voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g729br8
 codec preference 3 g723r63
 codec preference 4 g723ar63
 codec preference 5 g723r53
 codec preference 6 g723ar53
 codec preference 7 g728
 codec preference 8 g726r24
 codec preference 9 g726r32
 codec preference 10 g711alaw
 codec preference 11 g711ulaw
!
!
! Tell the gateway to use the vfc DSPs rather than the modems to support FAXs
fax interface-type fax-mail
!
! Tell the Router to use the open standard for fax support,
! but if that does not work try the cisco proprietary one
fax protocol t38 fallback cisco
!
!
! Layer 2 for E1 interface
controller E1 0
 ! Australia: CRC4 framing
 framing CRC4
 ! get clock from PABX
 clock source line primary
 pri-group timeslots 1-31
 description CONNECTED TO PABX
!
controller E1 1
 framing CRC4
 ! 2nd source of clock from PABX if above fails
 clock source line secondary 1
 pri-group timeslots 1-31
 description CONNECTED TO PABX
!
controller E1 2
 framing CRC4
 ! 3rd source of clock from PABX if above fails
 clock source line secondary 2
 pri-group timeslots 1-31
 description NOT CONNECTED
!
controller E1 3
 framing CRC4
 ! 4th source of clock from PABX if above fails
 clock source line secondary 3
 pri-group timeslots 1-31
 description NOT CONNECTED
!
! The following is needed to generate VoIP Accounting VSA records
! the VSA part means the ICPIF will be sent
gw-accounting h323 vsa
!
! Create an access list to stop this Gateway from being abused by unauthorised callers.
no ip access-list extended ALLOWVOIP
ip access-list extended ALLOWVOIP
 remark ALLOW SIP TRAFFIC ONLY IF IT HAS BEEN PARSED BY AARNet SIP Proxy Server
 remark PRODUCTION SIP Proxy Server - Sydney RNO
 permit tcp host 202.158.196.132 any eq 5060
 permit udp host 202.158.196.132 any eq 5060
 remark STOP all other unauthenticated SIP traffic
 deny tcp any any eq 5060
 deny udp any any eq 5060
 permit ip any any
!
interface Ethernet0
 description NOT CONNECTED
 ! XXXX change the following
 !ip address XXX.XXX.XXX.XXX 255.255.255.0
 ip access-group ALLOWVOIP in
 ! Only simple QoS prioritisation is needed as only VoIP originated traffic is used.
 ! Use Weighted Random Early Detection Queueing
 random-detect
!
! Next part of setting up the E1 interfaces
interface Serial0:15
 description CONNECTED TO PABX
 ! Cisco supports ETSI ISDN using QSIG better than primary-net5
 isdn switch-type primary-qsig
 ! emulate a Carrier, rather than a CPE (a PABX)
 isdn protocol-emulate network
 !
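The ALLOWVOIP list above is evaluated top-down, first match wins. The following model of that list, with a few constructed inbound packets, is added here as an illustration and is not part of the original template; the stranger address 198.51.100.7 is made up. It also shows that the list only filters SIP signalling: H.323 (1720) and RTP fall through to the final permit.

```python
"""Model of the ALLOWVOIP extended ACL from the template, evaluated the way IOS
does: entries are tried in order and the first match decides (example code,
not part of the original template)."""
from dataclasses import dataclass
from typing import List, Optional

PROXY = "202.158.196.132"   # AARNet SIP proxy named in the template's ACL
SIP = 5060

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    src: Optional[str]            # None means "any" source host
    dst_port: Optional[int]       # None means any destination port

    def matches(self, proto: str, src: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src is not None and self.src != src:
            return False
        return self.dst_port is None or self.dst_port == dst_port

# The template's ALLOWVOIP list, in the order it is configured.
ALLOWVOIP: List[Entry] = [
    Entry("permit", "tcp", PROXY, SIP),
    Entry("permit", "udp", PROXY, SIP),
    Entry("deny", "tcp", None, SIP),
    Entry("deny", "udp", None, SIP),
    Entry("permit", "ip", None, None),
]

def evaluate(acl: List[Entry], proto: str, src: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for one packet; IOS appends an implicit deny."""
    for entry in acl:
        if entry.matches(proto, src, dst_port):
            return entry.action
    return "deny"

def check_template_acl() -> dict:
    """Constructed sample packets arriving inbound on FastEthernet0."""
    stranger = "198.51.100.7"     # constructed, not an address from the template
    return {
        "sip_from_proxy": evaluate(ALLOWVOIP, "udp", PROXY, SIP),
        "sip_from_stranger": evaluate(ALLOWVOIP, "udp", stranger, SIP),
        "rtp_from_stranger": evaluate(ALLOWVOIP, "udp", stranger, 16384),
        "h323_from_stranger": evaluate(ALLOWVOIP, "tcp", stranger, 1720),
    }
```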
 ! In the event that there is a TCP/IP problem clear the call with this cause (congestion)
 isdn network-failure-cause 42
 isdn incoming-voice modem
!
interface Serial1:15
 description CONNECTED TO PABX
 isdn switch-type primary-qsig
 isdn protocol-emulate network
 isdn network-failure-cause 42
 isdn incoming-voice modem
!
interface Serial2:15
 description QSIG ISDN USER SIDE - NOT CONNECTED
 isdn switch-type primary-qsig
 isdn protocol-emulate network
 isdn network-failure-cause 42
 isdn incoming-voice modem
!
interface Serial3:15
 description QSIG ISDN USER SIDE - NOT CONNECTED
 isdn switch-type primary-qsig
 isdn protocol-emulate network
 isdn network-failure-cause 42
 isdn incoming-voice modem
!
interface FastEthernet0
 description DIRECTLY CONNECTED TO BORDER ROUTER TO RNO
 ! XXXX change the following
 !ip address XXX.XXX.XXX.XXX 255.255.255.0
 ! Apply security against the echo Denial of Service attacks
 ip access-group ALLOWVOIP in
 ! hard code duplex and speed to avoid common mismatches:
 duplex full
 speed 100
 ! Only simple QoS prioritisation is needed as only VoIP originated traffic is used.
 ! Use Weighted Random Early Detection Queueing:
 random-detect
!
! Set ip addresses to being class-less
ip classless
! Set the default ip route (next hop ip address)
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
! standard security fix:
no ip http server
!
!
! Tell the router to source radius from the one address:
ip radius source-interface FastEthernet0
!
! create an access list to stop everyone from being able to telnet to the router
! change XXXX to the ip address ranges allowed to telnet to the router
access-list 12 permit XXXX
access-list 12 permit XXXX
!
! These are the radius servers:
radius-server host a.b.c.d key XXXX
radius-server host w.x.y.z key XXXX
! only try each one once until successful
radius-server retransmit 1
! Send additional accounting information in the radius record:
radius-server vsa send accounting
!
!
! Set up some of the telephony
voice-port 0:D
 ! make the echo canceller as large as possible
 echo-cancel enable
 echo-cancel coverage 32
 ! tell the router to use Australian tones
 cptone AU
 ! tell the router that all calls will be speech (allows Microsoft NetMeeting to work)
 bearer-cap Speech
!
voice-port 1:D
 echo-cancel enable
 echo-cancel coverage 32
 cptone AU
 description CONNECTED TO PABX
 bearer-cap Speech
!
voice-port 2:D
 echo-cancel enable
 echo-cancel coverage 32
 cptone AU
 description NOT CONNECTED
 bearer-cap Speech
!
voice-port 3:D
 echo-cancel enable
 echo-cancel coverage 32
 cptone AU
 description NOT CONNECTED
 bearer-cap Speech
!
!
! Put these "dial-peers" FIRST, they set up some important defaults:
dial-peer voice 90 pots
 incoming called-number .
 direct-inward-dial
 port 0:d
dial-peer voice 91 pots
 incoming called-number .
 direct-inward-dial
 port 1:d
dial-peer voice 92 pots
 incoming called-number .
 direct-inward-dial
 port 2:d
dial-peer voice 93 pots
 incoming called-number .
 direct-inward-dial
 port 3:d
!
dial-peer voice 99 voip
 incoming called-number .
 ip precedence 5
!
!
! Put in dial peers for the local PABX here
! The following example assumes the local PABX number range is 02 1234 5xxx
! and there are two E1 between the PABX and Gateway
! 1st choice full international 11 digit goes to E1 port 0
!
dial-peer voice 161212345 pots
 destination-pattern 61212345...
 ! Connect the audio before the call is answered when the alert message comes back from the PSTN:
 progress_ind alert enable 8
 direct-inward-dial
 port 0:D
 ! Note that the destination pattern strips off all the digits it matches
 ! and the prefix command allows digits to be added back on, so in this case 5xxx
 ! is sent to the PABX
 prefix 5
! 2nd choice full international 11 digit goes to E1 port 1
dial-peer voice 261212345 pots
 preference 1
 destination-pattern 61212345...
 progress_ind alert enable 8
 direct-inward-dial
 port 1:D
 prefix 5
 ! This is the last dial-peer that handles the local PABX numbers so
 ! tell the Gateway not to look for any more dial-peers.
 huntstop
!
!
! 1st choice full 10 digit goes to E1 port 0
dial-peer voice 10212345 pots
 destination-pattern 0212345...
 progress_ind alert enable 8
 direct-inward-dial
 port 0:D
 ! Note that the destination pattern strips off all the digits it matches
 ! and the prefix command allows digits to be added back on, so in this case 5xxx
 ! is sent to the PABX
 prefix 5
! 2nd choice full 10 digit goes to E1 port 1
dial-peer voice 20212345 pots
 preference 1
 destination-pattern 0212345...
 progress_ind alert enable 8
 direct-inward-dial
 port 1:D
 prefix 5
 ! This is the last dial-peer that handles the local PABX numbers so
 ! tell the Gateway not to look for any more dial-peers.
 huntstop
!
! 1st choice 8 digit goes to E1 port 0
dial-peer voice 112345 pots
 destination-pattern 12345...
 progress_ind alert enable 8
 direct-inward-dial
 port 0:D
 prefix 5
! 2nd choice 8 digit goes to E1 port 1
dial-peer voice 212345 pots
 preference 1
 destination-pattern 12345...
 progress_ind alert enable 8
 direct-inward-dial
 port 1:D
 prefix 5
 huntstop
!
! The dial peers for remote Gateways go here
! In this case all long distance numbers are resolved by the SIP Proxy Server
dial-peer voice 10 voip
 destination-pattern 0.........
 dtmf-relay h245-alphanumeric
 ! This command cuts the voice path on the IP leg of the call so that
 ! the IP phone can hear in-band information:
 progress_ind setup enable 3
 ! Tell the router to offer ALL the codecs it can support, default is only a handful
 voice-class codec 1
 ! Apply the H323 timeout
 voice-class h323 1
 fax-rate 14400
 ip precedence 5
 session target sip-server
!
dial-peer voice 161 voip
 destination-pattern 61.........
 dtmf-relay h245-alphanumeric
 fax-rate 14400
 progress_ind setup enable 3
 voice-class codec 1
 voice-class h323 1
 ip precedence 5
 session target sip-server
!
! Tell the router where the SIP Proxy Server is
sip-ua
 sip-server ipv4:192.94.63.28
!
!
!
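The comments on the PABX dial-peers above describe how a called number is matched, how the matched digits are stripped and re-prefixed, and how preference and huntstop control hunting between the two E1 ports. The following is a simplified model of that behaviour for the peers in this template, added here as an illustration and not code from the template or from Cisco; it models only the '.' wildcard, the longest-explicit-match rule with preference as the tie-breaker, and the constructed notion of a "down" port to trigger hunting.

```python
"""Simplified model of how the template's dial-peers route a called number:
longest explicit match, preference as tie-breaker, POTS digit stripping plus
prefix, and huntstop (example code, not from the template; '.' is the only
wildcard modelled and 'down_ports' is a constructed way to force hunting)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DialPeer:
    tag: int
    kind: str                  # "pots" or "voip"
    pattern: str               # destination-pattern; '.' matches any one digit
    target: str                # ISDN port for pots, session target for voip
    prefix: str = ""
    preference: int = 0
    huntstop: bool = False

    def matches(self, number: str) -> bool:
        return len(number) == len(self.pattern) and all(
            p == "." or p == d for p, d in zip(self.pattern, number))

    def outgoing_digits(self, number: str) -> str:
        """POTS peers strip the explicitly matched digits and re-add the prefix;
        VoIP peers forward the full number unchanged."""
        if self.kind != "pots":
            return number
        explicit = len(self.pattern.rstrip("."))
        return self.prefix + number[explicit:]

# Subset of the template's peers, same tags, patterns, ports and prefixes.
PEERS: List[DialPeer] = [
    DialPeer(161212345, "pots", "61212345...", "0:D", prefix="5"),
    DialPeer(261212345, "pots", "61212345...", "1:D", prefix="5", preference=1, huntstop=True),
    DialPeer(10212345, "pots", "0212345...", "0:D", prefix="5"),
    DialPeer(20212345, "pots", "0212345...", "1:D", prefix="5", preference=1, huntstop=True),
    DialPeer(10, "voip", "0.........", "sip-server"),
    DialPeer(161, "voip", "61.........", "sip-server"),
]

def candidates(number: str) -> List[DialPeer]:
    """Matching peers, most explicit digits first, then lowest preference."""
    hits = [p for p in PEERS if p.matches(number)]
    return sorted(hits, key=lambda p: (-len(p.pattern.rstrip(".")), p.preference))

def route(number: str, down_ports: Tuple[str, ...] = ()) -> Optional[Tuple[int, str, str]]:
    """Hunt through candidates; return (tag, target, digits sent) or None."""
    for peer in candidates(number):
        if peer.target not in down_ports:
            return (peer.tag, peer.target, peer.outgoing_digits(number))
        if peer.huntstop:
            return None   # huntstop: do not fall through to less specific peers
    return None
```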
! Set up a warning banner
banner exec ^
VoIP Gateway
***** This service is for authorised clients only *****
****************************************************************************
* WARNING: Under Australian law, it is a criminal offence to:
*   i.  Obtain access to data without authority
*       (Penalty 2 years imprisonment)
*   ii. Damage, delete, alter or insert data without authority
*       (Penalty 10 years imprisonment)
****************************************************************************
^
!
! Set up the console and VTY ports to apply the above security
line con 0
 ! timeout connection after 10 hours
 exec-timeout 240 0
 no vacant-message
 ! Use the CONSOLE method defined above to authenticate users if using radius
 !login authentication CONSOLE
 transport input none
line aux 0
 ! timeout connection after 10 hours
 exec-timeout 240 0
 no vacant-message
 ! Use the CONSOLE method defined above if using radius
 !login authentication CONSOLE
 access-class 12 in
line vty 0 4
 ! timeout connection after 10 hours
 exec-timeout 600 0
 ! set a default password in case the VTY authentication fails to find an authentication server:
 password XXXX
 ! Use the VTY method defined above (DO NOT USE CONSOLE) if using radius
 !login authentication VTY
 access-class 12 in
!
! An NTP server is important for accurate time in Accounting and debugs
! XXXX Change the following to the closest NTP server
! This NTP server is a CSIRO one in the ACT.
!ntp server 152.83.1.1