Category Archives: Network Engineering


Moved !

My blog (http://blog.howardtang.com) and my photo blog (http://photo.howardtang.com) have been moved away from iiNet to my NBN home connection. Uptime could be a problem, as I still haven't purchased a UPS for my system.

There are a few benefits to moving the blog and photo blog back to my home server.

– saves $60 a month in VPS hosting fees
– can provide IPv6 addresses for my blog
– can back up my server any time I want (and I can switch it off any time I want)
– can provide more bandwidth than hosting with iiNet! (40Mbps upload rate with NBN)

Stay tuned, I will let you know when IPv6 is set up!

NBN via Exetel

I have signed up for a 100M/40M service with Exetel as the ISP. The download speed is very good: in my speed test I get 91Mbps download and 38kbps upload.

Well, since I get a static IP address from Exetel, I am going to move my VPS from iiNet to a physical server at home and run it there 24×7 with UPS backup.

Instead of paying $50 a month to iiNet, I think that with the NBN connection my server can run at a much lower cost, and I can back it up whenever I like.

A Cisco ASA firewall will be put in place to add additional security to my home network.


My Cisco router freaks me out!

Recently I bought a Cisco 887 ADSL router for home use. I can then set up SSL VPN, an IPv6 tunnel, IOS IPS, a zone-based firewall, etc. It is really for lab use, to get myself familiar with Cisco IOS again after passing my CCIE Routing and Switching 2 years ago.

One of the main reasons for using a Cisco router at home is the VPN connectivity, which allows me to connect back to my lab from work. Maybe you will ask, why not set up a lab at work? Well, GNS3 is resource hungry, and the laptop provided by work is not good enough to simulate even a single router in GNS3.

To cut a long story short, I set up AAA authentication with the Cisco ISE NFR kit. All authentication for the VPN and for access to the router is done by the Cisco ISE. All of a sudden, I couldn't log in to my router this morning with my username and password! I kept trying for over an hour.

I jumped on the Cisco ISE remotely and could not see any authentication request during the period of the failed login attempts, so I then checked the router log.

Here I found the reason I could not log in to my router:

May 9 10:18:49 AST: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
May 9 10:28:44 AST: %AAA-3-ACCT_LOW_PROC_MEM_TRASH: AAA unable to handle accounting requests due to insufficient processor memory and could be trashing the queued accounting records

This is a Cisco 887 router which I paid to upgrade to Advanced IP Services. Cisco advertises this router as feature rich: you can use it with IPS, firewall, VPN termination, etc. However, I don't have many features enabled on the router and it has already created a problem. What if this router were put in a branch with 10 – 20 users?
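The troubleshooting step above (no request on the ISE, but AAA memory errors on the router) can be turned into a small check. This is an added example, not code from the post: it parses Cisco IOS syslog lines in the `%FACILITY-SEVERITY-MNEMONIC` form, picks out AAA errors caused by low processor memory, and combines that with whether the RADIUS server saw any request. The sample log is constructed from the two messages quoted above plus one routine line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AAA messages from the post plus one routine line.
SAMPLE_LOG = """\
May 9 10:18:49 AST: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
May 9 10:20:01 AST: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 9 10:28:44 AST: %AAA-3-ACCT_LOW_PROC_MEM_TRASH: AAA unable to handle accounting requests due to insufficient processor memory and could be trashing the queued accounting records
"""

# IOS message layout: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>.+?): %(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")

@dataclass
class Msg:
    ts: str
    facility: str
    severity: int      # 0 = emergency ... 7 = debug
    mnemonic: str
    text: str

def parse(log: str) -> list:
    """Parse every well-formed IOS syslog line; skip anything else."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Msg(m["ts"], m["fac"], int(m["sev"]), m["mn"], m["text"]))
    return out

def aaa_local_failures(msgs: list) -> list:
    """AAA messages at severity 3 (error) or worse that blame processor memory:
    the router dropped the request itself, so the RADIUS server never saw it."""
    return [m for m in msgs
            if m.facility == "AAA" and m.severity <= 3 and "memory" in m.text]

def explain_lockout(msgs: list, server_saw_requests: bool) -> str:
    """Combine router-side evidence with what the AAA server logged."""
    local = aaa_local_failures(msgs)
    if local and not server_saw_requests:
        return "local AAA failure: " + ", ".join(m.mnemonic for m in local)
    if not server_saw_requests:
        return "no evidence on router or server; check reachability"
    return "server reached; check server-side policy or credentials"

if __name__ == "__main__":
    print(explain_lockout(parse(SAMPLE_LOG), server_saw_requests=False))
```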

ISE + ASA Home Lab Part 1

Yesterday I wrote up my plan for setting up a lab at home to get familiar with the Cisco ISE and ASA (I heard that is going to be in the CCIE Security exam…). Today I have some screenshots and have proved that the basic stuff works.

First of all, follow the links I posted yesterday to get ASA 8.4(2) running on GNS3. The next step is to set up a topology in GNS3. I haven't completed the full lab, but this is what I have done today.

(Screenshot: GNS3 setup)

C1 is the host computer running the ASDM GUI to configure the ASA.

C2 is the virtual machine running Cisco ISE NFR 1.1.1.

(Screenshot: C2 network setting mapped to VMnet1)

I set up an Inside interface with an IP address in the same subnet as the ISE.

ASA Inside : 10.100.64.100
ISE : 10.100.64.70

I did some ping tests to make sure connectivity was good. Then I added the ASA to the network device list on the ISE.

(Screenshot: adding GNS3-ASA to the ISE)

The next step is to add the AAA server on the ASA. Once this step is completed, I used a "test" username and password to test RADIUS authentication with the ISE from the ASA.

(Screenshot: testing the RADIUS connection with the ISE)

As I haven't set up anything on the ISE, I expected the authentication to fail. Now we can check the log on the ISE to see if it captured the failed login.

(Screenshot: the failed login was logged)

I am happy with the result today. I am going to build a remote VPN lab using ISE when I have time again. Enjoy!
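What the ASA's "test" button actually sends to the ISE is a RADIUS Access-Request, and the expected Access-Reject above is only trustworthy if its Response Authenticator checks out against the shared secret. The following is an added example, not code from the post or from Cisco: it builds a PAP Access-Request per RFC 2865 (User-Password hidden with the MD5 chaining), answers it with a toy server, and verifies the reply's Response Authenticator on the client side. The shared secret and the use of the ASA's Inside address as NAS-IP-Address are assumptions; "test" is the username from the post.

```python
import hashlib, os, struct

# Constructed lab values (assumptions, not from the post): shared secret and
# the ASA's Inside address as the NAS; "test" is the username the post used.
SECRET = b"lab-shared-secret"
NAS_IP = "10.100.64.100"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def _attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v        # Type, Length, Value

def _pwd_xor(data, req_auth, hide):
    """RFC 2865 5.2 chaining: block_i XOR MD5(secret + previous *hidden* block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        digest = hashlib.md5(SECRET + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], digest))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def access_request(user, password, ident, req_auth):
    pw = password.encode().ljust(-(-len(password) // 16) * 16, b"\0")  # pad to 16n
    attrs = (_attr(1, user.encode()) + _attr(2, _pwd_xor(pw, req_auth, True))
             + _attr(4, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def _response_auth(code, ident, req_auth, attrs=b""):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + SECRET).digest()

def server_reply(request, users):
    """Toy ISE side: unhide the password, look the user up, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos, user, hidden = request[4:20], request[20:length], 0, None, b""
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if t == 1: user = attrs[pos + 2:pos + l].decode()
        if t == 2: hidden = attrs[pos + 2:pos + l]
        pos += l
    pw = _pwd_xor(hidden, req_auth, False).rstrip(b"\0").decode()
    reply = ACCESS_ACCEPT if user in users and users[user] == pw else ACCESS_REJECT
    return struct.pack("!BBH", reply, ident, 20) + _response_auth(reply, ident, req_auth)

def exchange(user, password, users):
    """One round trip; the client accepts the answer only if the authenticator matches."""
    ident, req_auth = 7, os.urandom(16)
    reply = server_reply(access_request(user, password, ident, req_auth), users)
    code, rid = reply[0], reply[1]
    if rid != ident or reply[4:20] != _response_auth(code, ident, req_auth):
        raise ValueError("bad Response Authenticator: reply not from our server")
    return code
```

With an empty user database, as on the fresh ISE in the post, `exchange("test", "test", {})` returns 3 (Access-Reject), which is the "failed login" the ISE then logs.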

Creating an ISE, ASA Lab at home without buying any hardware

I created a lab to simulate a client's situation yesterday on an ASA using the GNS3 simulator. Suddenly, I wanted to create a lab using the ability to connect GNS3 to a virtual machine. I am not sure if this will work, but I would like to write down the steps here and share them with everyone who has time to experiment with this.

What you need (at least, what I believe you need to have…)
– A powerful PC on which you can run a few VMs
– An ISE VM
– GNS3 installed on the host PC (preferably Windows, as all the guides are based on Windows 7)

Using the ability of GNS3 to connect to real devices (in this case GNS3 connecting to VMs and the host machine), enabling IP routing on Windows and allowing multiple VM networks to communicate, I am hoping to do the following.

I have the Cisco ISE 1.0 NFR (which I have upgraded to 1.1.2 by following the steps from the Cisco website). You can find my previous post about the Cisco ISE and the upgrade. The Cisco ISE is running in a VM. Now what I need is GNS3 and an ASA. You can follow the steps at this link to set up an ASA in GNS3.

http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/

Once you have done that, follow the link below to create a connection between the ASA in GNS3 and other real machines. You can get the idea from this link and have it connected to your VM's network interface.

http://www.xerunetworks.com/2012/03/connect-gns3-network-to-real-networks-other-gns3-network/

For the next step, I will be following the Cisco support forum document about setting up "VPN inline Posture using iPEP ISE and Cisco ASA".

https://supportforums.cisco.com/docs/DOC-24412

Double NAT on ASA 8.4? Thanks to GNS3

Yesterday, I received a task at work to resolve a VPN issue. It wasn't a straightforward solution. The client wants to create a new internet link via a new ASA firewall to connect to a PPTP server sitting inside their network, while the default route still goes via their old internet link. One suggestion is to create a double NAT environment, but how? Thanks to GNS3, I created a lab with an ASA and a Cisco 7200 to simulate the situation and was able to find a solution.

So what needs to be done is to create a double NAT on the ASA; this way, I don't have to change the default route.

(Diagram: simple network diagram)

C1 is the VPN client, R1 is the ISP router, ASA is the firewall, R2 is the core switch and R3 is the PPTP server.

Here are the interface configurations:
R1 G1/0 : 222.111.111.1
R1 G2/0 : 233.111.111.254
C1 : 233.111.111.5
ASA G1/0 : 222.111.111.2 (Outside)
ASA G2/0 : 192.168.2.1 (Inside)
ASA NAT POOL : 192.168.11.1 – 192.168.11.254
R2 G1/0 : 192.168.2.2
R2 G2/0 : 192.168.10.1
R3 G1/0 : 192.168.10.18 (PPTP SERVER)
R3 VPN POOL : 192.168.5.1 – 195.168.5.254

R1 Configuration

int gi1/0
ip add 222.111.111.1 255.255.255.252
int gi2/0
ip add 233.111.111.254 255.255.255.0

R2 Configuration

int gi1/0
ip add 192.168.2.2 255.255.255.252
int gi2/0
ip add 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.2.1

R3 Configuration

int gi1/0
ip add 192.168.10.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1

aaa new-model

aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local

vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15

interface Virtual-Template1
ip address 192.168.5.1 255.255.255.0
peer default ip address pool vpnpool
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 192.168.5.2 192.168.5.255

ASA

interface GigabitEthernet0
nameif Outside
security-level 0
ip address 222.111.111.2 255.255.255.252
!
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.252
!
object network pptp_inside
host 192.168.10.18
object network NAT_POOL
range 192.168.11.1 192.168.11.254
object service pptp
service tcp destination eq pptp
object network Inside-network
subnet 192.168.0.0 255.255.0.0
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
nat (Outside,Inside) source dynamic any NAT_POOL destination static interface pptp_inside service pptp pptp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 222.111.111.1 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.2 1
!
policy-map global-policy
class class-default
inspect pptp
set connection advanced-options tcp-state-bypass
!
service-policy global-policy global

What I want to achieve is that a VPN client (any source, hence 0.0.0.0) connecting to 222.111.111.2 has its source translated to 192.168.11.x and is connected to 192.168.10.18. PPTP will be able to set up, while it won't affect people connecting via the existing internet link.
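To make the effect of the single `nat (Outside,Inside) source dynamic any NAT_POOL destination static interface pptp_inside service pptp pptp` line concrete, here is an added example (my own model, not ASA code) that applies the twice NAT rule to a packet from C1 and then untranslates the PPTP server's reply. Addresses and ports come from the lab above; the pool allocator (one pool address per real source host, ports unchanged) is a simplification and an assumption about ASA behaviour.

```python
import ipaddress

# Addresses from the lab above; the allocator below is a simplification.
OUTSIDE_IF = ipaddress.ip_address("222.111.111.2")   # "interface" in the rule
PPTP_INSIDE = ipaddress.ip_address("192.168.10.18")  # object network pptp_inside
NAT_POOL = [ipaddress.ip_address("192.168.11.1") + i for i in range(254)]
PPTP_PORT = 1723                                     # object service pptp (tcp/pptp)

class TwiceNat:
    """Models: nat (Outside,Inside) source dynamic any NAT_POOL
                 destination static interface pptp_inside service pptp pptp"""
    def __init__(self):
        self.xlate = {}            # real source host -> mapped pool address
        self.free = list(NAT_POOL)

    def outside_to_inside(self, src, sport, dst, dport):
        """Forward direction: only TCP/1723 to the Outside interface address matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst != OUTSIDE_IF or dport != PPTP_PORT:
            return None            # rule does not apply; packet left untouched
        if src not in self.xlate:
            if not self.free:
                raise RuntimeError("NAT_POOL exhausted")
            self.xlate[src] = self.free.pop(0)   # dynamic source NAT from the pool
        # source -> pool address, destination -> real PPTP server (static part)
        return (self.xlate[src], sport, PPTP_INSIDE, dport)

    def inside_to_outside(self, src, sport, dst, dport):
        """Return traffic: undo both halves using the existing xlate entry, so the
        server only ever talks to 192.168.x.x and the default route is irrelevant."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real_src, mapped in self.xlate.items():
            if src == PPTP_INSIDE and dst == mapped and sport == PPTP_PORT:
                return (OUTSIDE_IF, sport, real_src, dport)
        return None                # no matching translation; would be dropped/untouched

def demo():
    nat = TwiceNat()
    fwd = nat.outside_to_inside("233.111.111.5", 40000, "222.111.111.2", 1723)
    back = nat.inside_to_outside(str(fwd[2]), fwd[3], str(fwd[0]), fwd[1])
    return fwd, back
```

The model covers only the TCP/1723 control channel; the GRE data channel of PPTP relies on the `inspect pptp` in the policy map above.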

Deploying 2 Cisco ISE Nodes using the ISE NFR Kit

If you have read my previous post, I successfully upgraded ISE 1.0MR to ISE 1.1.1 using the Cisco Installation and Upgrade Guide. According to the Cisco ISE deployment guide, we should be able to deploy a secondary node as long as you have the license on the primary node.

Upgrade my desktop to i7 3930K

The Quad 2 core 2600 CPU with 8 GB of memory is no longer good enough for me. With my Cisco CCIE Voice study, I would like to set up some Cisco Voice related labs at home. It may not be a complete lab, but at least I would like to test some Cisco products so I am well prepared before I really need to work on some of its newest software.

As you may have seen in my previous post about the Cisco ISE, which runs on a VM, I was trying to have 2 ISE nodes running as a primary and a secondary node. However, due to lack of memory and CPU power, it runs very slowly on the Quad2core system.

To learn new technology, you just have to invest time and money; without working on a real product, you will never know how it really works. It is just like when people tell you how to drive: you think you know how to drive, but you haven't really driven a car. Do you think you can drive it the first time you jump in?

Upgrade Cisco ISE 1.0MR NFR to 1.1.1

There is a document that comes with the ISE USB. It is an instruction manual on how to set up the Cisco Identity Services Engine (ISE) Not-For-Resale partner bundle in an ESXi lab environment and how to upgrade it from 1.0MR to 1.1. The newest version on Cisco's site is 1.1.1, so I followed the instructions and went from 1.0MR to 1.1.1 (aka 1.1MR).

The default VM setting for ISE 1.0MR is 1 processor and 2GB of RAM. The IP address of the ISE is 10.10.10.70 and the default gateway is 10.10.10.1. Using the predefined username and password given in the document, you will be able to get into the CLI as well as the web GUI (provided you have your virtual network adapter set up correctly for your host computer to talk to the virtual machine). In my case, I run the VM on my Hackintosh, which uses VMware Fusion 3. I changed the VM setting to 2 processors and 4GB of RAM.

To upgrade the ISE NFR from 1.0MR to 1.1.1, the first step is to download the update file from the Cisco website. You will need your CCO account to obtain the update software. The file I downloaded is ise-appbundle-1.1.1.268.i386.gz.

On my Hackintosh, I enabled web sharing and put the downloaded file in the web directory. After that, I logged in to the ISE over SSH at 10.10.10.70. The CLI of the ISE is similar to Cisco IOS; you can do show run to see the running configuration. To prepare for the upgrade, there is some configuration that you need to put in:

ISE/admin# conf t
ISE/admin (config)# repository iseupgrade
ISE/admin (config)# url http://10.10.10.1
ISE/admin (config)# end
ISE/admin# application upgrade ise-appbundle-1.1.1.268.i386.gz iseupgrade

After the install is complete, the ISE will reboot. You can use the command "show version" to check the ISE version after the upgrade. It should show 1.1.1.268.

The next thing I am going to try is to set up 2 nodes using this NFR kit.