Avaya Solution & Interoperability Test Lab

Configuring Avaya 96x1 Series IP Telephone VPN feature

with Cisco 5510 Adaptive Security Appliance using
Microsoft Windows Server 2008 Certificate Authority and
Network Device Enrollment Service with Simple Certificate
Enrollment Protocol - Issue 1.0

Abstract

These Application Notes describes the configuration steps required to configure the Avaya
96x1 IP Telephone VPN feature for Certificate Authentication using Cisco 5510 Adaptive
Appliance and Microsoft Certificate Authority. The Application Notes identifies how to
generate digital certificates using the Microsoft Certificate Authority and download these
certificates to the Avaya 96x1 Series IP Telephone and how to administer the Cisco Adaptive
Security Appliance to establish and terminate an IPSec VPN tunnel request from the Avaya
96x1 Series VPN enabled IP Telephone.

The validation test of the sample configuration was conducted at the Avaya Solution and
Interoperability Test Lab.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
1. Introduction ...................................................................................................................... 3
2. Interoperability Testing .................................................................................................... 4
2.1. Test Description and Coverage ........................................................................................ 4
2.2. Test Results and Observations.......................................................................................... 4
3. Test Configuration ............................................................................................................ 5
4. Equipment and Software Validated .................................................................................. 6
5. Configure Cisco 5510 Adaptive Security Appliance ....................................................... 7
5.1. Configure Trustpoint ........................................................................................................ 8
5.2. Configure IPSec Remote Access .................................................................................... 10
6. Configuration of Avaya 96x1 IP Telephones ................................................................. 12
6.1. Configuration of 46xxsettings ........................................................................................ 12
6.2. Upload Certificates to 96x1 IP Telephone ..................................................................... 14
7. Verification Steps ........................................................................................................... 15
8. Conclusion ...................................................................................................................... 16
9. Additional References .................................................................................................... 16
10. Appendix A - Configure Avaya Aura® Communication Manager .............................. 17
10.1. Verify System Capacities and Licensing .................................................................... 17
10.2. Configure Trunk-to-Trunk Transfers.......................................................................... 19
10.3. Configure IP Codec Set .............................................................................................. 19
10.4. Configure IP Network Region .................................................................................... 20
10.5. Configure Node Names and IP Addresses ................................................................. 20
10.6. Configure SIP Signaling Groups and Trunk Groups .................................................. 20
10.7. Configure Route Pattern ............................................................................................. 24
10.8. Administer Private Numbering Plan........................................................................... 25
10.9. Administer Dial Plan .................................................................................................. 26
10.10. Administer Uniform Dialplan ..................................................................................... 27
10.11. Add Coverage Path ..................................................................................................... 28
10.12. Add Hunt Group ......................................................................................................... 28
10.13. Save Translations ........................................................................................................ 28
11. Appendix B - Configure Avaya Aura® Session Manager ............................................ 30
11.1. Define SIP Domains ................................................................................................... 31
11.2. Define Locations......................................................................................................... 32
11.3. Define SIP Entities ..................................................................................................... 34
11.4. Define Entity Links .................................................................................................... 35
11.5. Define Routing Policies .............................................................................................. 36
11.6. Define Dial Pattern ..................................................................................................... 37
11.7. Synchronize Changes with Avaya Aura® Communication Manager ........................ 38
12. Appendix C - Configure Avaya Aura® Messaging ...................................................... 39
12.1. Configure Sites ........................................................................................................... 39
12.2. Configure Telephony Integration ............................................................................... 40
12.3. Configure Dial Rules .................................................................................................. 41
12.4. Configure Class of Service ......................................................................................... 42
12.5. Configure Subscribers ................................................................................................ 43
Appendix D - Configuration of the Cisco Adaptive Security Appliance 5510 ............................ 45

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 2 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
1. Introduction
The Microsoft Certificate Authority (CA) can issue multiple certificates in the form of a tree
structure. A root certificate is the top most certificate of the tree, the private key of which is used
to sign other certificates. All certificates immediately below the root certificate inherit the
trustworthiness of the root certificate. A signature by a root certificate is somewhat analogous to
notarizing an identity in the physical world. Certificates further down the tree also depend on the
trustworthiness of the intermediates often known as subordinate certification authorities. Many
software applications assume these root certificates are trustworthy on the user's behalf.

The 96x1 Series IP Telephones use built in Avaya certificates for trust management. Trust
management involves downloading certificates for additional trusted Certificate Authorities
(CA) and the policy management of those CAs. Identity management is handled by Simple
Certificate Enrollment Protocol (SCEP) with phone certificates and private keys. Simple
Certificate Enrollment Process applies to the VPN operation or to standard enterprise network
operation. The Simple Certificate Enrollment Protocol is the protocol used by the Microsoft CA
to securely transport key information and digital certificates to network devices, such as the
Avaya 96x1 IP telephone and Cisco Adaptive Security Appliance. For the Microsoft CA to
support SCEP, the Microsoft Network Device Enrollment Service (NDES) role must be installed.
Information on how to install and configure Microsoft CA and NDES is included in Reference 6
Section 9 of these Application Notes.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 3 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
2. Interoperability Testing
Avaya Aura® Communication Manager serves as an Evolution Server within the Avaya Aura®
architecture and supports Avaya 9600 Series and 96x1 Series SIP endpoints registered to Avaya
Aura® Session Manager. Avaya 9600 Series and 96x1 Series IP Deskphones (H.323) phones are
also supported by Avaya Aura® Communication Manager. Only 96x1 IP Telephones using
H.323 support VPN.

Testing was limited to station to VPN, station calls and supplemental features. Voice Messaging
was used to validate MWI and DTMF. Interoperability was verified for SIP trunks between
Avaya Aura® Session Manager Release 6.3, Avaya Aura® Communication Manager Release
6.3 and Avaya Aura® Messaging 6.2 SP2.

2.1. Test Description and Coverage

Interoperability testing included making bi-directional calls between several different types of
stations on both telephony systems with various features including hold, transfer, 3 way
conference and forwarding.

For VPN Interoperability testing Phase I and Phase II re-keying was observed as well as IP
phone registration and IPSec tunnel persistence.

2.2. Test Results and Observations

All tests passed. No unusual behavior was noted.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 4 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
3. Test Configuration
The configuration used in these Application Notes is shown in Figure 1. The Avaya Aura®
Communication Server 6.3 and Avaya Aura® Session Manager 6.3 were installed and
configured under VMware. Avaya Aura® System Manager 6.3 and Avaya Aura® Messaging 6.2
were installed on Avaya Servers. The 96x1 H.323 IP telephones register to Avaya Aura®
Communication Manager and are administered as H.323 stations. The 96x1 SIP IP telephone
registers to Avaya Aura® Session Manager. The Microsoft Windows Server 2008 R2 Certificate
Authority is used to generate the digital certificates used by the 96x1 Series IP Telephone and
Cisco Adaptive Security Appliance. Only 96x1 IP Telephones using H.323 support VPN. The
Microsoft CA in the sample configuration is used in the enterprise network as a private
certificate server for internal use. The Cisco Adaptive Security Appliance is configured for
automatic certificate enrollment.

Figure 1: Avaya Aura® Session Manager, Avaya Aura® Communications Manager and
Avaya Aura® Messaging with the Cisco Adaptive Security Appliance and Windows Server
2008 R2

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 5 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
4. Equipment and Software Validated
The following equipment and software were used for the sample configuration provided:

Equipment Software
Avaya Aura® Session Manager under
Release 6.3 (Build 6.3.2.0.83005)
VMware 5.1
Avaya Aura® System Manager on HP
Release 6.3 (Build 6.3.0.8.923)
360 G7
Avaya Aura® Communication Manager
Release 6.3 (Build 6.3.0.120.0)
under VMware 4.1
Avaya G430 Gateway Firmware 32.26.0
Avaya Aura® Messaging on Dell R610 6.2 SP2 (Build 06.2-02.0.823.0-109)
Avaya 9641G IP Telephone (H.323) Release 6.2.3.13
Avaya 9611G IP Telephone (H.323) Release 6.2.3.13
Avaya 9621G IP Telephone (H.323) Release 6.2.3.13
Avaya 9641G IP Telephone (SIP) Release 6.2.2r5
Cisco 5510 Adaptive Security Release 9.0(2)
Appliance
Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2, Enterprise
Edition

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 6 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
5. Configure Cisco 5510 Adaptive Security Appliance
The Cisco 5510 ASA was configured using the CLI. The following steps describe how to
generate a keypair, create and authenticate a Trustpoint and enroll the TrustPoint with the
Microsoft Certificate Authority. It also describes the steps needed to create the IPSec ACLs,
crypto maps, VPN tunnel and VPN user accounts. It is assumed that all CLI based configuration
commands are done while in configuration mode (configure terminal or conf t).

Initial access to the Cisco ASA is via console interface using a Cisco console cable with serial (9
pin RS-232) interface and RJ-45 connectors. Use a putty serial interface set to 9600-N-8-1.

After initial configuration of the management interface, the Cisco ASA can be accessed via the
CLI by a telnet session to the management interface. The IP Address of the management
interface 0/0 was 10.129.112.82.

Type help or '?' for a list of available commands.

ciscoasa> enable
Password: *****
ciscoasa#

To set the Cisco 5510 ASA to sync with an NTP server enter configuration mode with conf t.

Type help or '?' for a list of available commands.

ciscoasa> enable
Password: *****
ciscoasa# conf t
ciscoasa(config)# ntp server 10.129.112.30
ciscoasa(config)# ntp server 10.9.1.2
ciscoasa(config)#

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 7 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
5.1. Configure Trustpoint

Step 1. The Cisco ASA Key Pair

The Cisco ASA must have its own private and public keys. The public key will be sent to the
Microsoft CA during enrollment. To generate an RSA keypair called ASA-RSA-Key with a
2048 bit key:

ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# crypto key generate rsa label ASA-RSA-Key modulus 2048
INFO: The name for the keys will be: ASA-RSA-Key
Keypair generation process begin. Please wait...
ciscoasa(config)#

Step 2. Create a TrustPoint

To create a TrustPoint called ASA5510-trust:

ciscoasa# conf t
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# crypto ca trustpoint ASA5510-trust
ciscoasa(config-ca-trustpoint)# enrollment url
http://10.129.1129.20/certserv/mscep/mscep.dll
ciscoasa(config-ca-trustpoint)# enrollment retry period 5
ciscoasa(config-ca-trustpoint)# enrollment retry count 3
ciscoasa(config-ca-trustpoint)# keypair ASA-RSA-Key
ciscoasa(config-ca-trustpoint)# password Interop
ciscoasa(config-ca-trustpoint)# fqdn ciscoasa.avaya.com
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)#

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 8 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
Step 3. Authenticate a TrustPoint
To authenticate the Trustpoint with the Windows Server 2008:

ciscoasa# conf t
ciscoasa(config)#
ciscoasa(config)# crypto ca authenticate ASA5510-trust

INFO: Certificate has the following attributes:

Fingerprint: 495f47ea 574fb851 a70cf818 a0f61341
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

ciscoasa(config)#

Step 4. Enroll a Trustpoint with Microsoft CA

To enroll a Trustpoint:

ciscoasa# conf t
ciscoasa(config)# crypto ca enroll ASA5510-trust
%
% Start certificate enrollment

% The fully-qualified domain name in the certificate will be:

ciscoasa.avaya.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate has been granted by CA!

ciscoasa(config)#

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 9 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
5.2. Configure IPSec Remote Access
Configuration for remote access requires the following steps:

Step 1. Enable IKEv1 on the Outside (Public) Interface

ciscoasa# conf t
ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)#

Step 2. Create the IKEV1 Policy

To create a new crypto policy that uses aes-128 and sha:

ciscoasa# conf t
ciscoasa(config)#
ciscoasa(config)# crypto ikev1 policy 65535
ciscoasa(config-ikev1-policy)# authentication rsa-sig
ciscoasa(config-ikev1-policy)# encryption aes
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)#

Step 3. Setup Tunnel and Group Policies

Create a VPN group policy called VPNPHONE and set the DNS, VPN tunnel protocol and
default domain attributes.

ciscoasa# conf t
ciscoasa(config)# group-policy
ciscoasa(config)# group-policy
ciscoasa(config-group-policy)#
ciscoasa(config-group-policy)#
ciscoasa(config-group-policy)#
ciscoasa(config-group-policy)#
ciscoasa(config)#
VPNPHONE internal
VPNPHONE attributes
dns-server value 10.129.112.70
vpn-tunnel-protocol ikev1
default-domain value avaya.com
exit

Step 4. Define the IPSec Policy

The transform set is an IPSec Policy that defines the type of encryption and authentication that
will be used. The IPSec Policy is named ESP-AES-128-SHA.

ciscoasa# conf t
ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes
esp-sha-hmac
ciscoasa(config)#

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 10 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
Step 5. Assign Local Address Pool
Define an IP address pool that will be used to assign a private IP address to each IP telephone
using VPN.

ciscoasa# conf t
ciscoasa(config)# ip local pool vpnphone-ip-pool 10.129.112.56-10.129.112.62 mask
255.255.255.248
ciscoasa(config)#

Step 6. Create Crypto Maps

Only 1 dynamic and 1 static crypto map can be defined for each interface.

ciscoasa# conf t
ciscoasa(config)#
ciscoasa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
ciscoasa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set
ikev1 transform-set ESP-AES-128-SHA
ciscoasa(config)# crypto dynamic-map inside_nat0_outbound 65535 set pfs
ciscoasa(config)# crypto dynamic-map inside_nat0_outbound 65535 set ikev1
transform-set ESP-AES-128-SHA
ciscoasa(config)# crypto map outside_map 65535 ipsec-isakmp dynamic
SYSTEM_DEFAULT_CRYPTO_MAP
ciscoasa(config)# crypto map outside_map interface outside
ciscoasa(config)#

Step 7. Configure Access Lists

This section describes the steps to create the access control lists which define protected traffic.

ciscoasa# conf t
ciscoasa(config)#
ciscoasa(config)# access-list SYSTEM_DEFAULT_CRYPTO_MAP standard permit
192.145.131.0 255.255.255.0
ciscoasa(config)# access-list inside_nat0_outbound extended permit ip any4
10.129.112.56 255.255.255.248
ciscoasa(config)#

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 11 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
6. Configuration of Avaya 96x1 IP Telephones
The Avaya IP Telephones must undergo staging before being deployed to a remote location.
Staging consists of accessing a HTTP server and downloading new firmware, 46xxsettings.txt
file and the certificate to each Avaya IP Telephone. For this sample configuration a Linux server
with HTTP enabled was used. Files needed are:
current handset firmware file, unzipped
46xxsettings.file
Certificate file. To download the certificate file see Reference 6 in Section 9.

6.1. Configuration of 46xxsettings

The 46xxsettings file controls the behavior of the 96x1 IP telephone. For a detailed description of
these settings see Reference 1 in Section 9.

SET NVVPNMODE 1
This variable dictates when the VPN Client is started. If the value is 1, VPN Client is started
immediately after TCP/IP stack is initialized, If the value is 0, VPN Client is disabled.

SET NVVPNCFGPROF 8
For Cisco authentication with certificates choose option number 8.
The following variables are set to specified values when NVVPNCFGPROF is set to 8:
NVIKECONFIGMODE 1
NVIKEIDTYPE 11
NVIKEXCHGMODE 1

SET NVSGIP 192.145.131.1

Specifies a list of IP addresses for VPN security gateways. Addresses can be in dotted-decimal
or DNS name format, separated by commas without any intervening spaces. The list can contain
up to 255 characters; the default value is null ("").

SET NVVPNPSWDTYPE 1
This variable determines how a password should be treated. By default, password type is set to 1.
You must set this variable to 3 or 4 if using One Time Password such as SecureID from RSA.

SET NVVPNCOPYTOS 1
The value of this variable decides whether TOS bits should be copied from inner header to outer
header or not. If the value is 1, TOS bits are copied otherwise not. By default TOS bits are not
copied from inner header to outer header. Some Internet Service Providers do not route the IP
packets properly if TOS bits are set to anything other than 0.

SET NVVPNENCAPS 0
Specifies type of UDP encapsulation method to use if there is a NAT device between phone and
the security gateway. By default UDP Encapsulation 4500-4500 is used.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 12 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
SET NVIKEID VPNPHONE
Phone uses this string as IKE Identifier during phase 1 negotiation. Some XAuth documentation
refer to this variable as group name because same IKE Id is shared among a group of user and
individual user authentication is done using XAuth after establishing IKE phase 1 security
association. The default value is "VPNPHONE".

SET NVIKEXCHGMODE 2
Specifies the exchange method to be used for IKE Phase 1.
1 Aggressive Mode (default)
2 Main Mode

SET NVIKEDHGRP 2
This variable contains the value of the DH group to use during phase 1 negotiation.
1 Diffie-Hellman Group 1
2 Diffie-Hellman Group 2 (default)
5 Diffie-Hellman Group 5
14 Diffie-Hellman Group 14
15 Diffie-Hellman Group 15

SET NVPFSDHGRP 2
This variable contains the value of the DH group to use during phase 2 negotiation for
establishing IPsec security associations also known as Perfect Forward Secrecy. By default PFS
is disabled.
0 No PFS (default)
1 Diffie-Hellman Group 1
2 Diffie-Hellman Group 2
5 Diffie-Hellman Group 5
14 Diffie-Hellman Group 14
15 Diffie-Hellman Group 15

SET NVIKEP1ENCALG 1
Security Gateway picks the algorithm mandated by administrator.
0 ANY
1 AES-128
2 3DES
3 DES
4 AES-192
5 AES-256
SET NVIKEP2ENCALG 1
Security Gateway picks the algorithm mandated by administrator.
0 ANY
1 AES-128
2 3DES
3 DES
4 AES-192
5 AES-256

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 13 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
SET NVIKEP1AUTHALG 2
0 ANY
1 MD5
2 SHA1
SET NVIKEP2AUTHALG 2
0 ANY
1 MD5
2 SHA1

SET TRUSTCERTS 96x1vpn_cert.cer

List of trusted certificates to download to phone. This parameter may contain one or more
certificate filenames, separated by commas without any intervening spaces. Files may contain
only PEM formatted certificates.

SET MYCERTKEYLEN 2048

Specifies the bit length of the public and private keys generated for the SCEP certificate request.
4 ASCII numeric digits, "1024" through "2048"; the default value is "1024".

SET MYCERTWAIT 0
Specifies whether the telephone will wait until a pending certificate request is complete, or
whether it will periodically check in the background.

SET MYCERTURL http://10.129.112.20/certsrv/mscep/mscep.dll

URI used to access SCEP server.

6.2. Upload Certificates to 96x1 IP Telephone

To upload the exported certificates to the 96x1 IP telephone the 46xxsettings file is used. The
96x1 IP telephone begins the uploading of the certificates to the IP telephone. The SCEP timeout
is displayed on the 96x1 IP telephone as the certificates are uploaded.

SCEP 10 secs

The 96x1 IP telephone has begun requesting the certificates from the Microsoft CA and will
continue requesting the certificate for 60 minutes until the certificate is issued.

The following screen is displayed on the 96x1 IP telephone.

SCEP Successful

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 14 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
7. Verification Steps
The following verification steps were tested using the sample configuration.

From Communication Manager, verify the IP telephones registered to Avaya Communication

Manager as shown below.

list registered-ip-stations

REGISTERED IP STATIONS

Station Ext Set Type/ Prod ID/ TCP Station IP Address/

or Orig Port Net Rgn Release Skt Gatekeeper IP Address
------------- --------- ---------- --- ---------------------------------------
2005 9640 IP_Phone y 10.129.113.50
1 3.105S 10.129.112.25
2006 9608 IP_Phone y 10.129.113.61
1 6.2313 10.129.112.25
2008 9641 IP_Phone y 10.129.112.57
1 6.2313 10.129.112.25
2009 9611 IP_Phone y 10.129.112.58
1 6.2313 10.129.112.25

Verify calls can be made with clear audio from an Avaya VPN telephone to a second VPN
telephone. The VPN telephone extension 2009 registered with IP Address 10.129.112.58 places a
call to VPN telephone extension 2008 registered with IP Address 10.129.112.57. Use status
station 2009 and go to page 4 to see Call Control Signaling.

status station 2009 Page 4 of 9

CALL CONTROL SIGNALING
Port: S00016 Switch-End IP Signaling Loc: PROCR H.245 Port:
IP Address Port Node Name Rgn
Switch-End: 10.129.112.25 1720 procr 1
Reg Set End:10.129.112.58 4063 1
Alt Set End:not applicable
H.245 Near:
H.245 Set:

Do the same for extension 2008.

status station 2008 Page 4 of 9

CALL CONTROL SIGNALING
Port: S00016 Switch-End IP Signaling Loc: PROCR H.245 Port:
IP Address Port Node Name Rgn
Switch-End: 10.129.112.25 1720 procr 1
Reg Set End:10.129.112.58 4063 1
Alt Set End:not applicable
H.245 Near:
H.245 Set:

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 15 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
8. Conclusion
These Application Notes describe the administration steps required to configure an Avaya 96x1
IP Telephone VPN feature for Certificate Authentication using Cisco Adaptive Appliance and
Microsoft Certificate Authority with Avaya Aura® Communication Manager.

9. Additional References
This section references the documentation relevant to these Application Notes.

For Avaya, additional product documentation is available at http://support.avaya.com.

1. VPN Setup Guide for 9600 Series IP Telephones Release 3.1 and 6.2, January 2013, Doc ID
16-602968
2. Administering Avaya Aura® Communication Manager, Release 6.2, Doc ID 03-300509,
Issue 7.0, February 2012
3. Administering Avaya Aura® Messaging, Release 6.2, September 2012, CID 156479

Avaya Application Notes

4. Configuring an IPSec Tunnel between Avaya 96xx Series IP Phones and the Cisco Adaptive
Security Appliance 5510
5. Configuring Avaya 9600 Series IP Telephone VPN feature for Certificate Authentication
using Cisco 5510 Adaptive Security Appliance and Microsoft Certificate Authority with
Avaya Aura™ Communication Manager
6. Configuring Microsoft Windows Server 2008 R2 Certificate Authority and Network Device
Enrollment Service with Simple Certificate Enrollment Protocol for use with Avaya 96x1 IP
Telephones in VPN Mode

Product documentation for Cisco products may be found at http://www.cisco.com

7. Cisco ASA Series CLI Configuration Guide, Software Version 9.0, Updated February 25,
2013
Product documentation for Microsoft products may be found at http://www.microsoft.com
8. Introducing Windows Server 2008 R2, by Charlie Russell and Craig Zacker with the
Windows Server Team at Microsoft, e-book published by Microsoft, 2010.
9. Windows Server 2008 and Windows Server 2008 R2, http://technet.microsoft.com/en-
us/library/dd349801(v=ws.10).aspx

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 16 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10. Appendix A - Configure Avaya Aura® Communication
Manager
This section describes the steps needed to configure Communication Manager to route and
receive calls over the SIP trunk to Session Manager to support calls between Communication
Manager and Avaya Aura® Messaging. While this configuration is needed to route calls within
an enterprise, there is no specific configuration in this section related to connecting the Avaya
96x1 IP telephones to the Cisco ASA via a VPN. These instructions assume the Avaya G430
Media Server is already configured on Communication Manager. For more information
describing these additional administration steps, see Section 9.

This section describes the administration of Communication Manager using a System Access
Terminal (SAT). Some administration screens have been abbreviated for clarity.

The following administration steps will be described:

Verify System Capacities and Licensing
Configure Trunk-to-Trunk Transfers
Configure IP Codec Set
Configure IP Network Region
Configure Node Names and IP Addresses
Configure SIP Signaling Groups and Trunk Groups
Configure Route Pattern
Administer Private Numbering Plan
Administer Dial Plan
Administer Uniform Dialplan
Add Coverage Path
Add Hunt Group
Save Translations

10.1. Verify System Capacities and Licensing

This section describes the procedures to verify the correct system capacities and licensing have
been configured. If there is insufficient capacity or if a required feature is not available, contact
an authorized Avaya sales representative to make the appropriate changes.

Step 1: Verify SIP Trunk Capacity is sufficient for the expected number of calls. Verify the
system is licensed to support IP Telephones.

On Page 2 of the display system-parameters customer-options command, verify an adequate

number of SIP Trunk Members are administered for the system as shown below.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 17 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
display system-parameters customer-options Page 2 of 11
OPTIONAL FEATURES
IP PORT CAPACITIES USED
Maximum Administered H.323 Trunks: 500 0
Maximum Concurrently Registered IP Stations: 2400 40
Maximum Administered Remote Office Trunks: 4000 0

Maximum Video Capable IP Softphones: 0 0

Maximum Administered SIP Trunks: 4000 20

Step 2: Verify AAR/ARS Routing features are Enabled on system.

To simplify the dialing plan for calls between telephony systems, verify the following AAR/ARS
features are enabled on the system.

On Page 3 of the display system-parameters customer-options command, verify the following

features are enabled.
ARS? Verify “y” is displayed.
ARS/AAR Partitioning? Verify “y” is displayed.
ARS/AAR Dialing without FAC? Verify “y” is displayed.

display system-parameters customer-options Page 3 of 11

OPTIONAL FEATURES

A/D Grp/Sys List Dialing Start at 01? n CAS Main? n

Answer Supervision by Call Classifier? n Change COR by FAC? n
ARS? y Computer Telephony Adjunct Links? y
ARS/AAR Partitioning? y Cvg Of Calls Redirected Off-net? y
ARS/AAR Dialing without FAC? y DCS (Basic)? y
ASAI Link Core Capabilities? y DCS Call Coverage? n
…

Step 3: Verify Private Networking feature is Enabled.

On Page 5 of the display system-parameters customer-options command, verify the Private

Networking feature is set to “y”.

display system-parameters customer-options Page 5 of 11

OPTIONAL FEATURES
Uniform Dialing Plan? y
Private Networking? y Usage Allocation Enhancements? y
Processor and System MSP? y
Processor Ethernet? y Wideband Switching? n
…

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 18 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.2. Configure Trunk-to-Trunk Transfers
Use the change system-parameters features command to enable trunk-to-trunk transfers. This
feature is needed when an incoming call to a SIP station is transferred to another SIP station. For
simplicity, the Trunk-to-Trunk Transfer field on Page 1 was set to “all” to enable all trunk-to-
trunk transfers on a system wide basis.

Note: Enabling this feature poses significant security risk by increasing the risk of toll fraud, and
must be used with caution. To minimize the risk, a COS could be defined to allow trunk-to-trunk
transfers for specific trunk group(s). For more information regarding how to configure Avaya
Communication Manager to minimize toll fraud, see Section 9.

change system-parameters features Page 1 of 19

FEATURE-RELATED SYSTEM PARAMETERS

Self Station Display Enabled? n

Trunk-to-Trunk Transfer: all
Automatic Callback with Called Party Queuing? n
Automatic Callback - No Answer Timeout Interval (rings): 3
…

10.3. Configure IP Codec Set

Use the change ip-codec-set n command where n is the number used to identify the codec set.

Enter the following values:

Audio Codec: Enter “G.711MU” and “G.729” as supported types.
Silence Suppression: Retain the default value “n”.
Frames Per Pkt: Enter “2”.
Packet Size (ms): Enter “20”.
Media Encryption: Enter the value based on the system requirement. For the
sample configuration, “none” was used.
change ip-codec-set 1 Page 1 of 2
IP Codec Set

Codec Set: 1

Audio Silence Frames Packet

Codec Suppression Per Pkt Size(ms)
1: G.711MU n 2 20
2: G.729 n 2 20

Media Encryption
1: none

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 19 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.4. Configure IP Network Region
Use the change ip-network-region n command where n is an available network region.

Enter the following values and use default values for remaining fields.
Authoritative Domain: Enter the correct SIP domain for the configuration.
For the sample configuration, “avaya.com” was used.
Name: Enter descriptive name.
Codec Set: Enter the number of the IP codec set configured in
Section 5.3.
Intra-region IP-IP Direct Audio: Enter “yes”.
Inter-region IP-IP Direct Audio: Enter “yes”.

change ip-network-region 1 Page 1 of 20

IP NETWORK REGION
Region: 1
Location: Authoritative Domain: avaya.com
Name: Main Network Region
MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes
Codec Set: 1 Inter-region IP-IP Direct Audio: yes
UDP Port Min: 2048 IP Audio Hairpinning? n
UDP Port Max: 3329
…

10.5. Configure Node Names and IP Addresses

Use the change node-names ip command to add the node-name and IP Addresses for the
“procr” interface on Avaya Communication Manager and the SIP signaling interface of Avaya
Session Manager, if not previously added.

In the sample configuration, the node-name of the SIP signaling interface for Avaya Session
Manager is “sm63-1” with an IP address of “10.129.112.17”.

change node-names ip Page 1 of 2

IP NODE NAMES
Name IP Address
sm63-1 10.129.112.17
default 0.0.0.0
procr 10.129.112.25

10.6. Configure SIP Signaling Groups and Trunk Groups

This section provides the configuration of SIP trunk between Avaya Communication Manager
and Avaya Session Manager. In the sample configuration, trunk group “10” and signaling group
“10” were used for connecting to Avaya Session Manager.

Step 1: Add Signaling Group for SIP Trunk

Use the add signaling-group n command, where n is an available signaling group number.
Enter the following values and use default values for remaining fields.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 20 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
 Group Type: Enter “sip”
IMS Enabled: Enter “n”
Transport Method: Enter “tls”
Peer Detection Enabled? Enter “y”.
Peer Server: Use default value.
Near-end Node Name: Enter “procr” node name from Section 10.5.
Far-end Node Name: Enter node name for the Avaya Session Manager
defined in Section 10.5.
Near-end Listen Port: Verify “5061” is used
Far-end Listen Port: Verify “5061” is used
Far-end Network Region: Enter network region defined in Section 10.4.
Far-end Domain: Enter domain name for Authoritative Domain
field defined in Section 10.4.
DTMF over IP: Verify “rtp-payload” is used
Direct IP-IP Audio Connections? Enter “y”
Direct IP-IP Early Media? Enter “y”

add signaling-group 10 Page 1 of 2

SIGNALING GROUP

Group Number: 10 Group Type: sip

IMS Enabled? n Transport Method: tls
Q-SIP? n
IP Video? n Priority Video? n Enforce SIPS
URI for SRTP? n
Peer Detection Enabled? y Peer Server: SM

Near-end Node Name: procr Far-end Node Name: sm63-1

Near-end Listen Port: 5061 Far-end Listen Port: 5061
Far-end Network Region: 1
Far-end Domain: avaya.com
Bypass If IP
Threshold Exceeded? n
Incoming Dialog Loopbacks: eliminate RFC 3389 Comfort
Noise? n
DTMF over IP: rtp-payload Direct IP-IP Audio Connections? y
Session Establishment Timer(min): 3 IP Audio Hairpinning? n
Enable Layer 3 Test? n Direct IP-IP Early Media? y
H.323 Station Outgoing Direct Media? n Alternate Route Timer(sec):

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 21 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
Step 2: Add SIP Trunk Group

Add the corresponding trunk group controlled by the signaling group defined in Step 1 using the
add trunk-group n command where n is an available trunk group number.

Enter the following values and use default values for remaining fields.
Group Type: Enter “sip”.
Group Name: Enter a descriptive name.
TAC: Enter an available trunk access code.
Direction: Enter “two-way”.
Outgoing Display? Enter “n”.
Service Type: Enter “tie”.
Signaling Group: Enter the number of the signaling group added in Step 1.
Number of Members: Enter the number of members in the SIP trunk (must be
within the limits for number of SIP trunks configured in
Section 10.1).

Note: once the add trunk-group command is completed, trunk members will be automatically
generated based on the value in the Number of Members field.

add trunk-group 10 Page 1 of 21

TRUNK GROUP

Group Number: 10 Group Type: sip CDR Reports: y

Group Name: SIP trunk to sm63-1 COR: 1 TN: 1 TAC: #10
Direction: two-way Outgoing Display? n
Dial Access? n Night Service:
Queue Length: 0
Service Type: tie Auth Code? n
Member Assignment Method: auto
Signaling Group: 10
Number of Members: 20

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 22 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
On Page 3, enter the following values and use default values for remaining fields.
Numbering Format Enter “private”.
Show ANSWERED BY on Display Enter “y”.

add trunk-group 10 Page 3 of 21

TRUNK FEATURES
ACA Assignment? n Measured: none
Maintenance Tests? y

Numbering Format: private

UUI Treatment: service-provider

Replace Restricted Numbers? n

Replace Unavailable Numbers? n

Show ANSWERED BY on Display? y

On Page 4, enter the following values and use default values for remaining fields.
Support Request History Enter “y”.
Telephone Event Payload Type Enter “101”.

add trunk-group 10 Page 4 of 21

PROTOCOL VARIATIONS

Mark Users as Phone? y

Prepend '+' to Calling Number? n
Send Transferring Party Information? n
Network Call Redirection? n
Send Diversion Header? n
Support Request History? y
Telephone Event Payload Type: 101

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 23 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.7. Configure Route Pattern
This section provides the configuration of the route pattern used in the sample configuration for
routing calls to stations supported by Cisco Unified Communications Manager.

Use change route-pattern n command where n is an available route pattern.

Enter the following values and use default values for remaining fields.
Grp No Enter a row for the trunk group defined in Section 10.6.
FRL Enter “0”.
Numbering Format Enter “lev0-pvt”.

In the sample configuration, route pattern “10” was created as shown below.

change route-pattern 10 Page 1 of 3

Pattern Number: 10 Pattern Name: to sm63-1
SCCAN? n Secure SIP? n
Grp FRL NPA Pfx Hop Toll No. Inserted DCS/ IXC
No Mrk Lmt List Del Digits QSIG
Dgts Intw
1: 10 0 n user
2: n user
3: n user
…

BCC VALUE TSC CA-TSC ITC BCIE Service/Feature PARM No. Numbering LAR
0 1 2 M 4 W Request Dgts Format
Subaddress
1: y y y y y n n rest lev0-pvt none
2: y y y y y n n rest none
3: y y y y y n n rest none
…

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 24 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.8. Administer Private Numbering Plan
Extension numbers used for SIP Users registered to Avaya Session Manager must be added to
either the private or public numbering table on Communication Manager. For the sample
configuration, private numbering was used and all extension numbers were unique within the
private network. However, in many customer networks, it may not be possible to define unique
extension numbers for all users within the private network.

Use the change private-numbering n command, where n is the length of the private number.

Fill in the indicated fields as shown below.

Ext Len: Enter length of extension numbers. In the sample configuration, “4”
was used.
Ext Code: Enter leading digit (s) from extension number. In the sample
configuration, “20” was used for stations on Communication
Manager.
Trk Grp(s): Enter trunk group defined in Section 10.6.
Private Prefix: Leave blank unless an enterprise canonical numbering scheme is
defined in Avaya Session Manager. If so, enter the appropriate
prefix.
Total Length: Enter “4”.

change private-numbering 11 Page 1 of 2

NUMBERING - PRIVATE FORMAT

Ext Ext Trk Private Total

Len Code Grp(s) Prefix Len
4 20 10 4 Total Administered: 2
4 90 10 4 Maximum Entries: 540

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 25 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.9. Administer Dial Plan
Use the change dialplan analysis command.

In the sample configuration, 4-digit extension numbers starting with “20” are used for stations
supported by Communication Manager.

Fill in the indicated fields as shown below and use default values for remaining fields.
Dialed String Enter digit pattern for extension numbers on Communication
Manager.
Total Length Enter length of extension numbers. For the sample configuration,
“4” was used.
Call Type Enter “ext”.

change dialplan analysis Page 1 of 12

DIAL PLAN ANALYSIS TABLE
Location: all Percent Full: 0

Dialed Total Call Dialed Total Call Dialed Total Call

String Length Type String Length Type String Length Type
20 4 ext
*8 2 fac
*9 2 fac
# 3 dac

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 26 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.10. Administer Uniform Dialplan
This section provides the configuration of the Uniform Dialplan pattern used in the sample
configuration for routing calls between the telephony systems.

Note: Other methods of routing may be used.

Use the change uniform-dialplan n command where n is the first digit of the number assigned
to a station supported by Communication Manager. In the sample configuration, the numbers on
Communication Manager start with digits “20”.

Fill in the indicated fields as shown below and use default values for remaining fields.

Matching Pattern Enter the number Communication Manager matches to dialed

numbers. Accepts up to seven digits.
Len Enter the number of user-dialed digits the system collects to match
to this Matching Pattern value.
Del Enter number of digits to delete before routing the call.
Net The server or switch network used to analyze the converted
number. The converted digit-string is routed either as an extension
number or through its converted AAR address, its converted ARS
address, or its ENP node number. In the sample configuration
“aar” was used.
Conv Enables or disables additional digit conversion.

change uniform-dialplan 1 Page 1 of 2

UNIFORM DIAL PLAN TABLE
Percent Full: 0

Matching Insert Node

Pattern Len Del Digits Net Conv Num
20 4 0 aar n

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 27 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
10.11. Add Coverage Path
A coverage path is a list of one to six alternate answering positions. The system sequentially
accesses the coverage points when the called party or the called group is unavailable to answer
the call. To add a coverage path for a voicemail hunt group:

add coverage path 1 Page 1 of 1

COVERAGE PATH

Coverage Path Number: 1

Cvg Enabled for VDN Route-To Party? n Hunt after Coverage? n
Next Path Number: Linkage

COVERAGE CRITERIA
Station/Group Status Inside Call Outside Call
Active? n n
Busy? y y
Don't Answer? y y Number of Rings: 2
All? n n
DND/SAC/Goto Cover? y y
Holiday Coverage? n n

COVERAGE POINTS
Terminate to Coverage Pts. with Bridged Appearances? n
Point1: h99 Rng: Point2:
Point3: Point4:
Point5: Point6:

10.12. Add Hunt Group

To add a hunt group for voicemail:
add hunt-group 99 Page 1 of 60
HUNT GROUP
Group Number: 99 ACD? n
Group Name: voicemail Queue? n
Group Extension: 2900 Vector? n
Group Type: ucd-mia Coverage Path:
TN: 1 Night Service Destination:
COR: 1 MM Early Answer? n
Security Code: Local Agent Preference? n
ISDN/SIP Caller Display:

10.13. Save Translations

Configuration of Communication Manager Evolution Server is complete. Use the save
translation command to save these changes.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 28 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
Note: After making a change on Communication Manager which alters the dial plan or
numbering plan, synchronization between Communication Manager and System Manager must
be completed and SIP telephones must be re-registered.

See Section 11.7 for more information on how to perform an on-demand synchronization.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 29 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11. Appendix B - Configure Avaya Aura® Session Manager
This section describes the procedures for configuring Avaya Aura® Session Manager to route
calls to/from Communication Manager. While this configuration is needed to route calls within
an enterprise, there is no specific configuration in this section related to connecting the Avaya
96x1 IP telephones to the Cisco ASA via a VPN.

These instructions assume other administration activities have already been completed such as
defining SIP entities for Session Manager, defining the network connection between System
Manager and Session Manager and defining SIP users. For more information on these additional
actions, see Section 9.

The following administration activities will be described:

Define SIP Domains
Define Locations
Define SIP Entities
Define Entity Links
Define Routing Policies
Define Dial Pattern
Synchronize Changes with Avaya Aura® Communication Manager

Note: Some administration screens have been abbreviated for clarity.

Configuration is accomplished by accessing the browser-based GUI of Avaya Aura® System

Manager, using the URL “http://<ip-address>/SMGR”, where “<ip-address>” is the IP
address of Avaya Aura® System Manager. Log in with the appropriate credentials.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 30 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.1. Define SIP Domains
Expand Elements  Routing and select Domains from the left navigation menu.

Click New (not shown). Enter the following values and use default values for remaining fields.
Name Enter the Authoritative Domain Name specified in Section 10.4.
For the sample configuration, “avaya.com” was used.
Type Select “sip” from drop-down menu.
Notes Add a brief description. [Optional].

Click Commit to save. The screen below shows the SIP Domain defined for the sample
configuration.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 31 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.2. Define Locations
Locations are used to identify logical and/or physical locations where SIP Entities or SIP
endpoints reside, for purposes of bandwidth management or location-based routing.

Expand Elements  Routing and select Locations. Click New (not shown).

In the General section, enter the following values and use default values for remaining fields.
Name: Enter a descriptive name for the location.
Notes: Add a brief description. [Optional].

In the Location Pattern section, click Add and enter the following values.
IP Address Pattern Enter the logical pattern used to identify the location.
For the sample configuration, “10.129.112.79” was used.
Notes Add a brief description. [Optional]

Click Commit to save. The screen on the next page shows the Location used for the CM
system in the sample configuration.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 32 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 33 of 52
SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.3. Define SIP Entities
A SIP Entity must be added for each telephony system connected over a SIP trunk to Avaya
Session Manager.

Expand Elements  Routing and select SIP Entities from the left navigation menu.

Click New (not shown). In the General section, enter the following values and use default values
for remaining fields to define a SIP Entity for CM system.
Name: Enter an identifier for new SIP Entity.
FQDN or IP Address: Enter IP address of CM system.
Type: Select “CM”.
Location: Select Location defined in Section 11.2.
Time Zone: Select appropriate time zone.
Notes: Enter a brief description. [Optional].

In the SIP Link Monitoring section:

SIP Link Monitoring: Select “Use Session Manager Configuration”.

Click Commit to save SIP Entity definition. The following screen shows the SIP Entity
defined for the Cisco Unified Communications Manager system.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 34 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.4. Define Entity Links
A SIP trunk between Avaya Session Manager and each telephony system is described by an
Entity Link.

To add an Entity Link, expand Elements  Routing and select Entity Links from the left
navigation menu.

Click New (not shown). Enter the following values.

Name Enter an identifier for the link to CM system.
SIP Entity 1 Select SIP Entity defined for Avaya Session Manager.
SIP Entity 2 Select the SIP Entity defined in Section 11.3 for
Communication Manager.
Protocol After selecting both SIP Entities, select “TCP” as the
required protocol.
Port Verify Port for both SIP entities is “5061”.
Connection Policy Select Trusted.
Notes Enter a brief description. [Optional].

Click Commit to save Entity Link definition.

The following screen shows the Entity Link defined between Session Manager and
Communication Manager.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 35 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.5. Define Routing Policies
Routing policies describe the conditions under which calls will be routed to the SIP Entities
specified in Section 11.4. A routing policy must be added for Communication Manager.

To add a routing policy, expand Elements  Routing and select Routing Policies.

Click New (not shown). In the General section, enter the following values.
Name: Enter an identifier for policy being added for CM system.
Disabled: Leave unchecked.
Notes: Enter a brief description. [Optional].

In the SIP Entity as Destination section, click Select. The SIP Entity List page opens (not
shown).
Select the SIP Entity defined for CM system in Section 11.3 and click Select.
The selected SIP Entity displays on the Routing Policy Details page.

Use default values for remaining fields. Click Commit to save Routing Policy definition.

Note: the routing policy defined in this section is an example and was used in the sample
configuration. Other routing policies may be appropriate for different customer networks.

The following screen shows the Routing Policy defined in the sample configuration for routing
calls to CM system.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 36 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.6. Define Dial Pattern
Define dial patterns to direct calls to the appropriate telephony system. In the sample
configuration, 4-digit extensions beginning with “20” reside on Communication Manager.

To define a dial pattern, expand Elements  Routing and select Dial Patterns.

Click New (not shown). In the General section, enter the following values and use default values
for remaining fields.
Pattern: Enter the dial pattern associated Communication Manager
system.
Min: Enter the minimum number digits that must to be dialed.
Max: Enter the maximum number digits that may be dialed.
SIP Domain: Select the SIP Domain from drop-down menu or select “ALL”
if Avaya Session Manager should accept incoming calls from
all SIP domains.
Notes: Enter a brief description. [Optional].

In the Originating Locations and Routing Policies section, click Add.

The Originating Locations and Routing Policy List page opens (not shown).
In Originating Locations table, select “ALL” .
In Routing Policies table, select the appropriate Routing Policy defined for CM
system in Section 11.5.
Click Select to save these changes and return to Dial Patterns Details page.
Click Commit to save the new definition. The following screen shows the Dial Pattern
defined for routing calls to CM.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 37 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
11.7. Synchronize Changes with Avaya Aura® Communication
Manager
If changes are made on Communication Manager which alters the dial plan or numbering plan,
perform on-demand synchronization to synchronize the data between System Manager and
Communication Manager.

Expand Elements  Inventory  Synchronization and select Communication System.

On the Synchronize CM Data and Configure Options page, expand the Synchronize CM
Data/Launch Element Cut Through table and select the row associated with Avaya
Communication Manager as shown below.

Click to select Incremental Sync data for selected devices option. Click Now to start the
synchronization.

Use the Refresh button in the table header to verify status of the synchronization.

Verify synchronization successfully completes by verifying the status in the Sync. Status
column is “Completed”.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 38 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
12. Appendix C - Configure Avaya Aura® Messaging
Messaging was configured for SIP communication with Session Manager and also to add
Communication Manager Subscribers. The procedures include the following areas:
Configure Sites
Configure Telephony Integration
Configure Dial Rules
Configure Class of Service
Configure Subscribers
Please note that while this configuration is needed to route calls within an enterprise, there is no
specific configuration in this section related to connecting the Avaya 96x1 IP telephones to the
Cisco ASA via a VPN.

See references in Section 9 for standard installation and configuration information. General
knowledge of the configuration tools and interfaces is assumed.

12.1. Configure Sites

A Messaging Access number and a Messaging Auto Attendant number needs to be defined. Log into
the Avaya Aura Messaging System Management Interface (SMI) and go to Administration
Messaging  Messaging System (Storage)  Sites.

For the Default Site, in the right panel, fill in the following:
Internal Messaging access number Enter internal messaging access number
External Messaging access number Enter external messaging access number

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 39 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
12.2. Configure Telephony Integration
A SIP trunk needs to be configured from Messaging to Avaya Session Manager. Log into the
Messaging System Management Interface (SMI) and go to Administration  Messaging 
Telephony Settings (Application)  Telephony Integration. In the right panel fill in the
following:

Under Basic Configuration:

Switch Integration Type: SIP

Under SIP Specific Configuration:

Transport Method: “TCP”
Connection 1: Enter the Session Manager signalling IP address and
TCP port number
Messaging Address Enter the Messaging IP address and TCP port number
SIP Domain Enter the Messaging and Session Manager domain
names

Click Save to save changes. See below.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 40 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
12.3. Configure Dial Rules
Navigate to Administration Messaging  Server Settings (Application)  Dial Rules to configure
the dial rules. Set the Dial plan handling style: Site definition based, as shown below.

Next select the Edit Dial-Out Rules button to verify the appropriate parameters for outbound
dialling from Avaya Aura® Messaging were set above. These dial rules help Avaya Aura®
Messaging send the correct number and combination of digits when originating a call to Avaya
Communication Manager, whether the call is destined for another extension or ultimately expected to
be routed to the PSTN. For the sample configuration, 4-digit extensions were used on Avaya
Communication Manager so any time Avaya Aura® Messaging originates a call to an extension it
should send the 4-digit number and not attempt to insert or delete any digits.

Scroll down to the section titled Dial-out Test Numbers. As shown below the number 2001 is
treated as an internal number and is dialed intact, whereas the test number 408-555-7086 is
treated as a long-distance national number which requires a 9 prefixed as an access code.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 41 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
12.4. Configure Class of Service
Verify Messaging Waiting is enabled for all subscribers.
Use Administration  Messaging  Messaging System (Storage)  Class of Service.
Select Standard from the Class of Service drop-down menu.
Under General section, enter the following value and use default values for remaining fields.
Dial-out privilege: Long Distance.
Set Message Waiting Indicator (MWI) on user’s desk phone: Checked.

Under Greetings section, Select Personal and optional greetings

Click Save (not shown) to save changes. The following screen shows the settings defined for the
“Standard” Class of Service in the test configuration.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 42 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
12.5. Configure Subscribers
Log into the Messaging System Management Interface (SMI) and go to Administration
Messaging. In the left panel, under Messaging System (Storage) select User Management. In
the right panel fill in the following:
First Name Enter first name
Last Name Enter last name
Display Name Enter display name
ASCII name Enter the ASCII name
Site Enter site defined in Section 12.1
Mailbox Number Enter desired mailbox number i.e. “2005”
Internal identifier Enter the name for internal use
Numeric address Enter the mailbox number
Extension Enter desired extension number i.e. “2005”
Class of Service Select a Class of Service
MWI Enabled Select “Yes” to enable the MWI light on phones
New Password/Confirm Password Enter desired extension password
Next logon password change Select the Checkbox

Click Save to save changes. See next page.

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 43 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 44 of 52
SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
Appendix D - Configuration of the Cisco Adaptive Security
Appliance 5510
Appendix D contains the complete configuration for the Cisco 5510 Adaptive Security
Appliance. The ASA 5510 was configured from the CLI.

ASA Version 9.0(2)

!
hostname ciscoasa
domain-name avaya.com
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool vpnphone-ip-pool 10.129.112.56-10.129.112.62 mask 255.255.255.248
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.145.131.1 255.255.255.0
!
interface Ethernet0/1
description VLAN 3000
nameif inside
security-level 100
ip address 10.129.112.52 255.255.255.192
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 45 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
 no ip address
!
interface Management0/0
description VLAN 3001
management-only
nameif management
security-level 100
ip address 10.129.112.82 255.255.255.224
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone MST -6
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.129.112.20
domain-name avaya.com
same-security-traffic permit intra-interface
object network obj-10.129.112.56
subnet 10.129.112.56 255.255.255.248
access-list SYSTEM_DEFAULT_CRYPTO_MAP standard permit 192.145.131.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.129.112.56 255.255.255.248
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any management
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static obj-10.129.112.56 obj-10.129.112.56 no-
proxy-arp
route outside 0.0.0.0 0.0.0.0 192.145.131.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 46 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
http server enable
http 10.129.112.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set
ESP-AES-128-SHA
crypto dynamic-map inside_nat0_outbound 65535 set pfs
crypto dynamic-map inside_nat0_outbound 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASA5510-trust
enrollment retry period 5
enrollment retry count 3
enrollment url http://10.129.112.20:80/certsrv/mscep/mscep.dll
fqdn ciscoasa.avaya.com
password *
keypair ASA-RSA-Key
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASA5510-trust
certificate 14f8930500000000004c
308205cd 308204b5 a0030201 02020a14 f8930500 00000000 4c300d06 092a8648
86f70d01 01050500 30643113 3011060a 09922689 93f22c64 01191603 636f6d31
15301306 0a099226 8993f22c 64011916 05617661 79613118 3016060a 09922689
93f22c64 01191608 61766179 6173696c 311c301a 06035504 03131361 76617961
73696c2d 57494e44 4e53302d 4341301e 170d3133 30343138 32313030 35395a17
0d313530 34313832 31313035 395a3023 3121301f 06092a86 4886f70d 01090213
12636973 636f6173 612e6176 6179612e 636f6d30 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 e9b9e821 c903a3fd f1880484
da20e61e a268ba50 b438ae83 c41a62e0 e431ff74 b443a93c 236f4cce 0f7aa0b2
b1820dc1 67ed7482 7e11cb84 ef6b44c3 08e9a7c0 9ae28ff2 d26b5e6a ac38e5cd
671f14d6 314ef2a8 ab8bacb4 67b1f530 069632fc f94ce99e cdb49835 b2c833b5
5214d08d 07cad477 3a663ba5 2ec2094e 86afe499 46ad79b9 0c4bc154 2a81a6bd
64065589 e63223e1 f5cf88d6 8be83887 4abd251f f01ee7df e1ea8790 1e3dff87
5876e7f2 9d706f2c 150a8d0c 69418443 87d74997 7170a0f2 3941e71b e2f9649e
14a5d2a0 36c36ef8 cd815ee0 21d547ea 80092348 2e76bdfb 1b24aab1 3bc25673
29445779 0957afc1 5861785f b8909a16 2aee5e9b 02030100 01a38202 c0308202
bc300e06 03551d0f 0101ff04 04030205 a0301d06 03551d11 04163014 82126369
73636f61 73612e61 76617961 2e636f6d 301d0603 551d0e04 1604144f 6e3f94b3

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 47 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
 9752b1b6 60666e94 3ab7c8dd a4784a30 1f060355 1d230418 30168014 04959f26
19134522 c0697e5d b979475a 1286151f 3081db06 03551d1f 0481d330 81d03081
cda081ca a081c786 81c46c64 61703a2f 2f2f434e 3d617661 79617369 6c2d5749
4e444e53 302d4341 2c434e3d 77696e64 6e73302c 434e3d43 44502c43 4e3d5075
626c6963 2532304b 65792532 30536572 76696365 732c434e 3d536572 76696365
732c434e 3d436f6e 66696775 72617469 6f6e2c44 433d6176 61796173 696c2c44
433d6176 6179612c 44433d63 6f6d3f63 65727469 66696361 74655265 766f6361
74696f6e 4c697374 3f626173 653f6f62 6a656374 436c6173 733d6352 4c446973
74726962 7574696f 6e506f69 6e743081 cf06082b 06010505 07010104 81c23081
bf3081bc 06082b06 01050507 30028681 af6c6461 703a2f2f 2f434e3d 61766179
6173696c 2d57494e 444e5330 2d43412c 434e3d41 49412c43 4e3d5075 626c6963
2532304b 65792532 30536572 76696365 732c434e 3d536572 76696365 732c434e
3d436f6e 66696775 72617469 6f6e2c44 433d6176 61796173 696c2c44 433d6176
6179612c 44433d63 6f6d3f63 41436572 74696669 63617465 3f626173 653f6f62
6a656374 436c6173 733d6365 72746966 69636174 696f6e41 7574686f 72697479
303d0609 2b060104 01823715 07043030 2e06262b 06010401 82371508 85e8ce2f
84d7af5c 85c9830b 8485c90d 839f984f 0d81bbdc 208590a9 35020164 02010430
27060355 1d250420 301e0608 2b060105 05070301 06082b06 01050508 02020608
2b060105 05070302 30330609 2b060104 01823715 0a042630 24300a06 082b0601
05050703 01300a06 082b0601 05050802 02300a06 082b0601 05050703 02300d06
092a8648 86f70d01 01050500 03820101 00ca6e17 de745b27 c1333d8b fd853312
7226fca8 30b70aa4 ed72a676 47d2acbc 669d220d b313bb57 87b29561 d747095f
fd65e653 e223f05a 4d68a2d5 6dd5fab9 f6e8b78d 98849f0d 1d82fafa e3b0d6fc
a7c0b78d f39a21d9 a862ef18 01fbbe41 0243903e 36a968a0 fe6a9763 c7677c06
b71bb7d4 5919878e e0913875 97fb07fe 9049dfc8 467e3795 1e19dc90 5bc12e1b
a650391b c762539d f5d7eda3 9be05f7e 502081b9 51219919 43e0881e 22249e22
ef4f393d 5bc9e46b 9d79dba1 38921b92 2eac6dd2 ce8edd20 51cc1989 b4ee54c8
8d32e3b4 06ea23e1 f1cc8783 35d8e01e 84ca321b 84c256f8 6e945373 773d92b9
5fe50094 a654ee94 d3646031 485f550a 74
quit
certificate ca 22adfd0c11bd03a945f4324e1d3bd43b
308203a3 3082028b a0030201 02021022 adfd0c11 bd03a945 f4324e1d 3bd43b30
0d06092a 864886f7 0d010105 05003064 31133011 060a0992 268993f2 2c640119
1603636f 6d311530 13060a09 92268993 f22c6401 19160561 76617961 31183016
060a0992 268993f2 2c640119 16086176 61796173 696c311c 301a0603 55040313
13617661 79617369 6c2d5749 4e444e53 302d4341 301e170d 31333034 31313134
32343031 5a170d31 38303431 31313433 3430305a 30643113 3011060a 09922689
93f22c64 01191603 636f6d31 15301306 0a099226 8993f22c 64011916 05617661
79613118 3016060a 09922689 93f22c64 01191608 61766179 6173696c 311c301a
06035504 03131361 76617961 73696c2d 57494e44 4e53302d 43413082 0122300d
06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100cd fee44235
4fbadc5e c5b2a0a8 c4c7082b 2fa7052c c68b3719 027bc06a 64484abb b00458d3
445c7f07 48f8ae27 c2e7391e ec0cd69b 18512d7e d872cb33 44a3f46f d44ad638
09b93f9d d5adec52 04a95fb3 4882fa3d 2c645036 6ad107ec 283f64ef 11014bb7
e0c5d4e0 40bb9b0d 6742d06c 67668f80 a90abb54 27662433 d284ec66 cbc286d5
b8bbafbb ba833285 f81b2a48 2755b62f b8e1ce0e 62ac8066 2fc064b9 1c03d721

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 48 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
 2f68dc70 42badfb6 5d89468c edab9732 977996fe e3032b28 5cd1de67 c56032a0
ba210725 dd106d27 e3c9d183 142e4ac9 0ddfaa11 9a0fb53c ef09e29a b402afc4
c8b17418 2debf421 8f785f3d ec9fc0c3 80f6e2e4 05c6d14d 731bd302 03010001
a351304f 300b0603 551d0f04 04030201 86300f06 03551d13 0101ff04 05300301
01ff301d 0603551d 0e041604 1404959f 26191345 22c0697e 5db97947 5a128615
1f301006 092b0601 04018237 15010403 02010030 0d06092a 864886f7 0d010105
05000382 01010056 7e522219 c427451a 505dc249 0440a765 fcba33bd 56441010
486023aa 53379fd1 10069e5d 004766c4 c3149e03 bf44cd79 425ced4e 89e4a549
69cba47a ee02d845 4d07819a 3944ce69 668dbcb9 edb69a08 7a40a0d1 1aa9b105
08779bee a89a66b3 c41472b8 31ea80d5 ea24f87c a132c3e5 a4d9d334 1b834b65
b7f9a3b6 07e4f4fc 51ec1408 fe4ab466 f72862c3 c11e1033 b7a54bce 86e12acf
7005129a d573da5e 2a80fdec 8529c96d 3db51771 3046cf89 97c82aed a9d41504
b28e066a f01e53e6 64d1f719 f031c5a9 2be40093 ed320a9b 4fbf50e0 7313f971
2cc71e98 6d73f4c1 d89d5ebc 1ba4fb41 81f56258 89f81057 06a02894 91f85b79
b5353c69 5a04c8
quit
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.129.112.30
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 3
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
anyconnect ssl keepalive none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression deflate
customization value DfltCustomization
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 10.129.112.70
vpn-tunnel-protocol ikev1

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 49 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
 default-domain value avaya.com
username 1adgjm password kBMTfTmCWSZ4t1CY encrypted
username 1adgjm attributes
vpn-group-policy VPNPHONE
username 123456 password P8dZ7nOjjJPDoTgI encrypted
username 123456 attributes
vpn-group-policy VPNPHONE
username sil password 6bUugr4eBousoqAg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpnphone-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
peer-id-validate nocheck
ikev1 trust-point ASA5510-trust
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
ikev1 trust-point ASA5510-trust
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 50 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a990d7efb553df3a7babbba30c2a8c45
: end

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 51 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA
©2013 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and
™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks
are the property of their respective owners. The information provided in these Application
Notes is subject to change without notice. The configurations, technical data, and
recommendations provided in these Application Notes are believed to be accurate and
dependable, but are presented without express or implied warranty. Users are responsible for
their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at [email protected]

RKD; Reviewed: Solution & Interoperability Test Lab Application Notes 52 of 52

SPOC 6/24/2013 ©2013 Avaya Inc. All Rights Reserved. 96x1VPNSCEPASA