Solved: Ask the Expert: Cisco Unified Border Element (UBE) Enterprise - Page 3

ciscomoderator · ‎12-07-2012

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to and ask questions about how to design and troubleshoot Cisco Unified Border Element (UBE) for the enterprise with Cisco expert Robin Cai. You can ask questions on how UBE works in different call scenarios, including normal calls, hold/resume, call transfer, call forwarding, as well as best practices.

Robin Cai is a senior customer support engineer in the Cisco Technical Assistance Center in Sydney. His current role includes configuring, troubleshooting and designing Cisco Unified Border Element Enterprise and Service Provider, voice gateways, and Cisco Unified Communications Manager. He has in-depth knowledge of Cisco and industry signaling protocols. He has more than 11 years of experience working in the telecommunication industry. Previously at Cisco he was a senior software test engineer at the China Research & Development Centre in Shanghai. Before joining Cisco, he worked for UTStarcom as a field support engineer and for Huawei Technologies as a software development engineer. Cai holds a bachelor's degree in computer science from Nanjing University of Science & Technology. He also holds CCIE certification (#26037) in Voice and Routing & Switching.

Remember to use the rating system to let Robin know if you have received an adequate response to your technical support question.

Robin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice and Video sub-community discussion forum shortly after the event. This event lasts through December 21, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

Zhiping Cai · ‎12-15-2012

Hi Aokanlawon,

Thanks for your question.

I assume you mean the MTP in CUCM SIP trunk configuration and the INVITE was sent from CUCM to CUBE. In UCCX/UCCE environment, when the call is being on hold or transferred to agent/IVR, UCCX/CUCM will send RE-INVITE to update the media few times; when the call finally reaches an agent, they will send UPDATE with Remote-Party-ID/P-Asserted-Identity header to update the caller on information of connected party.

In your case, if there is no MTP, the media path is between CUBE and agent or media server. When media changes, CUCM has to update it by sending RE-INVITE to CUBE. If MTP is involved, CUCM keeps the media leg between MTP and CUBE from beginning to end; when necessary, it just updates another leg of MTP between MTP and agent. However UPDATE messages which does not include any SDP, usually has to be passed from end to end.

If you could provide more details as well as debug logs for these two scenarios, I can help to have a look and verify that.

Please let me know if you have any further questions.

Thanks,

Robin

Ayodeji Okanlawon · ‎12-17-2012

Thanks Robin, This is exactly what I was looking for.

Please rate all useful posts

"'Nature is too thin a screen, the glory of the omnipresent God bursts through it everywhere"-Ralph Waldo Emerson

Please rate all useful posts

chrysostomos1980 · ‎12-15-2012

Robin hi

The current GW has already communication with the cucm as is acting as h323 GW.. So no issues with that.
Second the outgoing calls through sip are fine so the sip trunk is fine also

Any suggestions?

Sent from Cisco Technical Support iPhone App

Please rate all useful posts Regards Chrysostomos ""The Most Successful People Are Those Who Are Good At Plan B""

Zhiping Cai · ‎12-15-2012

Hi Chrys,

Also I find you have outbound proxy configured under voice service sip, however I don't think proxy is needed for CUBE to communicate with CUCM. Please modify dial-peer 889 as below:

dial-peer voice 889 voip

no voice-class sip outbound-proxy

Let's see how it goes.

Thanks,

Robin

chrysostomos1980 · ‎12-19-2012

Hi Robin

You are 100% correct

With no voice-class sip outbound-proxy in dial peer 889 then incomig worked perfect

1000000 thank you

Regards

Please rate all useful posts Regards Chrysostomos ""The Most Successful People Are Those Who Are Good At Plan B""

Juan Carlos Strassen · ‎12-18-2012

Hello Robin,

I wonder if an MTP is needed when using CUBE with CUCM. Can you let me know?

Thank you.

- Juan Carlos

Zhiping Cai · ‎12-18-2012

Hi Juan Carlos,

Thanks for your question.

Usually in this setup MTP is not needed, as both inbound and outbound call should work without MTP in mose cases. However MTP might be used and needed in some cases, for example, if we need CUCM to do Early Offer (SDP being included in first INVITE sent from CUCM); or if we need to MTP to do DTMF conversion between RTP-NTE and inband.

Please let me know if it answers your question.

Thanks and regards,

Robin

James Hawkins · ‎12-19-2012

Hi Robin,

I am hoping that you can help me with some security questions for SIP trunks. I have configured CUBE on a 2900 ISR to link to an Internet Telephony Service Provider and want to make sure that it is secure.

I have connected Gi0/0 to an inside VLAN and Gi0/1 to the public Internet with a registered address.

So far for security I have set the ip trusted address list feature to include just the CUCM server and the IP address of the SIP provider

voice service voip

ip address trusted list

ipv4 10.1.1.11 255.255.255.255 <-------------- CUCM server 1

ipv4 222.222.222.222 255.255.255.255 <-------------- ITSP SIP server

address-hiding

mode border-element

I also have set an ACL to limit inbound connections from the Internet to SIP signalling and media traffic from the ITSP server

interface GigabitEthernet0/0

description CUBE Inside Interface

ip address 10.3.1.4.11 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

description CUBE Outside Interface

ip address 111.111.111.111 255.255.255.255

ip access-group SIP-Inbound in

no ip unreachables

no ip proxy-arp

!

ip access-list extended SIP-Inbound

permit udp host 222.222.222.222 host 111.111.111.111 eq 5060

permit udp host 222.222.222.222 host 111.111.111.111 range 6000 40000

deny ip any any log

!

I also set the call spike feature

!

call spike 5

!

I also limit the number of connections on the SIP ITSP dial peer

dial-peer voice 100 voip

description Outbound SIP calls

max-conn 40

destination-pattern .T

session protocol sipv2

session target ipv4:222.222.222

voice-class codec 1

voice-class sip privacy-policy passthru

voice-class sip early-offer forced

!

Note that the ITSP does not offer SIP registration by username/password or any form of encryption.

Is the above configuration secure or do I need to deploy a firewall in front of the CUBE?

If I should use a firewall this could be challenging as the customer uses Watchguard firewalls and I would have to move the outside interface of the CUBE to the WatchGuard DMZ. Hosts in the DMZ use private addresses so the Watchguard would be doing NAT which I guess could be tricky.

Are there any other forewall options you would recommend? e.g.

IOS Firewall - could I just enable this on the CUBE and get it to do SIP inspection? - I have been trying to find a sample config for this without success.
ASA Transparent firewall - deploy one of these as a bump in the wire between the CUBE and the ISP router.

Is there any value in configuring stateful inspection on firewalls for SIP or does this just replicate what the CUBE itself does?

I am also interested in other security features that could be enabled. What would you recommend I configure?

Thanks

James