
Basic CUBE Question

kpstross
Level 1

Sorry if this is a dumb question.  Since CUBE is an SBC, should inbound calls arrive on one interface and outbound calls go out on another?  That is to say, shouldn't one interface be in the DMZ facing the PSTN and the other on the corporate LAN?  I've been through all of the configuration documentation and I can't find anything that details this.


Mark Turpin
Level 5

You do not need multiple interfaces. You will need an inbound voip dial peer and outbound VoIP dial peer.

Take a look at the following for an example config.

http://www.cisco.com/en/US/products/sw/voicesw/ps5640/products_configuration_example09186a00808ead0f.shtml

Hope this helps!

Sent from Cisco Technical Support iPad App

--
-Mark Turpin

But an SBC should sit at the edge of the private LAN, separating and securing it from the public network.  Is that not the function of CUBE?

I would not use a CUBE alone to be the security point if you are trying to stay very tight with security.  I think you would be more interested in this document as it pertains to security for CUBE.

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps5640/white_paper_c11-613550_ps10536_Products_White_Paper.html

Check out the section about Security Recommendations and consider which might apply to your needs.  However, I would advise you to consider using an ASA doing SIP inspection in front of the CUBE instead of using the CUBE's security features alone.

--
-Mark Turpin


Let me provide a little history and thereby (hopefully) simplify my question.  Our CUBEs are lab systems only; they were bought to emulate a customer environment for test purposes.  The customer uses them as I have described, as an edge device (I'm sure they have more for their security, but this is part of it).  What we would like to do is have SIP calls enter the CUBE on one interface and egress on another, with each interface being in a separate segment of our network.  Is that possible?  If so, can you offer an example of how that is accomplished?

That is most definitely possible. Just configure the different interfaces and route the appropriate networks out on these. Then set up dial peers to point at a destination IP that egresses out of each interface.

There is no magic to setting up routing of VoIP traffic; it's just like any other type of IP traffic. The only difference is the dial peer part, but that's just like any other VGW with voice cards; it's very much alike when you configure a CUBE. Remember that a CUBE is only a VGW without voice cards.

There are good examples of how to set up CUBE on Cisco.com. I suggest that you start there and then come back here if you get stuck.

Best of luck!

Please rate useful posts.

Sent from Cisco Technical Support iPhone App





I've been through all of the CUBE SIP docs that I can find on Cisco.com, and I have not found any that speak to this specific scenario (ingress on one interface, egress on another).  I have both interfaces configured and up, and inbound and outbound dial-peers, but calls are coming in and going out on the same interface.  What's the magic bit to make them transition to the other interface?

That's just IP routing, not CUBE.

You simply need to route traffic, with ip route statements or with your dynamic routing protocol, out the interface you want it to go.

--
-Mark Turpin


How do we specify the interface that we want to use?

Paste your config and we can help

But basically we are going to solve this with routing, so if you're using DNS for your destinations please include their IPs, and if using a dynamic routing protocol, please include a show ip route.

Thanks!

Sent from Cisco Technical Support iPad App

--
-Mark Turpin

Current configuration : 2346 bytes
!
! Last configuration change at 15:42:56 UTC Wed Sep 19 2012 by cubea
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname cubea
!
boot-start-marker
boot system flash:/asr1001-universalk9.03.07.00b.S.152-4.S0b.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable password telecom
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default if-needed local
!
aaa session-id common
!
ip domain name genesyslab.com
ip name-server 192.168.20.134
ip name-server 192.168.20.167
!
multilink bundle-name authenticated
!
voice service voip
 address-hiding
 allow-connections sip to sip
 sip
  header-passing sip-sip
  error-passthru
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 3 g723r63
 codec preference 4 g729r8
 codec preference 5 g729br8
!
username cubea password 0 telecom
!
redundancy
 mode none
!
ip tftp source-interface GigabitEthernet0
!
interface GigabitEthernet0/0/0
 ip address 192.168.6.243 255.255.255.0
 ip route-cache same-interface
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 135.17.64.11 255.255.255.0
 ip route-cache same-interface
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.6.246 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route profile
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 135.17.64.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.6.1
!
control-plane
!
dial-peer voice 1 voip
 description Incoming SIP Dial-Peer
 incoming called-number ....
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 163 voip
 tone ringback alert-no-PI
 description Outgoing Test to Ken
 destination-pattern 163.
 session protocol sipv2
 session target ipv4:192.168.18.20
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
sip-ua
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password telecom
!
end

Let's say you have these networks and nodes.

Outside

Interface 1 IP: 10.10.10.2

Mask: 255.255.255.252

IPT GW IP: 10.10.10.1

IPT SIP IP: 10.0.0.1

Inside

Interface 2 IP: 192.168.0.20

Mask: 255.255.255.0

GW IP: 192.168.0.254

CUCM IP: 192.168.0.100

Route all internal traffic to 192.168.0.254 and outside traffic to 10.10.10.1.

Set up a dial peer that matches internal DNs and points the session target to the CUCM IP.

Set up another dial peer, or more than one if needed, that matches all external calls and points the session target to the IPT SIP IP.

Both of these will be considered as outgoing dial peers. You should also have at least one dial peer that is used to match in the incoming direction.

I recommend that you use SIP as the protocol on both ends. To the IPT you have no choice, but to the CUCM you have the option to use SIP or H.323.

Please rate useful posts.

Sent from Cisco Technical Support iPhone App





Sorry if I'm being lame here, but what ties the Session Target to a specific interface?

Currently we have interface 0 = 192.168.6.243 and interface 1 = 135.17.64.11.  PSTN calls come from our gateway via SIP to interface 0 and then route to our SIP proxy, but they go back out interface 0.  How can we get them to go out interface 1?

There are some fundamental parts in your config that need to be addressed.

First the routing.

ip route 0.0.0.0 0.0.0.0 192.168.6.1

ip route 0.0.0.0 0.0.0.0 135.17.64.1

You need to change one of these so that it's not a default route. It needs to be a more specific route to the destination network.

The other part you need to address is that you only have 1 VoIP dial peer that points to your ITSP; there isn't any dial peer that points in the direction of your SIP Proxy. Add a dial peer that matches calls in that direction with a session target that has the proxy's IP as the destination.

Please rate all useful posts.

Sent from Cisco Technical Support iPhone App
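
The routing point made in the reply above, as an added example that is not part of the thread and is not Cisco code: a short Python check that takes the interface, `ip route` and `session target` lines from the posted config and reports which next hops tie for the longest matching prefix for each dial-peer target. The `/32` host route in `FIXED` is an assumption made for illustration (that 192.168.18.20 should be reached through the 135.17.64.1 gateway); the thread does not state the SIP proxy's address.

```python
import ipaddress
import re

# Constructed excerpt: routing and dial-peer lines copied from the config posted above.
CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.6.243 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 135.17.64.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 135.17.64.1
dial-peer voice 163 voip
 session target ipv4:192.168.18.20
"""

def parse(config):
    """Return (routes, targets); routes are (network, next_hop) pairs of the global table."""
    routes, targets, iface = [], [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            routes.append((net, f"connected {iface}"))
        elif m := re.match(r"ip route (\d\S+) (\S+) (\S+)$", line):  # skips "ip route vrf ..."
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
        elif m := re.match(r"session target ipv4:([\d.]+)", line):
            targets.append(ipaddress.ip_address(m.group(1)))
    return routes, targets

def egress(config):
    """Map each session target to the next hops tied for the longest matching prefix."""
    routes, targets = parse(config)
    result = {}
    for t in targets:
        matches = [(n, h) for n, h in routes if t in n]
        best = max((n.prefixlen for n, _ in matches), default=None)
        result[str(t)] = sorted(h for n, h in matches if n.prefixlen == best)
    return result

# Assumption for illustration: 192.168.18.20 should leave via the 135.17.64.1 gateway.
FIXED = CONFIG.replace("ip route 0.0.0.0 0.0.0.0 135.17.64.1",
                       "ip route 192.168.18.20 255.255.255.255 135.17.64.1")

if __name__ == "__main__":
    print(egress(CONFIG))  # two candidate next hops: egress interface is not pinned
    print(egress(FIXED))   # one candidate next hop
```

More than one next hop in the result means the dial-peer target is covered only by competing routes of equal length, so the egress interface is not determined by the configuration.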


