Showing results for 
Search instead for 
Did you mean: 

Best place to put a CUBE behind a FW




I'm deploying a CUBE to connect a SIP TRUNK to ITSP and I'm wondering if its recommending to put a CUBE in the LAN or It's best to put it in DMZ?


If I put it in LAN or DMZ which IP should I give it to my ITSP to build the SIP TRUNK?

5 Replies 5

Jaime Valencia
Hall of Fame Cisco Employee Hall of Fame Cisco Employee
Hall of Fame Cisco Employee

I have to be honest I didn't remember I posted that....


Anyway that was 1 year ago and in that moment we didn't know how the ITSP was going to give us the SIP Trunk and We also postponed until few weeks ago when the company finally hired the service.


They are giving us the service SIP Trunk over our existing Range IP Wan Internet attached to our FW so I don't know exactly where to place the CUBE. I suppose that the best is to place it in a DMZ with one of the IP of our WAN Internet to have connectivity end to end but that mean I will have to use one IP just for this service.... It's possible to place it in LAN Interface and if its possible which IP should I give to our ITSP? Any other deployment recommendation? 

Nobody can help me?

If the SIP service is delivered on your internet connection it is advisable to put the outside interface of the SBC (Cube) on an interface in the firewall and it works best if you use a specific IP address for it. However it’s advisable to work with the admin of the firewall system to verify the proper functionality of the SIP service as it adds complexity to the mix.

Besides from this the answers you got from Chris an me on the other post are still valid.

Response Signature

Scott Leport
Rising star
Rising star

Hi @mdrangell22


It seems you've already got the answers here. As mentioned, the two typical choices are CUBE on a new DMZ off your Firewall or the CUBE has an interface to the ITSP equipment.

I've understood that it's the former which is the topology here, so your CUBE would connect to a DMZ port on your Firewall and there would be a 1:1 NAT translating the "DMZ IP" to a spare public IP address configured on your Firewall.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers