Call Manager express SIP trunk to ISP

carl_townshend
Spotlight

Hi All

We have a Call Manager Express with a SIP trunk to the provider; currently the SIP flows through the firewall and is NATted.

Can anyone tell me if it is best practice when using SIP to plug the ISP connection straight into the Call Manager and run an access list or firewall? This way we are not doing NAT etc.

Also as it is a CME, it is not a CUBE so can anyone tell me how the calls will flow to the provider?

cheers

Here is a snippet of the config for the SIP:

!
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
  registrar server
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g729r8
 codec preference 4 g729br8

!

!
voice register dn  3
 number 1202
 name 1202
 no-reg
 label 1202

!

voice register pool  3
 busy-trigger-per-button 2
 id mac 0072.7827.900D
 type 7821
 number 1 dn 3
 no digit collect kpml
 presence call-list
 dtmf-relay rtp-nte
 username 1202 password 1202
 codec g711alaw

!

dial-peer voice 103 voip
 description -= Incoming to 1202 =-
 translation-profile incoming 1
 destination-pattern 1203
 session protocol sipv2
 session target sip-server
 incoming called-number XXXXXXXX
 dtmf-relay rtp-nte sip-notify
 codec g711alaw
 no vad

!

 credentials username XXXXXX password 7 XXXXXX realm XXX.TEST.COM

no remote-party-id
 registrar dns:mpbx.XXX.TEST.COM expires 180
 sip-server dns:mpbx.TEST.COM

6 Replies

Dennis Mink
VIP Alumni

Run a SIP trunk into your ISP from your CME, then from CME into your CUCM; that is best practice.

Please remember to rate useful posts, by clicking on the stars below.

We do not have a CUCM; it is a standalone CME.

Nuno Melo
Level 4

Both the firewall and connecting the ISP public interface directly to the CME box are valid options.

Using a firewall, you can create a DMZ network between the CME and the firewall and NAT 1:1 the IP the ISP assigns to your VoIP trunk towards the WAN IP assigned to the CUBE.

  • Disable SIP inspection on the firewall; some firewall vendors say the contrary, but the fact is voice is delay sensitive and therefore inspecting the traffic may impact voice quality
  • Do NAT 1:1, not PAT

You can also assign the ISP public interface to one of the CME router's interfaces. Since by this you are exposing the router directly to the internet, you could do the following.

  • Create 2 VRFs, one for LAN and one for WAN, to completely segregate the data/signalling traffic
  • Create an ACL to allow only inbound traffic on the WAN interface from the ISP VoIP SBC
  • Make sure the ISP outbound dial-peer is sourced via the WAN interface, using the sip bind command on the outbound dial-peer
  • Make sure the CME IP source address is the IP address of the LAN interface

Even if you are using the router as CME, if the traffic is sourced on the LAN IP address and has a WAN IP address as target on an outbound call, and vice versa on an inbound call, the router will use the CUBE feature to terminate the data traffic on the IP addresses and bridge the 2 call legs using a voice channel, thereby terminating the data streams on each of the IPs.

It's not advisable to have the binding command at the voice service VoIP level, since this will make all traffic to and from the router always be sourced from GigabitEthernet0/0/0 (this is OK in the direction Router->Internet but not OK in the direction Internet->Router); it would be preferable, as stated above, to have a LAN and WAN interface and use the SIP binding commands at the dial-peer level.

Can you give an example of how you would do it at dial-peer level?
Cheers

dial-peer voice xx voip
 session protocol sipv2
 voice-class sip bind control source-interface [interface]
 voice-class sip bind media source-interface [interface]
 no vad

You already have a SIP binding in place. What is the Gig0/0/0 interface? LAN where your phones reside? If yes, then you need to add the same to the VoIP dial-peer, but the bind will be for the WAN/ISP-facing interface. Another pointer, looking at your config: I would not want the trust list to blindly accept everything (0.0.0.0/0, which is what you have). Add the specific hosts that should be able to call your system, which would be your ITSP IP.
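
An offline check for the two points raised in the replies above (the 0.0.0.0/0 trusted list, and SIP bind set under voice service voip rather than on the dial-peer), added here as an example and not posted by anyone in the thread. The sample config is constructed; dial-peer 200, GigabitEthernet0/0/1 and the `max_hosts` threshold are assumptions.

```python
import ipaddress

# Constructed sample modelled on the config posted in this thread; dial-peer 200
# and GigabitEthernet0/0/1 are hypothetical, added to show a passing case.
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
 sip
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
!
dial-peer voice 103 voip
 session protocol sipv2
!
dial-peer voice 200 voip
 session protocol sipv2
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
"""

def sections(config):
    """Group indented lines under the top-level command that precedes them."""
    out, head = {}, None
    for line in (l for l in config.splitlines() if l.strip() not in ("", "!")):
        if line[0] != " ":
            head = line.strip()
            out[head] = []
        elif head is not None:
            out[head].append(line.strip())
    return out

def audit(config, max_hosts=256):
    """Return findings; max_hosts is an assumed threshold for 'too broad'."""
    findings = []
    for head, body in sections(config).items():
        if head == "voice service voip":
            # Assumes ipv4 lines in this section belong to the trusted list.
            for parts in (l.split() for l in body if l.startswith("ipv4 ")):
                net = ipaddress.ip_network("/".join(parts[1:3]), strict=False)
                if net.num_addresses > max_hosts:
                    findings.append(f"trusted list entry {net} is too broad")
            if any(l.startswith("bind ") for l in body):
                findings.append("sip bind set globally under voice service voip")
        elif head.startswith("dial-peer voice") and "session protocol sipv2" in body:
            for kind in ("control", "media"):
                if not any(l.startswith(f"voice-class sip bind {kind} ") for l in body):
                    findings.append(f"{head}: no dial-peer level bind {kind}")
    return findings
```

Calling `audit()` on the text of a saved running-config returns a list of findings; an empty list means neither issue was detected.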