09-23-2015 01:38 PM - edited 03-17-2019 04:23 AM
I have a need to allow remote SIP devices access to the enterprise Communications Manager. The thought was to have the devices register to CME in a DMZ and then do a SIP trunk from CME to the CUCM cluster.
Rules of engagement:
1) Remote devices will be on consumer class internet connections
2) No remote VPN devices allowed
3) Must be secure
4) buying traversal licenses for the VCS is not in the budget
I have put the CME in a DMZ and configured 1-to-1 NAT. ACLs have allowed traffic to and from CUCM and CME. If I put my client directly on the internet I can register and make calls anywhere in the world I would like. If I put the client behind NAT, the client can register but is not able to make calls. If I put the client behind a firewall I am not able to register with CME at all. Any suggestions on how to achieve the goal?
09-23-2015 03:50 PM
Interesting concept, RTP across the Internet and behind a number of firewalls, typically a recipe for disaster. So you have multiple issues. Let me start with your client "behind NAT". I think the problem with voice being established is the negotiation of the RTP endpoint IP address. Are these phones using SIP to register on CME? Can you add some debug info to the post (debug ccsip)?
Also, did you configure SIP inspect on your firewall (or something similar if it is not a Cisco ASA)?
thanks
09-23-2015 05:36 PM
Well, I made some progress. Since I am using +E.164 to call the world, at one point in testing I had set the "put this on beginning of dial string" option. Once I removed that I was able to get one client with a public IP registered and a second client with a private IP to register. I also had fits with my firewall; I was able to get those resolved by changing my ACLs (implicit deny any any at the bottom got me again). Since I have a Cisco firewall my options were many. So everything in the diagram attached above is working as I want it to relating to call flow and capabilities. Yay!
Yes, this is only SIP. I'll see what I can do to add some of the debugs, will have to scrub heavily.
New problems to overcome:
1) It appears I can only have one device behind the firewall. Will need to keep playing with this one, may not be a show stopper.
2) If I move either of the devices outside of my firewall where my ISP just does NAT, I have no audio.
My concern at this point is if I can make it work with whatever device "Bob's Bait and Internet" is providing to end users. I'm afraid of providers using NAT somewhere downstream from the device.
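The "registers but no audio" and "can't register behind a firewall" symptoms in the two posts above come down to the addresses a phone advertises versus the address its packets actually arrive from. The following diagnostic is an added example for this thread, not code from the original posts, from Cisco, or from the poster's environment: it parses a SIP message, pulls the host out of Via and Contact and the RTP address out of the SDP c= line, and reports where an RFC 1918 address is being advertised to a registrar that sees the packet come from a public address. The INVITE is a constructed sample (user 1233 and the 10.10.10.19 CME address are taken from the posted config; the called number, branch and the 203.0.113.7 "public" source are made up).

```python
"""Diagnostic for SIP messages from endpoints behind NAT.

Added example for this thread, not code from the original posts or from Cisco.
It compares the Layer 3 source address of a SIP message with the addresses the
endpoint advertises in Via, Contact and the SDP c= line: a private (RFC 1918)
address advertised by a phone whose packet arrived from a public address is the
usual cause of "registers fine, no audio" and of unreachable registrations.
"""
import ipaddress
import re
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for the three RFC 1918 blocks (ipaddress.is_private also covers
    documentation and benchmark ranges, which is not what a NAT check wants)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_sip(raw: str) -> dict:
    """Split a SIP message into start line, headers (names lower-cased) and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body}


def header_host(value: str) -> Optional[str]:
    """Extract the IPv4 host from a Via ("SIP/2.0/TCP host:port;...") or a
    Contact ("<sip:user@host:port;...>") header value."""
    m = re.search(r"(?:sip:(?:[^@>\s]+@)?|SIP/2\.0/\w+\s+)(\d+\.\d+\.\d+\.\d+)", value)
    return m.group(1) if m else None


def sdp_connection(body: str) -> Optional[str]:
    """Return the address in the session-level SDP c= line, where RTP will be sent."""
    m = re.search(r"^c=IN IP4 (\S+)", body, re.MULTILINE)
    return m.group(1) if m else None


def diagnose(raw: str, source_ip: str) -> list:
    """Findings about a message that arrived from source_ip, the address seen on
    the wire (i.e. after any NAT on the phone side)."""
    msg = parse_sip(raw)
    first = lambda name: (msg["headers"].get(name) or [None])[0]
    via_ip = header_host(first("via") or "")
    contact_ip = header_host(first("contact") or "")
    sdp_ip = sdp_connection(msg["body"])
    public_source = not is_rfc1918(source_ip)
    findings = []
    if contact_ip and is_rfc1918(contact_ip) and public_source:
        findings.append(f"Contact advertises private {contact_ip} but the message came from "
                        f"{source_ip}: the registrar cannot route requests back to the phone")
    if via_ip and via_ip != source_ip:
        findings.append(f"Via {via_ip} differs from source {source_ip}: responses must use the "
                        "received/rport values (symmetric signalling) to reach the phone")
    if sdp_ip and is_rfc1918(sdp_ip) and public_source:
        findings.append(f"SDP c= advertises private {sdp_ip}: RTP will be sent into the NAT, "
                        "expect one-way or no audio unless the SBC or firewall rewrites SDP")
    return findings


# Constructed sample: a phone with private address 192.168.1.50 sending an INVITE
# to the DMZ CME (10.10.10.19 in the posted config). Not a capture.
SAMPLE_INVITE = (
    "INVITE sip:+19195550100@10.10.10.19 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.1.50:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:1233@mycompany.net>;tag=1\r\n"
    "To: <sip:+19195550100@mycompany.net>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1233@192.168.1.50:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 101\r\n"
)

if __name__ == "__main__":
    # The same message as the CME would see it arriving from a (constructed) public address.
    for finding in diagnose(SAMPLE_INVITE, "203.0.113.7"):
        print("-", finding)
```

Run against the sample with the public source it reports all three problems; run with the source set to 192.168.1.50 (phone and CME on the same routed network) it reports nothing, which is the difference between the working DMZ test and the "Bob's Bait and Internet" case. On a real capture, feed it the payload of each REGISTER or INVITE together with the IP header's source address.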
09-23-2015 05:52 PM
There are two other options you can explore depending on if the end points are Cisco:
1) Cisco Phone VPN - using ASA AnyConnect
2) CUBE - Remote Phone Proxy session
Ref: http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/data-sheet-c78-729692.html
Also Refer here: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/mobilapp.html#pgfId-1539123
-Terry
Please rate all helpful posts
09-23-2015 06:32 PM
Neither the firewall nor the endpoints are Cisco. We looked at doing the CUBE proxy and all the configuration examples we saw said "do not use this for production". May have been for an earlier release and worth taking a second look at.
Everything I am seeing now lists Cisco phones as being supported. Do you know if the CUBE Phone Proxy works with third party SIP devices?
Thanks!
09-23-2015 06:58 PM
As I have referenced above - though it says SIP based end points - I think it should, since the phone registers to CUCM and for non-Cisco SIP phones you should register them as third-party SIP phones in CUCM - but not 100% sure if it will support non-Cisco phones, may need to reach out to Cisco to confirm.
Refer here for config guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube_interop/configuration/15-mt/cube-interop-15-mt-book/voi-cucm-lineside.html#task_C9A25BECD9894E92B62F5D1EE0E2C868
https://ciscocollab.wordpress.com/2014/04/08/cube-sip-lineside-phone-vpn-configuration/
Also refer here for a similar thread:
Ref: http://www.gossamer-threads.com/lists/cisco/voip/182839
-Terry
Please rate all helpful posts
09-24-2015 10:22 AM
Right now I only have a 2800 to work with, so I am working on getting a 2900 or better so we can deploy a version of IOS that supports the feature for testing. The document states:
For an IP phone to register on a CUCM through CUBE, CUBE must be configured to do the following requirements.
So I am not having warm and fuzzy feelings about non-Cisco devices, since the third-party devices use the SIP digest user and not the MAC address for registration. Anyway, step one is to get hold of a device capable of running the required software. Thanks for the suggestion!
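The post above makes the point that third-party phones are identified by their SIP digest username rather than a MAC address, which is exactly what the `authenticate register` / `authenticate realm mycompany.net` lines and the `username ... password ...` lines of the posted pools set up. The following is an added example, not code from the original posts or from Cisco: a registrar-side digest check that issues a one-time nonce in the 401 challenge, parses the phone's Authorization header, recomputes the RFC 3261 MD5 response for the configured credentials and compares in constant time. The credential table mirrors the two posted pool lines as constructed values; the client-side helper is only there so the exchange runs end to end.

```python
"""Registrar-side SIP digest verification.

Added example for this thread, not code from the original posts or from Cisco.
It models what "authenticate register" / "authenticate realm mycompany.net" in
the posted CME config do: a REGISTER is challenged with a nonce and the response
is checked against the username/password of a voice register pool, so a
third-party phone is identified by its digest username, not by a MAC address.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

REALM = "mycompany.net"
# username -> password, mirroring "username 1233 password 12345" in the posted pools (constructed)
CREDENTIALS = {"1233": "12345", "133830": "12345"}
ISSUED_NONCES: set = set()   # nonces handed out in 401 challenges and not yet consumed


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 3261 section 22.4 / RFC 2617 MD5 digest, with and without qop=auth."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def make_challenge() -> str:
    """Value for WWW-Authenticate on the 401; the nonce is remembered for one use."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5, qop="auth"'


def parse_digest(header: str) -> Optional[dict]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if it is not a Digest header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def client_authorization(username, password, method, uri, challenge, cnonce="constructedcnonce"):
    """What a phone sends back in Authorization; included so the exchange can be run end to end."""
    c = parse_digest(challenge)
    qop = "auth" if c.get("qop") else None
    nc = "00000001" if qop else None
    resp = digest_response(username, password, c["realm"], method, uri, c["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{c["realm"]}"', f'nonce="{c["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def verify_register(authorization: str, method: str = "REGISTER") -> bool:
    """Registrar check: right realm, one-time nonce, known user, constant-time compare."""
    p = parse_digest(authorization)
    if not p or p.get("realm") != REALM:
        return False
    nonce = p.get("nonce", "")
    if nonce not in ISSUED_NONCES:          # unknown or already-used nonce: re-challenge
        return False
    password = CREDENTIALS.get(p.get("username", ""))
    if password is None:
        return False
    expected = digest_response(p["username"], password, REALM, method, p.get("uri", ""),
                               nonce, p.get("qop"), p.get("nc"), p.get("cnonce"))
    ok = hmac.compare_digest(expected, p.get("response", ""))
    if ok:
        ISSUED_NONCES.discard(nonce)        # consume it so the same header cannot be replayed
    return ok


if __name__ == "__main__":
    challenge = make_challenge()
    auth = client_authorization("1233", "12345", "REGISTER", "sip:10.10.10.19", challenge)
    print("401 WWW-Authenticate:", challenge)
    print("REGISTER Authorization:", auth)
    print("registrar accepts:", verify_register(auth))
    print("replay of same header accepted:", verify_register(auth))
```

The registrar never sees the MAC address in this flow; the `id mac` line of a pool only matters for phones that identify themselves that way, and the `username`/`password` pair is what a third-party device is matched on. The one-time nonce set is what keeps a captured Authorization header from being reused against the registrar.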
09-23-2015 06:15 PM
Doh!
Other issue is caller ID only showing the DN. Purely cosmetic, but people will be upset.
Need to get it to 15.1 as well.
version 12.4
!
hostname dmz-sbc
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 1024000
no logging console
no logging monitor
enable secret <Removed>
enable password <Removed>
!
clock timezone PST -8
clock summer-time PDT recurring
ip domain name mycompany.net
no ipv6 cef
!
multilink bundle-name authenticated
!
voice service voip
 allow-connections sip to sip
 redirect ip2ip
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco
 sip
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  session transport tcp
  registrar server expires max 1200 min 300
  no update-callerid
  g729 annexb-all
!
voice class codec 100
 codec preference 1 g722-64
 codec preference 2 g711ulaw
 codec preference 3 g729r8
!
voice register global
 mode cme
 source-address 10.10.10.19 port 5060
 timeouts interdigit 5
 max-dn 200
 max-pool 100
 authenticate register
 authenticate realm mycompany.net
 date-format D/M/Y
 mwi stutter
 voicemail 8000
 tftp-path flash:
 create profile sync 000394280920404A
!
voice register dn 1
 number 1233
 call-forward b2bua busy 8000
 call-forward b2bua mailbox 1233
 call-forward b2bua noan 8000 timeout 20
 allow watch
 name Tommy Tester
 label +19193921233
 mwi
!
voice register dn 2
 number 1234
 call-forward b2bua busy 8000
 call-forward b2bua mailbox 1234
 call-forward b2bua noan 8000 timeout 20
 allow watch
 name Sally Sample
 label +19193921234
 mwi
!
voice register pool 1
 busy-trigger-per-button 2
 id mac 1919.0392.1233
 session-transport tcp
 number 1 dn 1
 presence call-list
 dtmf-relay rtp-nte
 voice-class codec 100
 username 1233 password 12345
 description Tommy_Tester_1233
 no vad
!
voice register pool 2
 busy-trigger-per-button 2
 id mac 1919.0392.1234
 session-transport tcp
 number 1 dn 2
 presence call-list
 dtmf-relay rtp-nte
 voice-class codec 100
 username 133830 password 12345
 description Sally_Sample_133830
 no vad
!
voice-card 0
 dsp services dspfarm
!
voice-card 1
 dsp services dspfarm
!
username <Removed> privilege 15 password <Removed>
archive
 log config
  hidekeys
!
ip ssh version 2
!
class-map match-any VoIP-Control
 match ip dscp cs3
 match ip dscp af31
class-map match-any VoIP-RTP
 match ip dscp ef
!
policy-map VoIP-QOS
 class VoIP-RTP
  priority percent 70
  set ip dscp ef
 class VoIP-Control
  bandwidth percent 5
  set ip dscp cs3
 class class-default
  fair-queue
  set ip dscp default
!
interface GigabitEthernet0/0
 description ** Connection to DMZ **
 ip address 10.10.10.19 255.255.255.0
 duplex auto
 speed auto
 no mop enabled
 service-policy output VoIP-QOS
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1
no ip http server
no ip http secure-server
!
control-plane
!
sccp local GigabitEthernet0/0
sccp ccm 10.10.10.19 identifier 1 priority 1 version 7.0
sccp
!
sccp ccm group 1
 bind interface GigabitEthernet0/0
 associate ccm 1 priority 1
 associate profile 1 register DMZ-xCode
 associate profile 2 register DMZ-Conf
!
dspfarm profile 1 transcode
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 maximum sessions 24
 associate application SCCP
!
dspfarm profile 2 conference
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729r8
 maximum sessions 8
 associate application SCCP
!
dial-peer voice 9101 voip
 description ** PSTN thru CCM1 **
 preference 1
 destination-pattern +T
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.1.1.11
 dtmf-relay sip-kpml rtp-nte
 no vad
!
dial-peer voice 9102 voip
 description ** PSTN thru CCM2 **
 preference 2
 destination-pattern +T
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.1.1.12
 dtmf-relay sip-kpml rtp-nte
 no vad
!
dial-peer voice 9103 voip
 description ** PSTN thru CCM3 **
 preference 3
 destination-pattern +T
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.2.1.11
 dtmf-relay sip-kpml rtp-nte
 no vad
!
dial-peer voice 10001 voip
 description ** OnNet to CCM1 **
 preference 1
 destination-pattern [1-8]...$
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.1.1.11
 incoming called-number 1[2-5]..$
 dtmf-relay sip-kpml rtp-nte
 no vad
!
dial-peer voice 10002 voip
 description ** OnNet to CCM2 **
 preference 2
 destination-pattern [1-8]...$
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.1.1.12
 dtmf-relay sip-kpml rtp-nte
 no vad
!
dial-peer voice 10003 voip
 description ** OnNet to CCM3 **
 preference 3
 destination-pattern [1-8]...$
 voice-class codec 100
 session protocol sipv2
 session target ipv4:10.2.1.11
 incoming called-number 1[2-5]..$
 dtmf-relay sip-kpml rtp-nte
 no vad
!
presence
 presence call-list
 allow subscribe
!
sip-ua
 retry invite 2
 timers trying 200
 timers connect 200
 mwi-server ipv4:10.1.1.21 expires 3600 port 5060 transport udp unsolicited
 presence enable
!
telephony-service
 sdspfarm units 2
 sdspfarm tag 1 DMZ-xCode
 sdspfarm tag 2 DMZ-Conf
 conference hardware
 max-ephones 10
 max-dn 20
 ip source-address 10.10.10.19 port 2000
 time-zone 5
 voicemail 800000
 max-conferences 8 gain -6
 transfer-system full-consult dss
 transfer-pattern 9T
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
banner motd ^C
**************************** NOTICE TO USERS *******************************
*                                                                          *
* This is an official computer system and is for authorized users only.    *
* Unauthorized use is prohibited. Use (Authorized or Unauthorized) may     *
* be subject to one or more of the following actions:                      *
*                                                                          *
* 1. Interception                                                          *
* 2. Monitoring                                                            *
* 3. Recording                                                             *
* 4. Auditing                                                              *
* 5. Inspection                                                            *
* 6. Report to security and/or law enforcement agencies both               *
*    domestic and foreign.                                                 *
*                                                                          *
* By using this system, the user consents to these actions. Unauthorized   *
* or improper use of this system may result in administrative disciplinary *
* action as well as civil and criminal penalties.                          *
* By accessing this system you indicate your awareness of and consent to   *
* these terms and conditions of use. Discontinue access immediately if     *
* you do not agree to the conditions stated in this notice.                *
*                                                                          *
****************************************************************************
^C
!
line con 0
line aux 0
line vty 0 4
 password <Removed>
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 71.19.145.222
end