Beginner

Configuration solution with CME and Fortigate

Hi all,

It's been 3 months now since I started looking for a VoIP solution for our company. I was totally unaware of how VoIP configuration worked, and now I have some idea and have come to a conclusion on how it works, and I would like to ask you one thing.

After that, I will start the configuration. 

 

We have 3x Cisco 8841 and 2x Cisco 7962G.

This is our current network design: 

Modem ----> Fortigate Firewall (router, DHCP, DNS) ----> L3 Switch (HP 1910, JG539A) ----> Cisco IP phone ----> PC

 

I know that for a SIP connection between our Cisco IP phone and our SIP provider's SIP server, you need to create a VIP (port forwarding) in Fortigate.

So I made one configuration between my 8841 IP phone's IP address and the public IP address, opening SIP ports (5060) and RTP (10000-20000) (the provider company uses this range). And it worked.

 

When I wanted to do the same for the other IP phones by mapping another private IP address to the same public IP address and opening the same SIP and RTP ports, it got rejected. You have to use another public IP address and that is not practical.

 

So I think a CME router will solve the issue. My question is:

Will CME router handle multiple IP phones by mapping the private IP address of CME to the public IP address by opening SIP and RTP ports?

So that different internal users can make and receive calls at the same time.

 

The suggested network design will be like this:

Modem ----> Firewall (DNS) ----> CME router (Cisco 2821 Router) ---->

L3 Switch (HP 1910, JG539A) ----> Cisco IP phone ----> PC

 

Sorry for the long post and Thank you.

 

I await your response.


11 Replies
Cisco Employee

Re: Configuration solution with CME and Fortigate

CME and IOS NAT on the same box are not supported. If your firewall can take care of the NAT, the solution should be good. You would only NAT the CME DNS facing IP to your public IP.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: Configuration solution with CME and Fortigate

Hello @Nipun Singh Raghav

Thank you for the reply. The firewall will handle the NAT; the policy and the VIP port forwarding will also be there.
I didn't understand this part: "You would only NAT the CME DNS facing IP to your public IP". Can you give an example, or a link to a configuration example?

Thank you.

Participant

Re: Configuration solution with CME and Fortigate

Hi @armancisco

 

You can BIND control and media on your CME. As a consequence, all your SIP phone and control flows should be terminated by the CME. Only one address will be necessary for all your calls.

 

 

Best regards
******* If This Helps, Please Rate *******
Ben
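
The rejection described in the original post, and the single-address design suggested in the reply above, can be checked on paper before touching the firewall. This is an added example, not part of any post in the thread: the addresses, rule names and the `find_conflicts` helper are constructed for illustration, and the overlap rule is a simplified model of destination NAT, not FortiGate's own validation logic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    name: str
    ext_ip: str          # public address the rule listens on
    proto: str           # "udp" or "tcp"
    ext_ports: tuple     # (first, last), inclusive
    mapped_ip: str       # private address traffic is sent to


def overlaps(a, b):
    """Two forwards collide when both claim the same public IP, protocol
    and at least one external port: an inbound packet could then belong
    to either internal host, so the second rule cannot be accepted."""
    return (a.ext_ip == b.ext_ip and a.proto == b.proto
            and a.ext_ports[0] <= b.ext_ports[1]
            and b.ext_ports[0] <= a.ext_ports[1])


def find_conflicts(rules):
    """Return (name, name) pairs of rules that claim overlapping ports."""
    return [(a.name, b.name)
            for i, a in enumerate(rules)
            for b in rules[i + 1:]
            if overlaps(a, b)]


def sip_forwards(prefix, ext_ip, mapped_ip, rtp=(10000, 20000)):
    """SIP signalling (5060) plus the provider's RTP range, as in the post."""
    return [PortForward(f"{prefix}-sip", ext_ip, "udp", (5060, 5060), mapped_ip),
            PortForward(f"{prefix}-rtp", ext_ip, "udp", rtp, mapped_ip)]


PUBLIC_IP = "203.0.113.10"   # constructed (documentation address range)

# Plan A: one forward pair per phone, all on the same public IP.
per_phone = (sip_forwards("phone1", PUBLIC_IP, "192.168.1.21")
             + sip_forwards("phone2", PUBLIC_IP, "192.168.1.22"))

# Plan B: a single forward pair to the CME address; the phones register
# to CME internally and never need their own public mapping.
via_cme = sip_forwards("cme", PUBLIC_IP, "192.168.1.2")

if __name__ == "__main__":
    print("per-phone conflicts:", find_conflicts(per_phone))
    print("via-CME conflicts:  ", find_conflicts(via_cme))
```

With a single forward pair, the firewall policy that permits it can also be limited to the SIP provider's source addresses, so port 5060 is not reachable from the whole Internet.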
Beginner

Re: Configuration solution with CME and Fortigate

Hello M02@rt37

 

Thank you for the reply. If my suggested solution is right then I have a couple of questions about the CME.

 

As you know I have 3x 8841 and 2x 7962G and I wonder which CME version is needed in a router? 

On eBay, they sell a lot of routers with mostly CME 8.5 but according to Cisco, you need 10.5 for the Cisco 8841.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/requirements/guide/cme105spc.html 

 

What does fast-track do? 

 

Also, are there any more licenses needed on the router to handle VoIP? I heard of CUBE.

 

 

Thank you.

Cisco Employee

Re: Configuration solution with CME and Fortigate

CME version depends upon IOS. IOS is not exclusively charged per download. You need to have a software download contract and you can download any IOS from CCO.

Fast-track is a feature to register SIP Phones to CME which are not natively supported. Newer versions of CME do not require fast track since most of the IP Phones have been added for native support.

For licensing, you would need uck9 for voice and then a user+phone license depending upon the number of users/phones. Refer to this:
https://supportforums.cisco.com/t5/ip-telephony/call-manager-express-licensing/td-p/2976364

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Participant

Re: Configuration solution with CME and Fortigate

Hi @armancisco the reply of @Nipun Singh Raghav is perfect.

 

Furthermore, in order to have full CUBE features you will need the AdvUCSuiteK9 and activate it (voice service voip >> mode border element licence capacity XXX).

This suite will give you access to cme-srst and cube licence.

 

 

 

Best regards
******* If This Helps, Please Rate *******
Ben
Beginner

Re: Configuration solution with CME and Fortigate

Hello M02@rt37 and @Nipun Singh Raghav

 

Thank you for the reply. Over the last week I was researching the licenses needed for a CME router deployment. And your comments helped me to investigate more.

 

So I think I understand most of it, please check:

 

1. I will need CME 10.5 with fast-track (At least IOS 15.4(3)M) to be used with Cisco IP phones 88xx

And CME 11.0 (which is newer, as @Nipun Singh Raghav said, and it is natively supported) with at least IOS 15.6(1)T. 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/release/notes/CME_ReleaseNotes_11_0.html 

 

2. I looked a lot on eBay and they sell Cisco C2911-CME-SRST/K9.

As I understand it I can choose either to activate feature CME or SRST, right?

And in my case, there will not be CUCM in the network for SRST. It will be CME, yes?

3. Every user will have one phone on our network. On eBay, a lot of routers include the license FL-CME-SRST-25=, which will cover 25 users, and we will not be more than 10 users.

So this will be sufficient for us, yes?

I think that answers your statement (user+phone license depending upon the number of users/phone), yes? 

 

4. The uck9 license is the same as SW-CCME-UL-ENH, yes? And this license is not dependent on how many users are registered with the CME, is it?

 

So here is the item on eBay which has all the licenses that I need to deploy on my network as a stand-alone CME. The only thing I have to change is the IOS version, to have CME 11.0 or higher.

And as I found out, the licences don't disappear if I change the IOS on it. Please give your opinion.

 

https://www.ebay.com/itm/Cisco-C2911-CME-SRST-K9-2911-Voice-Bundle-PVDM3-16-FL-CME-SRST-25-FL-CUBEE-10/332616171249?epid=111473317&hash=item4d7177fef1:g:kO8AAOSwCNpauM7N

 

 

Thank you.

Accepted Solution
Cisco Employee

Re: Configuration solution with CME and Fortigate

1. I would suggest version 11.0 because of the native support. Not a fan of fast-track personally.
2. Irrespective of whether you want CME or SRST, you would need the "cme-srst" license. That's one license serving both purposes. This is again RTU/paper based. You pay to use the feature.
3. FL-CME-SRST-25= license should be fine. Would give you an option to scale if need be in the future. These are user seat licenses.
4. "uck9" is required to unlock the voice feature set on the IOS. "SW-CCME-UL-ENH" is a phone license, the convention for which is "SW-CCME-UL-XX", where XX could be any of the following three:

1. Essential: Analog devices using analog gateways such as the Cisco VG202, VG204, VG224, or VG350 Analog Voice Gateways; the Cisco 3905 ISR; and the Cisco Unified IP Phone 6901

2. Basic: Cisco Unified IP Phone 6911, 6921, 7811, and 7821

3. Enhanced: Cisco Unified IP Phone 9900, 8900, 8800, 7841, 7861, 7900, 7937, and 6900; third‑party SIP phones; Cisco Jabber® Mobile; and the Cisco Jabber soft phone

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"

Beginner

Re: Configuration solution with CME and Fortigate

Hello @Nipun Singh Raghav

 

Thank you very much for the explained answer. 

I have just one question: how do I know the uck9 license is an ENHANCED version?

 

 

Thank you.

Cisco Employee

Re: Configuration solution with CME and Fortigate

"uck9" and "phone license" i.e. SW-CCME-UL-XX are two different line items. You need both.
Go through my explanation again in my last post.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: Configuration solution with CME and Fortigate

My mistake. I thought it was the same thing.

 

Thanks for the clarification @Nipun Singh Raghav
