CUBE placement

vsdhillon
Beginner

I'm setting up a home lab for CUCM and a couple of IP Phones. I've got CUCM, CUE, IP Phones, and CSR1000v set up virtually on ESXi 6.7. I want to be able to send and receive calls to the PSTN now via a SIP provider. Everywhere I've read, it states I need the CUBE to set up for secure SIP trunks. I have Verizon FIOS for my internet access using the Quantum Gateway they give you.

 

The CSR in evaluation mode is configured in my internal network for 2 subnets on Gig1 and Gig2. CUCM, CUE, and IP Phones are on the 10.3.3.0 subnet off Gig1. Gig2 is on the home 192.168.1.0 subnet, allowing CUCM to communicate with the internet. Can I enable the CSR for CUBE in this setup or do I need to provision another CSR? Where do I place this CSR? Documentation shows it's a demarc point for the internal network to communicate with the public SIP provider. However, the FIOS Quantum GW is my point of connection to the public internet.

 

I hope this makes sense but feel free to ask questions. Just want to be able to make and receive calls via the PSTN from the 2 IP Phones in my home lab.

3 Replies

Anthony Holloway
Cisco Employee
Good news! CUBE does not require securing SIP to function, nor does it require a DMZ (demarc). You will, however, face some issues if you NAT the public-facing side, unless your NAT appliance can do Application Layer Gateway (ALG) functions, i.e., open the packet, look for IP address references, and replace them based on your NAT rules. If you cannot do that, then you'll need a bit of SIP Profiles on your CUBE to manipulate all incoming and outgoing SIP messages, but it may or may not be perfect.
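
The ALG behaviour described in the reply above, sketched as an added example (not part of the original post and not Cisco code): it lists the RFC 1918 addresses a plain NAT leaves inside a SIP INVITE, then rewrites them and recomputes `Content-Length`. The INVITE, the CUBE address 192.168.1.10 and the public address 203.0.113.5 are constructed assumptions.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Header and SDP fields that tell the provider where to send replies and media.
ROUTING_FIELDS = ("via:", "contact:", "o=", "c=")

# Constructed sample: an INVITE sent from an assumed CUBE address, 192.168.1.10.
BODY = ("v=0\r\n"
        "o=- 1597 3761 IN IP4 192.168.1.10\r\n"
        "s=call\r\n"
        "c=IN IP4 192.168.1.10\r\n"
        "t=0 0\r\n"
        "m=audio 16384 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:15550100@sip.example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK74bf9\r\n"
          "From: <sip:15550199@sip.example.net>;tag=9fxced76sl\r\n"
          "To: <sip:15550100@sip.example.net>\r\n"
          "Call-ID: 3848276298220188511@lab.example\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:15550199@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(BODY)}\r\n\r\n") + BODY


def is_routing_line(line):
    return line.lower().startswith(ROUTING_FIELDS)


def private_refs(message):
    """Return (field, address) for each RFC 1918 address in a routing field."""
    found = []
    for line in message.split("\r\n"):
        if is_routing_line(line):
            field = re.split(r"[:=]", line, maxsplit=1)[0]
            found += [(field, ip) for ip in IPV4.findall(line)
                      if any(ipaddress.ip_address(ip) in n for n in RFC1918)]
    return found


def alg_rewrite(message, inside, outside):
    """Swap inside for outside in routing fields, then fix Content-Length."""
    pat = re.compile(rf"\b{re.escape(inside)}\b")  # whole address only
    lines = [pat.sub(outside, l) if is_routing_line(l) else l
             for l in message.split("\r\n")]
    head, _, body = "\r\n".join(lines).partition("\r\n\r\n")
    # The SDP body changed length, so the header must be recomputed.
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*", f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body
```

Running `private_refs` on a capture taken on the WAN side shows whether anything upstream is already rewriting these fields.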

Thanks Anthony,

So regarding the setup, I have it connected in this order?

CUCM, CUE, IP Phones, ------> CSR ---------> FIOS Router -------> Internet

Collaboration endpoints are on the 10.3.3.x subnet. Subnet between CSR and FIOS Router is on 192.168.1.X network. FIOS Router out to Internet is on public dynamic IP Address 108.x.x.x because Verizon doesn't give residential customers a static IP. The 108.x.x.x is NAT'ed to the home network obviously and I don't think the FIOS Router does ALG. I have the CSR configured to be able to allow the endpoints on the 10.3.3.x network to be able to get out to the public internet. Can I deploy CUBE on the current CSR then and deploy SIP profiles? Will I have issues with the public dynamic IP address even if I'm able to use Dynamic DNS? Would I be able to use the DNS hostname with a SIP trunk provider or am I out of luck with SIP trunk providers only using static IP addresses? I've never set up a SIP trunk out to the public so pardon my elementary questions. I've done plenty of SIP trunks internally in my home lab but I just used the private IP addresses for that.

Remember, this is not a big deployment you typically find in a small business, etc. It's just 2 IP phones with voicemail boxes on CUE and just need PSTN access for phone calls back and forth to the outside world.

Thanks,

Vic

Most residential-type SIP services don't need or want a SIP ALG. Instead, they rely on a few specific bits of behaviour to allow them to work through a normal stateful firewall. Firstly, for the actual SIP signalling, your device needs to keep refreshing its registration frequently enough to keep the NAT translation in place and the firewall rule open, so that incoming SIP invites can be received as if they were answers to your outgoing SIP registrations or polling traffic. Second, for media, your device needs to send to the provider as soon as incoming audio is expected; then the provider will send to the address and port that your audio is sourced on, so effectively again that's coming in as if in answer to your outbound.