I haven't really tried this and also can't find much documentation or examples of other users doing this. I'm looking at attempting to put a CUBE behind an ASA. To get to the SIP PSTN provider, the CUBE would have to communicate with the SIP provider through the ASA. The CUBE would be on the inside or DMZ interface and the provider's SIP IP would be on the outside. Let's say that the outside interface of the ASA is a public IP and we are NATing (PAT) to the outside interface IP. So I have a few questions on what would need to be configured...
1) If the SIP Provider knows to communicate to our CUBE on port 5060, I assume the ASA would need to statically forward the public IP of the ASA with port 5060 to the internal CUBE IP?
2) Since everything is blocked by default on the outside interface of the ASA towards the inside or DMZ, and because we are NATing (PAT), SIP inspection would need to be enabled on the ASA, which I believe is by default on the global policy.
Would this be all that needs to be done?
Furthermore, what if we aren't NATing and the firewall is there just to block connections from the outside interface to the inside? You would still need inspection to open the RTP ports (pinholes) towards the inside and the port forward of 5060 to your CUBE IP. Does SIP inspection work to open pinholes for the RTP ports when NAT is not in use?
If anyone has any examples or good documentation/best practices around this, I would appreciate the sharing of it.
I have a similar setup and what I have done is that I configured a static NAT from my public IP to the internal IP of the CUBE. (I have a bunch of public IPs so I didn't use the IP of my outside interface.) I did a one-to-one NAT just so that I don't have to worry about opening RTP ports; however, I used an ACL on the CUBE to ensure only the service provider SBC can initiate calls to it from the PSTN side and only my CUCM can initiate calls from the internal network side.
Hope this helps. If you need more detail please let me know.
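
The setup described in the reply above, sketched as an added configuration example (not the poster's actual configuration): a one-to-one static NAT for the CUBE on the ASA, an outside ACL limited to the provider SBC, and a CUBE ACL that accepts SIP signaling only from the SBC and the CUCM. All object names, interface names and addresses are constructed placeholders, and ASA 8.3+ object NAT syntax is assumed.

```cisco
! ---- ASA (8.3+ object NAT). Names and addresses are constructed. ----
object network CUBE-DMZ
 host 192.168.50.10
 ! One-to-one static NAT to a dedicated public IP (not the interface IP)
 nat (dmz,outside) static 203.0.113.10
!
object network PROVIDER-SBC
 host 198.51.100.20
!
! From 8.3 on, interface ACLs match the real (untranslated) CUBE address.
! Only the provider SBC may reach the CUBE on SIP signaling.
access-list OUTSIDE-IN extended permit udp object PROVIDER-SBC object CUBE-DMZ eq 5060
access-list OUTSIDE-IN extended permit tcp object PROVIDER-SBC object CUBE-DMZ eq 5060
! Needed only if SIP inspection is disabled: with "inspect sip" active the
! ASA opens RTP pinholes itself. 16384-32767 is the IOS default RTP range;
! the source assumes media comes from the same SBC address.
access-list OUTSIDE-IN extended permit udp object PROVIDER-SBC object CUBE-DMZ range 16384 32767
access-group OUTSIDE-IN in interface outside
!
! ---- CUBE (IOS), single interface in the DMZ assumed ----
ip access-list extended SIP-PEERS-ONLY
 ! PSTN side: only the provider SBC may signal to the CUBE
 permit udp host 198.51.100.20 any eq 5060
 permit tcp host 198.51.100.20 any eq 5060
 ! Internal side: only the CUCM (constructed address) may signal to the CUBE
 permit udp host 10.10.10.5 any eq 5060
 permit tcp host 10.10.10.5 any eq 5060
 ! Drop and log SIP from anyone else; logged hits show scanning attempts
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 ! Media and management traffic are left to the ASA policy above
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group SIP-PEERS-ONLY in
```

On the ASA, `show access-list OUTSIDE-IN` shows per-entry hit counts, which confirms that only the SBC entries are matching.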