CUCM 11.5 SIP trunk to 3CX

ryan_oconnell
Level 3

Hello, my customer is running CUCM version 11.5 and trying to integrate a 3rd party PBX (3CX) that it has in the office so that extensions on CUCM can 4 digit dial 3CX extensions. The 3CX system requires the SIP trunk to have authentication. I know this is possible using Cisco CUBE under the SIP UA settings, but I have never seen this option directly on CUCM. The customer doesn't have a CUBE to work with and wants to know if it can be done directly on CUCM. The guide the 3CX vendor gave me to follow as this, but the main point I am asking is: can I do authentication on a SIP trunk directly on CUCM, or do I need a CUBE? I was reading about SIP REALMS; is this possibly my answer?

The reference guide 3CX gave me to follow was not for CUCM but gives the basic idea of what I am trying to achieve. This guide is below:

http://www.3cx.com/docs/bridging-asterisk-pbx/

Thanks Ryan


Chris Deren
Hall of Fame

Authentication is not an option on SIP trunks in CUCM, and as you point out CUBE would be required. One option would be to see if that is something you can add via a LUA normalization script in CUCM; check out this great video tutorial to get started:

https://supportforums.cisco.com/video/12151771/guide-sip-normalization-cucm-and-lua-scripting

Chris

Chris, my findings so far agree with your comments that authentication is not an option on SIP trunks in UCM, but I wanted to be sure so I asked the question.

Neat video on LUA, but it's not obvious to me how this will help me with my end game. Can you perhaps give some guidance?

Thanks 

If you can find out the SIP header syntax for what 3CX expects for authentication then you should be able to easily add it to the INVITE message by appending an outbound LUA function and apply to the SIP trunk. Might be worth a shot. 

Hi,

I believe authentication is supported on CUCM SIP trunks and can be configured as below. I remember testing this during my CCIE preparations.

 

Step 1 Check the Enable Digest Authentication check box in a SIP Trunk Security profile.

Navigate to System > Security Profile > SIP Trunk Security Profile > Add New.

 

Step 2 Apply the security profile to your SIP Trunk

Navigate to Device > Trunk > #Select-SIP-Trunk#

 

Step 3 Configure a unique cluster ID under Enterprise Parameters. This will be the CUCM realm configured in your 3CX.

 

Step 4 Create new application user (it can be an existing application user) and assign Digest Credentials. CUCM will match 3CX username/digest against this application user after challenging 3CX

 

Step 5 Configure SIP Realm matching 3CX ID. Navigate to User Management > SIP Realm > Add New.

 

Step 6 The username/password under the realm should match the 3CX digest user/pass. CUCM will use this account once it has received a challenge request from 3CX.

Hello Mohammed

I tried the steps as you described and as per the Cisco Guide. Can you help me understand how the username you assign under the SIP Realm actually gets associated with the trunk? Is the username under SIP Realm actually a global username that gets assigned to all SIP trunks that you use DIGEST Authentication on?

Thanks Ryan

For outgoing calls:

- CUCM will receive a challenge request from 3CX.

- CUCM will look up the realm database and will respond to the challenge request including the username and hashed digest of the matched realm.

- 3CX will compare the received values against its database.

For incoming calls:

- CUCM will send a challenge request using the cluster ID as realm.

- 3CX will respond to the challenge request with username and hashed digest based on the matched CUCM cluster ID.

- CUCM will look up the received username against the application users database and compare the digest value.
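
The challenge/response exchange described above, sketched as an added example (not part of the original post, and not CUCM or 3CX code): the standard RFC 2617 MD5 digest without qop, where the answering side selects its credentials by the realm named in the challenge. All realms, usernames, passwords, nonces and URIs are constructed.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def answer_challenge(challenge, realm_table, method, uri):
    """Challenged side: choose credentials by the realm in the challenge."""
    creds = realm_table.get(challenge["realm"])
    if creds is None:
        return None  # no entry for this realm: the challenge cannot be answered
    user, password = creds
    realm, nonce = challenge["realm"], challenge["nonce"]
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(user, realm, password, nonce, method, uri)}

def verify(auth, users, my_realm, issued_nonce, method):
    """Challenging side: recompute the digest from its own user database."""
    password = users.get(auth["username"])
    if password is None or auth["realm"] != my_realm or auth["nonce"] != issued_nonce:
        return False
    expected = digest_response(auth["username"], my_realm, password,
                               issued_nonce, method, auth["uri"])
    return hmac.compare_digest(expected, auth["response"])

# Constructed sample data; nonces are fixed here, real ones are random per challenge.
CUCM_SIP_REALMS = {"3cx-lab": ("cucm-trunk", "outbound-secret")}  # realm -> (user, password)
PBX_USERS = {"cucm-trunk": "outbound-secret"}                     # 3CX side user database
CUCM_APP_USERS = {"3cx-trunk": "inbound-secret"}                  # application user digest credentials
PBX_REALMS = {"cucm-cluster-1": ("3cx-trunk", "inbound-secret")}  # keyed by CUCM cluster ID

def run_call(challenger_realm, nonce, answerer_realms, challenger_users, uri):
    challenge = {"realm": challenger_realm, "nonce": nonce}
    auth = answer_challenge(challenge, answerer_realms, "INVITE", uri)
    return auth is not None and verify(auth, challenger_users, challenger_realm, nonce, "INVITE")

def outgoing_call():  # 3CX challenges, CUCM answers from its SIP Realm table
    return run_call("3cx-lab", "nonce-out-1", CUCM_SIP_REALMS, PBX_USERS, "sip:2001@3cx.example")

def incoming_call():  # CUCM challenges with its cluster ID as realm
    return run_call("cucm-cluster-1", "nonce-in-1", PBX_REALMS, CUCM_APP_USERS, "sip:1001@cucm.example")

if __name__ == "__main__":
    print(outgoing_call(), incoming_call())
```

A realm string that differs between the two sides, even by case, fails in one of two ways: the lookup returns no credentials, or the digest is computed over a different realm and does not match.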



 

Did anyone ever get this working? I need to interface between a CUCM environment and 3CX. I will have a CUBE onsite with the 3CX but connectivity is limited until the deployment... The CUCM and 3CX currently have IP reachability and I would like to do some testing... Would it be preferred to do this testing with the CUBE, and if so does anyone have suggestions on that config or with the CUCM direct trunk? The legacy SIP trunk that comes into the 3CX will be moved to the CUBE and the 3CX will be decommissioned, but the telco has stated that a change order will need to be completed (3-5 weeks) before the SIP "trunk" can be moved over. I have worked with other providers that have simply handed over an Ethernet port and media/signalling IPs; we simply created dial-peers inbound and outbound. The current setup requires authentication and a static MAC address.
Any help would be greatly appreciated.

 

Thanks,

 

Joe 

You are migrating AWAY from 3CX to Cisco?  So you want to pay a LOT more and you want more complexity?
