05-24-2013 03:16 AM - edited 03-16-2019 05:29 PM
Dear Folks,
We are planning to pilot hosted sip trunking. Should I just try do a Port Address Translation (with one Public IP) for my CUCM cluster of subscribers and give it to the service provider to be used in their Session Border Controllers.
Thanks Friends...
Solved! Go to Solution.
05-24-2013 05:31 AM
Hi
Gordon is right (+5), however note that you can do this with a firewall that supports application layer inspection. I've NATd CUCM behind a Cisco ASA firewall that is inspecting SIP and it works fine - no CUBE required. I've also done it with Palo Alto.
Also note that CUBE gives you a lot more flexibility however in terms of configuring the SIP trunk to your ITSP.
Barry Hesk
Intrinsic Network Solutions
05-24-2013 06:42 AM
Hi
No you must do static one to one NAT. You can't use PAT as your ITSP will attempt to signal back to you.
Barry Hesk
Intrinsic Network Solutions
05-24-2013 05:03 AM
NAT/PAT and SIP are unhappy bed fellows. This is because NAT/PAT only re-writes the IP packet header addresses. SIP buries the source and destination IP addresses inside the data packets too, which NAT/PAT won't touch.
If you want to expose your CUCM to the outside world, you'll need your own session border controller (e.g. Cisco CUBE)
GTG
05-24-2013 05:09 AM
Hi Thanks for the reply. In the case of trying out hosted sip trunking where the SBC sits on the service provider.. what is the best possible way of giving the CUCM external IP connectivity.
05-24-2013 05:12 AM
No - *you* need an SBC to present your CUCM on private IP addresses to the public Internet. The providers SBC is doing the same for their system: Presenting their private SIP system on a public IP address.
GTG
05-24-2013 05:31 AM
Hi
Gordon is right (+5), however note that you can do this with a firewall that supports application layer inspection. I've NATd CUCM behind a Cisco ASA firewall that is inspecting SIP and it works fine - no CUBE required. I've also done it with Palo Alto.
Also note that CUBE gives you a lot more flexibility however in terms of configuring the SIP trunk to your ITSP.
Barry Hesk
Intrinsic Network Solutions
05-24-2013 05:34 AM
Barry's right. The key thing is that you need a firewall device that looks beyond the IP header layer and understands the application layer.
GTG
05-24-2013 05:40 AM
Hello Barry,
Thanks for the reply. I would like to pursue without a CUBE or any SBC and just tryout/pilot few SIP trunk providers who are offering SIP service over Private&Public Network. We have ASA firewall and we can accomplish what you have suggested. I would like to know did you just do one-to-one NATing of all CUCM subs and expose the Public IP or does PAT would do ? Many Thanks for your time.
I thank Gordon for his time.
05-24-2013 06:42 AM
Hi
No you must do static one to one NAT. You can't use PAT as your ITSP will attempt to signal back to you.
Barry Hesk
Intrinsic Network Solutions
05-24-2013 07:30 AM
Thanks For your help...:-)
Sent from Cisco Technical Support iPhone App
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide