04-15-2025 01:33 AM - edited 04-15-2025 01:50 AM
Hi Team,
We are in the process of testing and implementing a secure SIP trunk between our CUBE and the Internet Service Provider. While we already have an existing SIP connection with the ISP, this new connection will be established over the internet.
We have installed the SSL certificate and would like guidance on how to configure the secure SIP trunk and apply the certificate without impacting the current SIP connection.
Could you please share a simple configuration example or format for this setup?
04-15-2025 02:29 AM
Does the "sip trunk line" from the ISP have authentication on it?
04-15-2025 02:36 AM - edited 04-15-2025 02:37 AM
Yes, the new SIP line will include encryption and SIP digest authentication as standard.
04-15-2025 02:49 AM
It is just a matter of configuring a second set of dial peers, inbound and outbound, and set these up to use secure communication. There isn't much more to it.
04-15-2025 02:56 AM - edited 04-15-2025 02:57 AM
Please find the attached current configuration. Could you please share a simple configuration example or format?
04-16-2025 12:52 AM
Looks like you're using BT as the ITSP, and if I understood you correctly you're looking at adding their SIP trunk service over internet, aka SOTI. We happen to have the exact same setup, so instead of trying to make modifications to your shared config I took the easy way out by copying the parts of the config from one of our SBCs that pertain to this and obfuscating any sensitive information.
voice service voip
address-hiding
sip
sip-profiles inbound
voice class uri CUCM sip
host ipv4:10.xx.xx.y1
host ipv4:10.xx.xx.y2
voice class uri PSTNSOTI sip
host ipv4:10.xx.xx.1
voice class uri PSTNGSIP sip
host ipv4:10.xx.xx.2
voice class sip-profiles 10
rule 10 request ANY sip-header From modify "<internal interface IP>" "<external interface 1 IP>"
rule 20 request ANY sip-header From modify "<external interface 1 IP>" "<public internet IP>"
rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*@.*(>)" "P-Asserted-Identity: \2+<main circuit number>@<public internet IP>\3"
rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*@.*(>)" "P-Asserted-Identity: \2+<main circuit number>@<public internet IP>\3"
rule 70 request ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>"
rule 80 response ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>"
rule 90 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2"
rule 100 request INVITE sip-header Requested-By modify "(.*:)<external interface 1 IP>>" "\1<public internet IP>>"
rule 110 request ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>"
rule 120 response ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>"
rule 130 request ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 140 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 150 request ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 160 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 170 request INVITE sip-header Diversion modify "Diversion:(.*)(<sip:).*@.*(>)" "Diversion: \2+<main circuit number>@<public internet IP>\3"
voice class sip-profiles 20
rule 10 request ANY sip-header From modify "<internal IP>" "<external interface 1 IP>"
rule 20 request ANY sip-header From modify "<external interface 1 IP>" "<public internet IP>"
rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 70 request ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>"
rule 80 response ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>"
rule 90 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2"
rule 100 request INVITE sip-header Requested-By modify "(.*:)<external interface 1 IP>>" "\1<public internet IP>>"
rule 110 request ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>"
rule 120 response ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>"
rule 130 request ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 140 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 150 request ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 160 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 170 request INVITE sip-header Diversion remove
voice class sip-profiles 100
rule 10 request ANY sip-header From modify "<public internet IP>" "<external interface 1 IP>"
rule 20 request OPTIONS sip-header SIP-Req-URI modify "<public internet IP>" "<external interface 1 IP>"
rule 30 request ANY sip-header To modify "<public internet IP>" "<external interface 1 IP>"
voice class sip-profiles 200
rule 10 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2"
rule 20 request OPTIONS sip-header From modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>"
rule 30 request ANY sip-header To modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>"
rule 40 request OPTIONS sip-header Contact modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>"
rule 50 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
rule 60 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>"
voice class sip-profiles 11
rule 10 request ANY sip-header From modify "<internal IP>" "external interface 2 IP"
rule 20 request ANY sip-header From modify "From:(.*)(<sip:.*@.*>)" "From: \2"
rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 70 request INVITE sip-header Diversion modify "Diversion:(.*)(<sip:)(.*)(@.*>)" "Diversion: \2+<main circuit number>\4"
rule 80 request INVITE sip-header Diversion add "Diversion: <sip:+<main circuit number>@external interface 2 IP>"
voice class sip-profiles 21
rule 10 request ANY sip-header From modify "<internal IP>" "external interface 2 IP"
rule 20 request ANY sip-header From modify "From:(.*)(<sip:.*@.*>)" "From: \2"
rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2"
rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3"
rule 70 request INVITE sip-header Diversion remove
voice class e164-pattern-map 1
description E164 Pattern Map for called number to CUCM
e164 +49XXXXXXXXXXXX
voice class e164-pattern-map 2000
description E164 Pattern Map for called number to PSTN
e164 +.T
voice class e164-pattern-map 2001
description E164 Pattern Map for emergency number
e164 0112
voice class server-group 1
ipv4 10.xx.xx.y1 preference 1
ipv4 10.xx.xx.y2 preference 2
description Inbound calls from PSTN to CUCM
huntstop 1 resp-code 404 to 404
voice class server-group 2000
ipv4 10.XX.XX.XX preference 1
ipv4 10.XX.XX.XX preference 2
description BT SOTI - IP Addresses
huntstop 1 resp-code 404 to 404
voice class server-group 2100
ipv4 10.XX.XX.XX preference 1
ipv4 10.XX.XX.XX preference 2
description ** BT One Voice - IP Addresses **
huntstop 1 resp-code 404 to 404
voice class sip-options-keepalive 1
description Used for Server Group SIP OPTIONS PING
voice class sip-options-keepalive 2000
description ** BT SOTI - Options-Ping **
down-interval 15
retry 3
transport tcp tls
sip-profiles 200
voice class sip-options-keepalive 2100
description ** BT One Voice - Options-Ping **
down-interval 15
retry 3
transport udp
voice class tenant 2000
connection-reuse
audio forced
session transport tcp tls
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
voice class tenant 2100
audio forced
bind control source-interface GigabitEthernet0/0/2
bind media source-interface GigabitEthernet0/0/2
voice class tenant 1
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
dial-peer cor custom
name CM
name PSTN-SOTI
name PSTN-GSIP
dial-peer cor list CM-IN
member PSTN-SOTI
member PSTN-GSIP
dial-peer cor list CM-OUT
member CM
dial-peer cor list PSTN-SOTI-OUT
member PSTN-SOTI
dial-peer cor list PSTN-SOTI-IN
member CM
dial-peer cor list PSTN-GSIP-OUT
member PSTN-GSIP
dial-peer cor list PSTN-GSIP-IN
member CM
dial-peer voice 1000 voip
corlist incoming CM-IN
description Outbound calls from CUCM
session protocol sipv2
incoming uri via CUCM
voice-class codec 1
voice-class sip tenant 1
dtmf-relay rtp-nte sip-kpml
no vad
dial-peer voice 1010 voip
corlist outgoing CM-OUT
description Inbound calls to CUCM
session protocol sipv2
session server-group 1
destination e164-pattern-map 1
voice-class codec 1
voice-class sip tenant 1
voice-class sip options-keepalive profile 1
dtmf-relay rtp-nte sip-kpml
no vad
dial-peer voice 100 voip
corlist incoming PSTN-SOTI-IN
description Inbound calls from PSTN
translation-profile incoming PSTN-IN
max-conn 150
session protocol sipv2
incoming uri via PSTNSOTI
voice-class codec 10
voice-class sip profiles 100 inbound
voice-class sip tenant 2000
dtmf-relay rtp-nte
srtp
no vad
dial-peer voice 110 voip
corlist outgoing PSTN-SOTI-OUT
description Outbound calls to PSTN
translation-profile outgoing PSTN-OUT
huntstop
max-conn 150
session protocol sipv2
session server-group 2000
destination e164-pattern-map 2000
voice-class codec 10
voice-class sip profiles 10
voice-class sip tenant 2000
voice-class sip options-keepalive profile 2000
dtmf-relay rtp-nte
srtp
no vad
dial-peer voice 120 voip
corlist outgoing PSTN-SOTI-OUT
description Emergency calls to PSTN
translation-profile outgoing PSTN-OUT
huntstop
max-conn 150
session protocol sipv2
session server-group 2000
destination e164-pattern-map 2001
voice-class codec 10
voice-class sip profiles 20
voice-class sip tenant 2000
voice-class sip options-keepalive profile 2000
dtmf-relay rtp-nte
srtp
no vad
dial-peer voice 200 voip
corlist incoming PSTN-GSIP-IN
description Inbound calls from PSTN-GSIP
translation-profile incoming PSTN-IN
redirect ip2ip
session protocol sipv2
incoming uri via PSTNGSIP
voice-class codec 10
voice-class sip early-offer forced
voice-class sip tenant 2100
dtmf-relay rtp-nte
fax-relay sg3-to-g3
fax rate 9600
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 2 hs-redundancy 1 fallback pass-through g711ulaw
no vad
dial-peer voice 210 voip
corlist outgoing PSTN-GSIP-OUT
description Outbound calls to PSTN-GSIP
translation-profile outgoing PSTN-OUT
huntstop
session protocol sipv2
session server-group 2100
destination e164-pattern-map 2000
voice-class codec 10
voice-class sip profiles 11
voice-class sip tenant 2100
voice-class sip options-keepalive profile 2100
dtmf-relay sip-kpml rtp-nte sip-notify
fax-relay sg3-to-g3
fax rate 9600
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 2 hs-redundancy 1 fallback pass-through g711ulaw
no vad
dial-peer voice 220 voip
corlist outgoing PSTN-GSIP-OUT
description Emergency calls to PSTN-GSIP
translation-profile outgoing PSTN-OUT
huntstop
session protocol sipv2
session server-group 2100
destination e164-pattern-map 2001
voice-class codec 10
voice-class sip profiles 21
voice-class sip tenant 2100
voice-class sip options-keepalive profile 2100
dtmf-relay sip-kpml rtp-nte sip-notify
no vad
sip-ua
no remote-party-id
retry invite 2
timers trying 300
timers connection establish tls 5
transport tcp tls v1.2 minimum
crypto signaling default trustpoint <name of choice> cn-san-validate server
g729-annexb override
no dial-peer voice 100 voip !Can possibly be removed as it's an H.323 dial peer
no dial-peer voice 101 voip !Can possibly be removed as it's an H.323 dial peer
dspfarm profile 10 transcode universal
codec g729abr8 !Remove as B = VAD and you're not using that
codec g729ar8
codec g711alaw
codec g711ulaw
codec g729br8 !Remove as B = VAD and you're not using that
codec g729r8
codec g722-64
maximum sessions 12
associate application SCCP
*** Bonus ** It would be advisable to use VRFs to split the two SIP trunks, but not technically an absolute must
ip vrf BTSOTI
rd 1:1
ip vrf BTGSIP
rd 2:2
interface GigabitEthernet0/0/1
description WAN interface to BT SOTI
ip vrf forwarding BTSOTI
ip access-group BTSOTI_ACL in !You should use an ACL to filter what traffic is allowed to/from ITSP
interface GigabitEthernet0/0/2
description WAN interface to BT One Voice
ip vrf forwarding BTGSIP
ip access-group BTGSIP_ACL in !You should use an ACL to filter what traffic is allowed to/from ITSP
ip route vrf BTGSIP 0.0.0.0 0.0.0.0 10.1X.XX.XX name EXT_TO_BTGSIP_DEFAULT
ip route vrf BTSOTI 0.0.0.0 0.0.0.0 10.2X.XX.XX name EXT_TO_BTSOTI_DEFAULT
05-26-2025 01:16 AM - edited 05-27-2025 03:13 PM
PFA. We have enabled TLS, and incoming calls are working. However, we are experiencing issues with outgoing calls. Could you please advise if there might be a configuration issue?
Please note that calls were working fine with the GSIP provider before enabling TLS. After they enabled TLS, outgoing calls stopped working.
05-26-2025 01:42 AM - edited 05-27-2025 10:27 PM
Somewhat of a messy configuration. It might be better if you do some cleanup of it before you post it here to ask for help. General observation: you're missing bind statements on a few dial peers, and the interfaces that have BT as part of the description are in shutdown state. If you need help, please either clean up your configuration and repost it or outline which dial peers you're intending to use for your call path. With that and the output from debug ccsip message and debug voip ccapi inout in a separate text file we should be in a better position to give you advice.
05-27-2025 03:21 PM
Please find attached. The following dial-peers are configured for incoming calls: 100, 101, 202, and 203.
For outbound calls, dial-peers 106 and 201 are in use.
We have disabled the SIP trunk on this CUBE and are currently migrating to gSIP over TLS.
After enabling TLS, we are facing the following issues:
Incoming calls connect on the test number, but there is no audio.
Incoming calls stop working when dial-peer 106 is enabled.
Outbound calls do not work at all after TLS is enabled.
05-28-2025 01:46 AM - edited 05-28-2025 11:26 AM
Hi @W-Sardar
There are simply too many incorrect things in your setup for it to be worth my while to try to fix it for you, as it would take way too much time. I advise you to start over, remove all your dial peers and follow my shared configuration from my reply dated 2025-04-16 09:52 AM. You don't need to follow it to the letter if there are parts that you don't like or that are not applicable to you, but it should be a solid starting point for you.
For one, you're stating that DP 100, 101, 202, and 203 are for inbound calls, but all of them are configured for outbound calls. Then you say that DP 106 and 201 are for outbound, but 106 is set up as an inbound dial peer. I suggest that you read this document on how call routing works in IOS, "Explain Cisco IOS and IOS XE Call Routing", as that will help you better understand how dial peer matching works.
To simplify things it is advised that you do not create separate dial peers per destination peer, instead use server groups and instead of matching on numbers called on inbound dial peers use a voice class that matches on the VIA header in the invite. On all the dial peers that you create there have to be bind statements, either direct or on a tenant.
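Added example (not part of the original reply, and not Cisco tooling): a small Python audit that applies the two checks described above to a running-config, namely which direction each VoIP dial peer can actually match and whether it has a bind, directly or through its tenant. It also flags TLS signaling without `srtp`, mirroring how the shared configuration pairs them; the sample config, the function names and the finding strings are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout, not the poster's attachment.
SAMPLE_CONFIG = """\
voice class tenant 2000
 session transport tcp tls
 bind control source-interface GigabitEthernet0/0/1
 bind media source-interface GigabitEthernet0/0/1
voice class tenant 2100
 session transport udp
dial-peer voice 100 voip
 description Inbound calls from PSTN
 session protocol sipv2
 incoming uri via PSTNSOTI
 voice-class sip tenant 2000
 srtp
dial-peer voice 110 voip
 description Outbound calls to PSTN
 session server-group 2000
 destination e164-pattern-map 2000
 voice-class sip tenant 2000
dial-peer voice 106 voip
 description Labelled outbound by its owner
 incoming called-number .
 voice-class sip tenant 2100
"""

# Commands that make a dial peer eligible for inbound / outbound matching.
INBOUND = re.compile(r"(incoming (uri|called|calling)|answer-address)\b")
OUTBOUND = re.compile(r"(destination[- ]|session (target|server-group))")

def parse_sections(text):
    """Group indented child lines under their unindented section header."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            current = sections.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return sections

def audit(text):
    """Map dial-peer tag -> (direction it can match, list of findings)."""
    sections = parse_sections(text)
    tenants = {h.split()[-1]: b for h, b in sections.items()
               if h.startswith("voice class tenant ")}
    report = {}
    for header, body in sections.items():
        m = re.fullmatch(r"dial-peer voice (\d+) voip", header)
        if not m:
            continue
        tag = next((l.split()[-1] for l in body
                    if l.startswith("voice-class sip tenant ")), None)
        effective = body + tenants.get(tag, [])   # dial peer plus inherited tenant
        bound = any(re.match(r"(voice-class sip )?bind control ", l) for l in effective)
        tls = any("transport" in l and "tcp tls" in l for l in effective)
        roles = [name for name, rx in (("inbound", INBOUND), ("outbound", OUTBOUND))
                 if any(rx.match(l) for l in body)]
        findings = []
        if not bound:
            findings.append("no bind (direct or via tenant)")
        if tls and not any(l.startswith("srtp") for l in body):
            findings.append("TLS signaling without srtp")
        report[int(m.group(1))] = ("+".join(roles) or "unmatched", findings)
    return report
```

The parser relies on the indentation that `show running-config` produces, so run it against a saved config rather than a flattened paste.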
05-28-2025 02:08 AM - edited 05-28-2025 08:12 AM
Looking through your shared debugs there are a number of things that stick out. For one, in the outbound call log you are matching dial peer 0 on the path from CM.
000575: May 27 20:37:53.762: //-1/B1B41C00000A/CCAPI/cc_api_call_setup_ind_common:
Interface=0x7F48B81FC370, Call Info(
Calling Number=0153255205,(Calling Name=)(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
Called Number=+4915208048157(TON=Unknown, NPI=Unknown),
Calling Translated=FALSE, Subscriber Type Str=Unknown, FinalDestinationFlag=TRUE,
Incoming Dial-peer=0, Progress Indication=NULL(0), Calling IE Present=TRUE,
Source Trkgrp Route Label=, Target Trkgrp Route Label=, CLID Transparent=FALSE), Call Id=1291
This is not good and means that the dial peer that you intend to match isn't matching. This will be fixed if you follow my advice to match on VIA header.
Also in all the logs this type of error is present.
000329: May 27 20:29:37.529: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 400 Bad Request - 'Invalid IP Address'
Via: SIP/2.0/TLS 62.134.72.254:5061;branch=z9hG4bK+c53ec2f542b44b4702ac01bce246f9001+sip+4+a7bf7c15
From: <sip:62.134.72.254:5061;lr>;tag=sip+4+bb86000b+c0d053d7
To: sip:194.50.160.213:5061;tag=DB732C-1CFE
Date: Tue, 27 May 2025 18:29:37 GMT
Call-ID: 8663162C-4@62.134.72.254:5061
Server: Cisco-SIPGateway/IOS-17.3.4a
CSeq: 524536048 OPTIONS
Content-Length: 0
This is likely because you are not taking care of changing the public IP into the IP addresses that the router knows about on its interfaces. You'll have to do that with SIP profiles. In my shared config this is present.
For outbound calls BT is responding with this on your outbound invite.
000653: May 27 20:37:54.007: //1292/B1B41C00000A/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 400 Bad Request
Call-ID: 88F8E436-3A6011F0-90F3B4DB-87158A3F@hyundai.com
CSeq: 101 INVITE
From: <sip:0153255205@hyundai.com>;tag=E305A5-1207
To: <sip:+4915208048157@bt.com;user=phone>;tag=sip+4+a991000f+9540753e
Via: SIP/2.0/TLS 10.122.105.205:5061;received=194.50.160.213;branch=z9hG4bK2FC1D7
Server: SIP/2.0
Content-Length: 0
Contact: <sip:213.137.173.94:5061;transport=tls>
Reason: SIP;cause=400;text="Site not found";origin=CS-G
Very likely you are not sending the information that BT expects. Again if you follow my shared configuration example that will be sorted.
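Added example (not part of the original reply): a Python check that scans a message copied from `debug ccsip messages` and lists the fields that still carry an RFC 1918 address, which is a quick way to confirm that outbound SIP profiles such as the Via, Contact and Session-Owner rules in the shared configuration are taking effect. It assumes the CUBE's interface address is an RFC 1918 address; the sample message and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed outbound INVITE in "debug ccsip messages" layout. Addresses are
# private or documentation ranges, not values taken from the thread.
SAMPLE_SENT = """\
Sent:
INVITE sip:+4930000000@203.0.113.10:5061 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK1A2B
From: <sip:+4930111111@198.51.100.7>;tag=ABC-1
To: <sip:+4930000000@203.0.113.10>
Contact: <sip:+4930111111@10.0.0.5:5061;transport=tls>
Content-Type: application/sdp

v=0
o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 10.0.0.5
s=SIP Call
c=IN IP4 198.51.100.7
m=audio 8000 RTP/SAVP 8
"""

# Explicit RFC 1918 list: ipaddress.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
HEADER = re.compile(r"([A-Za-z-]+):\s")

def internal_addresses(message):
    """Return (field, address) pairs where the message exposes an RFC 1918 address."""
    leaks, in_body = [], False
    for line in message.splitlines():
        line = line.strip()
        if line in ("Sent:", "Received:"):
            continue
        if not line:                      # blank line separates headers from SDP
            in_body = True
            continue
        if in_body:
            field = line[:2]              # SDP line type, e.g. "o=" or "c="
        else:
            m = HEADER.match(line)
            field = m.group(1) if m else "start-line"
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:            # e.g. 999.1.1.1 is not an address
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((field, text))
    return leaks

if __name__ == "__main__":
    for field, addr in internal_addresses(SAMPLE_SENT):
        print(f"{field}: still carries {addr}")
```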
05-28-2025 04:00 AM - edited 05-28-2025 04:05 AM
With DP 106 enabled that is matched as the inbound dial peer.
000757: May 27 21:16:32.650: //-1/17EF6D80000A/CCAPI/cc_api_call_setup_ind_common:
Interface=0x7F48B81FC370, Call Info(
Calling Number=0153255205,(Calling Name=)(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
Called Number=+4915208048157(TON=Unknown, NPI=Unknown),
Calling Translated=FALSE, Subscriber Type Str=Unknown, FinalDestinationFlag=TRUE,
Incoming Dial-peer=106, Progress Indication=NULL(0), Calling IE Present=TRUE,
Source Trkgrp Route Label=, Target Trkgrp Route Label=, CLID Transparent=FALSE), Call Id=1527
And then outbound DP 201 is matched.
000773: May 27 21:16:32.657: //1527/17EF6D80000A/CCAPI/ccCallSetupRequest:
Destination=, Calling IE Present=TRUE, Mode=0,
Outgoing Dial-peer=201, Params=0x7F48BF77D1F8, Progress Indication=NULL(0)
Again BT responds with 400 Bad Request
000837: May 27 21:16:32.701: //1528/17EF6D80000A/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 400 Bad Request
Call-ID: EF22F79E-3A6511F0-9427B4DB-87158A3F@hyundai.com
CSeq: 101 INVITE
From: <sip:0153255205@hyundai.com>;tag=10667CD-19C5
To: <sip:+4915208048157@bt.com;user=phone>;tag=sip+4+b3730018+5c19345f
Via: SIP/2.0/TLS 10.122.105.205:5061;received=194.50.160.213;branch=z9hG4bK3761C33
Server: SIP/2.0
Content-Length: 0
Contact: <sip:213.137.173.94:5061;transport=tls>
Reason: SIP;cause=400;text="Site not found";origin=CS-G
I do not see any inbound call in that log file, so I can't comment on why that stops working when you enable that DP. Likely it's related to the wrong dial peer being matched, or at least not the one that you'd expect to be matched. I strongly advise you to follow the advice to simplify your DP configuration and to have the needed SIP profiles in place, as otherwise the router wouldn't know what to do with the SIP dialog that has the public IP in it.