Thank you for reply

I check the configuration on cube and it's good .i can ping the SIP TRUNK from the CUBE.

the cube has only one interface 192.168.5.5 and i use NAT i reach the SIP TRUNK and i think the problem in the rule NAT can you confim is that rules is good

best regards

@aouelali  Pinging the SIP TRUNK does not mean your end to end communication will be success.

One more thing, is the FW allowing UDP ports 16384 - 32767 for RTP. Also, the processing of UDP packets on FW may also cause (i m assuming).

What you can do here is by enabling the debugs on CUBE and check when the ACK is sent in SIP MESSAGES debug.

#debug ccsip messages

#debug voip ccapi inout

Please analyse to go for next stage.

Recommend you to reconfigure your SBC (Cube) to have two interfaces. One connected to your internal network and the other connected to your firewall for the connection to the SIP service. This would be the preferred setup of a SBC for it to truly come to it’s right as the demarcation point between your internal network and the external SIP service provider.

Are you recommending that the CUBE connection would look like this?

Yes that’s correct. Anyway if the OP wants to have a firewall in front of the outside interface of the SBC to the service provider. This is not all that common in my experience, as the SBC can be setup with its own security enforcement, but if for example the connection to the service provider would utilise internet it could be a requirement for various reason.

Ah that's interesting and thanks for sharing your experience with it.  That is not a deployment I have ever seen before, and while I agree that the CUBE has its own security features built in, I would just as soon leave it on a single interface in the DMZ, just being careful with my NAT and ALG.

The reason for why I would argue to have an inside interface is that there is little point in having the internal endpoints communicate with the SBC via a firewall. I mean you would not likely contemplate to do that with a TDM voice gateway, right? See it as you would for a Expressway C, you would not very likely put a firewall between that and your endpoints. There is a merit to have the interface that face the service provider behind a firewall for protection. But as you say keep clear of NAT as that's s pretty sure way of successfully creating a perfect storm of issue and shorten your expected lifespan with a few odd years or so.

Yeah, I hear you on those points.  But, I wonder what the security folks would say about having systems in the dmz with direct inside connections, bypassing the security from DMZ to Inside (security levels, ACL, IPS, IDS, etc.)

True, those paranoid security folks are always “fun”. Joke aside, it would depend on what type of connection you utilities for the circuit with the service provider. If it’s a less secure connection type like internet this could absolutely be of concern.

My experience is that this is not the preference connection type for most service providers. More common would be to use a dedicated private connection to deliver the SIP service. This also in most cases removes the need to use encryption to protect the media and signaling path between the customer and the service provider. Whereas with a service running via internet this would be a necessity to protect the integrity of the traffic.

Yeah, I see no FW in the mix for private connections.  The FW only comes up when the connection is public and things like SIP Vicious start scanning you.  The FW is nice in this context because it can block the traffic to CUBE, and let CUBE spend more time processing real calls.  This way your max calls and/or CPS don't take a hit.