
SIP CUBE Behind Meraki Firewall NAT - No SIP ALG

steigja (Level 3)

Cisco Support Forums,

   We are switching out a firewall that has SIP ALG to a Meraki firewall that doesn't do SIP ALG.  There is a Cisco 4321 that is running as a CUBE, it has a private IP interface that is NAT'd from the outside, so now without SIP ALG, we will need SIP profiles on the CUBE.  It is also running SIP-UA to the telco SIP provider.  The inbound Dial-Peer is 2 and then the one to CUCM is 1000, outbound is 9101.  The one SIP profile I did build was 101, which I think is correct for outbound since it will change the internal to the external.

    Do I only need one SIP profile?  One that is inbound on "Dial-Peer 2" and the opposite of what SIP Profile 101 is, so changing the public to the private?  I've been having a hell of a time with this.  Has anyone dealt with a CUBE behind a NAT before? 

   Below is the config. The interface that reaches the firewall is 172.27.126.100 on GigabitEthernet0/0/1, and that's what the static NAT points to from the outside of the firewall.  The phones are connecting to the other sub-interfaces on the router, so they basically isolated their phones behind this router from the rest of the network.

XXX-4321#show run
Building configuration...

Current configuration : 14773 bytes
!
! Last configuration change at 20:03:29 EDT Fri Aug 25 2023 by eivr
! NVRAM config last updated at 20:09:22 EDT Fri Aug 25 2023 by eivr
!
version 17.9
service timestamps debug datetime msec localtime
service timestamps log datetime msec
service sequence-numbers
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname DDE-4321
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.17.09.03a.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging queue-limit
logging buffered 600000000
no logging rate-limit
no logging console
no logging monitor
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
ip name-server 192.168.1.10
ip domain name cisco.voip
ip dhcp excluded-address 192.168.2.1 192.168.2.20
!
ip dhcp pool XXX-Cisco-Phones
network 192.168.2.0 255.255.255.0
dns-server 192.168.1.10
domain-name cisco.voip
option 150 ip 192.168.1.11
default-router 192.168.2.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!

quit
!
!
!
!
voice service voip
dtmf-interworking rtp-nte
allow-connections sip to sip
supplementary-service h450.12
fax protocol pass-through g711ulaw
h323
trace
sip
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
registrar server
no update-callerid
midcall-signaling passthru media-change
early-offer forced
sip-profiles inbound
!
voice class codec 1
codec preference 2 g711ulaw
codec preference 3 g711alaw
!
voice class codec 3
codec preference 1 g729r8
codec preference 2 g711alaw
!
voice class h323 1
h225 timeout tcp establish 3
h225 timeout setup 3
!
!
voice class sip-profiles 1
!
voice class sip-profiles 101
request ANY sip-header From modify "172.27.126.100" "50.X.X.X"
request ANY sip-header Via modify "172.27.126.100" "50.X.X.X"
request ANY sip-header Remote-Party-ID modify "172.27.126.100" "50.X.X.X"
request ANY sip-header Contact modify "172.27.126.100" "50.X.X.X"
response ANY sip-header Contact modify "172.27.126.100" "50.X.X.X"
response ANY sip-header Remote-Party-ID modify "172.27.126.100" "50.X.X.X"
request ANY sip-header Call-Info modify "172.27.126.100" "50.X.X.X"
request ANY sip-header P-Asserted-Identity modify "172.27.126.100" "50.X.X.X"
request ANY sdp-header Audio-Connection-Info modify "172.27.126.100" "50.X.X.X"
request ANY sdp-header Connection-Info modify "172.27.126.100" "50.X.X.X"
request ANY sdp-header Session-Owner modify "172.27.126.100" "50.X.X.X"
response ANY sdp-header Session-Owner modify "172.27.126.100" "50.X.X.X"
response ANY sdp-header Connection-Info modify "172.27.126.100" "50.X.X.X"
response ANY sdp-header Audio-Connection-Info modify "172.27.126.100" "50.X.X.X"
!
!
!
!
voice iec syslog
!
!
voice translation-rule 1
rule 1 reject /^91XXX\(.*\)/
rule 3 reject /^91XXX\(.*\)/
rule 4 reject /^91XXX\(.*\)/
rule 5 reject /^91XXX\(.*\)/
rule 6 reject /^91XXX\(.*\)/
rule 7 reject /^91XXX\(.*\)/
rule 8 reject /^91XXX\(.*\)/
rule 10 reject /^91XXX\(.*\)/
rule 11 reject /^91XXX\(.*\)/
rule 12 reject /^91XXX\(.*\)/
rule 13 /^9\(.*\)/ /\1/
rule 14 /^91\(.*\)/ /\1/
!
voice translation-rule 2
rule 1 /^.*/ /856XXXXXXX/
!
voice translation-rule 3
rule 1 /^.*/ /856XXXXXXX/
!
!
voice translation-profile rpid9
translate called 1
!
!
!
!
!
voice-card 0/1
no watchdog
!
voice-card 0/4
dsp services dspfarm
no watchdog
!
license udi pid ISR4321/K9 sn XXX
license accept end user agreement
license boot suite AdvUCSuiteK9
memory free low-watermark processor 62726
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
enable secret 9 XXXX
!
username XXXX privilege 15 password XXXX
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description CONNECTION TO LOCAL LAN
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/0/0.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/0/1
description CONNECTION TO XXXX VIA INSIDE FIREWALL
ip address 172.27.126.100 255.255.252.0
media-type rj45
negotiation auto
!
interface Service-Engine0/1/0
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.27.126.10
!
!
ip access-list extended CAP-FILTER
10 permit ip host 192.168.4.1 host 192.168.4.5
20 permit ip host 192.168.4.5 host 192.168.4.1
!
ip access-list standard 10
10 permit 172.27.126.0 0.0.0.255
20 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
timing hookflash-out 50
timing guard-out 1000
connection plar 1210
description POTS Number XXX
!
voice-port 0/1/3
timing hookflash-out 50
timing guard-out 1000
connection plar 1210
description POTS Number XXX
!
voice-port 0/1/4
timing hookflash-out 50
timing guard-out 1000
connection plar 1210
description POTS Number XXX
!
voice-port 0/1/5
timing hookflash-out 50
timing guard-out 1000
connection plar 1210
description POTS Number XXX
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
sccp local GigabitEthernet0/0/0
sccp ccm 192.168.1.11 identifier 1 priority 1 version 7.0
sccp
!
sccp ccm group 10
associate ccm 1 priority 1
associate profile 10 register CUCM-MTP
associate profile 11 register CUCM-XCODE
associate profile 12 register CUCMConf-Bridge
!
!
no ccm-manager fax protocol cisco
!
dspfarm profile 11 transcode
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
codec g729r8
codec pass-through
maximum sessions 3
associate application SCCP
!
dspfarm profile 10 mtp
description Media Termination Point
codec g711ulaw
codec pass-through
maximum sessions software 1000
associate application SCCP
!
dial-peer voice 9911 voip
description 911 with 9 access code
translation-profile outgoing rpid9
destination-pattern 9911
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 911 voip
description 911 without 9 access code
destination-pattern 911
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 9411 voip
description 411, 611 with 9 access code
translation-profile outgoing rpid9
destination-pattern 9[4,6]11
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 9100 voip
description 7 or 10 digit local calls
translation-profile outgoing rpid9
destination-pattern 9[2-9]T
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 9101 voip
description 11 digit long distance calls
translation-profile outgoing rpid9
destination-pattern 91[2-9]..[2-9]......
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 9102 voip
description International calls and PSTN Operator
translation-profile outgoing rpid9
destination-pattern 90T
session protocol sipv2
session target ipv4:199.X.X.X
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
!
dial-peer voice 2 voip
description - Incoming dial peer needed for translating DID
answer-address .
session protocol sipv2
session target ipv4:199.X.X.X
incoming called-number .T
voice-class codec 1
voice-class sip early-offer forced
dtmf-relay rtp-nte
clid network-provided
no vad
authentication username XXXX password 7 XXXX realm XXXX.CUCM
!
dial-peer voice 1000 voip
description Inbound SIP Calls to CUCM
destination-pattern XXX.......
session protocol sipv2
session target ipv4:192.168.1.11
incoming called-number .
voice-class codec 1
dtmf-relay cisco-rtp
no vad
!
!
sip-ua
credentials username XXXX password 7 XXXX realm XXXX.CUCM
authentication username XXXX password 7 XXXX
set sip-status 400 pstn-cause 31
set sip-status 401 pstn-cause 21
set sip-status 403 pstn-cause 21
set sip-status 405 pstn-cause 63
set sip-status 406 pstn-cause 79
set sip-status 410 pstn-cause 22
set sip-status 488 pstn-cause 31
set sip-status 501 pstn-cause 38
set sip-status 503 pstn-cause 41
set sip-status 606 pstn-cause 38
set pstn-cause 1 sip-status 503
set pstn-cause 6 sip-status 406
set pstn-cause 30 sip-status 501
set pstn-cause 31 sip-status 480
set pstn-cause 43 sip-status 502
set pstn-cause 44 sip-status 503
set pstn-cause 49 sip-status 503
set pstn-cause 50 sip-status 503
set pstn-cause 58 sip-status 503
set pstn-cause 63 sip-status 503
set pstn-cause 66 sip-status 480
set pstn-cause 69 sip-status 503
set pstn-cause 70 sip-status 503
set pstn-cause 81 sip-status 502
set pstn-cause 82 sip-status 502
set pstn-cause 83 sip-status 503
set pstn-cause 84 sip-status 503
set pstn-cause 85 sip-status 503
set pstn-cause 86 sip-status 408
set pstn-cause 88 sip-status 503
set pstn-cause 91 sip-status 502
set pstn-cause 95 sip-status 503
set pstn-cause 96 sip-status 409
set pstn-cause 97 sip-status 480
set pstn-cause 98 sip-status 409
set pstn-cause 99 sip-status 480
set pstn-cause 100 sip-status 501
set pstn-cause 101 sip-status 503
set pstn-cause 102 sip-status 503
set pstn-cause 111 sip-status 500
retry invite 2
retry bye 2
retry cancel 2
registrar ipv4:199.X.X.X expires 3600
sip-server ipv4:199.X.X.X
g729-annexb override

alias exec ct config t
alias exec sit sh int trunk
alias exec sir sh ip ro
alias exec sib sh ip int brie
!
line con 0
exec-timeout 90 0
stopbits 1
line aux 0
line vty 0 4
exec-timeout 90 0
login local
transport input telnet ssh
line vty 5 15
login
transport input telnet ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp master
ntp server 192.5.41.209
!
!
!
!
!
!
end

CUBE-4321#

3 Replies

You would need to have at least two SIP profiles, one used to change the public IP to the private used in the inbound direction from the service provider and another that is used in the outbound direction to the service provider that changes the private IP to the public. Apart from that your dial peers are quite poorly crafted, for example you have no bind statements to any interfaces and your so-called inbound dial peer has a bunch of configurations that are used for an outbound dial peer. Also you don't need to have that many outbound dial peers towards your service provider, you can combine them into one with the use of e164 pattern map. See this document for more information on how call routing operates in IOS: Explain Cisco IOS and IOS XE Call Routing 



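A worked illustration of the two-profile approach described in the reply above, added here as an example and not taken from the original post or from Cisco's code: a small Python model of what the `voice class sip-profiles` header substitution does to a SIP message in each direction, so the effect of an outbound (private to public) and an inbound (public to private) profile can be checked on sample messages before anything is changed on the router. It uses the CUBE's inside address from the posted config, while the public NAT address and the provider's server are constructed stand-ins (the page masks them as 50.X.X.X and 199.X.X.X). The outbound rule list follows profile 101 from the post; the inbound mirror additionally rewrites the Request-URI and To header, which is this example's assumption about where the provider writes the public address. The sample INVITEs and the 200 OK in the test are constructed, not captures.

```python
"""Model of IOS 'voice class sip-profiles' rewriting for a CUBE behind static NAT.

Added example, not Cisco code: it only simulates the header substitution so the
effect of an outbound (private->public) and inbound (public->private) profile
can be checked on sample messages before touching the router.
"""
from dataclasses import dataclass

PRIVATE_IP = "172.27.126.100"  # CUBE inside address on Gi0/0/1, from the posted config
PUBLIC_IP = "50.0.0.1"         # constructed stand-in for the firewall's static NAT address (50.X.X.X)
PROVIDER_IP = "199.0.0.5"      # constructed stand-in for the provider's SIP server (199.X.X.X)

# IOS sdp-header keywords and the SDP line prefix each one acts on.
SDP_KEYWORDS = {"Session-Owner": "o=", "Connection-Info": "c=", "Audio-Connection-Info": "c="}


@dataclass(frozen=True)
class Rule:
    direction: str  # "request" or "response", as in 'request ANY sip-header ...'
    kind: str       # "sip-header" or "sdp-header"
    name: str       # header keyword, e.g. "Contact", "SIP-Req-URI", "Audio-Connection-Info"
    old: str
    new: str


def make_profile(old_ip, new_ip, request_headers):
    """Build a rule set shaped like profile 101: request rules for the given SIP
    headers, response rules for Contact and Remote-Party-ID, SDP rules both ways."""
    rules = [Rule("request", "sip-header", h, old_ip, new_ip) for h in request_headers]
    rules += [Rule("response", "sip-header", h, old_ip, new_ip) for h in ("Contact", "Remote-Party-ID")]
    for name in SDP_KEYWORDS:
        rules.append(Rule("request", "sdp-header", name, old_ip, new_ip))
        rules.append(Rule("response", "sdp-header", name, old_ip, new_ip))
    return rules


def apply_profile(raw, rules):
    """Apply the rules to one SIP message (CRLF line endings) and return the rewritten text."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    direction = "response" if lines[0].startswith("SIP/2.0 ") else "request"
    active = [r for r in rules if r.direction == direction]

    new_head = []
    for i, line in enumerate(lines):
        for r in active:
            if r.kind != "sip-header":
                continue
            if i == 0 and direction == "request" and r.name == "SIP-Req-URI":
                line = line.replace(r.old, r.new)  # the Request-URI lives on the start line
            elif i > 0 and line.lower().startswith(r.name.lower() + ":"):
                line = line.replace(r.old, r.new)
        new_head.append(line)

    new_body = []
    in_media = False  # False until the first m= line: separates session-level from media-level c=
    for line in body.split("\r\n"):
        if line.startswith("m="):
            in_media = True
        for r in active:
            if r.kind != "sdp-header" or not line.startswith(SDP_KEYWORDS[r.name]):
                continue
            if r.name == "Connection-Info" and in_media:
                continue  # session-level c= only
            if r.name == "Audio-Connection-Info" and not in_media:
                continue  # the c= under m=audio only
            line = line.replace(r.old, r.new)
        new_body.append(line)
    return "\r\n".join(new_head) + sep + "\r\n".join(new_body)


def lines_mentioning(raw, ip):
    """Leak check: every line of the message that still carries the given address."""
    return [ln for ln in raw.split("\r\n") if ip in ln]


# Outbound request header list taken from voice class sip-profiles 101 in the post.
PROFILE_101_HEADERS = ("From", "Via", "Remote-Party-ID", "Contact", "Call-Info", "P-Asserted-Identity")
OUTBOUND_PROFILE = make_profile(PRIVATE_IP, PUBLIC_IP, PROFILE_101_HEADERS)
# Inbound mirror: the same headers the other way, plus Request-URI and To (this example's
# assumption about where the provider writes the public address).
INBOUND_PROFILE = make_profile(PUBLIC_IP, PRIVATE_IP, PROFILE_101_HEADERS + ("SIP-Req-URI", "To"))

# Constructed sample messages, not captures from the poster's system.
OUTBOUND_INVITE = "\r\n".join([
    f"INVITE sip:18565551212@{PROVIDER_IP} SIP/2.0",
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK-constructed",
    f"From: <sip:8565550100@{PRIVATE_IP}>;tag=1",
    f"To: <sip:18565551212@{PROVIDER_IP}>",
    f"Contact: <sip:8565550100@{PRIVATE_IP}:5060>",
    f"P-Asserted-Identity: <sip:8565550100@{PRIVATE_IP}>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 {PRIVATE_IP}",
    "s=SIP Call",
    f"c=IN IP4 {PRIVATE_IP}",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    f"c=IN IP4 {PRIVATE_IP}",
    "a=rtpmap:0 PCMU/8000",
])
INBOUND_INVITE = "\r\n".join([
    f"INVITE sip:8565550100@{PUBLIC_IP} SIP/2.0",
    f"Via: SIP/2.0/UDP {PROVIDER_IP}:5060;branch=z9hG4bK-constructed2",
    f"From: <sip:12125550199@{PROVIDER_IP}>;tag=2",
    f"To: <sip:8565550100@{PUBLIC_IP}>",
    f"Contact: <sip:12125550199@{PROVIDER_IP}:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=provider 2 2 IN IP4 {PROVIDER_IP}",
    "s=-",
    f"c=IN IP4 {PROVIDER_IP}",
    "t=0 0",
    "m=audio 20000 RTP/AVP 0",
])

if __name__ == "__main__":
    for label, msg, prof, leak in (("outbound", OUTBOUND_INVITE, OUTBOUND_PROFILE, PRIVATE_IP),
                                   ("inbound", INBOUND_INVITE, INBOUND_PROFILE, PUBLIC_IP)):
        rewritten = apply_profile(msg, prof)
        print(f"--- {label} after profile ---\n{rewritten}\n")
        print("lines still carrying the wrong address:", lines_mentioning(rewritten, leak), "\n")
```

Running the file prints both rewritten INVITEs and, for each, the lines that still carry the address that should have been replaced; an empty list is the result to look for. The same leak check is the thing to run by eye over a `debug ccsip messages` capture after applying real profiles: on outbound messages nothing should still say 172.27.126.100, and on inbound ones the Request-URI and To should no longer carry the public address. The 200 OK case in the rule set shows a subtlety of profile 101 as posted: its response rules cover Contact and Remote-Party-ID but not Via, so a response's Via keeps whatever address it was sent with.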


Even if it's not directly related you should get an idea on what is needed to handle a NAT connection from this document: Direct Routing for Microsoft Phone System with Cisco Unified Border Element (CUBE) 





Hi

In this scenario, you don't need to be discovered from your TSP so you don't need a static NAT. Your VG will use the "credentials" statement under sip-ua to contact your TSP registrar every X seconds based on the "refresh-ratio" you configured on the registrar option under sip-ua. Eg:

registrar 1 dns:tsp.com:5060 expires 180 refresh-ratio 50


In this case you'll send a "REGISTER" message every X seconds creating a NAT entry used by your TSP to contact you back.

Please let me know if this helps.

BR

Carlo

Please rate all helpful posts "The more you help the more you learn"