SIP trunk in addition to ISDN(pots) trunk

NazgulNr5

Hi there,

First thing, I'm a network engineer and don't really have any experience with VOIP stuff. However, I have to take care of our office telephone system. We use the Cisco CUCM, and not exactly a new version on top.

Currently phone calls go out through pots dial-peers on the voice router. This needs to be migrated to a SIP trunk. We got the credentials for the SIP trunk, configured it on the router and the trunk shows as up. However, we can't make any phone calls when we remove the pots dial-peers.

Can anyone help with what needs to be done in the CallManager? For the SIP trunk we currently have a separate number for testing.


The first thing I would want to see is the output of a "debug ccsip message" on the router in question when you try to place a call. Also what you get from a "show sip-ua status"?

Here's the requested info. It does seem to fall back to the ISDN line after trying the SIP trunk...

 

VoipRTR1#show sip-ua status
SIP User Agent Status
SIP User Agent for UDP : ENABLED
SIP User Agent for TCP : ENABLED

SIP User Agent for TLS over TCP : ENABLED
SIP User Agent bind status(signaling): DISABLED
SIP User Agent bind status(media): DISABLED
SIP early-media for 180 responses with SDP: ENABLED
SIP max-forwards : 70
SIP DNS SRV version: 2 (rfc 2782)
NAT Settings for the SIP-UA
Role in SDP: NONE
Check media source packets: DISABLED
Maximum duration for a telephone-event in NOTIFYs: 2000 ms
SIP support for ISDN SUSPEND/RESUME: ENABLED
Redirection (3xx) message handling: ENABLED
Reason Header will override Response/Request Codes: DISABLED
Out-of-dialog Refer: DISABLED
Presence support is DISABLED
protocol mode is ipv4

SDP application configuration:
Version line (v=) required
Owner line (o=) required
Timespec line (t=) required
Media supported: audio video image
Network types supported: IN
Address types supported: IP4 IP6
Transport types supported: RTP/AVP udptl

 

Debug output:

.Jun 10 13:32:34.798: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:<test_number>@<voice_router_IP>:5060 SIP/2.0
Via: SIP/2.0/TCP <callmanager_IP>:5060;branch=z9hG4bK8794bdc2fa
From: "<me>" <sip:2044@<callmanager_IP>>;tag=1453~5f73deec-def7-4360-8879-63739c1a89d7-30154588
To: <sip:<test_number>@<voice_router_IP>>
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: c7c50a80-2a3147f2-169-a0a410a@<callmanager_IP>
Supported: timer,resource-priority,replaces
Min-SE: 1800
User-Agent: Cisco-CUCM8.6
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:<callmanager_IP>:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
Session-Expires: 1800
P-Asserted-Identity: "<me>" <sip:2044@<callmanager_IP>>
Remote-Party-ID: "<me>" <sip:2044@<callmanager_IP>>;party=calling;screen=yes;privacy=off
Contact: <sip:2044@<callmanager_IP>:5060;transport=tcp>
Max-Forwards: 70
Content-Length: 0


.Jun 10 13:32:34.806: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32821B4-20D8
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867954
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0


.Jun 10 13:32:34.806: //33844/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/TCP <callmanager_IP>:5060;branch=z9hG4bK8794bdc2fa
From: "<me>" <sip:2044@<callmanager_IP>>;tag=1453~5f73deec-def7-4360-8879-63739c1a89d7-30154588
To: <sip:<test_number>@<voice_router_IP>>
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: c7c50a80-2a3147f2-169-a0a410a@<callmanager_IP>
CSeq: 101 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0


.Jun 10 13:32:34.954: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32821B4-20D8
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867954
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0


.Jun 10 13:32:35.254: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32821B4-20D8
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:35 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867955
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0


.Jun 10 13:32:35.854: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32825D0-212B
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:35 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867955
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0


.Jun 10 13:32:36.006: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32825D0-212B
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:36 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867956
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0


.Jun 10 13:32:36.306: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:<test_number>@<SIP_registrar>:5060 SIP/2.0
Via: SIP/2.0/UDP <voice_router_IP>:5060;branch=z9hG4bK55E3D6D
From: "<me>" <sip:044@<SIP_registrar>>;tag=F32825D0-212B
To: <sip:<test_number>@<SIP_registrar>>
Date: Fri, 10 Jun 2022 13:32:36 GMT
Call-ID: 9F0DC921-E7F811EC-8E9AF384-E395E532@<voice_router_IP>
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 3351579264-0000065536-0000000361-0168444170
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1654867956
Contact: <sip:044@<voice_router_IP>:5060>
Expires: 60
Allow-Events: telephone-event
Max-Forwards: 69
Session-Expires: 1800
Content-Length: 0

 

.Jun 10 13:32:38.290: //33844/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 183 Session Progress
Via: SIP/2.0/TCP <callmanager_IP>:5060;branch=z9hG4bK8794bdc2fa
From: "<me>" <sip:2044@<callmanager_IP>>;tag=1453~5f73deec-def7-4360-8879-63739c1a89d7-30154588
To: <sip:<test_number>@<voice_router_IP>>;tag=F3282F54-EBD
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: c7c50a80-2a3147f2-169-a0a410a@<callmanager_IP>
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Contact: <sip:<test_number>@<voice_router_IP>:5060;transport=tcp>
Call-Info: <sip:<voice_router_IP>:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-12.x
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 295

v=0
o=CiscoSystemsSIP-GW-UserAgent 3077 3987 IN IP4 <voice_router_IP>
s=SIP Call
c=IN IP4 <voice_router_IP>
t=0 0
m=audio 21430 RTP/AVP 9 0 8 18
c=IN IP4 <voice_router_IP>
a=rtpmap:9 G722/8000
a=fmtp:9 bitrate=64
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no


.Jun 10 13:32:41.603: %ISDN-6-CONNECT: Interface Serial0/0/0:30 is now connected to 2045 N/A
.Jun 10 13:32:41.603: //33844/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/TCP <callmanager_IP>:5060;branch=z9hG4bK8794bdc2fa
From: "<me>" <sip:2044@<callmanager_IP>>;tag=1453~5f73deec-def7-4360-8879-63739c1a89d7-30154588
To: <sip:<test_number>@<voice_router_IP>>;tag=F3282F54-EBD
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: c7c50a80-2a3147f2-169-a0a410a@<callmanager_IP>
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Contact: <sip:<test_number>@<voice_router_IP>:5060;transport=tcp>
Supported: replaces
Call-Info: <sip:<voice_router_IP>:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-12.x
Require: timer
Session-Expires: 1800;refresher=uac
Supported: timer
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 295

v=0
o=CiscoSystemsSIP-GW-UserAgent 3077 3987 IN IP4 <voice_router_IP>
s=SIP Call
c=IN IP4 <voice_router_IP>
t=0 0
m=audio 21430 RTP/AVP 9 0 8 18
c=IN IP4 <voice_router_IP>
a=rtpmap:9 G722/8000
a=fmtp:9 bitrate=64
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no

.Jun 10 13:32:41.615: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
ACK sip:<test_number>@<voice_router_IP>:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TCP <callmanager_IP>:5060;branch=z9hG4bK87a61df93fd
From: "<me>" <sip:2044@<callmanager_IP>>;tag=1453~5f73deec-def7-4360-8879-63739c1a89d7-30154588
To: <sip:<test_number>@<voice_router_IP>>;tag=F3282F54-EBD
Date: Fri, 10 Jun 2022 13:32:34 GMT
Call-ID: c7c50a80-2a3147f2-169-a0a410a@<callmanager_IP>
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: presence, kpml
Content-Type: application/sdp
Content-Length: 154

v=0
o=CiscoSystemsCCM-SIP 1453 1 IN IP4 <callmanager_IP>
s=SIP Call
c=IN IP4 <my_IP>
t=0 0
m=audio 24582 RTP/AVP 9
a=rtpmap:9 G722/8000
a=ptime:20

I don't see any responses from the ITSP SIP. I would suspect interface bindings, but it is hard to say for sure. It also looks like you are sending extension numbers on the outbound calls which could be a problem. Can your ITSP tell you if they are seeing the invite messages? Is there a provider router there? What kind of transport do you have (private, VPN, public internet) to your ITSP? At some point seeing the configuration would probably be helpful.

The SIP trunk is supposed to go over our internet connection (ISP is the same as the SIP provider). The voice router can get to the internet, DNS also works. For now we have allowed any traffic originating from the voice router to the internet in the firewall.

The setup is voice router-> firewall -> NAT router -> ISP

We have opened a ticket with the ITSP and asked them to check if they see any connection attempts from our side, but no reply so far.

If you only have traffic from the router to ITSP allowed, then you have only allowed half of the communication.

You are probably blocking the traffic from ITSP to the router. You should check the logs on the FW.

 

Also be aware that if you use NAT, you have to take care of the IP addresses in the SIP header.

NAT only translates the IP addresses in the IP header, but not in the SIP header (different layer). Normally, FWs have something called "Application Layer Gateway" (ALG), which does the same as NAT, but in higher layers.
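
Added example, not part of the thread: a short Python check for the two points raised in the replies above, that no response comes back from the ITSP and that NAT leaves the addresses inside the SIP headers untouched. It groups `debug ccsip messages` output by Via branch; the sample log, its addresses and the function name `analyze` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like "debug ccsip messages" output (addresses are made up).
SAMPLE = """\
.Jun 10 13:32:34.806: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:5550100@sip.example.net:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.20.5:5060;branch=z9hG4bK55E3D6D
Contact: <sip:044@10.10.20.5:5060>

.Jun 10 13:32:34.954: //33845/C7C50A800000/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:5550100@sip.example.net:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.20.5:5060;branch=z9hG4bK55E3D6D
Contact: <sip:044@10.10.20.5:5060>

.Jun 10 13:32:40.100: //33850/AAAAAAAAAAAA/SIP/Msg/ccsipDisplayMsg:
Sent:
OPTIONS sip:sip.example.net:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.20.5:5060;branch=z9hG4bK77A1
Contact: <sip:10.10.20.5:5060>

.Jun 10 13:32:40.140: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.20.5:5060;branch=z9hG4bK77A1
"""

def analyze(debug_text):
    """Per Via branch of each request the router sent: sends, answered, private IPs."""
    sent, answered = {}, set()
    for chunk in re.split(r"^.*ccsipDisplayMsg:\s*$", debug_text, flags=re.M)[1:]:
        lines = chunk.strip().splitlines()
        via = re.search(r"^Via:.*?branch=([^;\s]+)", chunk, re.M)
        if len(lines) < 2 or not via:
            continue
        direction, start, branch = lines[0].strip(), lines[1].strip(), via.group(1)
        is_response = start.startswith("SIP/2.0 ")
        if direction == "Received:" and is_response:
            answered.add(branch)  # the far end replied to this transaction
        elif direction == "Sent:" and not is_response:
            rep = sent.setdefault(branch, {"method": start.split()[0], "sends": 0, "private": set()})
            rep["sends"] += 1  # more than 1 means the request was retransmitted
            # NAT rewrites only the IP header; RFC 1918 hosts here reach the ITSP unchanged.
            for host in re.findall(r"^(?:Via|Contact):.*?(\d+\.\d+\.\d+\.\d+)", chunk, re.M):
                if ipaddress.ip_address(host).is_private:
                    rep["private"].add(host)
    for branch, rep in sent.items():
        rep["answered"] = branch in answered
    return sent

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A branch with several sends, `answered` false and a non-empty `private` set matches the pattern discussed here: requests leave the router, nothing returns, and the headers advertise an address the provider cannot route to.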

Ah, yes, we also need to allow incoming connections.

But outgoing calls should work as it is now, as the return traffic is always allowed.

However, you're right about the IP in the SIP header. We have Fortigate FW and they do have an ALG functionality. However, the Fortigates are not doing the NAT, so even if it changed the IP in the SIP header to its own it would still be a private IP.

This whole setup looks like a rather bad idea...

Edit: We do have additional public IPs. Would it work if we put one on a loopback IF on the voice router and route the traffic accordingly?

I'm not a FW specialist, but since you are using UDP between router and ITSP, there is no "connection", where the FW can't correlate the return traffic too.

Either way, you need incoming allow rules, since for incoming calls the connection is started from outside. So you need to allow incoming traffic anyway.

 

And yes, I agree. CUBE behind NAT is always a bad idea. I always try to use a setup, where you would have a public IP directly configured on the CUBE.

You can do it with a loopback, but why not directly configure it on a physical interface?

The point is: NAT is bad when talking about voice/video traffic. So, if you can avoid it, avoid it.

 

The following picture shows the recommended design (also recommended by Cisco):

 

Unbenannt.JPG

The CUBE has direct access to the internet, with a public IP configured on one interface.

Normally, the ITSP gives you a list of IPs which they use for SIP / RTP traffic. So you can use this list and build an access list and assign it to this internet-facing interface.

 

A second interface is located in a DMZ.

The FW only allows necessary traffic between CUBE and internal servers / clients (not that many rules to do here).

 

And, as always (not only in this scenario): do some router hardening.

Bit older, but you can still take some inputs with you: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Sorry for the late reply and thanks a lot for the detailed information.

Yes, firewalls have a way to track UDP traffic. Fortunately the person who landed us in this heap of dung has left the company and we can talk to our provider again. They had recommended a separate line in the first place but the aforementioned person did the opposite of everything they recommended out of sheer spite.

Screwed up my reply. My reply below was meant to be a reply to your reply.
