I currently have CM8.5 running with a SIP provider trunk out to the internet. It is running via CUBE that is on a DMZ. The firewall is an ASA and it is doing SIP inspection, so the payload is being NAT'd along with the ip headers. We are replacing the ASA with another firewall that appearently does not do SIP inspection. Is there a way in CM8.5 to setup a SIP trunk with the global IP address being used in the SIP payload instead of the internal address?
Nope. CUCM is not supposed to be exposed to an untrusted network. CUBE can do it if you bypass the firewall and give the outside interface a public IPv4 directly. If you have sufficient CPU headroom, you could enable IOS zone-based firewalling to protect the router. If not, use an ACL to deny all traffic except to/from the ITSP SIP Proxy and established connections.