Solved: CUCM 8.x - SIP to ITSP - without Router ?

philippe.cousineau · ‎11-14-2011

Hi there,

I know that best practices tell to use a router when you do SIP trunk to an ITSP...

Anyone have done a SIP trunk just from CUCM straight to the ITSP ( without CUBE voice-gateway )?

Any doc. on that?

thanks

Chris Deren · ‎11-14-2011

I would never do it, but if you need to and you do not require SIP trunk authentication you can easily do it by creating the SIP trunk pointing to the ITSP.

Make sure you understand Early vs. Delayed media detaction and CUCM limitations as you may require MTPs for your calls to support Early Media as most ITSPs use it.

Chris

View solution in original post

Gajanan Pande · ‎11-14-2011

Ofcourse, you wouldnt find a Cisco's official doc about this as Cisco strongly recommends deploying CUBE in path to ITSPs. I know it can be done but havent seen any business practice doing it that way. Please keep this thread posted if someone has done it.

GP.

View solution in original post

ciscoroyzhang · ‎02-24-2013

Hi Philippe, I am also quite interested in this topic, could you advice how you setup your ITSP simulator in your lab for creating the SIP trunk from CUCM to it. cheers.. Roy

View solution in original post

Ayodeji Okanlawon · ‎02-25-2013

Roy and all, I will add my 2 cents to this thread...You should understand why this is not best practice..i will give a few suggestions and No I dont work for cisco

1. Security: CUBE provides a point of demarcation between your private network and the unsafe public world. When you connect directly to an ITSP using CUCM, you essentially open up your private network...Thats a big RISK

2. Interoperability: Though sip is supposed to be a standardized protocol, many providers implement slightly different flavours of SIP. Should you run into issues like this you will need to do some modification to make CUCM talk properly with your provider. Your only option at this is using "sip normalization scripts"...This is written in "lua" scripting language...Many people are not familiar this, hence you are stuck!

With CUBE in the call flow, you can easily use sip profiles to resolve issues like this...

3. Troubleshooting: When things go wrong....You are limited to only see CUCM traces...Thats is it. Now many people are not familiar with this...Hence you are stuck again...

Ok so think about this very welll before going down that route

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

View solution in original post

Chris Deren · ‎11-14-2011

I would never do it, but if you need to and you do not require SIP trunk authentication you can easily do it by creating the SIP trunk pointing to the ITSP.

Make sure you understand Early vs. Delayed media detaction and CUCM limitations as you may require MTPs for your calls to support Early Media as most ITSPs use it.

Chris

Gajanan Pande · ‎11-14-2011

Ofcourse, you wouldnt find a Cisco's official doc about this as Cisco strongly recommends deploying CUBE in path to ITSPs. I know it can be done but havent seen any business practice doing it that way. Please keep this thread posted if someone has done it.

GP.

philippe.cousineau · ‎11-15-2011

I will let you know if I have a chance to try it in lab.

I think Chris said that if we do the trunk with CUCM, we cannot have an authentication with the provider.

Basicly, the ITSP need to have an open authentication.. ?

philippe.cousineau · ‎12-12-2011

I've done the ITSP sip trunk with CUCM without CUBE in LAB; it work.

Of course, you have to ask your provider some information to match your setting.

Here is some things I've configure to match my ISP:

First, you have to tell your ITSP that you will not be able to do authentication.

So no credentials.

For security, you will have to do an ACL in you firewall to accept only SIP from your ITSP.

SIP trunk security profile :

security mode : non-secure

incoming : tcp/udp

out : udp

port 5060

check only:

Accept Out-of-Dialog REFER

Accept Unsolicited Notification

Accept Replaces Header

sip trunk

check on :

Media Termination Point Required

PSTN Access

Remote-Party-Id

Asserted-Identity

I was in G711 with the provider and I did'nt use the fqdn but the IP to connect to it.

outcoming

I did all my PSTN route pattern to go through the ITSP

incoming

I did a CTI route point de voice, In the DN I configured the DID and I have forwarded this DN to the AA Menu.

Be sure your CTI route point have a CSS to reach your Menu;

Be sure your trunk have the right CSS to reach your Cti route point;

In the ASA

I've done a NAT 5060 tcp/udp

I've done an inspect rule for SIP tcp/udp

I've done an ACL to accept only 5060 tcp/udp from my ITSP.

As I said, it was done In a lab.

Gajanan Pande · ‎12-12-2011

Thanks Philippe for posting your simulation here, it will definitely help us understand what is possible & what is supported. Later if you get a chance to validate such config for any of your customers with TAC ( in case of any issues ), please update this post with TAC's opinion on it's supportability. If I get a chance, I'll do the same. Cheers !!

+5 to you too, mate.

GP.

ciscoroyzhang · ‎02-24-2013

Hi Philippe, I am also quite interested in this topic, could you advice how you setup your ITSP simulator in your lab for creating the SIP trunk from CUCM to it. cheers.. Roy

philippe.cousineau · ‎02-24-2013

Pretty much, the simulation was done with a real itsp

I just asked the itsp to give me a number to test to do a proof of concept before going further

Remembre. If you dont have a cube you have to ask the itsp to remove the authentication on the sip trunk

ciscoroyzhang · ‎02-24-2013

thanks. will give a try... cheers...

Ayodeji Okanlawon · ‎02-25-2013

Roy and all, I will add my 2 cents to this thread...You should understand why this is not best practice..i will give a few suggestions and No I dont work for cisco

1. Security: CUBE provides a point of demarcation between your private network and the unsafe public world. When you connect directly to an ITSP using CUCM, you essentially open up your private network...Thats a big RISK

2. Interoperability: Though sip is supposed to be a standardized protocol, many providers implement slightly different flavours of SIP. Should you run into issues like this you will need to do some modification to make CUCM talk properly with your provider. Your only option at this is using "sip normalization scripts"...This is written in "lua" scripting language...Many people are not familiar this, hence you are stuck!

With CUBE in the call flow, you can easily use sip profiles to resolve issues like this...

3. Troubleshooting: When things go wrong....You are limited to only see CUCM traces...Thats is it. Now many people are not familiar with this...Hence you are stuck again...

Ok so think about this very welll before going down that route

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

chrysostomos1980 · ‎02-25-2013

Hi

Aokanlawon has right about the Risk that you will face(5 points Aokanlawon)

But its your choice at all

Regards

chrysostomos

Please rate all useful posts Regards Chrysostomos ""The Most Successful People Are Those Who Are Good At Plan B""

philippe.cousineau · ‎02-25-2013

I think that it's not just a best practice to use CUBE.

Basicly, i think it's wrong if you don't use CUBE and "Aokanlawon" is right !

The only thing...

when some manager know that it's possible to do and ITSP SIP trunk without CUBE they will ask you to do it because it's cheaper. So, it's really not recommended but you can do it.

Cheers,