
I would also recommend against this in general. The firewall (depending on make/model, software version, and config) may actively interfere with even a single SIP trunk, and often in a very unpredictable manner. Some devices do this without even making it clear they do (one example is the firewall software in the Netopia routers AT&T and other carriers deployed for "business" DSL, which for some time, or possibly still, have an undocumented SIP ALG enabled by default that could only be disabled from the CLI; the GUI didn't even show the option). I've seen cases where everything was fine initially, but the firewall closed the NAT hole too early and killed standing calls at the 5 or 10 minute mark, usually due to a failed session audit from the soft switch. Some firewalls may also view too much RTP traffic (when some specific threshold is crossed) as an attack, which can result in one-way audio at some point during a call.

Someone mentioned CUBE already, but another similar option is to put in some local ALG device that has predictable behavior. One of my personal favorites is the Edgemarc line of products (http://edgewaternetworks.com/), but there are certainly others out there.

While it certainly CAN work, the real question is: if the firewall does interfere, are you willing and able to prove that to the customer before they get mad that something is broken that you can't fix? At a very minimum, you should make it clear to the customer, starting from the pre-sales discussions, that if the firewall does interfere, you won't be able to support it and they'll need to get their vendor involved. There are also concerns if there are multiple separate trunks to different internal devices, especially if registrations aren't used.
-Scott

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of joshua sahala
Sent: Monday, February 27, 2012 12:29 PM
To: VoiceOps
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP

frank,

On Mon, Feb 27, 2012 at 6:49 AM, Alex Balashov <abalashov at evaristesys.com> wrote:
On 02/26/2012 11:34 PM, Frank Bulk wrote:
Yes, our SBC does support the usual NAT traversal features, but our customer will have more than one trunk with us...they have several two PRIs today, so it will be 15 to 20 active trunks on a regular basis and almost 30 at peak.
in addition to the un-nat-magik on the sbc, the asa/pix will try to translate not just the header, but the sip messages themselves (sip inspection/sip fixup): http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#sip

unless they have a very small fw, resources should be ok (i have done 200Mbps with a 72xx doing the nat/sip mangling @50% cpu, iirc)
/joshua

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
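Both posts above turn on the same practical question: when a call breaks, can you show the customer that their firewall's SIP ALG (or the ASA's sip inspection) rewrote the signaling, rather than your SBC's NAT traversal? The check below is an added example written for this page, not code from the thread, the SBC vendor, or Cisco. It takes a SIP INVITE as the SBC received it plus the packet's source IP, and compares the addresses declared in Via, Contact and the SDP c= line against that source: a plain NAT leaves the PBX's private address in all three (the SBC's far-end NAT traversal is what reconciles them), an ALG rewrites them to the public address, and a buggy ALG edits the SDP without correcting Content-Length. The PBX address 192.168.1.10, the public address 203.0.113.5 and the three INVITE variants are constructed samples, not captures.

```python
"""Tell a plain NAT from a SIP ALG on an INVITE received at the SBC.

Added example for the VoiceOps thread above; not code from the thread, the
SBC vendor, or Cisco. All addresses and messages are constructed samples.
"""
import re
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

PBX_PRIVATE = "192.168.1.10"   # constructed: PBX behind the customer firewall
NAT_PUBLIC = "203.0.113.5"     # constructed: firewall's outside address


def parse_sip(raw: str):
    """Split a SIP message into (request line, headers, body).

    Header names are lowercased; a repeated header keeps a list of values.
    CRLF is preserved in the body so Content-Length can be checked exactly.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def analyze(raw: str, src_ip: str) -> dict:
    """Compare the addresses the message declares with the packet source."""
    _, hdrs, body = parse_sip(raw)
    via_ips = set(IPV4.findall(" ".join(hdrs.get("via", []))))
    contact_ips = set(IPV4.findall(" ".join(hdrs.get("contact", []))))
    sdp_ips = {ip for line in body.split("\r\n") if line.startswith("c=")
               for ip in IPV4.findall(line)}
    declared = via_ips | contact_ips | sdp_ips
    claimed = int(hdrs.get("content-length", ["0"])[0])
    return {
        # the NAT's public address showing up in SIP headers means something rewrote them
        "signaling_rewritten": src_ip in via_ips or src_ip in contact_ips,
        "sdp_rewritten": src_ip in sdp_ips,
        # private addresses left in place are the normal "plain NAT" signature
        "private_declared": sorted(ip for ip in declared
                                   if any(ip_address(ip) in n for n in RFC1918)),
        # an ALG that edits SDP but not Content-Length produces a mismatch here
        "content_length_ok": claimed == len(body.encode()),
    }


def classify(raw: str, src_ip: str) -> str:
    """Return 'nat-only', 'alg' or 'alg-broken' for a message from src_ip."""
    r = analyze(raw, src_ip)
    if not (r["signaling_rewritten"] or r["sdp_rewritten"]):
        return "nat-only"
    if not r["content_length_ok"]:
        return "alg-broken"
    return "alg"


def build_invite(sig_ip: str, media_ip: str, content_length=None) -> str:
    """Constructed sample INVITE. content_length overrides the correct value
    to imitate an ALG that rewrote the SDP but left the header stale."""
    sdp = "\r\n".join([
        "v=0",
        f"o=pbx 2890844526 2890844526 IN IP4 {media_ip}",
        "s=-",
        f"c=IN IP4 {media_ip}",
        "t=0 0",
        "m=audio 10000 RTP/AVP 0",
        "",
    ])
    length = len(sdp.encode()) if content_length is None else content_length
    headers = "\r\n".join([
        "INVITE sip:5551212@sbc.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {sig_ip}:5060;branch=z9hG4bK776asdhds;rport",
        f"From: <sip:1001@{sig_ip}>;tag=1928301774",
        "To: <sip:5551212@sbc.example.net>",
        f"Call-ID: a84b4c76e66710@{sig_ip}",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:1001@{sig_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {length}",
    ])
    return headers + "\r\n\r\n" + sdp


def sample_messages() -> dict:
    """Three constructed variants of the same INVITE as the SBC would see them."""
    plain = build_invite(PBX_PRIVATE, PBX_PRIVATE)
    stale_len = len(parse_sip(plain)[2].encode())   # length of the unrewritten SDP
    return {
        "nat-only": plain,
        "alg": build_invite(NAT_PUBLIC, NAT_PUBLIC),
        "alg-broken": build_invite(NAT_PUBLIC, NAT_PUBLIC, content_length=stale_len),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name:11s} -> {classify(msg, NAT_PUBLIC)}  {analyze(msg, NAT_PUBLIC)}")
```

In practice you would feed `analyze()` the INVITE and source address from a capture taken on the SBC's outside interface; if the headers already carry the public address before the SBC has touched them, the rewrite happened on the customer side, which is the evidence the pre-sales caveat above asks for. The Content-Length check is only one of the ALG bugs worth looking for, but it is the easiest to show a customer because it is a plain byte count.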