Enterprise customer desiring NAT for their SIP

We have an enterprise customer that wants to trial our SIP trunking service. They're using Cisco Call Manager v8.5 and I tried to get them to use a public IP or a private VLAN to our network, but he insists that they want to keep their CCM behind their NATing firewall. Our softswitch has an integrated SBC, so our side is covered, but I'm afraid that they may run into some issues that are related to NAT but that we'll be held responsible. Should I continue to push back on this customer, or let them go down this road?

Regards,
Frank

On 02/26/2012 05:15 PM, Frank Bulk wrote:
We have an enterprise customer that wants to trial our SIP trunking service. They're using Cisco Call Manager v8.5 and I tried to get them to use a public IP or a private VLAN to our network, but he insists that they want to keep their CCM behind their NATing firewall.
Our softswitch has an integrated SBC, so our side is covered, but I'm afraid that they may run into some issues that are related to NAT but that we'll be held responsible.
Should I continue to push back on this customer, or let them go down this road?
If your SBC supports all the usual far-end NAT traversal measures, you should be good, particularly since this is just a single trunk.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/

Yes, our SBC does support the usual NAT traversal features, but our customer will have more than one trunk with us...they have several two PRIs today, so it will be 15 to 20 active trunks on a regular basis and almost 30 at peak.

Frank

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Alex Balashov
Sent: Sunday, February 26, 2012 6:10 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

Alex,

Per the Cisco SRND, the recommended setup is to terminate the SIP trunk on an SBC inside a DMZ and set up a trunk between the CUCM cluster and the SBC. Cisco routers have a basic SBC called CUBE; maybe your client already has a router with such features, you should try that.

Regards,
Guilherme Loch Góes

On Mon, Feb 27, 2012 at 1:34 AM, Frank Bulk <frnkblk at iname.com> wrote:

Guilherme:

I searched the SRND and could find no such recommendation about that in relation to NAT. Can you share the page number in the v8.x guide?

Frank

-----Original Message-----
From: Guilherme Loch Waltrick Góes [mailto:glwgoes at gmail.com]
Sent: Monday, February 27, 2012 7:29 AM
To: Frank Bulk
Cc: Alex Balashov; voiceops at voiceops.org
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP

Frank,

The discussion about CUCM trunks begins here: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/trunks.html#wpxre....

Regards,
Guilherme Loch Góes

On Mon, Feb 27, 2012 at 5:32 PM, Frank Bulk <frnkblk at iname.com> wrote:

On 02/26/2012 11:34 PM, Frank Bulk wrote:
Yes, our SBC does supports the usual NAT traversal features, but our customer will have more than one trunk with us...they have several two PRIs today, so it will be 15 to 20 active trunks on a regular basis and almost 30 at peak.
This is a situation where the discussion is unaided by use of Golden Years PSTN terminology. If there is going to be one signaling channel and 15-20 (with up to 30) calls, you're fine, as long as the SBC can do the appropriate NAT and media source port detection.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/

frank, On Mon, Feb 27, 2012 at 6:49 AM, Alex Balashov <abalashov at evaristesys.com> wrote:
On 02/26/2012 11:34 PM, Frank Bulk wrote:
Yes, our SBC does supports the usual NAT traversal features, but our customer will have more than one trunk with us...they have several two PRIs today, so it will be 15 to 20 active trunks on a regular basis and almost 30 at peak.
in addition to the un-nat-magik on the sbc, the asa/pix will try to translate not just the header, but the sip messages themselves (sip inspection/sip fixup) http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#sip

unless they have a very small fw, resources should be ok (i have done 200Mbps with a 72xx doing the nat/sip mangling @50% cpu, iirc)

/joshua
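Alex's "appropriate NAT and media source port detection" and joshua's point about the ASA's SIP inspection rewriting the messages come down to the same question: which addresses in an incoming INVITE the provider's SBC can believe. The Python below is an added example written for this thread; it is not code from anyone on the list, from the softswitch in question, or from any Cisco product. It parses a constructed INVITE, classifies it as direct, plain NAT (nothing fixed, the SBC must rewrite everything), or a half-working ALG (headers fixed, SDP still private, the usual one-way-audio signature), and then applies the far-end NAT traversal rewrite an SBC performs: `received`/`rport` on Via, Contact pointed at the NAT's public address and port, and the SDP `c=` line replaced. The addresses 192.168.10.5 and 203.0.113.7:41234 and the trunk hostnames are constructed.

```python
import ipaddress
import re

# RFC 1918 and CGNAT ranges: one of these inside a message that arrived from
# the public Internet is the signature of a NAT nobody has compensated for.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# sip:[user@]host[:port]  -> group 1: up to the host, 2: host, 3: port
SIP_URI = re.compile(r"(sip:(?:[^@>\s]*@)?)([^;>:\s]+)(?::(\d+))?")

PBX_PRIVATE = "192.168.10.5"   # constructed: the CUCM's real address
NAT_PUBLIC = "203.0.113.7"     # constructed: the firewall's outside address
NAT_PORT = 41234               # constructed: source port the firewall chose


def is_private(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:          # a hostname rather than an address
        return False


def parse(raw):
    """Split a SIP request into (request line, {lower header name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def via_host(headers):
    """Host the top Via claims; a received= parameter from earlier NAT detection wins."""
    via = headers["via"][0]
    m = re.search(r";received=([^;\s]+)", via)
    if m:
        return m.group(1)
    sent_by = via.split()[1].split(";")[0]
    return sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by


def contact_host(headers):
    m = SIP_URI.search(headers["contact"][0])
    return m.group(2), int(m.group(3) or 5060)


def sdp_connection(body):
    m = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    return m.group(1) if m else None


def classify(raw, src_ip):
    """direct: addresses match the packet source; nat-no-alg: private addresses
    everywhere; alg-partial: headers public but SDP private (one-way audio)."""
    _, headers, body = parse(raw)
    via, (contact, _), conn = via_host(headers), contact_host(headers), sdp_connection(body)
    if via == contact == conn == src_ip:
        return "direct"
    if is_private(via) and is_private(contact) and (conn is None or is_private(conn)):
        return "nat-no-alg"
    if via == src_ip and conn is not None and is_private(conn):
        return "alg-partial"
    return "inconsistent"


def fix_up(raw, src_ip, src_port):
    """Far-end NAT traversal: record the real source in Via (received/rport,
    RFC 3581), point Contact at the NAT's public address:port so in-dialog
    requests reuse the same pinhole, and rewrite the SDP connection address.
    The m= port is left alone: the real RTP source port is only known when the
    first RTP packet arrives (media latching), which is the "media source port
    detection" the SBC has to do separately."""
    head, sep, body = raw.partition("\r\n\r\n")
    new_body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {src_ip}", body, flags=re.M)
    out = []
    for line in head.split("\r\n"):
        key = line.partition(":")[0].strip().lower()
        if key == "via" and ";received=" not in line:
            line = f"{line};received={src_ip};rport={src_port}"
        elif key == "contact":
            line = SIP_URI.sub(lambda m: f"{m.group(1)}{src_ip}:{src_port}", line)
        elif key == "content-length":
            line = f"Content-Length: {len(new_body.encode())}"
        out.append(line)
    return "\r\n".join(out) + sep + new_body


def sample_invite(sig_host, sdp_host):
    """Constructed INVITE from the PBX: sig_host is what Via/Contact claim,
    sdp_host what the SDP c= line claims (they differ when an ALG did half a job)."""
    body = (f"v=0\r\no=- 1 1 IN IP4 {sdp_host}\r\ns=-\r\nc=IN IP4 {sdp_host}\r\n"
            "t=0 0\r\nm=audio 16384 RTP/AVP 0\r\n")
    return ("INVITE sip:+15555550100@trunk.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {sig_host}:5060;branch=z9hG4bK776asdhds\r\n"
            f"From: <sip:+15555550199@{sig_host}>;tag=1928301774\r\n"
            "To: <sip:+15555550100@trunk.example.net>\r\n"
            "Call-ID: a84b4c76e66710@pbx.example.com\r\nCSeq: 314159 INVITE\r\n"
            f"Contact: <sip:+15555550199@{sig_host}:5060>\r\n"
            f"Content-Type: application/sdp\r\nContent-Length: {len(body)}\r\n\r\n" + body)


if __name__ == "__main__":
    raw = sample_invite(PBX_PRIVATE, PBX_PRIVATE)
    print("plain NAT:", classify(raw, NAT_PUBLIC))
    print("after SBC fix-up:", classify(fix_up(raw, NAT_PUBLIC, NAT_PORT), NAT_PUBLIC))
    print("ALG that only fixed headers:", classify(sample_invite(NAT_PUBLIC, PBX_PRIVATE), NAT_PUBLIC))
```

The point of `classify` for Frank's situation is the `alg-partial` case: once the customer's ASA has rewritten the Via and Contact to the public address, the INVITE looks "direct" to any SBC that only checks headers, and the SBC's own NAT detection may not trigger; the private address is still in the SDP and media goes nowhere. Running this kind of check on the first INVITE from a new trunk tells you whether the firewall's SIP inspection is in the path before the customer reports one-way audio.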

I would also recommend against this in general; the Firewall (depending on Make/Model, software version, and config) may actively interfere with even a single SIP trunk, and often in a very unpredictable manner. Some devices do this without even making it clear they do (one example is the Firewall software in the Netopia routers AT&T and other carriers deployed for "business" DSL, which for some time, or possibly still, have an undocumented SIP ALG enabled by default which could only be disabled from the CLI; the GUI didn't even show the option).

I've seen cases where everything was fine initially, but the Firewall closed the NAT hole too early and killed standing calls at a 5 or 10 minute mark, usually due to a failed session audit from the Soft Switch. Some firewalls may also view too much RTP traffic (when some specific threshold is crossed) as an attack, which can result in one-way audio at some point during a call.

Someone mentioned CUBE already, but another similar option is to put in some local ALG device that has predictable behavior. One of my personal favorites is the Edgemarc line of products (http://edgewaternetworks.com/), but there are certainly others out there.

While it certainly CAN work, the real question is, if the firewall does interfere, are you willing and able to prove that to the customer before they get mad that something is broken that you can't fix? At a very minimum, you should make it clear to the customer, starting from the pre-sales discussions, that if the firewall does interfere, you won't be able to support it and they'll need to get their vendor involved. There are also concerns if there are multiple separate trunks to different internal devices, especially if registrations aren't used.
-Scott

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of joshua sahala
Sent: Monday, February 27, 2012 12:29 PM
To: VoiceOps
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP

Yes, bridging both worlds means I use TDM terms from time to time. =)

Frank

-----Original Message-----
From: Alex Balashov [mailto:abalashov at evaristesys.com]
Sent: Monday, February 27, 2012 7:50 AM
To: Frank Bulk
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Enterprise customer desiring NAT for their SIP
participants (5)
- abalashov@evaristesys.com
- frnkblk@iname.com
- glwgoes@gmail.com
- jsahala@gmail.com
- scott@sberkman.net