[cisco-voip] Authenticating sip trunk to ITSP from CUBE?

Nick Barnett nicksbarnett at gmail.com
Wed May 4 11:59:33 EDT 2016 

I'm currently on c3900e-universalk9-mz.SPA.153-3.M6, but can totally
upgrade. Was actually planning on going to 15.4 this weekend. Jumping 3
versions kind of scares me, so maybe staging is in order.

*I do have some limited auth commands on the dial peer, if this is what you
were talking about... but I don't think it applies in this scenario. I
don't have any options for credentials:*
CUBE(config-dial-peer)#voice-class sip authenticate ?
  redirecting-number  Use redirecting number credentials while
authenticating

CUBE(config-dial-peer)#voice-class sip cred
CUBE(config-dial-peer)#voice-class sip c?
  call-route  calltype-video  conn-reuse  copy-list

*There is also the registration commands:*
CUBE(config-dial-peer)#voice-class sip registration ?
  passthrough  SIP Registration Passthrough Options

CUBE(config-dial-peer)#voice-class sip registration passthrough ?
  dynamic          SIP Registration Use dynamic Registrar Details (default)
  local-fallback   Local Fallback - (e2e)
  rate-limit       SIP Registration pass-through rate-limit Options
  reg-sync         Registration Sync - send REGISTER when registrar up (p2p)
  registrar-index  Registrar Index(s) used for registration passthrough
  static           SIP Registration Use static Registrar Details
  system           Use global registration passthrough CLI setting
  <cr>

*I tried using the system passthrough setting, but it did not work.*

*I need to make sure I understand what is actually happening.*

*I don't think the CUBE is even looking at dial-peers for REGISTER
messages. Am I correct?  If so, no amount of dial peer settings is going to
make any difference here... unless there is a way to create a dial-peer
that will intercept REGISTER messages. I believe it is using the REALM
settings in the credentials and authentication strings (that I entered into
sip-ua). And sip-ua is using the global bind settings I set within voice
service voip -> SIP (which are set to the inside interface).*

*Please set me straight!*

Thanks,
Nick

On Wed, May 4, 2016 at 10:37 AM, Sreekanth Narayanan (sreenara) <
sreenara at cisco.com> wrote:

> What IOS version are you running on the CUBE? I can think of a couple of
> things.
> 1. In 15.6(2)T, a new feature has been introduced called multi-tenant
> where you can configure separate voice class tenants. Each tenant can have
> separate authentication mutually exclusive to one another and can be bound
> to different interfaces.
>
> 2. In your current IOS, check if you are able to configure the
> authentication and credential commands at the dial peer level. I am not
> sure which IOS had this introduced but it is worth a try.
>
>
>
> Sreekanth
>
> Sent from a phone.
>
>
> -------- Original message --------
> From: Nick Barnett <nicksbarnett at gmail.com>
> Date: 5/4/16 8:03 PM (GMT+05:30)
> To: Brian Meade <bmeade90 at vt.edu>
> Cc: Cisco VoIP Group <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] Authenticating sip trunk to ITSP from CUBE?
>
> I'm binding control and media to my inside interface:
>
> sip
>
>   bind control source-interface GigabitEthernet0/0
>   bind media source-interface GigabitEthernet0/0
>
> I suspect this is the issue... is there any way to make the REGISTER
> messages come from the outside gi0/1 interface?
>
> The reason I'm binding to inside is that we have a a very fluid internal
> network. I have to make and modify internal dial peers almost daily.  When
> I need to create a dial peer and put the bind statements on the dial peer,
> it won't bind properly since there are active SIP calls on the CUBE... so I
> bound it globally. My external dial peers rarely change, so I bind those
> directly to gi0/1 (on the DP).
>
> I was under the impression that REGISTER events can take place without a
> dial peer... but is there a way to, i dunno, make a dial peer for register
> messages?  Can I use SIP profile magic to get it working as is?
>
> I found this article which is pretty much exactly what I'm dealing with,
> but it doesn't mention REGISTER at all...
>
>    https://supportforums.cisco.com/blog/154506
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__supportforums.cisco.com_blog_154506&d=CwMFAg&c=M-KQspD_LQogCbR-BWCHOaeDEPOhF8vWqHZTaiwxT3c&r=T9uVLZucbHG2NKKKzOrp-o5cpdReHj02PkJJsCVkgfwcv7S0R5lDeFJg2VRbiNih&m=UIAzGDQs8RCZld9kCbExwqpJhTgzpDVwM0k8_I7JRqU&s=jZN-R2pRsZOWN3r5is-aSivDlf9hqddUzDIoOWRWc3E&e=>
>
>
>
>
> On Wed, May 4, 2016 at 9:06 AM, Brian Meade <bmeade90 at vt.edu> wrote:
>
>> Do you already have the SIP bind under voice service voip?
>> voice service voice
>>  sip
>>   bind all source-interface FastEthernet0
>>
>> On Wed, May 4, 2016 at 9:58 AM, Nick Barnett <nicksbarnett at gmail.com>
>> wrote:
>>
>>> I've never dealt with an authenticated SIP trunk before and I'm having
>>> some issues. I was wondering if anyone has had a similar experience. I
>>> already have 2 SIP trunks from ITSP-1 that do NOT require authentication.
>>> These are working fine and have been for years.
>>>
>>> We are adding ITSP-2 and their SIP service DOES require auth.  I've
>>> followed their integration guide (which left a lot to be desired) and their
>>> acceptance team is telling me my auth is coming from our private class A
>>> address.
>>>
>>> Our CUBE is in HA with an inside (10.x.x.x) and outside (public) IP
>>> address. They are seeing REGISTER messages sourcing the inside VIP.
>>>
>>> I was looking around for an auth BIND statement or something like that,
>>> but I haven't had any luck. Any pointers?
>>>
>>> Thanks,
>>> Nick
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20160504/597679e2/attachment.html>

More information about the cisco-voip mailing list