
This is a sample configuration for an Acme Packet Net-Net 3820 SBC that enables Remote Workers with sipXecs 4.4 in a distributed environment. It includes basic SIPVicious protection. This is a work in progress: the configuration will need some tweaking to get all sipXecs features working for remote phones. The configuration for passing phone provisioning through the SBC is not included, but will hopefully be added at some point.

apkt01-phx2# sh run
certificate-record
	name                           SDcert
	country                        US
	state                          xx
	locality                       yyy
	organization                   zzz
	unit                           
	common-name                    pub.ip.goes.here
	key-size                       1024
	alternate-name                 
	trusted                        enabled
	key-usage-list                 
	                               digitalSignature
	                               keyEncipherment
	extended-key-usage-list        
	                               serverAuth
	options                        
	last-modified-by               admin
	last-modified-date             2010-11-01 14:58:49
host-routes
	dest-network                   <sipx>
	netmask                        <netmask>
	gateway                        <gateway>
	description                    sipXecs
	last-modified-by               admin@console
	last-modified-date             2010-11-15 19:12:42
host-routes
	dest-network                   <ntp-source>
	netmask                        <netmask>
	gateway                        <gateway>
	description                    ntp
	last-modified-by               admin
	last-modified-date             2011-03-29 09:13:26
local-policy
	from-address                   
	                               *
	to-address                     
	                               *
	source-realm                   
	                               outside
	description                    Remote_Worker_Route_Policy_to_Core
	activate-time                  N/A
	deactivate-time                N/A
	state                          enabled
	policy-priority                none
	last-modified-by               admin@10.10.10.12
	last-modified-date             2010-10-14 09:45:39
	policy-attribute
		next-hop                       sag:sipXecs
		realm                          inside
		action                         none
		terminate-recursion            disabled
		carrier                        
		start-time                     0000
		end-time                       2400
		days-of-week                   U-S
		cost                           0
		app-protocol                   SIP
		state                          enabled
		methods                        
		media-profiles                 
media-manager
	state                          enabled
	latching                       enabled
	flow-time-limit                86400
	initial-guard-timer            300
	subsq-guard-timer              300
	tcp-flow-time-limit            86400
	tcp-initial-guard-timer        300
	tcp-subsq-guard-timer          300
	tcp-number-of-ports-per-flow   2
	hnt-rtcp                       disabled
	algd-log-level                 NOTICE
	mbcd-log-level                 NOTICE
	red-flow-port                  1985
	red-mgcp-port                  1986
	red-max-trans                  10000
	red-sync-start-time            5000
	red-sync-comp-time             1000
	media-policing                 enabled
	max-signaling-bandwidth        1041040
	max-untrusted-signaling        11
	min-untrusted-signaling        10
	app-signaling-bandwidth        0
	tolerance-window               30
	rtcp-rate-limit                0
	min-media-allocation           2000
	min-trusted-allocation         4000
	deny-allocation                32000
	anonymous-sdp                  disabled
	arp-msg-bandwidth              32000
	fragment-msg-bandwidth         0
	rfc2833-timestamp              disabled
	default-2833-duration          100
	rfc2833-end-pkts-only-for-non-sig enabled
	translate-non-rfc2833-event    disabled
	dnsalg-server-failover         disabled
	last-modified-by               admin
	last-modified-date             2011-04-20 13:24:26
network-interface
	name                           s0p0
	sub-port-id                    0
	description                    Public_Network_Interface_Remote_Worker
	hostname                       
	ip-address                     pub.ip.goes.here
	pri-utility-addr               
	sec-utility-addr               
	netmask                        255.255.255.0
	gateway                        pub.ip.gw.here
	sec-gateway                    
	gw-heartbeat
		state                          disabled
		heartbeat                      0
		retry-count                    0
		retry-timeout                  1
		health-score                   0
	dns-ip-primary                 
	dns-ip-backup1                 
	dns-ip-backup2                 
	dns-domain                     
	dns-timeout                    11
        hip-ip-list                    
	ftp-address                    
        icmp-address                   
	snmp-address                   
	telnet-address                 
	last-modified-by               admin
	last-modified-date             2011-04-20 13:07:53
network-interface
	name                           s1p0
	sub-port-id                    0
	description                    Network_Interface_Connected_to_Internal_Network
	hostname                       
	ip-address                     <sipX_ip>
	pri-utility-addr               
	sec-utility-addr               
	netmask                        <netmask>
	gateway                        <gateway>
	sec-gateway                    
	gw-heartbeat
		state                          disabled
		heartbeat                      0
		retry-count                    0
		retry-timeout                  1
		health-score                   0
	dns-ip-primary                 
	dns-ip-backup1                 
	dns-ip-backup2                 
	dns-domain                     
	dns-timeout                    11
        hip-ip-list                    <sipX_ip>
	ftp-address                    <sipX_ip>
        icmp-address                   <sipX_ip>
	snmp-address                   
	telnet-address                 
	last-modified-by               admin@10.10.10.12
	last-modified-date             2010-10-14 10:46:37
ntp-config
	server                         <ntp_ip>
	last-modified-by               admin@console
	last-modified-date             2010-10-14 09:15:15
phy-interface
	name                           s0p0
	operation-type                 Media
	port                           0
	slot                           0
	virtual-mac                    
	admin-state                    enabled
	auto-negotiation               enabled
	duplex-mode                    FULL
	speed                          100
	last-modified-by               admin@10.10.10.12
	last-modified-date             2010-10-14 09:19:50
phy-interface
	name                           s1p0
	operation-type                 Media
	port                           0
	slot                           1
	virtual-mac                    
	admin-state                    enabled
	auto-negotiation               enabled
	duplex-mode                    FULL
	speed                          100
	last-modified-by               admin@console
	last-modified-date             2011-02-18 12:29:05
realm-config
	identifier                     outside
	description                    Remote_Worker_to_SBC
	addr-prefix                    0.0.0.0
	network-interfaces             
	                               s0p0:0
	mm-in-realm                    enabled
	mm-in-network                  enabled
	mm-same-ip                     enabled
	mm-in-system                   enabled
	bw-cac-non-mm                  disabled
	msm-release                    disabled
	qos-enable                     disabled
	generate-UDP-checksum          disabled
	max-bandwidth                  0
	fallback-bandwidth             0
	max-priority-bandwidth         0
	max-latency                    0
	max-jitter                     0
	max-packet-loss                0
	observ-window-size             0
	parent-realm                   
	dns-realm                      
	media-policy                   
	in-translationid               
	out-translationid              
	in-manipulationid              addRouteHdr
	out-manipulationid             
	manipulation-string            
	class-profile                  
	average-rate-limit             0
	access-control-trust-level     medium
	invalid-signal-threshold       1
	maximum-signal-threshold       4000
	untrusted-signal-threshold     0
	nat-trust-threshold            0
	deny-period                    60
	ext-policy-svr                 
	symmetric-latching             enabled
	pai-strip                      disabled
	trunk-context                  
	early-media-allow              
	enforcement-profile            
	additional-prefixes            
	restricted-latching            none
	restriction-mask               32
	accounting-enable              enabled
	user-cac-mode                  none
	user-cac-bandwidth             0
	user-cac-sessions              0
	icmp-detect-multiplier         0
	icmp-advertisement-interval    0
	icmp-target-ip                 
	monthly-minutes                0
	net-management-control         disabled
	delay-media-update             disabled
	refer-call-transfer            disabled
	codec-policy                   
	codec-manip-in-realm           disabled
	constraint-name                
	call-recording-server-id       
	stun-enable                    disabled
	stun-server-ip                 0.0.0.0
	stun-server-port               3478
	stun-changed-ip                0.0.0.0
	stun-changed-port              3479
	match-media-profiles           
	qos-constraint                 
	last-modified-by               admin
	last-modified-date             2011-12-01 16:18:18
realm-config
	identifier                     inside
	description                    SBC_TO_SIPX
	addr-prefix                    0.0.0.0
	network-interfaces             
	                               s1p0:0
	mm-in-realm                    enabled
	mm-in-network                  enabled
	mm-same-ip                     enabled
	mm-in-system                   enabled
	bw-cac-non-mm                  disabled
	msm-release                    disabled
	qos-enable                     disabled
	generate-UDP-checksum          disabled
	max-bandwidth                  0
	fallback-bandwidth             0
	max-priority-bandwidth         0
	max-latency                    0
	max-jitter                     0
	max-packet-loss                0
	observ-window-size             0
	parent-realm                   
	dns-realm                      
	media-policy                   
	in-translationid               
	out-translationid              
	in-manipulationid              
	out-manipulationid             
	manipulation-string            
	class-profile                  
	average-rate-limit             0
	access-control-trust-level     high
	invalid-signal-threshold       0
	maximum-signal-threshold       0
	untrusted-signal-threshold     0
	nat-trust-threshold            0
	deny-period                    30
	ext-policy-svr                 
	symmetric-latching             disabled
	pai-strip                      disabled
	trunk-context                  
	early-media-allow              
	enforcement-profile            
	additional-prefixes            
	restricted-latching            none
	restriction-mask               32
	accounting-enable              enabled
	user-cac-mode                  none
	user-cac-bandwidth             0
	user-cac-sessions              0
	icmp-detect-multiplier         0
	icmp-advertisement-interval    0
	icmp-target-ip                 
	monthly-minutes                0
	net-management-control         disabled
	delay-media-update             disabled
	refer-call-transfer            disabled
	codec-policy                   
	codec-manip-in-realm           disabled
	constraint-name                
	call-recording-server-id       
	stun-enable                    disabled
	stun-server-ip                 0.0.0.0
	stun-server-port               3478
	stun-changed-ip                0.0.0.0
	stun-changed-port              3479
	match-media-profiles           
	qos-constraint                 
	last-modified-by               admin
	last-modified-date             2011-04-20 12:37:50
response-map
	last-modified-by               admin
	last-modified-date             2011-10-07 14:40:55
	name                           503Rogue
	entries                        
				       503 -> 677 (Rogue)  
session-agent
	hostname                       <sipX_ip>
	ip-address                     <sipX_ip>
	port                           5060
	state                          enabled
	app-protocol                   SIP
	app-type                       
	transport-method               UDP
	realm-id                       *
	egress-realm-id                
	description                    To_Core_sipXecs_1
	carriers                       
	allow-next-hop-lp              enabled
	constraints                    disabled
	max-sessions                   0
	max-inbound-sessions           0
	max-outbound-sessions          0
	max-burst-rate                 0
	max-inbound-burst-rate         0
	max-outbound-burst-rate        0
	max-sustain-rate               0
	max-inbound-sustain-rate       0
	max-outbound-sustain-rate      0
	min-seizures                   5
	min-asr                        0
	time-to-resume                 10
	ttr-no-response                16
	in-service-period              0
	burst-rate-window              0
	sustain-rate-window            0
	req-uri-carrier-mode           None
	proxy-mode                     
	redirect-action                
	loose-routing                  enabled
	send-media-session             enabled
	response-map                   
	ping-method                    OPTIONS;hops=0
	ping-interval                  60
	ping-send-mode                 keep-alive
	ping-in-service-response-codes 
	out-service-response-codes     
	options                        trans-timeouts=1
	media-profiles                 
	in-translationid               
	out-translationid              
	trust-me                       disabled
	request-uri-headers            
	stop-recurse                   
	local-response-map             
	ping-to-user-part              
	ping-from-user-part            
	li-trust-me                    disabled
	in-manipulationid              
	out-manipulationid             
	manipulation-string            
	p-asserted-id                  
	trunk-group                    
	max-register-sustain-rate      0
	early-media-allow              
	invalidate-registrations       disabled
	rfc2833-mode                   transparent
	rfc2833-payload                0
	codec-policy                   
	enforcement-profile            
	refer-call-transfer            disabled
	reuse-connections              NONE
	tcp-keepalive                  none
	tcp-reconn-interval            0
	max-register-burst-rate        0
	register-burst-window          0
	last-modified-by               admin
	last-modified-date             2011-09-06 20:59:24
session-agent
	hostname                       10.12.13.14
	ip-address                     
	port                           5060
	state                          disabled
	app-protocol                   SIP
	app-type                       
	transport-method               UDP
	realm-id                       *
	egress-realm-id                
	description                    SIPVicious Protection
	carriers                       
	allow-next-hop-lp              enabled
	constraints                    disabled
	max-sessions                   0
	max-inbound-sessions           0
	max-outbound-sessions          0
	max-burst-rate                 0
	max-inbound-burst-rate         0
	max-outbound-burst-rate        0
	max-sustain-rate               0
	max-inbound-sustain-rate       0
	max-outbound-sustain-rate      0
	min-seizures                   5
	min-asr                        0
	time-to-resume                 0
	ttr-no-response                0
	in-service-period              0
	burst-rate-window              0
	sustain-rate-window            0
	req-uri-carrier-mode           None
	proxy-mode                     
	redirect-action                
	loose-routing                  enabled
	send-media-session             enabled
	response-map                   
	ping-method                    
	ping-interval                  0
	ping-send-mode                 keep-alive
	ping-in-service-response-codes 
	out-service-response-codes     
	media-profiles                 
	in-translationid               
	out-translationid              
	trust-me                       disabled
	request-uri-headers            
	stop-recurse                   
	local-response-map             503Rogue
	ping-to-user-part              
	ping-from-user-part            
	li-trust-me                    disabled
	in-manipulationid              
	out-manipulationid             
	manipulation-string            
	p-asserted-id                  
	trunk-group                    
	max-register-sustain-rate      0
	early-media-allow              
	invalidate-registrations       disabled
	rfc2833-mode                   none
	rfc2833-payload                0
	codec-policy                   
	enforcement-profile            
	refer-call-transfer            disabled
	reuse-connections              NONE
	tcp-keepalive                  none
	tcp-reconn-interval            0
	max-register-burst-rate        0
	register-burst-window          0
	last-modified-by               admin
	last-modified-date             2011-10-07 14:41:34
session-group
	group-name                     sipXecs
	description                    
	state                          enabled
	app-protocol                   SIP
	strategy                       Hunt
	dest                           
	                               <sipX_ip>
	trunk-group                    
	sag-recursion                  enabled
	stop-sag-recurse               401,407
	last-modified-by               admin
	last-modified-date             2012-01-09 22:34:11
sip-config
	state                          enabled
	operation-mode                 dialog
	dialog-transparency            enabled
	home-realm-id                  inside
	egress-realm-id                inside
	nat-mode                       None
	registrar-domain               *
	registrar-host                 *
	registrar-port                 5060
	register-service-route         always
	init-timer                     500
	max-timer                      4000
	trans-expire                   32
	invite-expire                  180
	inactive-dynamic-conn          32
	enforcement-profile            
	pac-method                     
	pac-interval                   10
	pac-strategy                   PropDist
	pac-load-weight                1
	pac-session-weight             1
	pac-route-weight               1
	pac-callid-lifetime            600
	pac-user-lifetime              3600
	red-sip-port                   1988
	red-max-trans                  10000
	red-sync-start-time            5000
	red-sync-comp-time             1000
	add-reason-header              disabled
	sip-message-len                4096
	enum-sag-match                 disabled
	extra-method-stats             enabled
	registration-cache-limit       0
	register-use-to-for-lp         disabled
	options                        cache-challenges
                                       max-register-forward=5000
                                       max-register-refresh=112
                                       max-udp-length=0
                                       reg-overload-protect
                                       register-grace-timer=120
                                       reject-register=refresh
                                       set-inv-exp-at-100-resp
	add-ucid-header                disabled
	proxy-sub-events               
	last-modified-by               admin
	last-modified-date             2011-10-07 14:38:53
sip-interface
	state                          enabled
	realm-id                       outside
	description                    Remote_Worker_to_SBC
	sip-port
		address                        pub.ip.goes.here
		port                           5060
		transport-protocol             UDP
		tls-profile                    
		allow-anonymous                registered
		ims-aka-profile                
	sip-port
		address                        pub.ip.goes.here
		port                           5061
		transport-protocol             TLS
		tls-profile                    SSA
		allow-anonymous                registered
		ims-aka-profile                
	carriers                       
	trans-expire                   0
	invite-expire                  0
	max-redirect-contacts          0
	proxy-mode                     
	redirect-action                Proxy
	contact-mode                   none
	nat-traversal                  always
	nat-interval                   45
	tcp-nat-interval               90
	registration-caching           enabled
	min-reg-expire                 300
	registration-interval          3600
	route-to-registrar             enabled
	secured-network                disabled
	teluri-scheme                  disabled
	uri-fqdn-domain                
	options                        reg-via-key
	trust-mode                     all
	max-nat-interval               3600
	nat-int-increment              10
	nat-test-increment             30
	sip-dynamic-hnt                disabled
	stop-recurse                   401,407
	port-map-start                 0
	port-map-end                   0
	in-manipulationid              
	out-manipulationid             
	manipulation-string            
	sip-ims-feature                disabled
	operator-identifier            
	anonymous-priority             none
	max-incoming-conns             0
	per-src-ip-max-incoming-conns  0
	inactive-conn-timeout          0
	untrusted-conn-timeout         0
	network-id                     
	ext-policy-server              
	default-location-string        
	charging-vector-mode           pass
	charging-function-address-mode pass
	ccf-address                    
	ecf-address                    
	term-tgrp-mode                 none
	implicit-service-route         disabled
	rfc2833-payload                101
	rfc2833-mode                   transparent
	constraint-name                
	response-map                   
	local-response-map             
	ims-aka-feature                disabled
	enforcement-profile            
	refer-call-transfer            disabled
	route-unauthorized-calls       
	tcp-keepalive                  none
	add-sdp-invite                 disabled
	add-sdp-profiles               
	last-modified-by               admin
	last-modified-date             2011-11-29 21:09:06
sip-interface
	state                          enabled
	realm-id                       inside
	description                    PBX_to_SBC
	sip-port
		address                        <sipX_ip>
		port                           5060
		transport-protocol             UDP
		tls-profile                    
		allow-anonymous                all
		ims-aka-profile                
	carriers                       
	trans-expire                   0
	invite-expire                  0
	max-redirect-contacts          0
	proxy-mode                     
	redirect-action                Recurse
	contact-mode                   none
	nat-traversal                  none
	nat-interval                   30
	tcp-nat-interval               90
	registration-caching           disabled
	min-reg-expire                 300
	registration-interval          3600
	route-to-registrar             disabled
	secured-network                disabled
	teluri-scheme                  disabled
	uri-fqdn-domain                
	trust-mode                     all
	max-nat-interval               3600
	nat-int-increment              10
	nat-test-increment             30
	sip-dynamic-hnt                disabled
	stop-recurse                   401,407
	port-map-start                 0
	port-map-end                   0
	in-manipulationid              
	out-manipulationid             
	manipulation-string            
	sip-ims-feature                disabled
	operator-identifier            
	anonymous-priority             none
	max-incoming-conns             0
	per-src-ip-max-incoming-conns  0
	inactive-conn-timeout          0
	untrusted-conn-timeout         0
	network-id                     
	ext-policy-server              
	default-location-string        
	charging-vector-mode           pass
	charging-function-address-mode pass
	ccf-address                    
	ecf-address                    
	term-tgrp-mode                 none
	implicit-service-route         disabled
	rfc2833-payload                101
	rfc2833-mode                   transparent
	constraint-name                
	response-map                   
	local-response-map             
	ims-aka-feature                disabled
	enforcement-profile            
	refer-call-transfer            disabled
	route-unauthorized-calls       
	tcp-keepalive                  none
	add-sdp-invite                 disabled
	add-sdp-profiles               
	last-modified-by               admin@10.10.10.12
	last-modified-date             2010-10-14 09:36:42
sip-manipulation
	name                           addRouteHdr
	description                    SIPVicious Protection
	header-rule
		name                           isScanner
		header-name                    User-Agent
		action                         store
		comparison-type                pattern-rule
		match-value                    ^friend.*
		msg-type                       any
		new-value                      
		methods                        
	header-rule
		name                           addNullRoute
		header-name                    Route
		action                         add
		comparison-type                boolean
		match-value                    $isScanner.$0
		msg-type                       request
		new-value                      "<sip:10.12.13.14;lr>"
		methods                        
	last-modified-by               admin<sipX_ip>
	last-modified-date             2011-10-07 14:40:26
steering-pool
	ip-address                     <sipX_ip>
	start-port                     31000
	end-port                       34999
	realm-id                       inside
	network-interface              
	last-modified-by               admin
	last-modified-date             2011-10-07 14:35:54
steering-pool
	ip-address                     pub.ip.goes.here
	start-port                     31000
	end-port                       34999
	realm-id                       outside
	network-interface              
	last-modified-by               admin
	last-modified-date             2011-10-07 14:36:04
system-config
	hostname                       
	description                    
	location                       
	mib-system-contact             
	mib-system-name                
	mib-system-location            
	snmp-enabled                   enabled
	enable-snmp-auth-traps         disabled
	enable-snmp-syslog-notify      disabled
	enable-snmp-monitor-traps      disabled
	enable-env-monitor-traps       disabled
	snmp-syslog-his-table-length   1
	snmp-syslog-level              WARNING
	system-log-level               WARNING
	process-log-level              NOTICE
	process-log-ip-address         0.0.0.0
	process-log-port               0
	collect
		sample-interval                5
		push-interval                  15
		boot-state                     disabled
		start-time                     now
		end-time                       never
		red-collect-state              disabled
		red-max-trans                  1000
		red-sync-start-time            5000
		red-sync-comp-time             1000
		push-success-trap-state        disabled
	call-trace                     disabled
	internal-trace                 disabled
	log-filter                     all
	default-gateway                <gateway>
	restart                        enabled
	exceptions                     
	telnet-timeout                 0
	console-timeout                0
	remote-control                 enabled
	cli-audit-trail                enabled
	link-redundancy-state          disabled
	source-routing                 enabled
	cli-more                       disabled
	terminal-height                24
	debug-timeout                  0
	trap-event-lifetime            0
	cleanup-time-of-day            00:00
	last-modified-by               admin
	last-modified-date             2010-11-15 17:17:39
tls-profile
	name                           SSA
	end-entity-certificate         SDcert
	trusted-ca-certificates        
	cipher-list                    
	                               ALL
	verify-depth                   10
	mutual-authenticate            disabled
	tls-version                    compatibility
	last-modified-by               admin
	last-modified-date             2011-11-29 20:13:14
capture-receiver
	state                          disabled
	address                        
	network-interface              s1p0:0
	last-modified-by               admin
	last-modified-date             2010-11-01 14:19:17