This is a sample config for an Acme Packet Net-Net 3820 sbc to enable Remote Workers with sipXecs 4.4 in a distributed environment. It includes basic SIPVicious protection. This is a work in progress as the config will require some tweaking to get all sipX features working for Remote phones. Additionally, the config for passing phone provisioning through the sbc is not included, but hopefully will be added at some time.
apkt01-phx2# sh run
certificate-record
name SDcert
country US
state xx
locality yyy
organization zzz
unit
common-name pub.ip.goes.here
key-size 1024
alternate-name
trusted enabled
key-usage-list
digitalSignature
keyEncipherment
extended-key-usage-list
serverAuth
options
last-modified-by admin
last-modified-date 2010-11-01 14:58:49
host-routes
dest-network <sipx>
netmask <netmask>
gateway <gateway>
description sipXecs
last-modified-by admin@console
last-modified-date 2010-11-15 19:12:42
host-routes
dest-network <ntp-source>
netmask <netmask>
gateway <gateway
description ntp
last-modified-by admin
last-modified-date 2011-03-29 09:13:26
local-policy
from-address
*
to-address
*
source-realm
outside
description Remote_Worker_Route_Policy_to_Core
activate-time N/A
deactivate-time N/A
state enabled
policy-priority none
last-modified-by admin@10.10.10.12
last-modified-date 2010-10-14 09:45:39
policy-attribute
next-hop sag:sipXecs
realm inside
action none
terminate-recursion disabled
carrier
start-time 0000
end-time 2400
days-of-week U-S
cost 0
app-protocol SIP
state enabled
methods
media-profiles
media-manager
state enabled
latching enabled
flow-time-limit 86400
initial-guard-timer 300
subsq-guard-timer 300
tcp-flow-time-limit 86400
tcp-initial-guard-timer 300
tcp-subsq-guard-timer 300
tcp-number-of-ports-per-flow 2
hnt-rtcp disabled
algd-log-level NOTICE
mbcd-log-level NOTICE
red-flow-port 1985
red-mgcp-port 1986
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
media-policing enabled
max-signaling-bandwidth 1041040
max-untrusted-signaling 11
min-untrusted-signaling 10
app-signaling-bandwidth 0
tolerance-window 30
rtcp-rate-limit 0
min-media-allocation 2000
min-trusted-allocation 4000
deny-allocation 32000
anonymous-sdp disabled
arp-msg-bandwidth 32000
fragment-msg-bandwidth 0
rfc2833-timestamp disabled
default-2833-duration 100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event disabled
dnsalg-server-failover disabled
last-modified-by admin
last-modified-date 2011-04-20 13:24:26
network-interface
name s0p0
sub-port-id 0
description Public_Network_Interface_Remote_Worker
hostname
ip-address pub.ip.goes.here
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway pub.ip.gw.here
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin
last-modified-date 2011-04-20 13:07:53
network-interface
name s1p0
sub-port-id 0
description Network_Interface_Connected_to_Internal_Network
hostname
ip-address <sipX_ip>
pri-utility-addr
sec-utility-addr
netmask <netmask>
gateway <gateway>
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list <sipX_ip>
ftp-address <sipX_ip>
icmp-address <sipX_ip>
snmp-address
telnet-address
last-modified-by admin@10.10.10.12
last-modified-date 2010-10-14 10:46:37
ntp-config
server <ntp_ip>
last-modified-by admin@console
last-modified-date 2010-10-14 09:15:15
phy-interface
name s0p0
operation-type Media
port 0
slot 0
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
last-modified-by admin@10.10.10.12
last-modified-date 2010-10-14 09:19:50
phy-interface
name s1p0
operation-type Media
port 0
slot 1
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
last-modified-by admin@console
last-modified-date 2011-02-18 12:29:05
realm-config
identifier outside
description Remote_Worker_to_SBC
addr-prefix 0.0.0.0
network-interfaces
s0p0:0
mm-in-realm enabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid addRouteHdr
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level medium
invalid-signal-threshold 1
maximum-signal-threshold 4000
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 60
ext-policy-svr
symmetric-latching enabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin
last-modified-date 2011-12-01 16:18:18
realm-config
identifier inside
description SBC_TO_SIPX
addr-prefix 0.0.0.0
network-interfaces
s1p0:0
mm-in-realm enabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level high
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin
last-modified-date 2011-04-20 12:37:50
response-map
last-modified-by admin
last-modified-date 2011-10-07 14:40:55
name 503Rogue
entries
503 -> 677 (Rogue)
session-agent
hostname <sipX_ip>
ip-address <sipX_ip>
port 5060
state enabled
app-protocol SIP
app-type
transport-method UDP
realm-id *
egress-realm-id
description To_Core_sipXecs_1
carriers
allow-next-hop-lp enabled
constraints disabled
max-sessions 0
max-inbound-sessions 0
max-outbound-sessions 0
max-burst-rate 0
max-inbound-burst-rate 0
max-outbound-burst-rate 0
max-sustain-rate 0
max-inbound-sustain-rate 0
max-outbound-sustain-rate 0
min-seizures 5
min-asr 0
time-to-resume 10
ttr-no-response 16
in-service-period 0
burst-rate-window 0
sustain-rate-window 0
req-uri-carrier-mode None
proxy-mode
redirect-action
loose-routing enabled
send-media-session enabled
response-map
ping-method OPTIONS;hops=0
ping-interval 60
ping-send-mode keep-alive
ping-in-service-response-codes
out-service-response-codes
options trans-timeouts=1
media-profiles
in-translationid
out-translationid
trust-me disabled
request-uri-headers
stop-recurse
local-response-map
ping-to-user-part
ping-from-user-part
li-trust-me disabled
in-manipulationid
out-manipulationid
manipulation-string
p-asserted-id
trunk-group
max-register-sustain-rate 0
early-media-allow
invalidate-registrations disabled
rfc2833-mode transparent
rfc2833-payload 0
codec-policy
enforcement-profile
refer-call-transfer disabled
reuse-connections NONE
tcp-keepalive none
tcp-reconn-interval 0
max-register-burst-rate 0
register-burst-window 0
last-modified-by admin
last-modified-date 2011-09-06 20:59:24
session-agent
hostname 10.12.13.14
ip-address
port 5060
state disabled
app-protocol SIP
app-type
transport-method UDP
realm-id *
egress-realm-id
description SIPVicious Protection
carriers
allow-next-hop-lp enabled
constraints disabled
max-sessions 0
max-inbound-sessions 0
max-outbound-sessions 0
max-burst-rate 0
max-inbound-burst-rate 0
max-outbound-burst-rate 0
max-sustain-rate 0
max-inbound-sustain-rate 0
max-outbound-sustain-rate 0
min-seizures 5
min-asr 0
time-to-resume 0
ttr-no-response 0
in-service-period 0
burst-rate-window 0
sustain-rate-window 0
req-uri-carrier-mode None
proxy-mode
redirect-action
loose-routing enabled
send-media-session enabled
response-map
ping-method
ping-interval 0
ping-send-mode keep-alive
ping-in-service-response-codes
out-service-response-codes
media-profiles
in-translationid
out-translationid
trust-me disabled
request-uri-headers
stop-recurse
local-response-map 503Rogue
ping-to-user-part
ping-from-user-part
li-trust-me disabled
in-manipulationid
out-manipulationid
manipulation-string
p-asserted-id
trunk-group
max-register-sustain-rate 0
early-media-allow
invalidate-registrations disabled
rfc2833-mode none
rfc2833-payload 0
codec-policy
enforcement-profile
refer-call-transfer disabled
reuse-connections NONE
tcp-keepalive none
tcp-reconn-interval 0
max-register-burst-rate 0
register-burst-window 0
last-modified-by admin
last-modified-date 2011-10-07 14:41:34
session-group
group-name sipXecs
description
state enabled
app-protocol SIP
strategy Hunt
dest
<sipX_ip>
trunk-group
sag-recursion enabled
stop-sag-recurse 401,407
last-modified-by admin
last-modified-date 2012-01-09 22:34:11
sip-config
state enabled
operation-mode dialog
dialog-transparency enabled
home-realm-id inside
egress-realm-id inside
nat-mode None
registrar-domain *
registrar-host *
registrar-port 5060
register-service-route always
init-timer 500
max-timer 4000
trans-expire 32
invite-expire 180
inactive-dynamic-conn 32
enforcement-profile
pac-method
pac-interval 10
pac-strategy PropDist
pac-load-weight 1
pac-session-weight 1
pac-route-weight 1
pac-callid-lifetime 600
pac-user-lifetime 3600
red-sip-port 1988
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
add-reason-header disabled
sip-message-len 4096
enum-sag-match disabled
extra-method-stats enabled
registration-cache-limit 0
register-use-to-for-lp disabled
options cache-challenges
max-register-forward=5000
max-register-refresh=112
max-udp-length=0
reg-overload-protect
register-grace-timer=120
reject-register=refresh
set-inv-exp-at-100-resp
add-ucid-header disabled
proxy-sub-events
last-modified-by admin
last-modified-date 2011-10-07 14:38:53
sip-interface
state enabled
realm-id outside
description Remote_Worker_to_SBC
sip-port
address pub.ip.goes.here
port 5060
transport-protocol UDP
tls-profile
allow-anonymous registered
ims-aka-profile
sip-port
address pub.ip.goes.here
port 5061
transport-protocol TLS
tls-profile SSA
allow-anonymous registered
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action Proxy
contact-mode none
nat-traversal always
nat-interval 45
tcp-nat-interval 90
registration-caching enabled
min-reg-expire 300
registration-interval 3600
route-to-registrar enabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
options reg-via-key
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
refer-call-transfer disabled
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
last-modified-by admin
last-modified-date 2011-11-29 21:09:06
sip-interface
state enabled
realm-id inside
description PBX_to_SBC
sip-port
address <sipX_ip>
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action Recurse
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
refer-call-transfer disabled
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
last-modified-by admin@10.10.10.12
last-modified-date 2010-10-14 09:36:42
sip-manipulation
name addRouteHdr
description SIPVicious Protection
header-rule
name isScanner
header-name User-Agent
action store
comparison-type pattern-rule
match-value ^friend.*
msg-type any
new-value
methods
header-rule
name addNullRoute
header-name Route
action add
comparison-type boolean
match-value $isScanner.$0
msg-type request
new-value "<sip:10.12.13.14;lr>"
methods
last-modified-by admin<sipX_ip>
last-modified-date 2011-10-07 14:40:26
steering-pool
ip-address <sipX_ip>
start-port 31000
end-port 34999
realm-id inside
network-interface
last-modified-by admin
last-modified-date 2011-10-07 14:35:54
steering-pool
ip-address pub.ip.goes.here
start-port 31000
end-port 34999
realm-id outside
network-interface
last-modified-by admin
last-modified-date 2011-10-07 14:36:04
system-config
hostname
description
location
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps disabled
enable-snmp-syslog-notify disabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level WARNING
system-log-level WARNING
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15
boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway <gateway>
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing enabled
cli-more disabled
terminal-height 24
debug-timeout 0
trap-event-lifetime 0
cleanup-time-of-day 00:00
last-modified-by admin
last-modified-date 2010-11-15 17:17:39
tls-profile
name SSA
end-entity-certificate SDcert
trusted-ca-certificates
cipher-list
ALL
verify-depth 10
mutual-authenticate disabled
tls-version compatibility
last-modified-by admin
last-modified-date 2011-11-29 20:13:14
capture-receiver
state disabled
address
network-interface s1p0:0
last-modified-by admin
last-modified-date 2010-11-01 14:19:17
|