This is a sample config for an Acme Packet Net-Net 3820 SBC to enable remote workers with sipXecs 4.4 in a distributed environment. It includes basic SIPVicious protection (a sip-manipulation that detects scanner User-Agents and routes their requests to a disabled session-agent, whose 503 is mapped to a 677 Rogue response). This is a work in progress, as the config will require some tweaking to get all sipX features working for remote phones. The config for passing phone provisioning through the SBC is not included, but will hopefully be added at some point.
apkt01-phx2# sh run
certificate-record
        name                           SDcert
        country                        US
        state                          xx
        locality                       yyy
        organization                   zzz
        unit
        common-name                    pub.ip.goes.here
        key-size                       1024
        alternate-name
        trusted                        enabled
        key-usage-list                 digitalSignature
                                       keyEncipherment
        extended-key-usage-list        serverAuth
        options
        last-modified-by               admin
        last-modified-date             2010-11-01 14:58:49
host-routes
        dest-network                   <sipx>
        netmask                        <netmask>
        gateway                        <gateway>
        description                    sipXecs
        last-modified-by               admin@console
        last-modified-date             2010-11-15 19:12:42
host-routes
        dest-network                   <ntp-source>
        netmask                        <netmask>
        gateway                        <gateway>
        description                    ntp
        last-modified-by               admin
        last-modified-date             2011-03-29 09:13:26
local-policy
        from-address                   *
        to-address                     *
        source-realm                   outside
        description                    Remote_Worker_Route_Policy_to_Core
        activate-time                  N/A
        deactivate-time                N/A
        state                          enabled
        policy-priority                none
        last-modified-by               admin@10.10.10.12
        last-modified-date             2010-10-14 09:45:39
        policy-attribute
                next-hop                       sag:sipXecs
                realm                          inside
                action                         none
                terminate-recursion            disabled
                carrier
                start-time                     0000
                end-time                       2400
                days-of-week                   U-S
                cost                           0
                app-protocol                   SIP
                state                          enabled
                methods
                media-profiles
media-manager
        state                          enabled
        latching                       enabled
        flow-time-limit                86400
        initial-guard-timer            300
        subsq-guard-timer              300
        tcp-flow-time-limit            86400
        tcp-initial-guard-timer        300
        tcp-subsq-guard-timer          300
        tcp-number-of-ports-per-flow   2
        hnt-rtcp                       disabled
        algd-log-level                 NOTICE
        mbcd-log-level                 NOTICE
        red-flow-port                  1985
        red-mgcp-port                  1986
        red-max-trans                  10000
        red-sync-start-time            5000
        red-sync-comp-time             1000
        media-policing                 enabled
        max-signaling-bandwidth        1041040
        max-untrusted-signaling        11
        min-untrusted-signaling        10
        app-signaling-bandwidth        0
        tolerance-window               30
        rtcp-rate-limit                0
        min-media-allocation           2000
        min-trusted-allocation         4000
        deny-allocation                32000
        anonymous-sdp                  disabled
        arp-msg-bandwidth              32000
        fragment-msg-bandwidth         0
        rfc2833-timestamp              disabled
        default-2833-duration          100
        rfc2833-end-pkts-only-for-non-sig enabled
        translate-non-rfc2833-event    disabled
        dnsalg-server-failover         disabled
        last-modified-by               admin
        last-modified-date             2011-04-20 13:24:26
network-interface
        name                           s0p0
        sub-port-id                    0
        description                    Public_Network_Interface_Remote_Worker
        hostname
        ip-address                     pub.ip.goes.here
        pri-utility-addr
        sec-utility-addr
        netmask                        255.255.255.0
        gateway                        pub.ip.gw.here
        sec-gateway
        gw-heartbeat
                state                          disabled
                heartbeat                      0
                retry-count                    0
                retry-timeout                  1
                health-score                   0
        dns-ip-primary
        dns-ip-backup1
        dns-ip-backup2
        dns-domain
        dns-timeout                    11
        hip-ip-list
        ftp-address
        icmp-address
        snmp-address
        telnet-address
        last-modified-by               admin
        last-modified-date             2011-04-20 13:07:53
network-interface
        name                           s1p0
        sub-port-id                    0
        description                    Network_Interface_Connected_to_Internal_Network
        hostname
        ip-address                     <sipX_ip>
        pri-utility-addr
        sec-utility-addr
        netmask                        <netmask>
        gateway                        <gateway>
        sec-gateway
        gw-heartbeat
                state                          disabled
                heartbeat                      0
                retry-count                    0
                retry-timeout                  1
                health-score                   0
        dns-ip-primary
        dns-ip-backup1
        dns-ip-backup2
        dns-domain
        dns-timeout                    11
        hip-ip-list                    <sipX_ip>
        ftp-address                    <sipX_ip>
        icmp-address                   <sipX_ip>
        snmp-address
        telnet-address
        last-modified-by               admin@10.10.10.12
        last-modified-date             2010-10-14 10:46:37
ntp-config
        server                         <ntp_ip>
        last-modified-by               admin@console
        last-modified-date             2010-10-14 09:15:15
phy-interface
        name                           s0p0
        operation-type                 Media
        port                           0
        slot                           0
        virtual-mac
        admin-state                    enabled
        auto-negotiation               enabled
        duplex-mode                    FULL
        speed                          100
        last-modified-by               admin@10.10.10.12
        last-modified-date             2010-10-14 09:19:50
phy-interface
        name                           s1p0
        operation-type                 Media
        port                           0
        slot                           1
        virtual-mac
        admin-state                    enabled
        auto-negotiation               enabled
        duplex-mode                    FULL
        speed                          100
        last-modified-by               admin@console
        last-modified-date             2011-02-18 12:29:05
realm-config
        identifier                     outside
        description                    Remote_Worker_to_SBC
        addr-prefix                    0.0.0.0
        network-interfaces             s0p0:0
        mm-in-realm                    enabled
        mm-in-network                  enabled
        mm-same-ip                     enabled
        mm-in-system                   enabled
        bw-cac-non-mm                  disabled
        msm-release                    disabled
        qos-enable                     disabled
        generate-UDP-checksum          disabled
        max-bandwidth                  0
        fallback-bandwidth             0
        max-priority-bandwidth         0
        max-latency                    0
        max-jitter                     0
        max-packet-loss                0
        observ-window-size             0
        parent-realm
        dns-realm
        media-policy
        in-translationid
        out-translationid
        in-manipulationid              addRouteHdr
        out-manipulationid
        manipulation-string
        class-profile
        average-rate-limit             0
        access-control-trust-level     medium
        invalid-signal-threshold       1
        maximum-signal-threshold       4000
        untrusted-signal-threshold     0
        nat-trust-threshold            0
        deny-period                    60
        ext-policy-svr
        symmetric-latching             enabled
        pai-strip                      disabled
        trunk-context
        early-media-allow
        enforcement-profile
        additional-prefixes
        restricted-latching            none
        restriction-mask               32
        accounting-enable              enabled
        user-cac-mode                  none
        user-cac-bandwidth             0
        user-cac-sessions              0
        icmp-detect-multiplier         0
        icmp-advertisement-interval    0
        icmp-target-ip
        monthly-minutes                0
        net-management-control         disabled
        delay-media-update             disabled
        refer-call-transfer            disabled
        codec-policy
        codec-manip-in-realm           disabled
        constraint-name
        call-recording-server-id
        stun-enable                    disabled
        stun-server-ip                 0.0.0.0
        stun-server-port               3478
        stun-changed-ip                0.0.0.0
        stun-changed-port              3479
        match-media-profiles
        qos-constraint
        last-modified-by               admin
        last-modified-date             2011-12-01 16:18:18
realm-config
        identifier                     inside
        description                    SBC_TO_SIPX
        addr-prefix                    0.0.0.0
        network-interfaces             s1p0:0
        mm-in-realm                    enabled
        mm-in-network                  enabled
        mm-same-ip                     enabled
        mm-in-system                   enabled
        bw-cac-non-mm                  disabled
        msm-release                    disabled
        qos-enable                     disabled
        generate-UDP-checksum          disabled
        max-bandwidth                  0
        fallback-bandwidth             0
        max-priority-bandwidth         0
        max-latency                    0
        max-jitter                     0
        max-packet-loss                0
        observ-window-size             0
        parent-realm
        dns-realm
        media-policy
        in-translationid
        out-translationid
        in-manipulationid
        out-manipulationid
        manipulation-string
        class-profile
        average-rate-limit             0
        access-control-trust-level     high
        invalid-signal-threshold       0
        maximum-signal-threshold       0
        untrusted-signal-threshold     0
        nat-trust-threshold            0
        deny-period                    30
        ext-policy-svr
        symmetric-latching             disabled
        pai-strip                      disabled
        trunk-context
        early-media-allow
        enforcement-profile
        additional-prefixes
        restricted-latching            none
        restriction-mask               32
        accounting-enable              enabled
        user-cac-mode                  none
        user-cac-bandwidth             0
        user-cac-sessions              0
        icmp-detect-multiplier         0
        icmp-advertisement-interval    0
        icmp-target-ip
        monthly-minutes                0
        net-management-control         disabled
        delay-media-update             disabled
        refer-call-transfer            disabled
        codec-policy
        codec-manip-in-realm           disabled
        constraint-name
        call-recording-server-id
        stun-enable                    disabled
        stun-server-ip                 0.0.0.0
        stun-server-port               3478
        stun-changed-ip                0.0.0.0
        stun-changed-port              3479
        match-media-profiles
        qos-constraint
        last-modified-by               admin
        last-modified-date             2011-04-20 12:37:50
response-map
        last-modified-by               admin
        last-modified-date             2011-10-07 14:40:55
        name                           503Rogue
        entries
                503 -> 677 (Rogue)
session-agent
        hostname                       <sipX_ip>
        ip-address                     <sipX_ip>
        port                           5060
        state                          enabled
        app-protocol                   SIP
        app-type
        transport-method               UDP
        realm-id                       *
        egress-realm-id
        description                    To_Core_sipXecs_1
        carriers
        allow-next-hop-lp              enabled
        constraints                    disabled
        max-sessions                   0
        max-inbound-sessions           0
        max-outbound-sessions          0
        max-burst-rate                 0
        max-inbound-burst-rate         0
        max-outbound-burst-rate        0
        max-sustain-rate               0
        max-inbound-sustain-rate       0
        max-outbound-sustain-rate      0
        min-seizures                   5
        min-asr                        0
        time-to-resume                 10
        ttr-no-response                16
        in-service-period              0
        burst-rate-window              0
        sustain-rate-window            0
        req-uri-carrier-mode           None
        proxy-mode
        redirect-action
        loose-routing                  enabled
        send-media-session             enabled
        response-map
        ping-method                    OPTIONS;hops=0
        ping-interval                  60
        ping-send-mode                 keep-alive
        ping-in-service-response-codes
        out-service-response-codes
        options                        trans-timeouts=1
        media-profiles
        in-translationid
        out-translationid
        trust-me                       disabled
        request-uri-headers
        stop-recurse
        local-response-map
        ping-to-user-part
        ping-from-user-part
        li-trust-me                    disabled
        in-manipulationid
        out-manipulationid
        manipulation-string
        p-asserted-id
        trunk-group
        max-register-sustain-rate      0
        early-media-allow
        invalidate-registrations       disabled
        rfc2833-mode                   transparent
        rfc2833-payload                0
        codec-policy
        enforcement-profile
        refer-call-transfer            disabled
        reuse-connections              NONE
        tcp-keepalive                  none
        tcp-reconn-interval            0
        max-register-burst-rate        0
        register-burst-window          0
        last-modified-by               admin
        last-modified-date             2011-09-06 20:59:24
session-agent
        hostname                       10.12.13.14
        ip-address
        port                           5060
        state                          disabled
        app-protocol                   SIP
        app-type
        transport-method               UDP
        realm-id                       *
        egress-realm-id
        description                    SIPVicious Protection
        carriers
        allow-next-hop-lp              enabled
        constraints                    disabled
        max-sessions                   0
        max-inbound-sessions           0
        max-outbound-sessions          0
        max-burst-rate                 0
        max-inbound-burst-rate         0
        max-outbound-burst-rate        0
        max-sustain-rate               0
        max-inbound-sustain-rate       0
        max-outbound-sustain-rate      0
        min-seizures                   5
        min-asr                        0
        time-to-resume                 0
        ttr-no-response                0
        in-service-period              0
        burst-rate-window              0
        sustain-rate-window            0
        req-uri-carrier-mode           None
        proxy-mode
        redirect-action
        loose-routing                  enabled
        send-media-session             enabled
        response-map
        ping-method
        ping-interval                  0
        ping-send-mode                 keep-alive
        ping-in-service-response-codes
        out-service-response-codes
        media-profiles
        in-translationid
        out-translationid
        trust-me                       disabled
        request-uri-headers
        stop-recurse
        local-response-map             503Rogue
        ping-to-user-part
        ping-from-user-part
        li-trust-me                    disabled
        in-manipulationid
        out-manipulationid
        manipulation-string
        p-asserted-id
        trunk-group
        max-register-sustain-rate      0
        early-media-allow
        invalidate-registrations       disabled
        rfc2833-mode                   none
        rfc2833-payload                0
        codec-policy
        enforcement-profile
        refer-call-transfer            disabled
        reuse-connections              NONE
        tcp-keepalive                  none
        tcp-reconn-interval            0
        max-register-burst-rate        0
        register-burst-window          0
        last-modified-by               admin
        last-modified-date             2011-10-07 14:41:34
session-group
        group-name                     sipXecs
        description
        state                          enabled
        app-protocol                   SIP
        strategy                       Hunt
        dest                           <sipX_ip>
        trunk-group
        sag-recursion                  enabled
        stop-sag-recurse               401,407
        last-modified-by               admin
        last-modified-date             2012-01-09 22:34:11
sip-config
        state                          enabled
        operation-mode                 dialog
        dialog-transparency            enabled
        home-realm-id                  inside
        egress-realm-id                inside
        nat-mode                       None
        registrar-domain               *
        registrar-host                 *
        registrar-port                 5060
        register-service-route         always
        init-timer                     500
        max-timer                      4000
        trans-expire                   32
        invite-expire                  180
        inactive-dynamic-conn          32
        enforcement-profile
        pac-method
        pac-interval                   10
        pac-strategy                   PropDist
        pac-load-weight                1
        pac-session-weight             1
        pac-route-weight               1
        pac-callid-lifetime            600
        pac-user-lifetime              3600
        red-sip-port                   1988
        red-max-trans                  10000
        red-sync-start-time            5000
        red-sync-comp-time             1000
        add-reason-header              disabled
        sip-message-len                4096
        enum-sag-match                 disabled
        extra-method-stats             enabled
        registration-cache-limit       0
        register-use-to-for-lp         disabled
        options                        cache-challenges
                                       max-register-forward=5000
                                       max-register-refresh=112
                                       max-udp-length=0
                                       reg-overload-protect
                                       register-grace-timer=120
                                       reject-register=refresh
                                       set-inv-exp-at-100-resp
        add-ucid-header                disabled
        proxy-sub-events
        last-modified-by               admin
        last-modified-date             2011-10-07 14:38:53
sip-interface
        state                          enabled
        realm-id                       outside
        description                    Remote_Worker_to_SBC
        sip-port
                address                        pub.ip.goes.here
                port                           5060
                transport-protocol             UDP
                tls-profile
                allow-anonymous                registered
                ims-aka-profile
        sip-port
                address                        pub.ip.goes.here
                port                           5061
                transport-protocol             TLS
                tls-profile                    SSA
                allow-anonymous                registered
                ims-aka-profile
        carriers
        trans-expire                   0
        invite-expire                  0
        max-redirect-contacts          0
        proxy-mode
        redirect-action                Proxy
        contact-mode                   none
        nat-traversal                  always
        nat-interval                   45
        tcp-nat-interval               90
        registration-caching           enabled
        min-reg-expire                 300
        registration-interval          3600
        route-to-registrar             enabled
        secured-network                disabled
        teluri-scheme                  disabled
        uri-fqdn-domain
        options                        reg-via-key
        trust-mode                     all
        max-nat-interval               3600
        nat-int-increment              10
        nat-test-increment             30
        sip-dynamic-hnt                disabled
        stop-recurse                   401,407
        port-map-start                 0
        port-map-end                   0
        in-manipulationid
        out-manipulationid
        manipulation-string
        sip-ims-feature                disabled
        operator-identifier
        anonymous-priority             none
        max-incoming-conns             0
        per-src-ip-max-incoming-conns  0
        inactive-conn-timeout          0
        untrusted-conn-timeout         0
        network-id
        ext-policy-server
        default-location-string
        charging-vector-mode           pass
        charging-function-address-mode pass
        ccf-address
        ecf-address
        term-tgrp-mode                 none
        implicit-service-route         disabled
        rfc2833-payload                101
        rfc2833-mode                   transparent
        constraint-name
        response-map
        local-response-map
        ims-aka-feature                disabled
        enforcement-profile
        refer-call-transfer            disabled
        route-unauthorized-calls
        tcp-keepalive                  none
        add-sdp-invite                 disabled
        add-sdp-profiles
        last-modified-by               admin
        last-modified-date             2011-11-29 21:09:06
sip-interface
        state                          enabled
        realm-id                       inside
        description                    PBX_to_SBC
        sip-port
                address                        <sipX_ip>
                port                           5060
                transport-protocol             UDP
                tls-profile
                allow-anonymous                all
                ims-aka-profile
        carriers
        trans-expire                   0
        invite-expire                  0
        max-redirect-contacts          0
        proxy-mode
        redirect-action                Recurse
        contact-mode                   none
        nat-traversal                  none
        nat-interval                   30
        tcp-nat-interval               90
        registration-caching           disabled
        min-reg-expire                 300
        registration-interval          3600
        route-to-registrar             disabled
        secured-network                disabled
        teluri-scheme                  disabled
        uri-fqdn-domain
        trust-mode                     all
        max-nat-interval               3600
        nat-int-increment              10
        nat-test-increment             30
        sip-dynamic-hnt                disabled
        stop-recurse                   401,407
        port-map-start                 0
        port-map-end                   0
        in-manipulationid
        out-manipulationid
        manipulation-string
        sip-ims-feature                disabled
        operator-identifier
        anonymous-priority             none
        max-incoming-conns             0
        per-src-ip-max-incoming-conns  0
        inactive-conn-timeout          0
        untrusted-conn-timeout         0
        network-id
        ext-policy-server
        default-location-string
        charging-vector-mode           pass
        charging-function-address-mode pass
        ccf-address
        ecf-address
        term-tgrp-mode                 none
        implicit-service-route         disabled
        rfc2833-payload                101
        rfc2833-mode                   transparent
        constraint-name
        response-map
        local-response-map
        ims-aka-feature                disabled
        enforcement-profile
        refer-call-transfer            disabled
        route-unauthorized-calls
        tcp-keepalive                  none
        add-sdp-invite                 disabled
        add-sdp-profiles
        last-modified-by               admin@10.10.10.12
        last-modified-date             2010-10-14 09:36:42
sip-manipulation
        name                           addRouteHdr
        description                    SIPVicious Protection
        header-rule
                name                           isScanner
                header-name                    User-Agent
                action                         store
                comparison-type                pattern-rule
                match-value                    ^friend.*
                msg-type                       any
                new-value
                methods
        header-rule
                name                           addNullRoute
                header-name                    Route
                action                         add
                comparison-type                boolean
                match-value                    $isScanner.$0
                msg-type                       request
                new-value                      "<sip:10.12.13.14;lr>"
                methods
        last-modified-by               admin<sipX_ip>
        last-modified-date             2011-10-07 14:40:26
steering-pool
        ip-address                     <sipX_ip>
        start-port                     31000
        end-port                       34999
        realm-id                       inside
        network-interface
        last-modified-by               admin
        last-modified-date             2011-10-07 14:35:54
steering-pool
        ip-address                     pub.ip.goes.here
        start-port                     31000
        end-port                       34999
        realm-id                       outside
        network-interface
        last-modified-by               admin
        last-modified-date             2011-10-07 14:36:04
system-config
        hostname
        description
        location
        mib-system-contact
        mib-system-name
        mib-system-location
        snmp-enabled                   enabled
        enable-snmp-auth-traps         disabled
        enable-snmp-syslog-notify      disabled
        enable-snmp-monitor-traps      disabled
        enable-env-monitor-traps       disabled
        snmp-syslog-his-table-length   1
        snmp-syslog-level              WARNING
        system-log-level               WARNING
        process-log-level              NOTICE
        process-log-ip-address         0.0.0.0
        process-log-port               0
        collect
                sample-interval                5
                push-interval                  15
                boot-state                     disabled
                start-time                     now
                end-time                       never
                red-collect-state              disabled
                red-max-trans                  1000
                red-sync-start-time            5000
                red-sync-comp-time             1000
                push-success-trap-state        disabled
        call-trace                     disabled
        internal-trace                 disabled
        log-filter                     all
        default-gateway                <gateway>
        restart                        enabled
        exceptions
        telnet-timeout                 0
        console-timeout                0
        remote-control                 enabled
        cli-audit-trail                enabled
        link-redundancy-state          disabled
        source-routing                 enabled
        cli-more                       disabled
        terminal-height                24
        debug-timeout                  0
        trap-event-lifetime            0
        cleanup-time-of-day            00:00
        last-modified-by               admin
        last-modified-date             2010-11-15 17:17:39
tls-profile
        name                           SSA
        end-entity-certificate         SDcert
        trusted-ca-certificates
        cipher-list                    ALL
        verify-depth                   10
        mutual-authenticate            disabled
        tls-version                    compatibility
        last-modified-by               admin
        last-modified-date             2011-11-29 20:13:14
capture-receiver
        state                          disabled
        address
        network-interface              s1p0:0
        last-modified-by               admin
        last-modified-date             2010-11-01 14:19:17
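As an added illustration (not part of the original page and not the SBC's own code), the following Python mimics what the addRouteHdr sip-manipulation and the 503Rogue response-map above do to an inbound request on the outside realm: a User-Agent matching ^friend.* gets a Route header toward the disabled 10.12.13.14 session-agent, and the 503 that dead next hop produces is rewritten to 677 Rogue before it leaves the SBC. The two SIP requests are constructed samples, not captured traffic.

```python
import re
from typing import List, Tuple

# Constructed sample requests (not captured traffic). The first carries the
# kind of User-Agent the isScanner rule matches, the second an ordinary phone.
SCANNER_REQUEST = (
    "OPTIONS sip:100@pub.ip.goes.here SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    "User-Agent: friendly-scanner\r\n"
    "To: <sip:100@pub.ip.goes.here>\r\n\r\n"
)
PHONE_REQUEST = (
    "REGISTER sip:pub.ip.goes.here SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-2\r\n"
    "User-Agent: ExamplePhone/1.0\r\n"
    "To: <sip:1001@pub.ip.goes.here>\r\n\r\n"
)

SCANNER_UA = re.compile(r"^friend.*")    # header-rule isScanner, match-value
NULL_ROUTE = "<sip:10.12.13.14;lr>"      # header-rule addNullRoute, new-value
RESPONSE_MAP = {503: (677, "Rogue")}    # response-map 503Rogue: 503 -> 677 (Rogue)


def parse_request(msg: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a SIP request into its request line and (name, value) headers."""
    request_line, _, rest = msg.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return request_line, headers


def apply_add_route_hdr(msg: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Mimic sip-manipulation addRouteHdr: isScanner stores whether User-Agent
    matches ^friend.*, addNullRoute then adds a Route to the dead agent."""
    _, headers = parse_request(msg)
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    is_scanner = SCANNER_UA.match(ua) is not None
    if is_scanner:
        headers.append(("Route", NULL_ROUTE))
    return is_scanner, headers


def local_response(status: int) -> Tuple[int, str]:
    """Apply local-response-map 503Rogue to the status the disabled
    session-agent yields; other codes pass through unchanged."""
    return RESPONSE_MAP.get(status, (status, ""))
```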