murphster

Cisco 2901 CME VoIP Telekom

Dear admins,

First of all, please overlook my spelling mistakes; I am English and am making the effort to write this without Google's help :)

I have been trying for weeks to register my C2901 (IOS 15.1) with CME 8.6 against the Telekom SIP VoIP service. The plan is to equip our small home office with two landline connections using two Cisco 7961s. Since my DeutschlandLAN Voice/Data package already has 3 phone numbers and I have already got one of them running with an SPA112, I thought it was time to unpack my IOS CLI skills and make it happen!!

Unfortunately, lots of SIP messages go out to the SIP registrar, but nothing comes back. I have checked the ZBF several times for anything I might have forgotten; I don't know whether I may have a NAT issue.... simply nothing comes back at all?! I can resolve the SIP server's DNS name in the CLI and ping it successfully... I'm at a loss, and after a lot of effort on the web there is nothing that helps :(

If any of you have a few ideas/suggestions, I would be very grateful!!

Attached is my running config....

! Last configuration change at 18:33:09 CET Sat Nov 24 2018 by admin
! NVRAM config last updated at 18:35:29 CET Sat Nov 24 2018 by admin
! NVRAM config last updated at 18:35:29 CET Sat Nov 24 2018 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C2901_RT1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 128000
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauth local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.2.111 192.168.2.254
!
ip dhcp pool VoIP_Scope
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.100
 dns-server 8.8.8.8
 option 150 ip 192.168.2.100
 domain-name mynet.local
!
!
no ip bootp server
ip domain name mynet.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip port-map sip port udp from 30000 to 31000  description Telekom SIP
ip port-map sip port udp from 40000 to 41000  description Telekom SIP
ip port-map sip port udp 5070 5080 description Telekom SIP
!
multilink bundle-name authenticated
!
parameter-map type ooo global
 tcp reassembly timeout 10
 tcp reassembly queue length 1024
 tcp reassembly memory limit 4096
 tcp reassembly alarm on
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  registrar server
!
voice class codec 1
 codec preference 1 g722-64
 codec preference 2 g722-56
 codec preference 3 g722-48
 codec preference 4 g711alaw
!
!
!
!
voice translation-rule 1
 rule 1 /07xxxxx1833/ /1833/
 rule 2 /07xxxxx1844/ /1844/
 rule 3 /07xxxxx1855/ /1855/
!
voice translation-rule 2
 rule 1 /1833/ /07xxxxx1833/
 rule 2 /1844/ /07xxxxx1844/
 rule 3 /1855/ /07xxxxx1855/
!
voice translation-rule 10
 rule 1 /\(^0\)/ //
 rule 2 /1833/ /07xxxxx1833/
 rule 3 /1844/ /07xxxxx1844/
 rule 4 /1855/ /07xxxxx1855/
!
!
voice translation-profile DiscardDigit0
 translate called 10
!
voice translation-profile in
 translate called 1
!
voice translation-profile out
 translate calling 2
!
!
license udi pid CISCO2901/K9 sn FCZ1635C1KY
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
!
!
username xxxxx secret 4 8D2cBKuTUsP3tYFBzzw84MdgTzst7Y0Kk2lef2nqge.
username xxxxx secret 4 8D2cBKuTUsP3tYFBzzw84MdgTzst7Y0Kk2lef2nqge.
username xxxxx secret 4 71qbskKVj/rBufkhCQjxK4DHhXp1T2.5ZInL6EaV93o
username xxxxx privilege 15 secret 4 vtrcs31DdieNPveHNIvhnZcFcszBSQ2WLB05DxZT9nM
!
redundancy
!
!
!
!
controller VDSL 0/2/0
 firmware filename flash:VA_A_39h_B_38h3_24h_j.bin
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all IPSEC-inspect
 match access-group name ISAKMP_IPSEC
class-map type inspect sip match-any sip-class1
 match  request method invite
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect sip match-any sip-class2
 match  request method message
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-dmz-protocols
 match protocol https
 match protocol http
 match access-group name PS4_Ports
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect ccp-sip-inspect
  pass
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect IPSEC-inspect
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect ccp-icmp-access
  inspect
 class class-default
  drop log
policy-map type inspect ccp-dmz-inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-dmz-protocols
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect ccp-dmz-inspect
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxx
 key xxxxxxxx
 dns 192.168.201.185
 domain mynet.local
 pool vpnpool
 save-password
 max-users 2
 banner ^C === Welcome to mine VPN ===                      ^C
crypto isakmp profile VPNclient
   description VPN Client Profil
   match identity group xxxxx
   client authentication list clientauth
   isakmp authorization list groupauth
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto ipsec profile vpn-vti2
 set transform-set myset
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description DMZ_spare
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description DMZ_PS4
 ip address 172.16.201.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 cdp enable
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/2/0
 description PPPoE
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 load-interval 60
 no fair-queue
 no mop enabled
!
interface Ethernet0/2/0.7
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 pppoe enable group global
!
interface ATM0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
 cdp enable
!
interface ATM0/3/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 cdp enable
 pvc 1/32
  pppoe-client dial-pool-number 2
 !
!
interface GigabitEthernet0/1/0
 description Trunk_Port1
 switchport trunk native vlan 101
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/1
 description VoIP1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/1/2
 description VoIP2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/1/3
 description VoIP3
 switchport access vlan 2
 no ip address
 shutdown
!
interface GigabitEthernet0/1/4
 description SEC1
 switchport access vlan 221
 no ip address
!
interface GigabitEthernet0/1/5
 description SEC2
 switchport access vlan 221
 no ip address
!
interface GigabitEthernet0/1/6
 description SEC3
 switchport access vlan 221
 no ip address
!
interface GigabitEthernet0/1/7
 description SEC4
 switchport access vlan 221
 no ip address
!
interface Virtual-Template2 type tunnel
 description IPsec VPN Dialin
 ip unnumbered Vlan10
 zone-member security in-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-vti2
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
interface Vlan2
 description VoIP
 ip address 192.168.2.100 255.255.255.0
 ip helper-address 192.168.2.100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan10
 description VPN_Dial-in
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan101
 description H-Net Gateway
 ip address 192.168.101.5 255.255.255.0
 ip helper-address 192.168.201.185
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan221
 description S-Net Gateway
 ip address 192.168.221.5 255.255.255.0
 ip helper-address 192.168.201.185
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description DSL Dialer
 mtu 1488
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 ip tcp adjust-mss 1448
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication pap callin
 ppp pap sent-username 00xxxxxxxxxxxxxxxxxxxxxx0001@t-online.de password 7 xxxxxxxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
!
!
ip local pool vpnpool 192.168.100.240 192.168.100.243
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:/cme-gui-8.6.0
!
ip dns server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 172.16.201.151 1935 interface Dialer0 1935
ip nat inside source static tcp 172.16.201.151 3478 interface Dialer0 3478
ip nat inside source static tcp 172.16.201.151 3479 interface Dialer0 3479
ip nat inside source static tcp 172.16.201.151 3480 interface Dialer0 3480
ip nat inside source static udp 172.16.201.151 2001 interface Dialer0 2001
ip nat inside source static udp 172.16.201.151 3074 interface Dialer0 3074
ip nat inside source static udp 172.16.201.151 3478 interface Dialer0 3478
ip nat inside source static udp 172.16.201.151 3479 interface Dialer0 3479
ip nat inside source static tcp 172.16.201.151 443 interface Dialer0 443
ip nat inside source static tcp 172.16.201.151 80 interface Dialer0 80
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.200.0 255.255.255.0 192.168.101.10
ip route 192.168.0.0 255.255.0.0 192.168.101.254
!
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended PS4_Ports
 permit tcp any host 172.16.201.151 eq 1935
 permit tcp any host 172.16.201.151 eq 3478
 permit tcp any host 172.16.201.151 eq 3479
 permit tcp any host 172.16.201.151 eq 3480
 permit udp any host 172.16.201.151 eq 2001
 permit udp any host 172.16.201.151 eq 3074
 permit udp any host 172.16.201.151 eq 3478
 permit udp any host 172.16.201.151 eq 3479
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 172.16.200.151
 permit ip any host 172.16.201.151
 permit ip any host 10.10.10.10
!
logging trap debugging
logging 192.168.201.185
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 172.16.200.0 0.0.0.255 any
access-list 100 permit ip 172.16.201.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 host 192.168.100.240
access-list 101 deny   ip 192.168.0.0 0.0.255.255 host 192.168.100.241
access-list 101 deny   ip 192.168.0.0 0.0.255.255 host 192.168.100.242
access-list 101 deny   ip 192.168.0.0 0.0.255.255 host 192.168.100.243
access-list 101 deny   ip 192.168.0.0 0.0.255.255 host 192.168.100.244
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip host 172.16.200.151 any
access-list 101 permit ip host 172.16.201.151 any
access-list 103 remark =Timed Access SCHOOLWEEK=
access-list 103 permit ip any any time-range SCHOOLWEEK
access-list 104 remark =Timed Access NIGHTDOWN=
access-list 104 permit ip any any time-range NIGHTDOWN
dialer-list 1 protocol ip list 101
!
!
!
!
!
snmp-server community xxxxxxxxxxxxx RO
tftp-server flash0:/SCCP41.9-1-1SR1S.loads
tftp-server flash:SCCP41.9-1-1SR1S.loads
tftp-server flash:term41.default.loads alias term41.default.loads
tftp-server flash:term61.default.loads alias term61.default.loads
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
dial-peer voice 1 voip
 description *** Incoming calls to SIP Trunk ***
 session protocol sipv2
 session target sip-server
 incoming called-number .T
 voice-class codec 1
 no vad
!
dial-peer voice 10 voip
 description *** Outgoung SIP Trunk ***
 translation-profile outgoing out
 destination-pattern 0T
 session protocol sipv2
 session target sip-server
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
!
sip-ua
 credentials username 07xxxxxx1833 password 7 xxxxxxxxxxxxxxxxx realm tel.t-online.de
 authentication username xxxxxxxxxxxxx@t-online.de password 7 xxxxxxxxxxxxxxxxxx
 no remote-party-id
 timers connect 100
 registrar dns:tel.t-online.de expires 3600
 sip-server dns:tel.t-online.de
!
!
!
gatekeeper
 shutdown
!
!
telephony-service
 max-ephones 4
 max-dn 8
 ip source-address 192.168.2.100 port 2000
 cnf-file location flash:
 load 7961 SCCP41.9-1-1SR1S.loads
 time-format 24
 date-format dd-mm-yy
 max-conferences 8 gain -6
 web admin system name xxxxx password xxxxxxxxxxxxx
 dn-webedit
 time-webedit
 transfer-system full-consult
 create cnf-files version-stamp 7960 Nov 22 2018 19:32:45
!
!
ephone-dn  1  dual-line
 number 1833 secondary 07xxxxx1833 no-reg primary
!
!
ephone-dn  2  dual-line
 number 1844 secondary 07xxxxx1844 no-reg primary
!
!
ephone  1
 device-security-mode none
 description MyOffice
 mac-address 001B.5452.45AB
 speed-dial 6 01xxxxxxxxx10 label "Matt Mobile"  
 type 7961
 button  1:1
!
!
!
ephone  2
 device-security-mode none
 description AliOffice
 mac-address 001D.A266.8701
 speed-dial 2 01xxxxxxxx10 label "Matt Mobile"  
 type 7941
 button  1:1
!
!
!
banner login ^C === Get Outta my Stuff! === ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 1.de.pool.ntp.org
time-range NIGHTDOWN
 periodic Monday 6:00 to Tuesday 0:00
 periodic Tuesday 6:00 to Wednesday 0:00
 periodic Wednesday 6:00 to Thursday 0:00
 periodic Thursday 6:00 to Friday 0:00
 periodic Friday 6:00 to Saturday 0:00
 periodic Saturday 6:00 to Sunday 0:00
 periodic Sunday 6:00 to Monday 0:00
!
time-range SCHOOLWEEK
 periodic Monday 6:00 to 8:00
 periodic Monday 16:00 to 21:30
 periodic Tuesday 6:00 to 8:00
 periodic Tuesday 16:00 to 21:30
 periodic Wednesday 6:00 to 8:00
 periodic Wednesday 16:00 to 21:30
 periodic Thursday 6:00 to 8:00
 periodic Thursday 16:00 to 21:30
 periodic Friday 6:00 to 8:00
 periodic Friday 16:00 to 23:59
 periodic Saturday 6:00 to 23:59
 periodic Sunday 6:00 to 21:30
!
end

Url: https://administrator.de/contentid/393815

aqui
Solution aqui 24.11.2018 updated at 20:05:17
We can continue in English if you like, no problem.
At first you should provide some debug messages which show that SIP connections pass through the ZFW. Especially the answers from the provider. That way we might get an idea about the SIP session status.
If in doubt you can also disable ZFW for a short term to make sure SIP and RTP can pass through to the provider.
Your config shows that you only inspect ICMP traffic from the router itself (self zone).
Due to the fact that your router itself is the SIP endpoint you should have a closer look at what you pass from the self zone to the internet. It's possible that the ZFW filters all non-ICMP traffic here.
Here you definitely need to open the firewall for SIP and RTP or, as a first shotgun approach, to test TCP and UDP globally.
I guess here is a point to look at.
Overall your ZFW config looks a bit overloaded. You should maybe as a first step keep it a bit simpler and less specific so as not to create so many possible traps.
Maybe in a first step just bring a simple local LAN to internet scenario to work, including voice, and extend that afterwards to the other segments and tighter ZFW rules.
That way you have control over the single steps and can quickly move back.
Take a look at the 880/890 tutorial here which has some further details on the ZFW config:
Cisco 880, 890 und ISR Router Konfiguration mit xDSL, Kabel oder FTTH Anschluss plus VPN und IP-TV
Unfortunately in German... :(
murphster
murphster 24.11.2018 at 20:28:54
Hey Aqui, I followed your C880 with my first Cisco 886 Router in 2016, great tutorial :)

Great Point (slaps head), let me try and add RTP as this is missing everywhere :/

I admit the ZFW is heavy, it started out quite lean, then the DMZ was added, and the Voice protocols just overload it completely, don't believe I need half of them.

It looks like I am getting SIP messages out, but no responses.

Below is the only zone where SIP packets are counted, 0 packets on all other zones. I will add the RTP and compare your 880 basis ZFW with my current one, see if I can loosen it up a bit :)

policy exists on zp ccp-zp-out-self
Zone-pair: ccp-zp-out-self
Service-policy inspect : ccp-permit
Class-map: ccp-sip-inspect (match-any)
Match: protocol sip
15543 packets, 8602757 bytes
30 second rate 0 bps
Pass
14233 packets, 8032935 bytes
Class-map: ccp-h323-inspect (match-any)
Match: protocol h323
4 packets, 88 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323annexe-inspect (match-any)
Match: protocol h323-annexe
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h225ras-inspect (match-any)
Match: protocol h225ras
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-h323nxg-inspect (match-any)
Match: protocol h323-nxg
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: ccp-skinny-inspect (match-any)
Match: protocol skinny
34 packets, 760 bytes
30 second rate 0 bps
Inspect
Class-map: IPSEC-inspect (match-all)
Match: access-group name ISAKMP_IPSEC
Pass
14 packets, 3268 bytes
Class-map: class-default (match-any)
Match: any
Drop
30563 packets, 1092510 bytes


Currently only messages sent appear in the console:

027454: Nov 24 20:18:43.673 CET: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
REGISTER sip:tel.t-online.de:5060 SIP/2.0
Via: SIP/2.0/UDP 87.138.114.72:5060;branch=z9hG4bK41F15DE
From: <sip:07xxxxx1833@tel.t-online.de>;tag=295B09E4-513
To: <sip:07xxxxx1833@tel.t-online.de>
Date: Sat, 24 Nov 2018 19:18:43 GMT
Call-ID: 4AxxxxBA-EFxxxxE8-80xxxx90-DBxxxx95
User-Agent: Cisco-SIPGateway/IOS-12.x
C2901_RT1#debug sip
Timestamp: 1543087123
CSeq: 32 REGISTER
Contact: <sip:07xxxxx1833@87.xx.xx.72:5060>
Expires: 3600
Supported: path
Content-Length: 0

Here the SIP Stats:

SIP Response Statistics (Inbound/Outbound)
Informational:
Trying 0/0, Ringing 0/0,
Forwarded 0/0, Queued 0/0,
SessionProgress 0/0
Success:
OkInvite 0/0, OkBye 0/0,
OkCancel 0/0, OkOptions 0/0,
OkPrack 0/0, OkRegister 0/0
OkSubscribe 0/0, OkNotify 0/0, OkPublish 0/0
OkInfo 0/0, OkUpdate 0/0,
202Accepted 0/0, OkOptions 0/0
Redirection (Inbound only except for MovedTemp(Inbound/Outbound)) :
MultipleChoice 0, MovedPermanently 0,
MovedTemporarily 0/0, UseProxy 0,
AlternateService 0
Client Error:
BadRequest 0/0, Unauthorized 0/0,
PaymentRequired 0/0, Forbidden 0/0,
NotFound 0/0, MethodNotAllowed 0/0,
NotAcceptable 0/0, ProxyAuthReqd 0/0,
ReqTimeout 0/0, Conflict 0/0, Gone 0/0,
ConditionalRequestFailed 0/0,
ReqEntityTooLarge 0/0, ReqURITooLarge 0/0,
UnsupportedMediaType 0/0, UnsupportedURIScheme 0/0,
BadExtension 0/0, IntervalTooBrief 0/0,
TempNotAvailable 0/0, CallLegNonExistent 0/0,
LoopDetected 0/0, TooManyHops 0/0,
AddrIncomplete 0/0, Ambiguous 0/0,
BusyHere 0/0, RequestCancel 0/0,
NotAcceptableMedia 0/0, BadEvent 0/0,
SETooSmall 0/0, , RequestPending 0/0
UnsupportedResourcePriority 0/0
Server Error:
InternalError 0/0, NotImplemented 0/0,
BadGateway 0/0, ServiceUnavail 0/0,
GatewayTimeout 0/0, BadSipVer 0/0,
PreCondFailure 0/0
Global Failure:
BusyEverywhere 0/0, Decline 0/0,
NotExistAnywhere 0/0, NotAcceptable 0/0
Miscellaneous counters:
RedirectRspMappedToClientErr 0
SIP Total Traffic Statistics (Inbound/Outbound)
Invite 0/49, Ack 0/0, Bye 0/0,
Cancel 0/0, Options 0/0,
Prack 0/0, Update 0/0,
Subscribe 0/0, Notify 0/0, Publish 0/0
Refer 0/0, Info 0/0,
Register 0/14828
Retry Statistics
Invite 42, Bye 0, Cancel 0, Response 0,
Prack 0, Reliable1xx 0, Notify 0, Info 0
Register 12709 Subscribe 0 Update 0 Options 0
Publish 0
SDP application statistics:
Parses: 0, Builds 7
Invalid token order: 0, Invalid param: 51
Not SDP desc: 0, No resource: 0
Last time SIP Statistics were cleared: <never>
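A small parser for the zone-pair counters quoted in this post, added here as an example (it is not from the thread or from Cisco). It reads the `show policy-map type inspect zone-pair` output into per-class match and action counters so that the pass, inspect and drop totals of a zone-pair can be compared at a glance; the embedded text is the relevant part of the output shown above.

```python
import re
from dataclasses import dataclass, field

# Relevant lines of the "show policy-map type inspect zone-pair" output quoted
# in the post above (zone-pair ccp-zp-out-self), embedded so this runs offline.
ZBF_STATS = """\
Zone-pair: ccp-zp-out-self
Service-policy inspect : ccp-permit
Class-map: ccp-sip-inspect (match-any)
Match: protocol sip
15543 packets, 8602757 bytes
30 second rate 0 bps
Pass
14233 packets, 8032935 bytes
Class-map: ccp-h323-inspect (match-any)
Match: protocol h323
4 packets, 88 bytes
30 second rate 0 bps
Inspect
Class-map: IPSEC-inspect (match-all)
Match: access-group name ISAKMP_IPSEC
Pass
14 packets, 3268 bytes
Class-map: class-default (match-any)
Match: any
Drop
30563 packets, 1092510 bytes
"""

ACTIONS = ("pass", "inspect", "drop")


@dataclass
class ClassStats:
    name: str
    matches: list = field(default_factory=list)  # [criterion, packets or None]
    action: str = ""
    action_packets: int = 0

    def packets(self):
        """Packets handled by this class: the action counter where IOS prints
        one (pass/drop), otherwise the sum of the match counters (inspect)."""
        return self.action_packets or sum(p or 0 for _, p in self.matches)


def parse_zbf_stats(text):
    """Parse the per-class counters into ClassStats objects, in policy order."""
    classes, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Class-map: (\S+)", line)
        if m:
            current = ClassStats(m.group(1))
            classes.append(current)
        elif current is None:
            continue                      # zone-pair / policy header lines
        elif line.startswith("Match: "):
            current.matches.append([line[7:], None])
        elif line.lower() in ACTIONS or line.lower() == "drop log":
            current.action = line.split()[0].lower()
        else:
            m = re.match(r"(\d+) packets, (\d+) bytes", line)
            if not m:
                continue                  # "30 second rate" lines etc.
            pkts = int(m.group(1))
            if current.action:            # counter printed after the action
                current.action_packets = pkts
            elif current.matches and current.matches[-1][1] is None:
                current.matches[-1][1] = pkts   # counter of the last Match line
    return classes


def summarize(classes):
    """Return packet totals per action and the classes that saw any traffic."""
    totals = {a: 0 for a in ACTIONS}
    active = [c.name for c in classes if c.packets() > 0]
    for c in classes:
        if c.action:
            totals[c.action] += c.packets()
    return totals, active
```

Running `summarize(parse_zbf_stats(ZBF_STATS))` shows that, on this zone-pair, class-default drops roughly twice as many packets as every other class handles together, which is the counter to watch when tightening or loosening the self-zone policy.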
aqui
Solution aqui 25.11.2018 updated at 12:54:00
It looks like I am getting SIP messages out, but no responses.
That you definitely need to check !
Best way is to watch that with an external Wireshark if possible.
It can have two reasons:
  • Provider did not receive your SIP packets
  • Answer packets from the provider were blocked somewhere
First option is pretty seldom. That would mean you have another firewall or another blocking device between your Cisco and the provider, which in a direct internet scenario is of course pretty seldom.
So if we assume SIP packets went out to the provider you should have a closer look at the SIP return packets from the provider !
I fear that they were blocked inside your ZFW somehow. Remember: that is your self zone. If you inspect only ICMP there, all other traffic is blocked !
The statistics you provided prove that. Only invites were sent out. There is nothing which comes in return.
So the first goal is to check the ZFW config ! Or temporarily turn it off to first check SIP connectivity and, in case that works, fine-tune the ZFW. ;)
murphster
murphster 27.11.2018 at 08:58:07
Hey Aqui, quick update...

Managed to find the issue in the firewall (conflicting argument), now phones are registering and had some luck in dialing in and out (although not so reliable and audio wasn't fantastic).

Found out there was a known DSP bug in the 15.1 IOS image which cancelled calls sporadically with DSP status unknown errors, so upgraded that and now trying to reconfigure as 15.7 has some deprecated and new commands/config quirks :) Need to get CME 12 phone firmware files from somewhere.

Noticed quite a lot of port scans and "SIPVICIOUS" OPTION requests coming in, so wanna make it more secure also, see below

Received:
OPTIONS sip:100@87.xxx.xxx.72 SIP/2.0
Via: SIP/2.0/UDP 185.53.91.58:5060;branch=z9hG4bK-1415067283;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3537386137323438313363340131303235333533353631
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@185.53.91.58:5060
CSeq: 1 OPTIONS
Call-ID: 1003516087935210252948973
Max-Forwards: 70

I have the SIP server address ranges from Telekom, so I can use the (voice service voip) ip address trusted authenticate command and manually add and authenticate the requests my SIP end-point responds to. I believe I can also limit OPTION requests which should stop the malicious scanners out there.

Once I get it running reliably I'll post back here. Maybe other forum members could benefit from a CME Telekom config guide, I have found lots of requests for one on the web but no tutorial or guide anywhere. Wouldn't want to post it without an experienced eye checking I haven't opened the world to my network though ;)

All the best! Matt
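Added example (Python, not from the thread or from Cisco) of the two checks described in this post, written as detection logic that could run over captured SIP traffic: a trusted-source list standing in for the router's `ip address trusted list`, and the scanner fingerprints from the OPTIONS probe quoted above. The trusted network (192.0.2.0/24) and the 401 registrar response are constructed placeholders, since the real Telekom ranges and answers are not on this page.

```python
import ipaddress
import re

# Constructed placeholder for the provider's SIP source ranges (the real Telekom
# ranges are not on this page); plays the role of "ip address trusted list".
TRUSTED_SIP_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# Fingerprints taken from the OPTIONS probe quoted in the post above.
SCANNER_USER_AGENTS = ("friendly-scanner",)
SCANNER_DISPLAY_NAMES = ("sipvicious",)

# The scanner probe as quoted in the post (public address anonymised as there).
SIPVICIOUS_OPTIONS = """\
OPTIONS sip:100@87.xxx.xxx.72 SIP/2.0
Via: SIP/2.0/UDP 185.53.91.58:5060;branch=z9hG4bK-1415067283;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3537386137323438313363340131303235333533353631
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@185.53.91.58:5060
CSeq: 1 OPTIONS
Call-ID: 1003516087935210252948973
Max-Forwards: 70

"""

# Constructed registrar answer to the REGISTER shown earlier in the thread.
PROVIDER_401 = """\
SIP/2.0 401 Unauthorized
From: <sip:07xxxxx1833@tel.t-online.de>;tag=295B09E4-513
To: <sip:07xxxxx1833@tel.t-online.de>;tag=constructed
Call-ID: 4AxxxxBA-EFxxxxE8-80xxxx90-DBxxxx95
CSeq: 32 REGISTER
WWW-Authenticate: Digest realm="tel.t-online.de", nonce="constructed"
Content-Length: 0

"""


def parse_sip(raw):
    """Split a SIP message into start-line fields and a header dict.
    Header names are lower-cased; a repeated header keeps its first value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    msg = {"headers": {}, "body": body}
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", start)
    if m:
        msg.update(kind="request", method=m.group(1), uri=m.group(2))
    else:
        m = re.match(r"^SIP/2\.0 (\d{3}) (.*)$", start)
        if not m:
            raise ValueError("not a SIP start line: %r" % start)
        msg.update(kind="response", status=int(m.group(1)), reason=m.group(2))
    for line in header_lines:
        name, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            msg["headers"].setdefault(name.strip().lower(), value.strip())
    return msg


def scanner_indicators(msg):
    """Header values matching the scanner fingerprints seen in the thread."""
    h = msg["headers"]
    reasons = []
    ua = h.get("user-agent", "").lower()
    if any(s in ua for s in SCANNER_USER_AGENTS):
        reasons.append("user-agent " + ua)
    for name in ("from", "to"):
        if any(s in h.get(name, "").lower() for s in SCANNER_DISPLAY_NAMES):
            reasons.append(name + " header carries a scanner display name")
    return reasons


def is_trusted_source(src_ip, trusted=TRUSTED_SIP_SOURCES):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def classify(raw, src_ip):
    """Decide whether an inbound SIP message from src_ip deserves an answer.
    Returns ("accept"|"drop", reasons) so every drop can be logged with a cause."""
    msg = parse_sip(raw)
    reasons = []
    if not is_trusted_source(src_ip):
        reasons.append("source %s not in trusted list" % src_ip)
    reasons.extend(scanner_indicators(msg))
    return ("drop" if reasons else "accept"), reasons
```

`classify(SIPVICIOUS_OPTIONS, "185.53.91.58")` drops the probe with four logged reasons, while `classify(PROVIDER_401, "192.0.2.10")` accepts the constructed registrar answer.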
aqui
aqui 27.11.2018 at 10:19:56
Congrats ! :) Sounds good.
Feedback is always welcome...