Hi Alan,
Thanks, that config helps a lot.
I have a couple of questions if you don't mind:
-I don't see you're using SIP-Options-Keepalive 10 and 20 that were configured. Perhaps they're applied somewhere else in the config?
-DPG 10 used in the inbound Dial-peer 20 directs the call to the outbound Dial-peer 21, sending the call back out. Is this just an editing blip? In my case I would need to send the call from Genesys to my Call Manager cluster.
-In dial-peer 20, the line " youryourcompanyoming uri via GENESYS" should be "incoming uri via GENESYS", correct?
-And one more, any recommendations on making TLS work? I'm finding many people having problems with that.
Thanks again for your helpful reply.
OJ
------------------------------
OSCAR M JAIME
------------------------------
Original Message:
Sent: 06-23-2026 22:45
From: Alan Lin
Subject: Configuration for Cisco CUBE (with NAT) for Genesys Cloud BYOC integration
Hi Oscar,
Below the edited sample. Hope it helps.
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform sslvpn use-pd
platform console virtual
!
hostname GENESYS-SBC
!
boot-start-marker
boot-end-marker
!
!
logging buffered 99999999
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 10.10.20.49 10.10.50.249
!
!
!
login on-success log
!
!
subscriber templating
vtp version 1
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
pae
!
!
crypto pki trustpoint TP-self-signed-999998888
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-999998888
revocation-check none
rsakeypair TP-self-signed-999998888
hash sha256
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
hash sha256
!
crypto pki trustpoint EmptyTP
revocation-check none
hash sha256
!
crypto pki trustpoint CUBE-2025
enrollment terminal
fqdn GENESYS-SBC.yourcompany.com
subject-name cn=GENESYS-SBC.yourcompany.com
subject-alt-name GENESYS-SBC.yourcompany.com
revocation-check none
rsakeypair CUBE
hash sha256
!
crypto pki trustpoint DigiCertHighAssuranceEVRoot
enrollment terminal
revocation-check none
hash sha256
!
crypto pki trustpoint DigiCertGlobalRootG2
enrollment terminal
revocation-check none
hash sha256
!
crypto pki trustpoint DigiCertGlobalRootG3
enrollment terminal
revocation-check none
hash sha256
!
crypto pki trustpoint CUBE-2026
enrollment terminal
fqdn GENESYS-SBC.yourcompany.com
subject-name cn=GENESYS-SBC.yourcompany.com
subject-alt-name GENESYS-SBC.yourcompany.com
revocation-check none
rsakeypair CUBE
hash sha256
!
!
crypto pki certificate chain TP-self-signed-999998888
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
!
!
voice service voip
ip address trusted list
ipv4 52.129.96.0 255.255.240.0
ipv4 167.234.48.0 255.255.240.0
ipv4 136.245.64.0 255.255.192.0
ipv4 169.150.104.0 255.255.248.0
rtcp keepalive
address-hiding
mode border-element
allow-connections sip to sip
no supplementary-service sip refer
supplementary-service media-renegotiate
trace
sip
session refresh
header-passing
midcall-signaling passthru media-change
early-offer forced
!
voice class uri GENESYS sip
host ipv4:52.203.12.137
host ipv4:54.82.241.192
host ipv4:54.82.241.68
host ipv4:54.82.188.43
!
voice class sip-profiles 20
rule 10 request ANY sip-header Contact modify "@INTERNAL_IP:" "@EXTERNAL_IP:"
rule 20 response ANY sip-header Contact modify "@INTERNAL_IP:" "@EXTERNAL_IP:"
rule 30 request ANY sip-header SIP-Req-URI modify "sip:(.*):5061 (.*)" "sip:\1:5061;user=phone \2"
rule 70 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "EXTERNAL_IP"
rule 71 response ANY sdp-header Connection-Info modify "IN IP4 INTERNAL_IP" "IN IP4 EXTERNAL_IP"
rule 72 response ANY sdp-header Audio-Connection-Info modify "IN IP4 INTERNAL_IP" "IN IP4 EXTERNAL_IP"
rule 73 request ANY sdp-header Connection-Info modify "IN IP4 INTERNAL_IP" "IN IP4 EXTERNAL_IP"
rule 74 request ANY sdp-header Audio-Connection-Info modify "IN IP4 INTERNAL_IP" "IN IP4 EXTERNAL_IP"
rule 130 response ANY sdp-header Audio-Attribute modify "a=rtcp:(.) IN IP4 INTERNAL_IP " "a=rtcp:\1 IN IP4 205.1 67.79.15 "
rule 140 request ANY sdp-header Audio-Attribute modify "a=rtcp:(.) IN IP4 INTERNAL_IP " "a=rtcp:\1 IN IP4 205.16 7.79.15 "
rule 150 response ANY sdp-header Audio-Attribute modify "a=candidate:1 1(.) INTERNAL_IP (.) " "a=candidate:1 1\1 EXTERNAL_IP \2"
rule 160 request ANY sdp-header Audio-Attribute modify "a=candidate:1 1(.) INTERNAL_IP (.) " "a=candidate:1 1\1 EXTERNAL_IP \2"
rule 170 response ANY sdp-header Audio-Attribute modify "a=candidate:1 2(.) INTERNAL_IP (.) " "a=candidate:1 2\1 EXTERNAL_IP \2"
rule 180 request ANY sdp-header Audio-Attribute modify "a=candidate:1 2(.) INTERNAL_IP (.) " "a=candidate:1 2\1 EXTERNAL_IP \2"
!
voice class sip-profiles 21
request ANY sip-header Contact modify "INTERNAL_IP" "EXTERNAL_IP"
response ANY sip-header Contact modify "INTERNAL_IP" "EXTERNAL_IP"
request ANY sip-header From modify "INTERNAL_IP" "EXTERNAL_IP"
request ANY sip-header Via modify "INTERNAL_IP" "EXTERNAL_IP"
response ANY sdp-header Audio-Connection-Info modify "INTERNAL_IP" "EXTERNAL_IP"
response ANY sdp-header Connection-Info modify "INTERNAL_IP" "EXTERNAL_IP"
response ANY sdp-header Session-Owner modify "INTERNAL_IP" "EXTERNAL_IP"
request ANY sdp-header Session-Owner modify "INTERNAL_IP" "EXTERNAL_IP"
request ANY sdp-header Connection-Info modify "INTERNAL_IP" "EXTERNAL_IP"
request ANY sdp-header Audio-Connection-Info modify "INTERNAL_IP" "EXTERNAL_IP"
!
!
voice class dpg 20
description to Genesys
dial-peer 21
!
voice class server-group 20
ipv4 52.203.12.137 preference 1
ipv4 54.82.241.192 preference 2
ipv4 54.82.241.68 preference 3
ipv4 54.82.188.43 preference 4
description Genesys
!
voice class sip-options-keepalive 10
!
voice class sip-options-keepalive 20
transport tcp tls
sip-profiles 21
!
voice class tenant 10
no remote-party-id
retry invite 3
timers trying 150
connection-reuse
rel1xx disable
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
!
voice class tenant 20
no remote-party-id
retry invite 3
timers trying 150
connection-reuse
srtp-crypto 20
session transport tcp tls
rel1xx disable
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
sip-profiles 20
!
voice class srtp-crypto 20
crypto 1 AES_CM_128_HMAC_SHA1_80
!
memory free low-watermark processor 202935
diagnostic bootup level minimal
!
!
spanning-tree extend system-id
!
!
redundancy
!
interface GigabitEthernet2
ip address INTERNAL_IP 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint CUBE-2026
ip route 0.0.0.0 0.0.0.0 8.8.8.8
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
dial-peer voice 20 voip
description INBOUND FROM GENESYS
session protocol sipv2
destination dpg 10
youryourcompanyoming uri via GENESYS
voice-class sip tenant 20
dtmf-relay rtp-nte
srtp
codec g711ulaw
no vad
!
dial-peer voice 21 voip
description OUTBOUND TO GENESYS
destination-pattern BBB.BBB
session protocol sipv2
session target dns:youryourcompany.byoc.mypurecloud.com:5061
session transport tcp tls
voice-class sip profiles 21
voice-class sip tenant 20
dtmf-relay rtp-nte
srtp
codec g711ulaw
no vad
!
!
sip-ua
retry invite 2
timers connection establish tls 10
transport tcp tls v1.2
crypto signaling default trustpoint CUBE-2026
!
------------------------------
Alan Lin
Architect
------------------------------