Block incoming Calls based off of ANI. (incoming or originating phone number)

Joshua Engels · ‎06-25-2012

The following is an example of how to setup call blocking based off of incoming Caller's ANI.

In this example, my voice environment consist of an 8.6 CUCM Pub with 3 Subscribers. I have three Cisco 2911 H.323 voice gateways with 1 PRI in each. I put together this simple 3 step process based off of a Cisco configuration guide. I tested it on my cell phone and a coupe of others and it worked great. Here are the three steps:

Block Incoming Calls based off of ANI

The following configuration must be applied to each voice gateway. It is done in basically 3 steps:

1. Create a Translation Rule

Within the translation rule you will use the reject command followed by the pattern you wish to block. In this case we use the entire phone number.

router#conf t

router(config)#voice translation-rule 1

router(config-xxx)#rule 1 reject /^8055553538$/
router(config-xxx)#rule 2 reject /^4805557904$/

Moving forward, you can continue to add rules to reject numbers as you see fit.

Example:

router(config-xxx)#rule 3 reject /^4805557905$/ and so on.

2. Apply the Translation rule to a Translation Profile and give it a name

(This will be used to apply to the incoming Dial-peer(s).)

router#conf t

router(config)#voice translation-profile call_block

router(config-xxx)#translate calling 1

In this case we named the Translation Profile "call_block"

3. Apply Translation Profile to incoming Dial-peers (only) on each router

router#conf t

router(config)#dial-peer voice 1 pots

router(config-xxx)#call-block translation-profile incoming call_block

router(config-xxx)#call-block disconnect-cause incoming call-reject

In our case, we apply this to dial-peer 1 on each voice gateway as this is the incoming dial-peer for each location.

The dial-peer looks like this after configuration: (At least in our environment)

dial-peer voice 1 pots

call-block translation-profile incoming call_block

call-block disconnect-cause incoming call-reject

incoming called-number .

direct-inward-dial

Hope this helps for anyone out there looking to block based on incoming calling numbers.

fpavicic · ‎09-28-2012

Nice work there, i made a similar conf, and blocked all numbers begining with 060 and 064:

rule 1 /^060/ /9999/

rule 2 /^064/ /9999/

antoniosantosneto · ‎01-16-2013

is possible redirect a call to especific hunt-goup using similar configuration?

wdgarfield1 · ‎09-13-2013

We used this method successfully until we quickly reached the maximum number of blocking rules (15). I see we can do this on the CUCM (8x & later) with a couple of CSS & Partitions, then build Xlate patterns to block based on calling party number. That's fine except I'd like to be able to do the blocking on the GW router if I could. How do I get around this limit of 15? Someone mentioned IOS 15.3(T) expanded this capacity to 100 rules, which again is fine, but where do I go after I hit 100 reject rules?

TIA

Bill

Joshua Engels · ‎09-26-2013

Hi Bill, that is a good question. Typically we purge out the older rules when and if we reach our maximum if we are blocking specific numbers. Or you can block out groups of numbers using expressions the way fpavici describes above.

conie saga · ‎05-25-2014

Excellent document !!

Thanks for sharing

Regards

Mitch McGill · ‎06-11-2015

Bill,

I found an interesting way to block more if needed. You can create incoming dial-peers matching by answer-address and then apply a translation rule that rejects the call or reroutes the called number to something invalid.

You can create as many as you have memory for (Dial-peers consume 6k per peer).

Example:

voice translation-rule 99
rule 1 /^..../ /7778/
voice translation-profile FILTER_LIST
translate called 99

dial-peer voice 99 pots
translation-profile incoming FILTER_LIST
answer-address 5558675309

This will take calls that patch the peer and forward them to 7778, which I have configured in Unity as a call handler that says "goodbye" then hangs up.

Keep in mind if you are running CUBE that if you match the inbound calls using a "incoming called number .T" dial-peer it will take precedence over answer address. You will have to convert you peer to "answer-address .T".

I hope that is helpful!

Mitch

pietro colosio · ‎06-19-2015

Hi all,

I need to block an incoming call on my CME ver 9.1.

I follow the example but not working. Below my configuration:

voice translation-rule 1
rule 1 // /0/ type unknown unknown
rule 2 // /00/ type national national
rule 3 // /000/ type international international
!
voice translation-rule 2
rule 1 /^100/ /100/
rule 2 /^101/ /101/
rule 3 /^110/ /110/
rule 4 /^111/ /111/
rule 5 /^112/ /112/
rule 6 /^113/ /113/
rule 7 /^114/ /114/
rule 8 /^115/ /115/
rule 9 /^116/ /116/
rule 10 /^117/ /117/
rule 11 /^118/ /118/
rule 12 /^119/ /119/
rule 13 /^120/ /120/
!
voice translation-rule 3
rule 1 /101/ /xxxxxxx101/
rule 2 /.../ /xxxxxxx100/
!
voice translation-rule 4
rule 1 /^0$[0-9]$/ /\1/
!
voice translation-rule 6
rule 1 reject /009715297xxxxx/
rule 2 reject /^3903072xxxxx/
!
!
voice translation-profile IN-PSTN
translate calling 1
translate called 2
!
voice translation-profile OUT-PSTN
translate calling 3
translate called 4
!
voice translation-profile call_block
translate calling 6
!

dial-peer voice 10 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile incoming IN-PSTN
incoming called-number .T
no digit-strip
direct-inward-dial
!
dial-peer voice 20 pots
trunkgroup BRITrunk
corlist outgoing Internazionali
tone ringback alert-no-PI
description Outgoingdp
translation-profile outgoing OUT-PSTN
destination-pattern 000T
no digit-strip
direct-inward-dial
!
dial-peer voice 30 pots
trunkgroup BRITrunk
corlist outgoing Nazionali
tone ringback alert-no-PI
description Outgoingdp
translation-profile outgoing OUT-PSTN
destination-pattern 00T
no digit-strip
direct-inward-dial
!
dial-peer voice 40 pots
trunkgroup BRITrunk
corlist outgoing Cellulari
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 03T
no digit-strip
direct-inward-dial
!
dial-peer voice 50 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 11.
no digit-strip
direct-inward-dial
!
dial-peer voice 60 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 011.
no digit-strip
direct-inward-dial
!
dial-peer voice 1 pots
service stcapp
port 0/2/1
!
dial-peer voice 2 pots
service stcapp
port 0/2/2
!
dial-peer voice 70 pots
trunkgroup BRITrunk
call-block translation-profile incoming call_block
call-block disconnect-cause incoming call-reject
incoming called-number .

Can you kindly help me?

Best regards

Pietro

pietro colosio · ‎06-22-2015

Hi Joshua Engels

i have followed your guide but not work.

The number is not blocked by my call manager relesa 9.1 (below my rule)

voice translation-rule 1
rule 1 // /0/ type unknown unknown
rule 2 // /00/ type national national
rule 3 // /000/ type international international
!
voice translation-rule 2
rule 1 /^100/ /100/
rule 2 /^101/ /101/
rule 3 /^110/ /110/
rule 4 /^111/ /111/
rule 5 /^112/ /112/
rule 6 /^113/ /113/
rule 7 /^114/ /114/
rule 8 /^115/ /115/
rule 9 /^116/ /116/
rule 10 /^117/ /117/
rule 11 /^118/ /118/
rule 12 /^119/ /119/
rule 13 /^120/ /120/
!
voice translation-rule 3
rule 1 /101/ /xxxxxxx101/
rule 2 /.../ /xxxxxxx100/
!
voice translation-rule 4
rule 1 /^0$[0-9]$/ /\1/
!
voice translation-rule 6
rule 1 reject /009715297xxxxx/
rule 2 reject /^3903072xxxxx/
!
!
voice translation-profile IN-PSTN
translate calling 1
translate called 2
!
voice translation-profile OUT-PSTN
translate calling 3
translate called 4
!
voice translation-profile call_block
translate calling 6
!

dial-peer voice 10 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile incoming IN-PSTN
incoming called-number .T
no digit-strip
direct-inward-dial
!
dial-peer voice 20 pots
trunkgroup BRITrunk
corlist outgoing Internazionali
tone ringback alert-no-PI
description Outgoingdp
translation-profile outgoing OUT-PSTN
destination-pattern 000T
no digit-strip
direct-inward-dial
!
dial-peer voice 30 pots
trunkgroup BRITrunk
corlist outgoing Nazionali
tone ringback alert-no-PI
description Outgoingdp
translation-profile outgoing OUT-PSTN
destination-pattern 00T
no digit-strip
direct-inward-dial
!
dial-peer voice 40 pots
trunkgroup BRITrunk
corlist outgoing Cellulari
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 03T
no digit-strip
direct-inward-dial
!
dial-peer voice 50 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 11.
no digit-strip
direct-inward-dial
!
dial-peer voice 60 pots
trunkgroup BRITrunk
tone ringback alert-no-PI
translation-profile outgoing OUT-PSTN
preference 1
destination-pattern 011.
no digit-strip
direct-inward-dial
!
dial-peer voice 1 pots
service stcapp
port 0/2/1
!
dial-peer voice 2 pots
service stcapp
port 0/2/2
!
dial-peer voice 70 pots
trunkgroup BRITrunk
call-block translation-profile incoming call_block
call-block disconnect-cause incoming call-reject
incoming called-number .

Can you kindly help me?

Best regards

Pietro

Aomar bahloul · ‎11-03-2015

you need to add the two lines below too your inbound dial-peer, on your case dial-peer voice 10 pot

call-block translation-profile incoming call_block
call-block disconnect-cause incoming call-reject

Aomar bahloul · ‎11-03-2015

I agree

YoloCourts ISDept · ‎10-21-2016

My apologies for not starting a new thread but so much of this thread could apply to my version of the question.

What if you had a certain block of numbers being used by your CER for the ERL masking and you only wanted to allow inbound calls from the PSAP to reach those numbers, not errant calls because the DIDs had been assigned by your provider prior to your assignment. Basically, there are only maybe 100 numbers I would allow that are part of a block, let's say 321-456-78XX and then to block any other numbers inbound for your set of DIDs. Imagine you already have a few hundred DIDs for normal calling concerns. You are trying to avoid your onsite emergency response desk from being overwhelmed with solicitor calls.

Thank you in advance for any reply

kaylap · ‎04-17-2018

Hey,

I am having issues with setting up our 2921 Voice Router to block calls from a particular number. This is what I have added to the router:

voice translation-rule 200
rule 1 reject /225571****/

voice translation-profile Call_Block
translate calling 200

dial-peer voice 10 pots (which is our incoming call dial-peer)
call-block translation-profile incoming Call_Block
call-block disconnect-cause incoming call-reject

Do you see anything I am missing or need to change?

Roger Kallberg · ‎02-15-2024

@Joshua Engels I know this is an old post, but I stumbled upon it as I linked to it for a question in the community. While reading it and the comments made by a few I noticed that you did have an error in step 2. You did not specify the rule to use for blocking the calling number in the profile, you had put in one of the commands that you'd use on the dial peer. As I have edit rights to this part of the community, I guess by being a Designated VIP, I took the liberty to edit that part and also remove the comments from others that pointed this error out to you as it's no longer contains that error. Other than that great post.

Vinay Bajpai · ‎02-18-2025

Current configuration : 8283 bytes

!

voice service voip

allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

!

voice class codec 100

codec preference 1 g711alaw

codec preference 2 g729r8

codec preference 3 g711ulaw

!

voice class h323 200

h225 timeout tcp establish 10

h225 timeout setup 10

!

voice translation-rule 10

rule 1 /^/ /9/ type national national

rule 2 /^/ /90/ type international international

!

voice translation-rule 111

rule 1 reject /^7566440344$/

!

voice translation-profile Block_Call

translate calling 111

!

voice translation-profile PSTN-INCOMING

translate called 2

!

voice translation-profile outbond-calling

translate calling 10

!

voice translation-profile profile1

translate calling 10

application

global

service alternate default

!

vxml logging-tag

license udi pid CISCO2911/K9 sn FGL201711BN

hw-module pvdm 0/0

!

object-group network local_cws_net

!

object-group network local_lan_subnets

any

!

object-group network vpn_remote_subnets

any

!

redundancy

!

controller E1 0/0/0

pri-group timeslots 1-31 service mgcp

description *** DID 0777 6666666 ***

!

controller E1 0/0/1

pri-group timeslots 1-31 service mgcp

description *** DID 7777777 ***

!

controller E1 0/1/0

pri-group timeslots 1-31 service mgcp

description *** DID 0777 8888888 ***

!

controller E1 0/1/1

shutdown

pri-group timeslots 1-31 service mgcp

description 0777 8888888

!

zone security LAN

zone security WAN

zone security VPN

zone security DMZ

!

interface Tunnel1

no ip address

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 10.10.10.254 255.255.0.0

ip helper-address 10.10.10.31

duplex auto

speed auto

h323-gateway voip interface

h323-gateway voip bind srcaddr 10.10.10.254

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0:15

no ip address

encapsulation hdlc

no cdp enable

isdn switch-type primary-net5

isdn incoming-voice voice

isdn bind-l3 ccm-manager

interface Serial0/0/1:15

no ip address

encapsulation hdlc

no cdp enable

isdn switch-type primary-net5

isdn incoming-voice voice

isdn bind-l3 ccm-manager

!

interface Serial0/1/0:15

no ip address

encapsulation hdlc

no cdp enable

isdn switch-type primary-net5

isdn incoming-voice voice

isdn bind-l3 ccm-manager

!

interface Serial0/1/1:15

no ip address

encapsulation hdlc

no cdp enable

isdn switch-type primary-net5

isdn incoming-voice voice

isdn bind-l3 ccm-manager

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 10.10.10.250

!

ip access-list extended nat-list

permit ip object-group local_lan_subnets any

!

control-plane

!

voice-port 0/0/0:15

!

voice-port 0/1/0:15

!

voice-port 0/1/1:15

!

voice-port 0/0/1:15

!

mgcp

mgcp call-agent 10.10.10.31 2427 service-type mgcp version 0.1

mgcp rtp unreachable timeout 1000 action notify

mgcp modem passthrough voip mode nse

mgcp package-capability rtp-package

mgcp package-capability sst-package

mgcp package-capability pre-package

no mgcp package-capability res-package

no mgcp timer receive-rtcp

mgcp sdp simple

mgcp fax t38 inhibit

mgcp bind control source-interface GigabitEthernet0/1

mgcp bind media source-interface GigabitEthernet0/1

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

sccp local GigabitEthernet0/1

sccp ccm 10.10.10.31 identifier 1 version 7.0

sccp ccm 10.10.10.30 identifier 2 version 7.0

sccp

sccp ccm group 1

associate ccm 1 priority 1

associate ccm 2 priority 2

associate profile 2 register transcoder

associate profile 1 register conference

!

ccm-manager music-on-hold

!

ccm-manager fallback-mgcp

ccm-manager redundant-host 10.10.10.30

ccm-manager mgcp

no ccm-manager fax protocol cisco

ccm-manager config server 10.10.10.31

ccm-manager config

!

dspfarm profile 2 transcode

codec g729abr8

codec g729ar8

codec g711alaw

codec g711ulaw

codec g729r8

maximum sessions 3

associate application SCCP

!

dspfarm profile 1 conference

codec g729br8

codec g729r8

codec g729abr8

codec g729ar8

codec g711alaw

codec g711ulaw

maximum sessions 4

associate application SCCP

!

dial-peer voice 5 pots

!

dial-peer voice 2 pots

!

dial-peer voice 100 pots

call-block translation-profile incoming Block_Call

call-block disconnect-cause incoming call-reject

destination-pattern .T

!

gatekeeper

shutdown

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

login local

transport input all

!

scheduler allocate 20000 1000

ntp master

ntp update-calendar

ntp server ntp.iiserb.ac.in

!

end

I tried to use the above highlighted configuration for the blocking of 7566440344 as an incoming call.
But somehow it is not working. I seek any help in this regard to solve this issue. Thank you.

Roger Kallberg · ‎02-18-2025

@Vinay Bajpai It looks like your dial peer is not setup as an inbound dial peer. Try adding these two lines.

incoming called-number .
direct-inward-dial

If that doesn't work then turn on these debugs and redo the call and collect the output so that we can look at what's going on.

debug voip ccapi inout
debug voip translation