
A lot of calls with numbers "100" and "101". Looks like self calls.

Razumets17
Level 1

Hi!!

Some of our codecs have the same problem. They receive outbound calls from the numbers "100" and "101". And if you look closer, these calls are coming from the same white IP address as the address of the codecs. So it means the codecs call themselves. And these calls have repeated too often lately (approximately 30 times per day).

Why does it happen, and how do we solve it?

 

With Best Regards,

Andrei Razumets.


There are many organizations which already see port and service scans as a malicious action.

So I would say you cannot say NOT, as it might depend on your position.

There are OPTIONS packets, but the main annoying parts are INVITEs, and if you have a VCS, for example, it will consume a call license if the call gets established.

As this will eat up a call license and this is an unwanted call, I also understand if somebody sees that as a malicious act.

Anyhow, whether it's malicious or just annoying, it sucks if your endpoint rings all the time or your log is flooded with such INVITEs/OPTIONS so you can't see anymore what you would like to see, ...

Please remember to rate helpful responses and identify

MIKE ZINNER
Level 1

I did say the program is not malicious "AS IS", but the script kiddies have mutated it & abused it.  What I did here was use entries in the router's access-list that permits 5060/61 only from our own SIP Registrars & Servers.  This may not be possible in all cases.  Another option is to turn on SIP only when you're expecting a call.  Really bad option, tough to keep up, but it would work.  About as elegant as a 3-legged elephant tho.

In the VCS I have a lot of Call Policies that drastically reduced the chance that a call will connect at all.  Where I used to see my VCS show high numbers in the peak calls, on the main status page, I now see only valid call peaks.  They still try, but get nowhere.  Be happy to share the policy entries with anyone who'd like them.
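The allowlist approach from the post above (SIP on 5060/5061 permitted only from your own registrars and servers), applied to a request log as an added example that is not part of the original thread. The addresses, the log layout and the names `ENDPOINT_IP`, `ALLOWED_SIP_SOURCES` and `triage` are assumptions made for illustration; the constructed sample also shows why such calls can look like self calls: the From header names the endpoint's own address while the packet source is somewhere else.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (documentation address ranges, not values from the thread):
ENDPOINT_IP = "198.51.100.200"                                   # the codec's public address
ALLOWED_SIP_SOURCES = [ipaddress.ip_network("192.0.2.10/32"),    # our registrar
                       ipaddress.ip_network("198.51.100.0/28")]  # our SIP servers
SIP_PORTS = {5060, 5061}

# Constructed log: "<packet source> <dst port> <request line> | <From header>"
SAMPLE_LOG = """\
203.0.113.77 5060 INVITE sip:100@198.51.100.200 SIP/2.0 | From: "100" <sip:100@198.51.100.200>
203.0.113.77 5060 OPTIONS sip:100@198.51.100.200 SIP/2.0 | From: "101" <sip:101@198.51.100.200>
192.0.2.10 5061 INVITE sip:room1@example.com SIP/2.0 | From: "Alice" <sip:alice@example.com>
203.0.113.90 5060 INVITE sip:100@198.51.100.200 SIP/2.0 | From: "100" <sip:100@198.51.100.200>
198.51.100.5 5060 OPTIONS sip:room1@example.com SIP/2.0 | From: <sip:vcs@example.com>
"""

LINE_RE = re.compile(r'^(?P<src>\S+) (?P<port>\d+) (?P<method>[A-Z]+) \S+ SIP/2\.0 \| '
                     r'From: .*<sip:(?P<user>[^@>]+)@(?P<host>[^>;]+)>')

def is_allowed(src, port):
    """Mirror of the router ACL: SIP ports only from our own registrars/servers."""
    addr = ipaddress.ip_address(src)
    return port in SIP_PORTS and any(addr in net for net in ALLOWED_SIP_SOURCES)

def triage(log_text):
    """Return (permitted, denied); denied counts (source, method, From user, self_from)."""
    permitted, denied = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SIP request record in the assumed layout
        src, port = m["src"], int(m["port"])
        if is_allowed(src, port):
            permitted.append((src, m["method"], m["user"]))
        else:
            # Key on the real packet source: the From header is chosen by the sender.
            self_from = m["host"] == ENDPOINT_IP
            denied[(src, m["method"], m["user"], self_from)] += 1
    return permitted, denied

if __name__ == "__main__":
    ok, dropped = triage(SAMPLE_LOG)
    for (src, method, user, self_from), n in dropped.most_common():
        print(f"deny  {src:15} {method:8} from-user={user} self-from={self_from} x{n}")
    for src, method, user in ok:
        print(f"allow {src:15} {method:8} from-user={user}")
```
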

So, as I understand it, the customer has just a few ways to wrestle with it: buy a VCS and a special license for it.

Or probably he could ask his Internet provider to just block these ports (5060/5061)? In what cases might it not be possible?

Your assumption is not fully correct.

As mentioned, as the first step you could evaluate whether you really need to use SIP.

Instead of buying a VCS, he could also use a service offering the registration as a service.

Depending on the firmware and the setup, it might even be that you will experience the same problems when you register the endpoint to a VCS if the endpoint stays on a non-firewalled public IP.

If the ISP can block it, sure; normally it's done on a router of the customer itself.

You would need to allow traffic from the sites you want to have SIP calls from and block it from everyone else; if you can only block it completely, you could also simply disable SIP, ...

Please remember to rate helpful responses and identify

Hey Martin,

Outbound needs to be configured on EP and that works with VCS only.

And as per that only it will be allowed to get incoming calls, when we have outbound on and registered with VCS.

I am talking in regards to the listen port command to set OFF.

Thanks

Bhaskar

It looks like the customer would like to call from his Jabber to the SX20 with a public IP.

So what could I offer him?

When I block these ports (5060/5061), nobody will be able to call this endpoint, right? The same story with setting Listen port to OFF. Right?

So I could just offer that he buy a VCS to register his Jabber on this VCS. At the same moment, switch off SIP on the SX20. After this action the VCS will convert the SIP call from Jabber to H.323 to this endpoint and TA DA!! We win against this annoying thing.

Do we have other ways?

Hey Andrei,

See this what it says..

xConfiguration SIP ListenPort

Turn on or off the listening for incoming connections on the SIP TCP/UDP ports. If turned off, the endpoint will only be reachable through the SIP registrar (CUCM or VCS). It is recommended to leave this setting at its default value.

Requires user role: ADMIN

Value space:

On: Listening for incoming connections on the SIP TCP/UDP ports is turned on.

Off: Listening for incoming connections on the SIP TCP/UDP ports is turned off.

Example: xConfiguration SIP ListenPort: On

--------------------------Your questions..----------------------

It looks like the customer would like to call from his Jabber to the SX20 with a public IP.

So what could I offer him?        This is a design part, and it would be better to involve Cisco pre-sales on this.

When I block these ports (5060/5061), nobody will be able to call this endpoint, right? The same story with setting Listen port to OFF. Right? Correct, and only workable through CUCM and VCS in the latter case.

So I could just offer that he buy a VCS to register his Jabber on this VCS. At the same moment, switch off SIP on the SX20. After this action the VCS will convert the SIP call from Jabber to H.323 to this endpoint and TA DA!! We win against this annoying thing.

Do we have other ways?

As I said, please involve the Cisco pre-sales team; they can guide you. If you want to avoid that SIP scanner, there will be a price to pay, as it is related to unwanted attacks from the internet in an unsecured network.

You buy devices when we want to tighten the security and for new features per requirements.

Thanks

Bhaskar

Hello!

I am sorry for bringing up this question again: the customer bought a VCS for one of his offices.

So right now I am trying to give advice to our pre-sales team. As a technical specialist I should do it.

In the attached picture I displayed our current situation. The customer has a VCS in one city on a public IP and also has a stand-alone endpoint with a public IP.

So I should switch off SIP on the endpoint and register it to the VCS.

If anybody would like to connect to this endpoint by SIP or Jabber, they will be forwarded by the VCS.

Am I thinking right?

                                   

Hello!

Please share the policies of your VCS and, additionally, the scheme of the work organization of the equipment. I mean, do they use only one public IP address and a firewall?

Thanks in advance.

An external system can register via SIP and H.323 to the VCS-E.

It can be on a public IP, but it can also be behind NAT (no L3 H.323 or SIP features enabled!).

You should not disable SIP but rather block the communication for systems other than the VCS.

On a public IP it should work to disable the SIP listening port and enable SIP outbound.

The remote systems shall call the endpointaddress@domain.com and not the public IP of the endpoint or the VCS.

Regarding policies, they are more to define who shall be able to call whom, or to do additional actions like call forking, action on non-reachable, ...

In a case where you do not know who to block or only allow, it will not help you.

Unless you do not have an ISDN gw or something else that can generate costs when dialing, you and others should run fine without additional policies.

Using secure passwords and firewall management and non-used ports is more important.

If you have more questions, I would recommend that you open new threads for them.

Please remember to rate helpful responses and identify helpful or correct answers.
