Beginner

ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Hello, 

I'm probably overlooking something here, but I have an urgent need to block outside traffic from hairpinning through a CME 12 router (ISR4331 with IOS 16). Yesterday our provider notified us that there is a breach on this box and it is being used to dial out to toll numbers. We only use 88xx SIP IP Phones and dial in/out via a SIP trunk.

I'm trying to build an extended ACL that I can use to block traffic on the WAN interface. The issue is that this router is also used as the normal internet router for that branch and therefore runs NAT.

Is there any way of adding something like the following to the "outside" interface of the NAT?

object-group network ISP-addresses
host 1.2.3.4
host 1.2.3.5
host 1.2.3.6

ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any

permit ip any any
VIP Advisor

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Why the permit ip any any at the end?

Why not do:
ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any
deny tcp any eq 5060 any
deny tcp any eq 5061 any
permit ip any any

Please remember to rate useful posts, by clicking on the stars below.

Beginner

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Hello Dennis,

Thank you for your reply. I think I haven't been really clear on what the issue is.

Because this router is running NAT, when I apply the ACL to the WAN interface everything stops working. It does have "ip nat inside source list ACL-NAME interface GigabitEthernet 0/0/0 overload" active.

I can't figure out how to apply the ACL for incoming requests.
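As an added example (not from the thread, and not Cisco code), here is a small Python model of how IOS evaluates these extended ACL entries first-match, run over the two ACLs posted above plus a variant that denies SIP signalling from any source other than the provider. The object-group members, the router WAN address 203.0.113.10 and the packets are constructed; the destination is the router's own WAN address because IOS checks an inbound ACL on the outside interface before NAT translates the packet.

```python
# Constructed values: the object-group members, the WAN address and the packets are not from the thread.
OBJECT_GROUPS = {"ISP-addresses": {"1.2.3.4", "1.2.3.5", "1.2.3.6"}}

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq PORT] DST [eq PORT]'; None stands for 'any'."""
    tok, i = line.split(), 2
    def addr():
        nonlocal i
        kind = tok[i]
        i += 2 if kind in ("object-group", "host") else 1
        return OBJECT_GROUPS[tok[i - 1]] if kind == "object-group" else {tok[i - 1]} if kind == "host" else None
    def port():
        nonlocal i
        hit = i < len(tok) and tok[i] == "eq"
        i += 2 if hit else 0
        return int(tok[i - 1]) if hit else None
    src, sport, dst, dport = addr(), port(), addr(), port()
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst, dport=dport)

def ace_matches(ace, pkt):
    """Protocol 'ip' covers every protocol; a None field in the ACE matches anything."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if any(ace[k] is not None and pkt[k] not in ace[k] for k in ("src", "dst")):
        return False
    return all(ace[k] is None or pkt[k] == ace[k] for k in ("sport", "dport"))

def evaluate(acl, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny, as on IOS."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

SIP_PORTS = [("tcp", 5061), ("tcp", 5060), ("udp", 5060)]
PROVIDER_SIP = [f"permit {p} object-group ISP-addresses any eq {n}" for p, n in SIP_PORTS] + \
               [f"permit {p} object-group ISP-addresses eq {n} any" for p, n in SIP_PORTS]
ASKER_ACL = PROVIDER_SIP + ["permit ip any any"]                      # ACL from the original post
REPLY_ACL = PROVIDER_SIP + ["deny tcp any eq 5060 any", "deny tcp any eq 5061 any", "permit ip any any"]
# Variant: deny SIP signalling *to* the router from any non-provider source, then let everything else (NAT return traffic) through.
HARDENED_ACL = PROVIDER_SIP[:3] + ["deny udp any any eq 5060", "deny tcp any any eq 5060",
                                   "deny tcp any any eq 5061", "permit ip any any"]
# Packets as they arrive on the WAN interface, where IOS evaluates the inbound ACL before NAT.
OUTSIDE_REGISTER = dict(proto="udp", src="198.51.100.7", sport=54321, dst="203.0.113.10", dport=5060)
PROVIDER_INVITE = dict(proto="udp", src="1.2.3.4", sport=5060, dst="203.0.113.10", dport=5060)
NAT_RETURN = dict(proto="tcp", src="192.0.2.80", sport=443, dst="203.0.113.10", dport=40001)
```

With these inputs, both posted ACLs return "permit" for a REGISTER arriving from an unknown address, since their deny entries match on source port 5060 and an outside client is free to use any source port. The variant returns "deny" for that packet while still permitting the provider's INVITE and the NAT return flow.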

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Stephen,
Just a comment: you can easily achieve this by using the trusted list feature in the CUBE. Instead of the "no ip address trusted authenticate" command in voice register global, define your internal network and also the provider network and try this.
Beginner

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Hello Asfal,

Thank you for your reply. We have a trusted list in place for the trunk; this is not the issue. The issue is that I need to secure the WAN interface so that it does not allow SIP registers from outside our LAN. The trusted list also contains just our internal IP range + provider, but they still manage to connect to the CME externally.

Cisco Employee

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Just do CoPP. Read about it.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Thanks Nipun,

But the box is a 4331; I'm not really willing to run CoPP on it.

Cisco Employee

Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Any reason why? ISR-4Ks have a split plane. I believe they would benefit more from CoPP than previous-generation boxes.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"