ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Stephan_BI
Level 1

Hello,

I'm probably overlooking something here, but I have an urgent need to block outside traffic from hairpinning to a CME 12 router (ISR4331 with IOS 16). Yesterday our provider notified us that there is a breach on this box and that it is being used to dial out to toll numbers. We only use 88xx SIP IP Phones and dial in/out via a SIP trunk.

I'm trying to build an extended ACL that I can use to block traffic on the WAN interface. The issue is that this router is also used as a normal internet router for that branch and therefore runs NAT.

Is there any way of adding something like the below to the "outside" interface of the NAT?

object-group network ISP-addresses
 host 1.2.3.4
 host 1.2.3.5
 host 1.2.3.6

ip access-list extended SIP-INBOUND
 permit tcp object-group ISP-addresses any eq 5061
 permit tcp object-group ISP-addresses any eq 5060
 permit udp object-group ISP-addresses any eq 5060
 permit tcp object-group ISP-addresses eq 5060 any
 permit tcp object-group ISP-addresses eq 5061 any
 permit udp object-group ISP-addresses eq 5060 any
 permit ip any any


7 Replies

Dennis Mink
VIP Alumni

Why the permit ip any any at the end?

Why not do:

ip access-list extended SIP-INBOUND
 permit tcp object-group ISP-addresses any eq 5061
 permit tcp object-group ISP-addresses any eq 5060
 permit udp object-group ISP-addresses any eq 5060
 permit tcp object-group ISP-addresses eq 5060 any
 permit tcp object-group ISP-addresses eq 5061 any
 permit udp object-group ISP-addresses eq 5060 any
 deny tcp any any eq 5060
 deny tcp any any eq 5061
 deny udp any any eq 5060
 deny tcp any eq 5060 any
 deny tcp any eq 5061 any
 deny udp any eq 5060 any
 permit ip any any


Please remember to rate useful posts, by clicking on the stars below.
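An added example, not from the thread: a small Python evaluator for the IOS-style extended ACL syntax used above, with the reply's deny lines widened (my assumption) to cover UDP and destination-port SIP. It applies first-match semantics plus the implicit trailing deny, so the rules can be checked before deployment: provider SIP and NAT return traffic still pass, while an unknown host sending to 5060 is dropped. Addresses other than the poster's 1.2.3.x are constructed.

```python
OBJECT_GROUPS = {"ISP-addresses": {"1.2.3.4", "1.2.3.5", "1.2.3.6"}}  # 1.2.3.x are the poster's placeholders

# The reply's ACL with its deny lines widened to cover UDP and destination-port SIP (my assumption)
SIP_INBOUND = """
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 5061
deny udp any any eq 5060
permit ip any any
"""

def _parse_addr(tok, i):
    """Consume one address spec (any | object-group NAME); return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "object-group":
        return (lambda a, m=OBJECT_GROUPS[tok[i + 1]]: a in m), i + 2
    raise ValueError(f"unsupported address spec {tok[i]!r}")

def _parse_port(tok, i):
    """Consume an optional 'eq N'; return (port or None, next index)."""
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_acl(text):
    """Parse 'action proto SRC [eq P] DST [eq P]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, rproto, msrc, rsport, mdst, rdport in rules:
        if rproto in ("ip", proto) and msrc(src) and mdst(dst) \
                and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(SIP_INBOUND)
    cme = "203.0.113.10"  # constructed public address of the router's WAN interface
    print(evaluate(rules, "udp", "1.2.3.4", 5060, cme, 5060))       # provider SIP: permit
    print(evaluate(rules, "udp", "198.51.100.7", 41002, cme, 5060))  # unknown host SIP: deny
    print(evaluate(rules, "tcp", "93.184.216.34", 443, cme, 50123))  # NAT return traffic: permit
```

An ACL applied inbound on the WAN interface is evaluated before the outside-to-inside NAT translation, so the destination to match is the router's public address, not the inside host.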

Hello Dennis,

Thank you for your reply. I think I haven't been really clear on what the issue is.

Because this router is running NAT, when I apply the ACL to the WAN interface everything stops working. It does have "ip nat inside source list ACL-NAME interface GigabitEthernet 0/0/0 overload" active.

I can't figure out how to apply the ACL for incoming requests.

Stephan,
Just a comment: you can easily achieve this by using the trusted list feature in the CUBE. Instead of the no ip address trusted authenticate command in voice register global, define your internal network and also the provider network, and try this.

Hello Asfal,

Thank you for your reply. We have a trusted list in place for the trunk; this is not the issue. The issue is that I need to secure the WAN interface so that it does not allow SIP registers from outside our LAN. The trusted list also contains just our internal IP range + provider, but they still manage to connect to the CME externally.

Just do CoPP. Read about it.

Thanks nipun,

but the box is a 4331; I'm not really willing to run CoPP on it.

Any reason why? ISR-4Ks have a split plane. I believe they would benefit more from CoPP than previous-generation boxes.