Re: ACL for Toll Fraud protection on SIP Trunk with CME 12.1

Stephan_BI · ‎09-25-2018

Hello,

I'm probably overlooking something here but I have a urgent need for blocking outside traffic to hairpin to a CME 12 router (ISR4331 with IOS 16). Since yesterday our provider notified us that we have a breach on this box that is being used to dial out to toll numbers. We only use IP Phones 88xx SIP and Dial in/out via a SIP trunk.ollaboration

I'm trying to build an extended ACL that I can use to block traffic on the WAN interface. The issue is that this router is also used as a normal internet router for that branch and therefore runs NAT. ollaborat

Is there any way of adding something like below to the "outside" interface of the NAT ? :

object-group network ISP-addresses
host 1.2.3.4
host 1.2.3.5
host 1.2.3.6

ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any

permit ip any any

Dennis Mink · ‎09-25-2018

why the permit up any any at the end?

why not doL

ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any

deny tcp any eq 5060 any

deny tcp any eq 5061 any

permit ip any any

Please remember to rate useful posts, by clicking on the stars below.

Stephan_BI · ‎09-26-2018

Hello Dennis,

Thank you for your reply, I think I haven't been really clear on what the issue is.

Because this router is running nat when I apply the ACL to the WAN interface

everything stops working. it does have the "ip nat inside source list ACL-NAME interface GigabitEthernet 0/0/0 overload" active.

I cant figure out how to apply the ACL for incoming requests.

afsal abdul gafoor · ‎09-26-2018

Stephen,
Just a comment , you can easily achieve this by using trusted listed feature in the cube. Instead of no ip address trusted authenticate command in voice register global,define your internal network and also provider network and try this.

Stephan_BI · ‎09-26-2018

Hello Asfal,

Thank you for your reply we have a trusted list in place for the trunk, this is not the issue. the issue is that I need to secure the WAN interface to not allow SIP registers outside of our LAN. On the trusted list is also just our internal IP range + Provider but they still mange to connect to the CME externally.

R0g22 · ‎09-26-2018

Just do CoPP. Read about it.

Stephan_BI · ‎09-26-2018

Thanks nipun,

But the box is a 4331 not really willing to run Copp on it.

R0g22 · ‎09-26-2018

Any reason why ? ISR-4k's have a split plane. I believe they would benefit more from CoPP than previous generation boxes.