Call History disc-cause reason D1,D13 and call from untrusted SIP IP

gossa1973 · ‎11-19-2021

Hi

I have some strange behavior of my CME, some calls are made from CME on ISR 2900 IOS (c2900-universalk9-mz.SPA.156-3.M7.bin) at night when no one was present in the office, and calls where made to some private numbers outside organization. When they notify me, first thing I issue command sh call history voice compact, in result list I saw some strange records with disc-cause D1 and D13.

I try to find list of codes on net without success , what this Disk-Couse mean?

More strange is that I have in history list call record received from untrusted public IP address 2.57.121.3 with Disk-Couse D1

RUTER_EKO# sh call history voice compact
<callID> A/O FAX T<sec> Codec type Peer Address IP R<ip>:<udp> disc-cause
1138 ANS T0 g711alaw VOIP P0612263707 10.0.0.2:35158 D10
1139 ORG T0 g711alaw VOIP P101 0.0.0.0:0 D10
1159 ANS T0 g711alaw VOIP P0612263707 10.0.0.2:35818 D10
1160 ORG T0 g711alaw VOIP P114 0.0.0.0:0 D10
1329 ORG T0 g711alaw VOIP P100 0.0.0.0:0 D13
1328 ANS T0 g711alaw VOIP P100 0.0.0.0:0 D13
1524 ANS T0 g711alaw VOIP P100 2.57.121.3:5078 D1
1534 ANS T0 g711alaw VOIP P100 2.57.121.3:5072 D1

..........

In call history list I did not see private numbers from which we receive complain but I saw this untrusted public IP

and I saw Remote Agents connection from same address when I issue command

sh sip-ua connections udp detail

RUTER_EKO#sh sip-ua connections udp detail
Total active connections : 16
No. of send failures : 14
No. of remote closures : 0
No. of conn. failures : 0
No. of inactive conn. ageouts : 1396

---------Printing Detailed Connection Report---------
Note:
** Tuples with no matching socket entry
- Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port>'
to overcome this error condition
++ Tuples with mismatched address/port entry
- Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port> id <connid>'
to overcome this error condition

Remote-Agent:10.0.0.2, Connections-Count:1
Remote-Port Conn-Id Conn-State WriteQ-Size Local-Address
=========== ======= =========== =========== ===========
5060 2 Established 0 -

Remote-Agent:192.168.0.8, Connections-Count:1
Remote-Port Conn-Id Conn-State WriteQ-Size Local-Address
=========== ======= =========== =========== ===========
5060 11 Established 0 -

Remote-Agent:192.168.0.17, Connections-Count:1
Remote-Port Conn-Id Conn-State WriteQ-Size Local-Address
=========== ======= =========== =========== ===========
5072 17 Established 0 -

Remote-Agent:2.57.121.3, Connections-Count:1
Remote-Port Conn-Id Conn-State WriteQ-Size Local-Address

......

-------------- SIP Transport Layer Listen Sockets ---------------
Conn-Id Local-Address
=========== =============================
0 [0.0.0.0]:5060:

My config VoIP is:

voice service voip
ip address trusted list
ipv4 192.168.0.0 255.255.255.0
ipv4 10.0.0.2 255.255.255.255
callmonitor
allow-connections sip to sip
supplementary-service h450.12

.....

voice register global
mode cme
source-address 192.168.0.210 port 5060
max-dn 24
max-pool 24
authenticate register

......

I have only one SIP trunk on private ISP IP 10.0.0.2 and Cisco SIP 78xx phones on privet LAN 192.168.0.x

How possible is to make SIP calls or SIP connection from outside of my trusted IP addresses in SIP config.

This router is also used for NAT for comps on same network as phones, SIP IP Trusted list should repel this SIP connections from untrusted (not listed) public IP address. I also add for SIP in NAT config.

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

I have three interfaces :

one for internet and NAT with public IP (VLAN 2610 on ISP connection)

one for SIP trunk with private IP of my ISP (VLAN 3250 on ISP connection)

one for LAN for Cisco phones and Windows comps

How to prohibit on NAT interface any SIP communication?

Can you give mi hint what I need to check or to secure this CME ?

And what this Disc-Couse Mean?

Thanks in advanced