Creating default COR (Class of Restriction) with CME

johnhart

Hi IOS and CME users,

I have got a simple CME configuration up and running on a 2901, which supports:

1. REGISTER & INVITE of SIP phones within LAN

2. International Calling via external SIP Service Provider using "dial-peer" to SIP Trunk

3. National & Local Calling via Linksys/Cisco SPA3102 using "dial-peer" to SIP Trunk.

I am still having issues with getting access to this from the WAN side of the router, but before I solve this problem, I need to ensure that I have a correctly configured "Class of Restriction" configuration in place to avoid "Toll Fraud" (i.e. an internet user sending in an INVITE which goes through a dial-peer and thus allows anyone to make international or local calls at my expense).

I have added cor definitions to both phones and dial-peers:

<Sample COR Config>

dial-peer cor custom

name international

name national

name local

name emergency

name toll-free

name internal

name private

!

dial-peer cor list authourised

member international

member national

member local

member emergency

member toll-free

member internal

member private

!

dial-peer cor list national

member national

member local

member emergency

member toll-free

!

dial-peer cor list internal

member internal

member private

!

dial-peer cor list international

member international

!

dial-peer cor list external

member internal

!

dial-peer cor list staff

member local

member emergency

member toll-free

member internal

member private

!

dial-peer cor list private

member private

!

dial-peer cor list emergency

member emergency

!

dial-peer cor list local

member local

!

dial-peer cor list toll-free

member toll-free

!

voice register pool 1

  id mac 0000.0002.0003

  number 1 dn 1

  cor incoming authourised 1 615555 <- Setup COR to allow full access

  cor outgoing internal 1 615555

  voice-class codec 1

  username frogb password XXXX

!

voice register pool 4

  id mac 0000.0001.0002

  number 1 dn 4

  cor incoming internal 1 6117777 <- Setup COR to constrain access

  cor outgoing private 1 6117777

  voice-class codec 1

  username froga password XXXX

!

!

dial-peer voice 13 voip

corlist outgoing national <- Setup COR so only incoming with "national" key can access this dial peer

description national-61Nxxxxxxxx

translation-profile outgoing outbound-national

preference 5

destination-pattern 61[2-9]........

b2bua

session protocol sipv2

session target ipv4:200.30.200.30:5061

voice-class codec 2

voice-class sip localhost dns:spa.FROGHOP.COM

voice-class sip dtmf-relay force rtp-nte

dtmf-relay rtp-nte

!

<<End of Config Example>>

However, I have not been able to find where in CME you provide a default COR definition, which would apply to someone calling in (INVITE) to CME via the internet, i.e.:

INVITE:

From: 999@ANY-DOMAIN.com

To: 615555@FROGHOP.com

Where FROGHOP.com is CME.

As the INVITE does not come from a Registered User, the COR is empty and so CME will let the call request through, irrespective of what COR definitions are on the "dial-peers" or "voice register pool" defined numbers.

I would like to have a default COR which restricts access to "internal" only.

I know that with SRST this could be achieved via:

call-manager-fallback

  cor outgoing internal default <- Make "internal" the default outgoing cor

  cor incoming internal default <- Make "internal" the default incoming cor

How can I achieve a similar default configuration with CME?

Thanks in advance for any help.

John.
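
The COR check described in the post above, modelled as an added example (not part of the original post and not Cisco code): a call is allowed when the outgoing list on the dial-peer is a subset of the caller's incoming list, and a leg with no list at all is unrestricted. Applying the post's `external` list to the unregistered leg is an assumption made here for illustration.

```python
# Constructed excerpt of the COR lists from the post (list names as spelled there).
CONFIG = """\
dial-peer cor list authourised
 member international
 member national
 member local
 member emergency
 member toll-free
 member internal
 member private
dial-peer cor list national
 member national
 member local
 member emergency
 member toll-free
dial-peer cor list internal
 member internal
 member private
dial-peer cor list external
 member internal
"""

def parse_cor_lists(text):
    """Return {list_name: set(members)} from 'dial-peer cor list' blocks."""
    lists, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["dial-peer", "cor", "list"] and len(words) == 4:
            current = lists.setdefault(words[3], set())
        elif words[:1] == ["member"] and len(words) == 2 and current is not None:
            current.add(words[1])
        else:
            current = None
    return lists

def call_allowed(lists, incoming, outgoing):
    """COR rule: the outgoing list must be a subset of the incoming list.
    A leg with no list (None) is unrestricted, which is the toll-fraud gap."""
    if incoming is None or outgoing is None:
        return True
    return lists[outgoing] <= lists[incoming]

COR = parse_cor_lists(CONFIG)
# Dial-peer 13 in the post carries 'corlist outgoing national'.
for caller, cor_in in [("pool 1", "authourised"), ("pool 4", "internal"),
                       ("unregistered INVITE", None),
                       ("unregistered + assumed 'external'", "external")]:
    print(f"{caller:35} -> dial-peer 13: {call_allowed(COR, cor_in, 'national')}")
```
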


paolo bevilacqua

COR doesn't apply to invite or other protocol specific stuff.

It only applies to call attempts.

Hi Paolo,

I know that INVITE is a SIP-specific mechanism to establish a "call", so while COR is not applied to SIP operations I assume it does apply to logical call operations.

I presume, from the fact that no-one has provided a definitive response to my posting, that there is no way to define a default COR list with CME...

Which in turn means that CME has a security hole so big that it is not viable for use as a general and publicly exposed SIP Proxy...

It looks like it is back to "opensips" for public sip gateway.

Cheers,

John.

Actually, CME is a perfectly secure system when configured correctly. See for example

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmetoll.html

At the same time it was never meant to be a SIP proxy, as its features and purpose are different from that.