Hi IOS and CME users,
I have got a simple CME configuration up and running on 2901, which supports:
1. REGISTER & INVITE of SIP phones within LAN
2. International Calling via external SIP Service Provider using "dial-peer" to SIP Trunk
3. National & Local Calling via Linksys/Cisco SPA3102 using "dial-peer" to SIP Trunk.
I am still having issues with getting access to this from WAN side of router, but before I solve this problem, I need to ensure that I have correctly configured "Class of Restriction" configuration in place to avoid "Toll Fraud" (ie internet user sending in INVITE which goes through dial-peer and thus allows anyone to make international or local calls at my expense).
I have added cor definitions to both phones and dial-peers:
<Sample COR Config>
dial-peer cor custom
dial-peer cor list authourised
dial-peer cor list national
dial-peer cor list internal
dial-peer cor list international
dial-peer cor list external
dial-peer cor list staff
dial-peer cor list private
dial-peer cor list emergency
dial-peer cor list local
dial-peer cor list toll-free
voice register pool 1
 id mac 0000.0002.0003
 number 1 dn 1
 cor incoming 1 authourised 1 615555 <- Setup COR to allow full access
 cor outgoing internal 1 615555
 voice-class codec 1
 username frogb password XXXX
voice register pool 4
 id mac 0000.0001.0002
 number 1 dn 4
 cor incoming internal 1 6117777 <- Setup COR to constrain access
 cor outgoing private 1 6117777
 voice-class codec 1
 username froga password XXXX
dial-peer voice 13 voip
 corlist outgoing national <- Setup COR so only incoming with "national" key can access this dial peer
 translation-profile outgoing outbound-national
 session protocol sipv2
 session target ipv4:220.127.116.11:5061
 voice-class codec 2
 voice-class sip localhost dns:spa.FROGHOP.COM
 voice-class sip dtmf-relay force rtp-nte
<<End of Config Example>>
However I have not been able to find where in CME do you provide a default COR definition, which would apply to someone doing a call in (INVITE) to CME via internet ie:
Where FROGHOP.com is CME.
As the INVITE does not come from a Registered User, their COR is empty and so CME will let the call request through, irrespective of what COR definitions are on the "dial-peers" or "voice register pool" defined numbers.
I would like to have a default COR which restricts access to "internal" only.
I know that with SRST this could be achieved via:
cor outgoing internal default <- Make "internal" the default outgoing cor
cor incoming internal default <- Make "internal" the default incoming cor
How can I achieve a similar default configuration with CME??
Thanks in advance for any help.
I know that INVITE is sip specific mechanism to establish a "call" so while COR is not applied to sip operations I assume it does apply to logical call operations.
I presume, from the fact that no-one has provided a definitive response to my posting, that there is no way to define a default COR list with CME...
Which in turn means that CME has a security hole so big that it is not viable for use as a general and publicly exposed SIP Proxy...
It looks like it is back to "opensips" for public sip gateway.
Actually CME is perfectly secure system when configured correctly. See for example
At the same time it was never meant to be a SIP proxy, as its features and purpose are different from that.
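
The COR behaviour raised in the first post (a call leg with no incoming COR list is unrestricted), modelled as an added Python example that is not code from the thread or from Cisco: it parses a constructed config excerpt and reports which COR-protected dial-peers each inbound dial-peer can reach. The dial-peer tags 100 and 101, the list members and the function names are assumptions made for the illustration.

```python
import re

# Constructed config excerpt (not from the thread); only COR-relevant lines shown.
SAMPLE = """\
dial-peer cor custom
 name internal
 name national
dial-peer cor list internal
 member internal
dial-peer cor list national
 member national
dial-peer voice 13 voip
 corlist outgoing national
dial-peer voice 20 voip
 corlist outgoing internal
dial-peer voice 100 voip
 incoming called-number .
dial-peer voice 101 voip
 corlist incoming internal
 incoming called-number .
"""

KEYS = r"\s+(corlist incoming|corlist outgoing|incoming called-number) (\S+)"

def parse(cfg):
    """Return ({list name: members}, {dial-peer tag: {setting: value}})."""
    lists, peers, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"dial-peer cor list (\S+)", line):
            cur = lists.setdefault(m[1], set())
        elif m := re.match(r"dial-peer voice (\d+)", line):
            cur = peers.setdefault(m[1], {})
        elif not line.startswith(" "):
            cur = None                      # some other top-level command
        elif isinstance(cur, set) and (m := re.match(r"\s+member (\S+)", line)):
            cur.add(m[1])
        elif isinstance(cur, dict) and (m := re.match(KEYS, line)):
            cur[m[1]] = m[2]
    return lists, peers

def allowed(lists, inbound, outbound):
    """No incoming list means unrestricted; otherwise the outgoing list
    must be a subset of the incoming list."""
    inc, out = inbound.get("corlist incoming"), outbound.get("corlist outgoing")
    return inc is None or out is None or lists[out] <= lists[inc]

def reachable(cfg):
    """Map each inbound dial-peer to the COR-protected dial-peers it can use."""
    lists, peers = parse(cfg)
    outs = {t: p for t, p in peers.items() if "corlist outgoing" in p}
    return {t: sorted(o for o, op in outs.items() if allowed(lists, p, op))
            for t, p in peers.items() if "incoming called-number" in p}
```

In the constructed excerpt, inbound dial-peer 100 has no `corlist incoming` and so reaches both protected dial-peers, while 101 with `corlist incoming internal` reaches only the internal one.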