permit udp host 184.108.40.206 host 220.127.116.11 range 6000 40000
deny ip any any log

I also set the call spike feature

call spike 5

I also limit the number of connections on the SIP ITSP dial peer

dial-peer voice 100 voip
 description Outbound SIP calls
 session protocol sipv2
 session target ipv4:222.222.222
 voice-class codec 1
 voice-class sip privacy-policy passthru
 voice-class sip early-offer forced

Note that the ITSP does not offer SIP registration by username/password or any form of encryption.
I would be interested in how secure people think the above is. Good enough or do I need a firewall? - if yes which of the options below:
Watchguard Firewall - the customer has a Watchguard firewall in place. I could move the CUBE to the DMZ so inbound connections would have to traverse the firewall. The issue I see with this is that the Watchguard firewall NATs outside connections to the DMZ and I am not sure how well this will work with SIP. Watchguard can apparently do SIP inspection and NAT but I am a bit dubious about it as I have no access to the firewalls (although the guys who manage them seem to know what they are doing).
IOS Firewall - could I just enable this on the CUBE and get it to do SIP inspection? - I have been trying to find a sample config for this without success.
ASA Transparent firewall - deploy one of these as a bump in the wire between the CUBE and the ISP router. Benefit is that it is an all Cisco solution so support should be easier to come by.
I am also interested in other security features that could be enabled. The suggestion below seems interesting. Has anyone done this?
Trunk Access Codes Using Translation Rules: Protect calls to expensive PSTN destinations or undesirable locations (perhaps international calls, calls to certain countries, etc.) with trunk access codes in front of the PSTN direct dial string. These codes can be transparent to your legitimate user base by inserting the code at your call agent (e.g. 89923 for calls to country-X) and deleting the code at Cisco UBE before passing the call to the PSTN. The use of this precludes a hacker directly addressing the SIP trunk and dialing direct to expensive locations (while bypassing your call agent).
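
A sketch of the trunk access code suggestion quoted above, as IOS voice translation configuration on the CUBE. This is an added example, not part of the original post or of Cisco's text. The access code 89923 is the one used in the quoted suggestion; the international prefix 00, dial-peer tag 110, rule and profile number 10, the profile name STRIP-TAC and the session target placeholder are assumptions.

```cisco
! Added example. Assumed values: international prefix 00, dial-peer tag 110,
! translation rule/profile 10 and the name STRIP-TAC.
!
! Strip the leading access code and keep the digits that follow it.
voice translation-rule 10
 rule 1 /^89923\(00.*\)/ /\1/
!
voice translation-profile STRIP-TAC
 translate called 10
!
! International calls match this dial-peer only when the call agent has
! already prefixed the access code. The code is removed on the way out,
! so the ITSP receives the normal 00... number.
dial-peer voice 110 voip
 description International via ITSP, access code required
 destination-pattern 8992300T
 translation-profile outgoing STRIP-TAC
 session protocol sipv2
 session target ipv4:<ITSP-address>
```

For this to have any effect, no other outbound dial-peer towards the ITSP may have a destination-pattern that matches a bare 00 number; otherwise a call sent to the CUBE without the code still routes.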