
dial-peer-pstn

nettuno8_20111
Level 1

Hi, I am sorrenrino ciro. I have a 2901 router with CME 7.0. I configured a dial-peer .T that goes to the PSTN, and I configured the g0/0 interface as PPPoE, which is connected to the internet, but I have a problem: sometimes the PSTN line is busy. I did a dial-peer show and I saw that there are numbers like 0065349980 that I think come from the internet and occupy the PSTN. What can I do to prevent this?

4 Accepted Solutions



Current configuration : 10836 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-isp
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool voice
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
option 150 ip 192.168.200.1
!
ip dhcp pool data
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4 192.168.10.10 192.168.20.20
!
ip dhcp pool server10
network 192.168.10.0 255.255.255.240
default-router 192.168.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip host voice 172.31.0.2
ip host primary 192.168.200.10
ip host switch-poe 192.168.200.11
ip name-server 109.232.88.3
ip name-server 109.232.88.4
ip ddns update method dns
HTTP
add http://server0001:Cisco123456.@12@update.dyndns.it/nic/updatesystem=dyndns&hostname=server-remoto.homepc.it
interval maximum 24 0 0 0
interval minimum 24 0 0 0
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice-card 0
dsp services dspfarm
!
!
!
!
voice logout-profile 1
pin 1234
user 1111 password 1111
number 2001,2000 type normal
speed-dial 1 2002 label "andrea" blf
speed-dial 2 30 label "direzione" blf
speed-dial 3 40 label "studio" blf
speed-dial 4 2004 label "enzo" blf
speed-dial 5 2000 label "CIT." blf
!
voice logout-profile 2
pin 1234
number 2002,2000 type normal
speed-dial 1 2001 label "fabio" blf
speed-dial 2 30 label "direzione" blf
speed-dial 3 40 label "studio" blf
speed-dial 4 2004 label "enzo" blf
speed-dial 5 2000 label "CIT." blf
!
voice user-profile 1
pin 1234
user 9999 password 9999
number 2001 type normal
speed-dial 1 2002 label "andrea" blf
speed-dial 2 2003 label "ciro" blf
speed-dial 3 2004 label "enzo" blf
speed-dial 4 2000 label "CIT." blf
privacy-button
!
!
voice translation-rule 2
rule 1 /2.../ /08180220550/
!
voice translation-rule 3
rule 1 /1111/ /2005/
!
!
voice translation-profile entrata-pstn
translate called 3
!
voice translation-profile uscita-pstn
translate calling 2
!
!
license udi pid CISCO2901/K9 sn FCZ1523C0C1
license boot module c2900 technology-package uck9
hw-module pvdm 0/0
!
!
!
vtp mode transparent
username ciro password 0 ciro
!
redundancy
!
!
vlan 10
name ciro
!
vlan 50
name R1-R2
!
!
class-map match-all video
match dscp af41
class-map match-all voice
match dscp ef
!
!
policy-map qos
class voice
priority 6000
class video
priority 10000
class class-default
bandwidth 84000
shape average 19000000 28500000 14250000
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output qos
!
interface GigabitEthernet0/1
description data
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
description vion server r2
encapsulation dot1Q 2
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.10
description server r2
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.20
description server r2
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.240
!
interface FastEthernet0/0/0
switchport access vlan 50
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan50
ip address 172.31.0.1 255.255.255.252
!
interface Dialer1
mtu 1492
ip ddns update hostname server-remoto.homepc.it.dyndns.it
ip ddns update dns
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash0:/gui
!
ip dns server
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.10 3389 interface Dialer1 3389
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 permit tcp host 34.255.218.242 eq www any
access-list 100 permit icmp host 192.168.200.1 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip any any
!
!
tftp-server flash:P0030801SR02.loads
tftp-server flash:P0030801SR02.sb2
tftp-server flash:P0030801SR02.bin
tftp-server flash:P0030801SR02.sbn
tftp-server flash:apps42.8-4-3-16.sbn
tftp-server flash:cnu42.8-4-3-16.sbn
tftp-server flash:cvm42sccp.8-4-3-16.sbn
tftp-server flash:dsp42.8-4-3-16.sbn
tftp-server flash:jar42sccp.8-4-3-16.sbn
tftp-server flash:SCCP42.8-4-4S.loads
tftp-server flash:term42.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:apps41.8-3-4-16.sbn
tftp-server flash:cnu41.8-3-4-16.sbn
tftp-server flash:cvm41sccp.8-3-4-16.sbn
tftp-server flash:dsp41.8-3-4-16.sbn
tftp-server flash:jar41sccp.8-3-4-16.sbn
tftp-server flash:SCCP41.8-3-5S.loads
tftp-server flash:term41.default.loads
tftp-server flash:term61.default.loads
tftp-server flash:apps75.8-5-4TH1-6.sbn
tftp-server flash:cnu75.8-5-4TH1-6.sbn
tftp-server flash:dsp75.8-5-4TH1-6.sbn
tftp-server flash:cvm75sccp.8-5-4TH1-6.sbn
tftp-server flash:jar75sccp.8-5-4TH1-6.sbn
tftp-server flash:SCCP75.8-5-4S.loads
tftp-server flash:term75.default.loads
tftp-server flash:B015-1-0-4-2.SBN
tftp-server flash:cp.8-5-4TH1-6.sbn
!
control-plane
!
!
voice-port 0/1/0
cptone IT
timeouts interdigit 5
connection plar 2005
impedance complex2
station-id name pstn
station-id number 2020
caller-id enable
!
voice-port 0/1/1
cptone IT
timeouts interdigit 5
station-id name tel.
station-id number 2021
!
voice-port 0/1/2
cptone IT
timeouts interdigit 5
station-id name tel.2
station-id number 2022
!
voice-port 0/1/3
cptone IT
timeouts interdigit 0
!
voice-port 0/2/0
cptone IT
timeouts interdigit 5
connection plar 2005
impedance complex2
station-id name pstn
caller-id enable
!
voice-port 0/2/1
cptone IT
timeouts interdigit 5
connection plar 2005
shutdown
impedance complex2
station-id name pstn 2
caller-id enable
!
voice-port 0/2/2
shutdown
!
voice-port 0/2/3
shutdown
!
!
!
!
dspfarm profile 1 transcode universal
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g722-64
codec ilbc
maximum sessions 10
associate application SCCP
!
dial-peer cor custom
name linea-pstn
!
!
dial-peer cor list pstn
member linea-pstn
!
!
dial-peer voice 1 voip
destination-pattern 2...
codec g711ulaw
!
dial-peer voice 10 pots
shutdown
destination-pattern 2022
no digit-strip
port 0/1/2
!
dial-peer voice 9 pots
description tel.1
destination-pattern 2021
no digit-strip
port 0/1/1
!
dial-peer voice 7 pots
destination-pattern 2020
no digit-strip
port 0/1/0
!
dial-peer voice 8 pots
description pstn
destination-pattern 0T
port 0/2/0
!
dial-peer voice 6 pots
description pstn 2
destination-pattern 9T
port 0/2/1
!
!
presence
presence call-list
max-subscription 200
watcher all
allow subscribe
!
!
!
gatekeeper
shutdown
!
!
telephony-service
no auto-reg-ephone
max-ephones 20
max-dn 20
ip source-address 192.168.200.1 port 2000
timeouts interdigit 5
system message call manager express
user-locale IT
network-locale IT
load 7915-24 B015-1-0-4-2
load 7960-7940 P0030801SR02
load 7941 SCCP41.8-3-5S
load 7942 SCCP42.8-4-4S
load 7975 SCCP75.8-5-4S
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
moh flash:moh-4.au
transfer-system full-consult
directory entry 1 2021 name noemi sorrentino
directory entry 2 2022 name teresa sorrentino
create cnf-files version-stamp 7960 May 31 2019 13:56:01
!
!
ephone-template 1
service phone webAccess 0
softkeys remote-in-use CBarge
softkeys idle Mobility HLog ConfList
softkeys seized Meetme HLog
softkeys connected Flash Hold Mobility
softkeys ringing HLog Answer Dnd
!
!
ephone-dn 1
number 2001
label fabio
name fabio
allow watch
!
!
ephone-dn 2
number 2002
label andrea
name andrea
allow watch
!
!
ephone-dn 3
number 30
park-slot timeout 40 limit 20
label direzione
name direzione
allow watch
!
!
ephone-dn 4
number 40
park-slot
label studio
name studio
allow watch
!
!
ephone-dn 5
number 2003
label ciro
name ciro
allow watch
!
!
ephone-dn 6
number 2004
label enzo
name enzo
mobility
allow watch
!
!
ephone-dn 7
number 2005
label mario
name mario
allow watch
!
!
ephone-dn 8
number 2006
label carlo
name carlo
allow watch
!
!
ephone-dn 9
number 2007
label teresa
name teresa
allow watch
!
!
ephone-dn 10
number 2000
label CIT.
name CIT.
allow watch
!
!
ephone-dn 11
number 2008
label segreteria
name segreteria
allow watch
!
!
ephone 1
no multicast-moh
mac-address 0016.C7EA.297E
presence call-list
codec g711alaw
type 7960 addon 1 7915-24
logout-profile 1
!
!
!
ephone 2
mac-address 0016.C7EA.231F
presence call-list
codec g711alaw
type 7960
logout-profile 2
!
!
!
ephone 3
mac-address 001E.F7C3.6CB2
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
codec g711alaw
type 7941
button 1:5
!
!
!
ephone 4
mac-address C07B.BCA0.99EB
presence call-list
blf-speed-dial 1 2002 label "andrea" device
type 7942
button 1:6 2:10
!
!
!
ephone 5
mac-address 108C.CFE1.3244
presence call-list
blf-speed-dial 1 2002 label "andrea" device
codec g711alaw
type 7942
button 1:7 2:10
!
!
!
ephone 6
mac-address 0013.C4FC.D36A
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
blf-speed-dial 5 2005 label "mario" device
codec g711alaw
type 7960 addon 1 7915-12
button 1:8 6:10
!
!
!
ephone 7
mac-address 0019.E76C.2132
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
codec g711alaw
button 1:9
!
!
!
ephone 8
mac-address 001D.45E9.5D43
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
blf-speed-dial 5 2005 label "mario" device
blf-speed-dial 6 2004 label "enzo" device
blf-speed-dial 7 2006 label "carlo" device
codec g711alaw
type 7975 addon 1 7915-24
button 1:11 8:10
!
!
ephone-hunt 1 sequential
pilot 0001
list 2004, 2001, 2005
final 3917560746
timeout 10, 10, 10
no-reg pilot
!
!
!
line con 0

Hi, as requested by you, here is the configuration. As I said, some packets enter from the interface g0/0 signaling numbers such as 0009974653, and they end up in the dial-peer 0T.

At the minimum, configure Toll Fraud Prevention using ip address trusted list.

Refer to the guide below.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/manual/cmeadm/cmetoll.html

At a minimum I would recommend you to create an ACL that you attach on the Dialer interface as @Scott Leport suggested. This should only allow the required traffic inbound from the internet. Looking at your VoIP configuration I see no apparent reason for why you would have the router attached to the internet. What is your use case for having this?

In general I would recommend you to do these changes in your gateway.

service password-encryption
!
dspfarm profile 1 transcode universal
shut
yes
no max sess
no codec g729abr8 !this is for VAD and that's not generally a good thing to have enabled
max sess 10 !or more if applicable
no shut

!Change this to something more secure
username ciro password 0 ciro

!Turn on the built in toll fraud mechanism
voice service voip
 ip address trusted list

!If you need to add specific addresses that are not defined as voip dial-peers you do it by this command under the above section.
ipv4 <IP address>

 

Apart from this I would recommend you to create an ACL that you attach to the VTYs in the router, if not done already, that restricts access to the router CLI to known networks or hosts on your inside network(s). An example of this would be this.

 

ip access-list standard 99
 10 permit 10.64.0.0 0.7.255.255
 20 permit 10.138.0.0 0.0.255.255
 30 permit 10.147.64.0 0.0.63.255
 40 permit 10.192.0.0 0.0.255.255
!
line vty 0 15
 access-class 99 in
 

 




Hi,

 

ACL 101 looks correct, but I would think you also need a line in there to permit established tcp connections.

So add:

ip access-list extended 101
60 permit tcp any any established

You may also want to put the following lines listed below at the bottom of your ACL in the interim for visibility. For example, if something isn't working because it wasn't added to your inbound ACL, you should see traffic from those sources attempting to come in. It's helpful to aid you in any troubleshooting, as the implicit deny on its own won't help:

ip access-list extended 101 
  200 deny udp any any log
  210 deny tcp any any log
  220 deny ip any any log

And don't forget this:

int Dialer1
 ip access-group 101 in
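
The hardening points from the accepted answers above (trusted list, inbound ACL on the Dialer interface, encrypted passwords, VTY access-class), written as an offline audit of a saved running-config. This is an added example, not code from the thread: the two sample configs are constructed and abbreviated from the posted one, the function names and finding codes are hypothetical, and it assumes the indentation of `show running-config` is intact. The `no ip address trusted authenticate` check goes one step beyond what the thread mentions.

```python
import re


def parse_sections(config):
    """Map each top-level IOS line to the list of its indented child lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":                      # column 0 = new top-level command
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:              # indented = belongs to current section
            sections[current].append(raw.strip())
    return sections


def audit(config):
    """Return a sorted list of finding codes for the points raised in the thread."""
    s = parse_sections(config)
    findings = set()

    # Built-in toll-fraud protection: trusted list under 'voice service voip'.
    voip = s.get("voice service voip", [])
    if "ip address trusted list" not in voip:
        findings.add("NO_TRUSTED_LIST")
    # A trusted list is ignored if source authentication has been turned off.
    if "no ip address trusted authenticate" in voip:
        findings.add("TOLLFRAUD_CHECK_DISABLED")

    # Internet-facing interface (NAT outside) without an inbound ACL.
    for name, body in s.items():
        if name.startswith("interface ") and "ip nat outside" in body:
            if not any(re.match(r"ip access-group \S+ in$", l) for l in body):
                findings.add("NO_INBOUND_ACL:" + name.split()[1])

    # Credentials stored in clear text.
    every_line = list(s) + [l for body in s.values() for l in body]
    if "no service password-encryption" in s:
        findings.add("PASSWORD_ENCRYPTION_OFF")
    if any(re.search(r"\bpassword 0 ", l) for l in every_line):
        findings.add("TYPE0_PASSWORD")

    # CLI reachable from anywhere: VTY lines without an access-class.
    for name, body in s.items():
        if name.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in\b", l) for l in body):
                findings.add("VTY_NO_ACCESS_CLASS")
    return sorted(findings)


def pstn_exits(config):
    """List (tag, pattern, port) of active POTS dial-peers with a variable-length
    'T' pattern: the PSTN exits that the controls above have to protect."""
    out = []
    for name, body in parse_sections(config).items():
        m = re.match(r"dial-peer voice (\d+) pots$", name)
        if not m or "shutdown" in body:
            continue
        pat = next((l.split()[1] for l in body if l.startswith("destination-pattern ")), None)
        port = next((l.split()[1] for l in body if l.startswith("port ")), None)
        if pat and pat.endswith("T"):
            out.append((int(m.group(1)), pat, port))
    return sorted(out)


# Constructed sample, abbreviated from the configuration posted in the thread.
WEAK = """
no service password-encryption
username ciro password 0 ciro
interface Dialer1
 ip address negotiated
 ip nat outside
dial-peer voice 7 pots
 destination-pattern 2020
 port 0/1/0
dial-peer voice 8 pots
 description pstn
 destination-pattern 0T
 port 0/2/0
line vty 0 4
 login local
"""

# Constructed sample with the thread's recommendations applied.
# 192.0.2.10 and the secret string are placeholders, not values from the page.
HARDENED = """
service password-encryption
username ciro secret 5 CONSTRUCTED-PLACEHOLDER-HASH
voice service voip
 ip address trusted list
  ipv4 192.0.2.10
interface Dialer1
 ip address negotiated
 ip nat outside
 ip access-group 101 in
dial-peer voice 8 pots
 destination-pattern 0T
 port 0/2/0
line vty 0 4
 access-class 99 in
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg), pstn_exits(cfg))
```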

16 Replies

Could you please share more details about your setup and, if possible, please share your config.





Why have you marked your own reply as the answer to your question?




Not all that easy to understand exactly what you mean, but from what I can comprehend I think that you might not have any security measures in place on your SIP circuit so your system is used for toll fraud. If so it would be recommended to at a minimum use the built-in toll fraud protection in IOS and also to have an ACL attached to your interface towards the internet that only allows the needed traffic between you and your service provider. Apart from this it would also be advisable to use encrypted communication as well, as the bearer of your phone traffic travels on an unprotected media, aka internet.


type 7960 addon 1 7915-24
logout-profile 1
!
!
!
ephone 2
mac-address 0016.C7EA.231F
presence call-list
codec g711alaw
type 7960
logout-profile 2
!
!
!
ephone 3
mac-address 001E.F7C3.6CB2
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
codec g711alaw
type 7941
button 1:5
!
!
!
ephone 4
mac-address C07B.BCA0.99EB
presence call-list
blf-speed-dial 1 2002 label "andrea" device
type 7942
button 1:6 2:10
!
!
!
ephone 5
mac-address 108C.CFE1.3244
presence call-list
blf-speed-dial 1 2002 label "andrea" device
codec g711alaw
type 7942
button 1:7 2:10
!
!
!
ephone 6
mac-address 0013.C4FC.D36A
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
blf-speed-dial 5 2005 label "mario" device
codec g711alaw
type 7960 addon 1 7915-12
button 1:8 6:10
!
!
!
ephone 7
mac-address 0019.E76C.2132
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
codec g711alaw
button 1:9
!
!
!
ephone 8
mac-address 001D.45E9.5D43
presence call-list
blf-speed-dial 1 2002 label "andrea" device
blf-speed-dial 2 2001 label "fabio" device
blf-speed-dial 3 40 label "studio"
blf-speed-dial 4 30 label "direzione"
blf-speed-dial 5 2005 label "mario" device
blf-speed-dial 6 2004 label "enzo" device
blf-speed-dial 7 2006 label "carlo" device
codec g711alaw
type 7975 addon 1 7915-24
button 1:11 8:10
!
!
ephone-hunt 1 sequential
pilot 0001
list 2004, 2001, 2005
final 3917560746
timeout 10, 10, 10
no-reg pilot
!
!
!
line con 0

Hi, as requested by you, here is the configuration. As I said, some signaling packets for numbers such as 0009974653 enter from the interface g0/0 and end up in the dial-peer 0T.

Hi, for the ACL I know how to do it, but for the rest of the configuration you wrote me I don't know how to do it. Could you write me the configuration? Thanks.

Hi,

 

Looking at the config you have supplied, you need to configure an inbound ACL applied to your dialer interface because you have no security policies which restrict what comes into your network.

The ACL you have configured is used in your NAT / PAT statement to translate the IPs in that ACL to the interface configured on your dialer interface.

I don't think the toll fraud feature is going to be of much help here.

I advise you to create an extended named ACL, configure it to restrict inbound traffic to trusted sources (you may need to initially set up the ACL to allow and log to figure out what those are, if you don't know already) and apply it inbound to your dialer interface.

*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
Calling Number=00972595501258, Called Number=00972595501258, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
Match Rule=DP_MATCH_DEST; Called Number=00972595501258
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Dial String=00972595501258, Expanded String=00972595501258, Calling Number=00972595501258T
Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:
Result=Success(0); Outgoing Dial-peer=8 Is Matched
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:
Result=Success(0) after DP_MATCH_DEST
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:
dialstring=00972595501258, saf_enabled=1, saf_dndb_lookup=1, dp_result=0
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersMoreArg:
Result=SUCCESS(0)
List of Matched Outgoing Dial-peer(s):
1: Dial-peer Tag=8
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Calling Number=209, Called Number=, Voice-Interface=0x0,
Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,
Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ANSWER; Calling Number=209
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ORIGINATE; Calling Number=209
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.367: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Result=NO_MATCH(-1) After All Match Rules Attempt
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:
dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=-1
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6520
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Calling Number=209, Called Number=, Voice-Interface=0x0,
Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,
Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ANSWER; Calling Number=209
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ORIGINATE; Calling Number=209
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:
Result=NO_MATCH(-1) After All Match Rules Attempt
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:
dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=-1
*Nov 23 21:28:51.371: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6520
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Calling Number=209, Called Number=00972595501258, Voice-Interface=0x0,
Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,
Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_REQUEST_URI; URI=sip:00972595501258@79.46.191.183
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_TO_URI; URI=sip:00972595501258@79.46.191.183
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_FROM_URI; URI=sip:209@79.46.191.183
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_INCOMING_DNIS; Called Number=00972595501258
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=00972595501258, Expanded String=00972595501258, Calling Number=
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ANSWER; Calling Number=209
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_ORIGINATE; Calling Number=209
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:
Is Incoming=TRUE, Number Expansion=FALSE
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=, Expanded String=, Calling Number=209T
Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchCore:
Result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchPeertype:exit@5908
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerCore:
Result=NO_MATCH(-1) After All Match Rules Attempt
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpMatchSafModulePlugin:
dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=-1
*Nov 23 21:28:51.371: //-1/2FCF3336808B/DPM/dpAssociateIncomingPeerSPI:exit@6471
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Calling Number=, Called Number=00972595501258, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Match Rule=DP_MATCH_DEST; Called Number=00972595501258
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=00972595501258, Expanded String=00972595501258, Calling Number=
Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/MatchNextPeer:
Result=Success(0); Outgoing Dial-peer=8 Is Matched
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Result=Success(0) after DP_MATCH_DEST
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchSafModulePlugin:
dialstring=00972595501258, saf_enabled=0, saf_dndb_lookup=1, dp_result=0
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersMoreArg:
Result=SUCCESS(0)
List of Matched Outgoing Dial-peer(s):
1: Dial-peer Tag=8
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Calling Number=, Called Number=00972595501258, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Match Rule=DP_MATCH_DEST; Called Number=00972595501258
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchCore:
Dial String=00972595501258, Expanded String=00972595501258, Calling Number=
Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/MatchNextPeer:
Result=Success(0); Outgoing Dial-peer=8 Is Matched
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersCore:
Result=Success(0) after DP_MATCH_DEST
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchSafModulePlugin:
dialstring=00972595501258, saf_enabled=0, saf_dndb_lookup=1, dp_result=0
*Nov 23 21:28:51.375: //-1/2FCF3336808B/DPM/dpMatchPeersMoreArg:
Result=SUCCESS(0)

Hi, these are packets coming in from g0/0 and they are UDP-RTP packets, as I saw from the output, right?
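The routing decision in the debug output above can be extracted per call ID. This is an added example, not code from the thread: it flags calls that arrived over VoIP, matched no inbound dial-peer, and were routed to one of the PSTN dial-peers (8 and 6 in the posted configuration). The sample log, function names and sample numbers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the debug output posted above
# (call ID, called number and URI host are sample values, not from the thread).
SAMPLE = """\
*Nov 23 21:28:51.371: //-1/AAAA0000BBBB/DPM/dpAssociateIncomingPeerCore:
Calling Number=209, Called Number=0012025550100, Voice-Interface=0x0,
Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,
*Nov 23 21:28:51.371: //-1/AAAA0000BBBB/DPM/dpAssociateIncomingPeerCore:
Match Rule=DP_MATCH_REQUEST_URI; URI=sip:0012025550100@198.51.100.10
*Nov 23 21:28:51.371: //-1/AAAA0000BBBB/DPM/dpAssociateIncomingPeerCore:
Result=NO_MATCH(-1) After All Match Rules Attempt
*Nov 23 21:28:51.375: //-1/AAAA0000BBBB/DPM/dpMatchPeersCore:
Match Rule=DP_MATCH_DEST; Called Number=0012025550100
*Nov 23 21:28:51.375: //-1/AAAA0000BBBB/DPM/MatchNextPeer:
Result=Success(0); Outgoing Dial-peer=8 Is Matched
"""

# Header lines carry the call ID: "*<timestamp>: //-1/<call id>/DPM/<function>:"
HEADER = re.compile(r"^\*.*//-?\d+/(\w+)/DPM/")

def summarize(log):
    """Group DPM debug lines by call ID and extract the routing decision."""
    calls = defaultdict(lambda: {"voip_in": False, "inbound_match": True,
                                 "called": None, "out_peers": set()})
    call = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            call = calls[m.group(1)]
            continue
        if call is None:
            continue
        if "Peer Encap Type=ENCAP_VOIP" in line:
            call["voip_in"] = True
        if "NO_MATCH(-1) After All Match Rules" in line:
            call["inbound_match"] = False
        m = re.search(r"Called Number=(\d+)", line)
        if m:
            call["called"] = m.group(1)
        m = re.search(r"Outgoing Dial-peer=(\d+) Is Matched", line)
        if m:
            call["out_peers"].add(int(m.group(1)))
    return dict(calls)

def suspicious(calls, pstn_peers=(8, 6)):
    """Calls from VoIP with no inbound dial-peer match that hit a PSTN peer."""
    return {cid: c for cid, c in calls.items()
            if c["voip_in"] and not c["inbound_match"]
            and c["out_peers"] & set(pstn_peers)}
```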

Hi,

 

A debug ccsip messages would likely highlight the source. If it says "sip.vicious" or "friendly-scanner" or something to that effect, it means you're being compromised and you really need to get the proper security mechanisms in place, starting with an ACL applied in the inbound direction to your dialer interface.

At a minimum I would recommend you to create an ACL that you attach on the Dialer interface as @Scott Leport suggested. This should only allow the required traffic inbound from the internet. Looking at your VoIP configuration I see no apparent reason for why you would have the router attached to the internet. What is your use case for having this?

In general I would recommend you to do these changes in your gateway.

service password-encryption
!
dspfarm profile 1 transcode universal
shut
yes
no max sess
no codec g729abr8 !this is for VAD and that's not generally a good thing to have enabled
max sess 10 !or more if applicable
no shut

!Change this to something more secure
username ciro password 0 ciro

!Turn on the built in toll fraud mechanism
voice service voip
 ip address trusted list

!If you need to add specific addresses that are not defined as voip dial-peers you do it by this command under the above section.
ipv4 <IP address>

 

Apart from this I would recommend you to create an ACL that you attach to the VTYs in the router, if not done already, that restricts access to the router CLI to known networks or hosts on your inside network(s). An example of this would be this.

 

ip access-list standard 99
 10 permit 10.64.0.0 0.7.255.255
 20 permit 10.138.0.0 0.0.255.255
 30 permit 10.147.64.0 0.0.63.255
 40 permit 10.192.0.0 0.0.255.255
!
line vty 0 15
 access-class 99 in
 

 





This is the outgoing ACL 100:

Extended IP access list 100
10 permit tcp host 34.255.218.242 eq www any
50 permit ip 192.168.0.0 0.0.0.255 any (10525 matches)
60 permit ip 192.168.10.0 0.0.0.255 any (51 matches)

This is the inbound ACL 101:

Extended IP access list 101
10 permit tcp any 192.168.0.0 0.0.0.255 eq www
20 permit tcp any 192.168.0.0 0.0.0.255 eq 443
29 permit udp any 192.168.0.0 0.0.0.255
30 permit tcp any 192.168.0.0 0.0.0.255 eq domain
40 permit tcp any any gt 1023 (16687 matches)
50 permit udp any any gt 1023 (2547 matches)
router-isp(config)#

Hello, is this inbound ACL configuration correct? Also because only permit 40 and permit 50 match.

Sorry but I cannot tell you if it’s correct or not. It depends on what traffic you want to allow.





Hi,

 

ACL 101 looks correct, but I would think you also need a line in there to permit established tcp connections.

So add:

ip access-list extended 101
60 permit tcp any any established

You may also want to put the following lines listed below at the bottom of your ACL in the interim for visibility. For example if something isn't working because it wasn't added to your inbound ACL, you should see traffic from those sources attempting to come in. It's helpful to aid you in any troubleshooting as the implicit deny on its own won't help:

ip access-list extended 101 
  200 deny udp any any log
  210 deny tcp any any log
  220 deny ip any any log

And don't forget this:

int Dialer1
 ip access-group 101 in
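ACL 101 with the entries suggested above can be checked offline against the traffic this thread is about. This is an added example, not code from the thread: a first-match evaluator for the posted entries, showing that SIP signaling to port 5060 on the router is still permitted by entries 50 (UDP) and 40 (TCP), because 5060 is greater than 1023. The packets are constructed, with 203.0.113.50 as an assumed internet source and 198.51.100.10 as an assumed WAN address; `tcp_ack` is a simplification of the `established` test.

```python
import ipaddress

# ACL 101 as posted in the thread, plus the entries suggested in the last reply.
ACL_101 = """\
10 permit tcp any 192.168.0.0 0.0.0.255 eq www
20 permit tcp any 192.168.0.0 0.0.0.255 eq 443
29 permit udp any 192.168.0.0 0.0.0.255
30 permit tcp any 192.168.0.0 0.0.0.255 eq domain
40 permit tcp any any gt 1023
50 permit udp any any gt 1023
60 permit tcp any any established
200 deny udp any any log
210 deny tcp any any log
220 deny ip any any log
"""
PORT_NAMES = {"www": 80, "domain": 53}

def _addr(tok):
    """Consume an address spec (any | host A | A WILDCARD) -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Consume an optional port test (eq N | gt N) -> (op, port) or None."""
    if tok and tok[0] in ("eq", "gt"):
        op, val = tok.pop(0), tok.pop(0)
        return op, PORT_NAMES.get(val) or int(val)
    return None

def parse(text):
    """Parse numbered extended ACL entries into tuples, in listed order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
        entries.append((seq, action, proto, src, sport, dst, dport, "established" in tok))
    return entries

def _ip_ok(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def _port_ok(test, port):
    return test is None or (port == test[1] if test[0] == "eq" else port > test[1])

def evaluate(entries, proto, src, sport, dst, dport, tcp_ack=False):
    """Return (seq, action) of the first matching entry; implicit deny otherwise."""
    for seq, action, p, s, sp, d, dp, est in entries:
        if p not in ("ip", proto) or (est and not (proto == "tcp" and tcp_ack)):
            continue
        if _ip_ok(s, src) and _ip_ok(d, dst) and _port_ok(sp, sport) and _port_ok(dp, dport):
            return seq, action
    return None, "deny"
```

Because the first matching entry wins, an entry that restricts port 5060 to trusted sources would need a sequence number lower than 40 to take effect.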