cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
645
Views
8
Helpful
6
Replies

H323 Gateway Security. Can you Authenticate CUCM

David.Pellat
Beginner
Beginner

    Hi,

We are running 3825 routers and CUCM 7.x.  We have been asked to look at vulnerabilites in the security.

We have found that from inside the network we  can setup an H323 soft phone, point it at our gateway and make external calls.

Besides applying ACL's on the interfaces specifying IP addresses, is there a way to secure the H323 devices that can connect to the gateway?

Thanks

David

2 Accepted Solutions

Accepted Solutions

Hi,

You can invoke the IP toll fraud implementation feature if you upgrade your

3800 to at least 15.1.2T

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml

This allows you to build a kind of access list that only allows the IP addresses you state to access the gateway to

make calls

HTH

Alex

Regards, Alex. Please rate useful posts.

View solution in original post

Or simply use static ACL denying access to TCP port 1720 and TCP/UDP ports 5060/5061 from non-authorised IPs.

_____ Please rate helpful posts Пожалуйста оценивайте полезные сообщения

View solution in original post

6 Replies 6

Vipul Jindal
Cisco Employee
Cisco Employee

Hi,

The Link does not seem to work.

Thanks

David

Try now:

http://www.cisco.com/en/US/docs/ios/12_0t/voip/feature/guide/gwsecacc.html

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

This Document was around Gateway to Gatekeeper security.

I was hoping to find out if there is a way to secure the Cisco Callmanager  to Cisco H323 Gateway  communications.

IE, only allowing the gateway to accept outgoing call requests from the CUCM cluster/

Thanks

David

Hi,

You can invoke the IP toll fraud implementation feature if you upgrade your

3800 to at least 15.1.2T

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml

This allows you to build a kind of access list that only allows the IP addresses you state to access the gateway to

make calls

HTH

Alex

Regards, Alex. Please rate useful posts.

Or simply use static ACL denying access to TCP port 1720 and TCP/UDP ports 5060/5061 from non-authorised IPs.

_____ Please rate helpful posts Пожалуйста оценивайте полезные сообщения
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers