11-17-2016 05:24 PM - edited 03-17-2019 08:42 AM
Thanks for reading. I'm not a CCNA-VOICE, so please excuse any technical faux pas.
I have a 2811 on Version 12.4(15)T9 and I suspect an intrusion.
I've noticed short, random calls during off business hours on the last couple phone bills.
I took a look at the config and call history in the telephony system and I see some fishy looking calls.
Example:
hostname#show call history voice compact
<callID> A/O FAX T<sec> Codec type Peer Address IP R<ip>:<udp> disc-cause
78781 ORG T0 g729r8 TELE P92011441613540633 D29
78780 ANS T0 g729r8 VOIP P 42.38.22.18:17462 D29
78790 ORG T0 g729r8 TELE P23900441613540661 D29
78789 ANS T0 g729r8 VOIP P 42.38.22.18:17462 D29
78792 ORG T0 None TELE P1500441613540615 D1
78791 ANS T0 g729r8 VOIP P 42.38.22.18:17462 D1
78794 ORG T0 g729r8 TELE P23011441613540624 D29
78793 ANS T0 g729r8 VOIP P 42.38.22.18:17462 D29
A quick whois IP lookup confirms that those IPs are malicious in this case.
What should/can I do? Any advice you can give would be helpful.
11-17-2016 05:40 PM
Hi,
You can create an access-list to allow only a particular subnet to call out. For example:
ip access-list extended Voice
permit udp X.X.X.X X.X.X.X range 16384 32767
permit udp X.X.X.X X.X.X.X eq 5060
permit tcp X.X.X.X X.X.X.X eq 5060
permit udp X.X.X.X X.X.X.X eq 5061
permit tcp X.X.X.X X.X.X.X eq 1720
permit tcp X.X.X.X X.X.X.X eq 1719
Add extra ports based on the protocols you are using and test it during off hours.
Aseem
11-17-2016 05:49 PM
Aseem, thanks for the reply.
voice is on VLAN 192.168.1.0/24
You're saying I want to allow only outbound UDP/TCP traffic on ports 16384-32767, 5060, 5061, 1720, 1719? All other traffic should be dropped?
Am I understanding that correctly?
11-17-2016 05:53 PM
Hi Ryan,
Your understanding is correct. You should only allow traffic on voice ports from a particular subnet. The list I gave you only covers SIP, RTP and H323 traffic. You can add more based on the protocols you are using.
Aseem