Need help For Cisco SIP Trunk Toll Fraud

mabuzaid1
Level 1

Hi guys,

I would like to thank all the members of the Cisco community who are always supporting us.

As of now I am facing an issue with our ISP SIP trunk. We have a Cisco 2911 CME with a SIP trunk to the ISP.

Unfortunately, we are now facing toll fraud (usually after working hours). Regarding the configuration, we didn't do any security in the configuration.

We only did a COR list, so if you don't mind I would like to know what to do (with commands if possible).

IOS is 15.4

 

Regards

Mansour

4 Replies

Slavik Bialik
Level 7

Hi, 

It is very simple, you can just add the following:

voice service voip
 ip address trusted list
  ipv4 xxx.xxx.xxx.xxx
  ipv4 yyy.yyy.yyy.yyy

 

Just put all your known SIP IP addresses in this list, like the IP address of the service provider (if he has a few, add them all), and also add your CUCM IPs. Should do the trick fine.

Thank you, dear Slavik, for your response.

I have only CME, not CUCM, and it is registered with a SIP trunk with the local ISP.

So shall I include the IP address of the ISP SIP router and my CME router? Do I also need to include the phones' IP addresses?

Besides that, can I require authentication for those who need to use the SIP trunk, or is this on the ISP side?

 

Thank you  

Oh, right, forgot you're using CME. As far as I recall, you don't need to add the CME IP address. But you can easily check it by putting in only the ISP SIP servers and trying to make an inbound and an outbound call.
If something goes wrong, just add the CME IP address.
About your last question, I'm not really sure that I understand. Do you want to restrict phones from making outbound calls on the SIP trunk? If that's the case, then using CORs is the solution.

Hi,

 

You need to start by placing a security access-list on the incoming interface as follows:

object-group network itsp-addresses
 ip-address-01 /32
 ip-address-02 /32
 ....

ip access-list extended sip-security
 permit tcp object-group itsp-addresses any eq 5061
 permit tcp object-group itsp-addresses any eq 5060
 permit udp object-group itsp-addresses any eq 5060
 permit tcp object-group itsp-addresses eq 5060 any
 permit tcp object-group itsp-addresses eq 5061 any
 permit udp object-group itsp-addresses eq 5060 any

 

Then, on top of this, you need to add the trusted authentication mentioned by Slavik. This way you avoid any bugs related to IP trusted authentication or denial-of-service attacks on the SIP port of the CME.
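
An added example, not written by any poster in this thread: a Python audit of a saved running-config that compares the `ip address trusted list` entries with the `itsp-addresses` object-group, so the two controls suggested above stay in agreement. The sample config and its addresses are constructed (documentation ranges), and the helper names `block`, `networks` and `audit` are hypothetical; it reads only the explicit trusted list and the object-group.

```python
import ipaddress
import re

# Constructed sample config using documentation addresses; not from the thread.
SAMPLE = """\
object-group network itsp-addresses
 192.0.2.10 /32
 host 198.51.100.4
!
ip access-list extended sip-security
 permit udp object-group itsp-addresses any eq 5060
!
voice service voip
 ip address trusted list
  ipv4 192.0.2.10
  ipv4 203.0.113.0 255.255.255.0
!
"""

def block(config, header):
    """Return the indented child lines under a top-level config line."""
    out, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == header
        elif inside:
            out.append(line.strip())
    return out

ENTRY = re.compile(r"(?:ipv4 |host )?(\d[\d.]+)(?: /?(\S+))?")
def networks(lines):
    """Parse 'ipv4 A.B.C.D [mask]', 'host A.B.C.D' and 'A.B.C.D /nn' entries."""
    hits = filter(None, map(ENTRY.fullmatch, lines))
    return [ipaddress.ip_network(f"{m[1]}/{m[2] or 32}", strict=False) for m in hits]

def audit(config, group="itsp-addresses"):
    """List mismatches between the trusted list and the ACL object-group."""
    voip = block(config, "voice service voip")
    trusted = networks(voip)
    allowed = networks(block(config, f"object-group network {group}"))
    findings = []
    if "no ip address trusted authenticate" in voip:
        findings.append("trusted-IP authentication is disabled")
    if not trusted:
        findings.append("trusted list is empty")
    findings += [f"{n} is trusted but not in the ACL group" for n in trusted
                 if not any(n.subnet_of(a) for a in allowed)]
    findings += [f"{n} is in the ACL group but not trusted" for n in allowed
                 if not any(n.subnet_of(t) for t in trusted)]
    return findings
```

Calling `audit(SAMPLE)` returns one finding per address that appears in only one of the two lists; an empty list means the trusted list and the object-group agree.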