07-05-2012 07:26 AM - edited 03-16-2019 12:02 PM
By setting up SIP, it seems that it lets anything that connects to it (registered or not, valid user or not) make calls to any dial-peer. How do I go about making it so that a SIP endpoint can only make a call if that SIP endpoint is registered with CUCME? I'm running 4.1.
07-05-2012 07:54 AM
Your best bet is to upgrade your IOS to 15.1 (2)T and then implement toll fraud prevention with ip address trust list.
Details here..
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml
Please rate all useful posts
"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"
07-05-2012 09:22 AM
This seems decent, but what if I have sip endpoints coming from different networks with dynamic ip addresses?
07-05-2012 09:57 AM
The whole idea of Toll prevention is that you identify the devices that will be making calls of your infrastructure. If your deployment is such that you are unable to identify them, then I can't see any way you can enforce this. Even if you have devices with dynamic IPs, those IPs must belong to a certain subnet/VLAN etc. It is assumed that these devices are in your control, hence you should be able to define a set of network addresses that are authorised to use your infrastructure.
So just configure all the subnets within your infrastructure and you should be good, I don't see any issue with that at all.
07-05-2012 10:09 AM
Let's say I have 5 endpoints. They're coming in through 5 different locations. Those ips change say, once every 24 hours, same subnet. Do I add those 5 different whole subnets, allowing anyone who happens to be using that same isp to make free phone calls through me if they happen to find my install?
I'm coming over from asterisk. In this setup, you had to be authenticated with the SIP proxy to be able to make outbound calls through this. Testing the security on my setup, I was able to load up X-Lite, put in a random extension number (doesn't exist in voice register dn), the CUCME ip and make a call with no effort.
For authenticated devices, I know how to use cor. For unauthenticated devices, I want a way to keep the call from going through. Perhaps there's a tcl script that could handle this? Something that would maintain an ACL/ip list of registered SIP endpoints.
07-05-2012 10:28 AM
If a phone registers to your CCME without having been configured, that suggests you have auto-registration enabled. Why don't you disable auto-registration? That's a good start; this way only devices that are manually configured will register. If an endpoint is not registered on your CCME, they can't make calls through it.
07-05-2012 10:37 AM
I'm talking SIP here not SCCP. auto-registration only applies to SCCP phones afaik. It's also already turned off.
Like I said, I load up X-Lite, put in the CUCME ip, random extension number, turn off register, no password. Dial a number, it goes through. If I want to be able to allow SIP endpoints to connect remotely, without the need for VPN, I need to open up the SIP port to the WAN. If someone runs across my ip while looking for open SIP servers, they'll get free phone calls.
What I want is to allow the legitimate (authorised) people in, whilst keeping everyone else out.
07-05-2012 11:14 AM
With SIP endpoints you can configure them to authenticate with the authenticate register command, e.g.
voice register global
mode cme
source-address x.x.x.x port 5060
authenticate register
authenticate realm all
You will then need to configure each phone with a username and password as follows:
voice register pool 1
id mac x.x.x.x..xx.x..x
type 9951
number 1 dn 1
username cisco password cisco
! --- configure username and password for SIP registration
07-05-2012 11:36 AM
That's already been set... Here is an excerpt of my config:
!
! Last configuration change at 11:19:37 PDT Thu Jul 5 2012
! NVRAM config last updated at 11:19:38 PDT Thu Jul 5 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
boot-start-marker
boot system flash:c2600-adventerprisek9-mz.124-15.T14.bin
boot-end-marker
!
enable secret 5 #
enable password 7 #
!
aaa new-model
!
!
aaa authentication login default line
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
clock save interval 8
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip domain lookup
ip name-server 10.0.0.10
!
multilink bundle-name authenticated
!
voice service voip
allow-connections sip to sip
no supplementary-service sip refer
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco
sip
bind control source-interface FastEthernet0/0
bind media source-interface FastEthernet0/0
registrar server expires max 300 min 60
!
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729r8
video codec h264
!
voice register global
mode cme
source-address 10.0.0.5 port 5060
max-dn 10
max-pool 10
authenticate register
authenticate realm yourmom
date-format D/M/Y
mwi stutter
voicemail 1571
tftp-path flash:
create profile sync 002218297029116A
network-locale GB
ntp-server 10.0.0.10 mode directedbroadcast
!
voice register dn 1
number 2008
call-forward b2bua busy 1572
call-forward b2bua mailbox 2006
call-forward b2bua noan 1571 timeout 20
call-forward b2bua unreachable 1573
no-reg
mwi
!
voice register pool 1
id mac 0000.0000.0000
number 1 dn 1
emergency response location 1
presence call-list
dtmf-relay rtp-nte
username 2008 password #
codec g711alaw
no vad
!
voice emergency response location 1
elin 1 2096224625
!
!
call-history-mib retain-timer 500
call-history-mib max-size 500
dial-control-mib retain-timer 35791
dial-control-mib max-size 1200
archive
log config
hidekeys
!
gw-accounting syslog
!
interface FastEthernet0/0
ip address 10.0.0.5 255.255.255.0
no ip route-cache cef
no ip route-cache
duplex auto
speed 100
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
ip http server
no ip http secure-server
ip http path flash:
!
logging 10.0.0.10
!
control-plane
!
!
dial-peer voice 101 voip
description Voicemail
preference 7
destination-pattern 157[1-4]
session protocol sipv2
session target ipv4:10.0.0.10
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 102 voip
description UK Directory Enquiries
translation-profile outgoing 1
destination-pattern 118...
session protocol sipv2
session target ipv4:10.0.0.10
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 201 voip
description Outbound Calls to Short UK Numbers
translation-profile outgoing 1
destination-pattern 0[1-9]........T
translate-outgoing calling 1
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 202 voip
description Outbound Calls to the UK
translation-profile outgoing 1
destination-pattern 0[1-9].........
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 301 voip
description Outbound Calls to the US
translation-profile outgoing 10
destination-pattern 001..........
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 401 voip
description Outbound Calls to the US
translation-profile outgoing 10
destination-pattern [2-9].........
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 403 voip
description Calls to the US with 1 infront
translation-profile outgoing 10
destination-pattern 1[2-9].........
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 903 voip
description Emergency Services
emergency response callback
emergency response zone
destination-pattern 911
session protocol sipv2
session target ipv4:10.0.0.10
codec g711alaw
!
dial-peer terminator A
sip-ua
credentials username # password # realm #
authentication username # password 7 #
no remote-party-id
retry invite 2
mwi-server ipv4:10.0.0.10 expires 3600 port 5060 transport udp unsolicited
registrar dns:.net:5060 expires 300
sip-server dns:.net
connection-reuse
permit hostname dns:voiptalk.org
permit hostname dns:.net
!
telephony-service
video
no auto-reg-ephone
load 7960-7940 P00308000500
load 7920 cmterm_7920.4.0-03-02
max-ephones 10
max-dn 20
ip source-address 10.0.0.5 port 2000 strict-match
timeouts interdigit 2
url services http://10.0.0.10/cisco/services/
network-locale GB
time-zone 5
time-format 24
date-format dd-mm-yy
voicemail 1571
mwi relay
max-conferences 4 gain -6
moh flash:moh.au
web admin system name # password #
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern 001.........
transfer-pattern T
create cnf-files version-stamp 7960 Jul 05 2012 07:05:17
!
!
ephone-dn 1
ring internal primary
number 2001 no-reg primary
label 2001
name Holbrook Bunting
preference 1
call-forward busy 1572
call-forward noan 1571 timeout 18
mwi-type both
hold-alert 60 idle
!
!
line con 0
password 7 #
line aux 0
password 7 #
line vty 0 4
password 7 #
!
ntp clock-period 17180381
ntp server 10.0.0.10
!
end
07-05-2012 11:41 AM
What's the MAC address of the X-Lite?
Can you do a debug tftp events and a debug ccsip messages? Please put the output in a text file and attach it here.
07-05-2012 12:01 PM
I'm not authenticating against mac. Not doing anything with tftp. I put in the user: 100, password: random,
there is no voice register pool for '100'. This is me, using x-lite as 100 to call voicemail at 1571 in ccsip debug:
Also, X-Lite is set to not try to authenticate to the server, it is only sending an invite as shown below.
Received:
INVITE sip:1571@10.0.0.5 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport
Max-Forwards: 70
Contact: <100>100>
To: <1571>1571>
From: "Holbrook Bunting"<100>;tag=84161d22100>
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: X-Lite 4 release 4.1 stamp 63215
Content-Length: 368
v=0
o=- 1341514242917947 1 IN IP4 10.0.0.112
s=CounterPath X-Lite 4.1
c=IN IP4 10.0.0.112
t=0 0
a=ice-ufrag:764d30
a=ice-pwd:86a38c0354a795fdbd44d2ba728664e3
m=audio 54432 RTP/AVP 0 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=candidate:1 1 UDP 659136 10.0.0.112 54432 typ host
a=candidate:1 2 UDP 659134 10.0.0.112 54433 typ host
Jul 5 18:50:42.977: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport
From: "Holbrook Bunting"<100>;tag=84161d22100>
To: <1571>1571>
Date: Thu, 05 Jul 2012 18:50:42 GMT
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
Jul 5 18:50:43.009: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:1571@10.0.0.10:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>1571>
Date: Thu, 05 Jul 2012 18:50:43 GMT
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
Supported: 100rel,timer,resource-priority,replaces
Min-SE: 1800
Cisco-Guid: 674579218-3322483169-2191628517-341066522
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1341514243
Contact: <100>100>
Expires: 180
Allow-Events: telephone-event
Max-Forwards: 69
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 259
v=0
o=CiscoSystemsSIP-GW-UserAgent 5217 9966 IN IP4 10.0.0.5
s=SIP Call
c=IN IP4 10.0.0.5
t=0 0
m=audio 19542 RTP/AVP 8 101 19
c=IN IP4 10.0.0.5
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:19 CN/8000
a=ptime:20
Jul 5 18:50:43.029: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5;received=10.0.0.5;rport=5060
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>1571>
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
CSeq: 101 INVITE
Server: Asterisk PBX 1.8.14.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <1571>1571>
Content-Length: 0
Jul 5 18:50:43.037: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5;received=10.0.0.5;rport=5060
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>;tag=as76eb11811571>
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
CSeq: 101 INVITE
Server: Asterisk PBX 1.8.14.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <1571>1571>
Content-Type: application/sdp
Content-Length: 260
v=0
o=root 951921662 951921662 IN IP4 10.0.0.10
s=Asterisk PBX 1.8.14.0-rc1
c=IN IP4 10.0.0.10
t=0 0
m=audio 10380 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
Jul 5 18:50:43.057: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:1571@10.0.0.10:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15C796
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>;tag=as76eb11811571>
Date: Thu, 05 Jul 2012 18:50:43 GMT
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: telephone-event
Content-Length: 0
Jul 5 18:50:43.081: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport
From: "Holbrook Bunting"<100>;tag=84161d22100>
To: <1571>;tag=3AFEE74-E5D1571>
Date: Thu, 05 Jul 2012 18:50:42 GMT
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
CSeq: 1 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
Contact: <1571>1571>
Supported: replaces
Server: Cisco-SIPGateway/IOS-12.x
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 262
v=0
o=CiscoSystemsSIP-GW-UserAgent 2921 9932 IN IP4 10.0.0.5
s=SIP Call
c=IN IP4 10.0.0.5
t=0 0
m=audio 18942 RTP/AVP 8 101
c=IN IP4 10.0.0.5
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=silenceSupp:off - - - -
Jul 5 18:50:43.097: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
ACK sip:1571@10.0.0.5:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-c4d913069f90f573-1---d8754z-;rport
Max-Forwards: 70
Contact: <100>100>
To: <1571>;tag=3AFEE74-E5D1571>
From: "Holbrook Bunting"<100>;tag=84161d22100>
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
CSeq: 1 ACK
User-Agent: X-Lite 4 release 4.1 stamp 63215
Content-Length: 0
Jul 5 18:50:44.557: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
BYE sip:1571@10.0.0.5:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-fbcb1966311d4207-1---d8754z-;rport
Max-Forwards: 70
Contact: <100>100>
To: <1571>;tag=3AFEE74-E5D1571>
From: "Holbrook Bunting"<100>;tag=84161d22100>
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
CSeq: 2 BYE
User-Agent: X-Lite 4 release 4.1 stamp 63215
Content-Length: 0
Jul 5 11:50:44.573: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 2, ConnectionId 28354312C60911E182A198E51454431A, SetupTime 11:50:42.963 PDT Thu Jul 5 2012, PeerAddress 100, PeerSubAddress , DisconnectCause 10 , DisconnectText normal call clearing (16), ConnectTime 11:50:43.073 PDT Thu Jul 5 2012, DisconnectTime 11:50:44.573 PDT Thu Jul 5 2012, CallOrigin 2, ChargedUnits 0, InfoType 2, TransmitPackets 73, TransmitBytes 11680, ReceivePackets 60, ReceiveBytes 9600
Jul 5 11:50:44.577: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:07/05/2012 11:50:42.965,cgn:100,cdn:1571,frs:0,fid:129,fcid:28354312C60911E182A198E51454431A,legID:296,bguid:28354312C60911E182A198E51454431A
Jul 5 18:50:44.585: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-fbcb1966311d4207-1---d8754z-;rport
From: "Holbrook Bunting"<100>;tag=84161d22100>
To: <1571>;tag=3AFEE74-E5D1571>
Date: Thu, 05 Jul 2012 18:50:44 GMT
Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 2 BYE
Reason: Q.850;cause=16
Content-Length: 0
Jul 5 18:50:44.589: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
BYE sip:1571@10.0.0.10:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15D301
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>;tag=as76eb11811571>
Date: Thu, 05 Jul 2012 18:50:43 GMT
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
User-Agent: Cisco-SIPGateway/IOS-12.x
Max-Forwards: 70
Timestamp: 1341514244
CSeq: 102 BYE
Reason: Q.850;cause=16
Content-Length: 0
Jul 5 18:50:44.601: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15D301;received=10.0.0.5;rport=5060
From: "Holbrook Bunting" <>>100@sip.didlogic.net>;tag=3AFEE2C-808
To: <1571>;tag=as76eb11811571>
Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5
CSeq: 102 BYE
Server: Asterisk PBX 1.8.14.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0
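A check that can be run over a trace like the one above, as an added Python example that is not from any poster in this thread: it parses `debug ccsip messages` output and lists inbound INVITEs that carried no Authorization or Proxy-Authorization header and were never answered with a 401/407 challenge. The sample trace is constructed in the same format; the 10.0.0.113 address, the Call-IDs and the digest realm are made up.

```python
import re

HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")

def parse_ccsip(text):
    """Split `debug ccsip messages` output into direction, start line and headers."""
    msgs, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line in ("Received:", "Sent:"):
            cur = {"dir": line[:-1], "start": "", "hdr": {}}
            msgs.append(cur)
        elif cur and line and not cur["start"]:
            cur["start"] = line
        elif cur and (m := HEADER.match(line)):
            cur["hdr"].setdefault(m.group(1).lower(), m.group(2))  # keep topmost Via
    return msgs

def unchallenged_invites(text, trusted=()):
    """Inbound INVITEs with no credentials that were never answered 401/407."""
    invites, challenged = {}, set()
    for msg in parse_ccsip(text):
        start, hdr = msg["start"].split(), msg["hdr"]
        if len(start) < 2:
            continue
        if msg["dir"] == "Received" and start[0] == "INVITE":
            if "authorization" in hdr or "proxy-authorization" in hdr:
                continue
            # Via sent-by is client-supplied; treat it as a hint, not proof of origin.
            src = re.search(r"SIP/2\.0/\w+\s+([^:;\s]+)", hdr.get("via", ""))
            invites.setdefault(hdr.get("call-id"), (src.group(1) if src else "?", start[1]))
        elif msg["dir"] == "Sent" and start[0] == "SIP/2.0" and start[1] in ("401", "407"):
            challenged.add(hdr.get("call-id"))
    return [(src, uri, cid) for cid, (src, uri) in invites.items()
            if cid not in challenged and src not in trusted]

# Constructed sample: call-a is accepted without a challenge, call-b is challenged first.
SAMPLE = """\
Received:
INVITE sip:1571@10.0.0.5 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-a1;rport
Call-ID: call-a
Jul 5 18:50:43.081: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Call-ID: call-a
Jul 5 18:51:10.000: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:1571@10.0.0.5 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.113:5060;branch=z9hG4bK-b1;rport
Call-ID: call-b
Sent:
SIP/2.0 401 Unauthorized
Call-ID: call-b
Received:
INVITE sip:1571@10.0.0.5 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.113:5060;branch=z9hG4bK-b2;rport
Call-ID: call-b
Authorization: Digest username="2008", realm="example"
"""

if __name__ == "__main__":
    for src, uri, cid in unchallenged_invites(SAMPLE):
        print(f"unauthenticated INVITE accepted: {src} -> {uri} (Call-ID {cid})")
```

Pass known trunk or voicemail peers (for example the 10.0.0.10 server in this thread) as `trusted` so that only unexpected sources are reported.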
07-05-2012 12:26 PM
Well, are you saying that this X-Lite phone is not registered to your CCME? I only asked for the MAC because the authentication credential is defined on the phone and the phone is identified by the MAC. All the while I assumed the phone was registered. If the phone is not registered then afaik the only way to prevent this is to use the IP address trust list as I mentioned earlier.
07-05-2012 05:10 PM
Hi,
The configuration area you should be looking at is called "Class of Restriction" or COR.
COR implements a lock/key model where phones and dial-peers are given key/lock definitions (essentially matching outgoing/incoming COR identifiers).
I found the most understandable description of this in the (Cisco Press) book "Cisco Voice Gateways and Gatekeepers", Chapter 12.
This provides a much clearer description of how COR works than the IOS examples on the Cisco site... which are very hard to follow.
I am currently trying to solve a similar problem via COR, so cannot provide a definitive answer, but believe this is the right place to start digging.
Cheers,
John.
07-05-2012 05:27 PM
Hi John,
Thanks for the suggestion. I fiddled around a little with COR earlier, only placing one on the voicemail extension and seeing what happened. From my observation, it looks like COR only works when it is applied to a phone/dn. When there is no COR on one, it has unlimited access.
This is kind of an irony, that Cisco would develop a system like COR and IP restrictions, but leave such a big hole. You go to the trouble of putting CORs in place, Employee John can't call India, but alas (as long as SIP is running and he gets the CUCME IP from his phone), he loads up a SIP soft client onto his workstation and presto, he can call India (so long as a dial-peer exists matching the dial pattern).
07-06-2012 02:26 AM
I have done some research on this and I also found out that with SIP endpoints, the IP address trust authenticate I mentioned is ignored. So that is not even an option. The only other option is to use an ACL.
ip access-list extended PREVENT_TOLL_FRAUD
! SIP signalling uses port 5060 over TCP or UDP; the ccsip debug above shows UDP
permit tcp host (trusted_remote_ip/phone subnet) host (my_rtr_loopback_ip/ccme ip) eq 5060
permit udp host (trusted_remote_ip/phone subnet) host (my_rtr_loopback_ip/ccme ip) eq 5060
Then apply it to your interface
interface
ip access-group PREVENT_TOLL_FRAUD in