10-27-2020 02:04 PM
Hello, I am configuring a SIP trunk from my CUCM to a gateway through the Internet, and the call arrives at the gateway and is processed successfully. The problem here is that, as I am using the Internet to create my SIP trunk, I am receiving a lot of unknown SIP requests to process calls; fortunately they are not processed because I have configured a trusted list on my gateway.
Anyway, I want to know if there is a way to secure my GW so that it only receives SIP requests from my CUCM. I suppose I have to configure it on my CUCM too.
10-27-2020 03:47 PM
Anything that can receive SIP that's open to the public internet is going to get scanned, probed, and targeted.
The CUCM will ignore requests not destined for it that don't match a trunk or a registered client, but it's not a good idea to expose it to the internet. It is likely to expose it to unnecessary traffic or resource usage, thus the use of a session border controller or some other proxy or whatever. The remote gateway is going to receive these requests, but as you note, if you want to secure the two things, then you need to do so via some VPN tunnel (or equivalent "SD-" buzzword product), or firewall them using an external firewall or access control list.
In the case of a gateway like the Expressway, which is designed to allow B2B and unsolicited traffic, you can use call processing rules or call processing language on the device to tell it which traffic to match and which not to. This requires you to be somewhat specific, and it still has a processing impact on the appliance, but it has been fine in my experience.
10-28-2020 05:23 AM
What do you have as your gateway? Is it a Cisco router running CUBE? And is it directly connected to the Internet, or do you have a separate firewall? I would normally configure an ACL blocking inbound SIP from anything other than the service provider; however, this does depend on the ITSP using a fixed IP address or at least a known range of possible addresses.
10-28-2020 08:36 PM
Hello,
My gateway is a Cisco router running H.323 and SIP, but it doesn't have a CUBE license. How do you create an ACL that only permits SIP requests from my CUCM? Also, I have to make sure that all IP traffic to the Internet is allowed for my users.
10-28-2020 11:23 PM
It's not the traffic from CUCM that you should worry about limiting with an ACL. You should have an ACL that limits the traffic on the outside interface of your router to only allow traffic from your ITSP.
You really do need to turn on CUBE functionality in your router. It's not very wise to connect to the internet in an unprotected way like it sounds like you do. It would open you up to many possible exploits.
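The inbound ACL the two replies above describe, written out as an added IOS configuration example (it is not from any poster in this thread). All addresses are constructed placeholders: 203.0.113.0/24 stands for the ITSP's published signalling range and 198.51.100.10 for the CUCM that reaches the gateway over the Internet; the interface name and the RTP port range are assumptions and must match the router's own configuration. Trusted SIP sources are permitted first, every other SIP request from the Internet is dropped and logged, and a final permit keeps the users' outbound Internet sessions working as the original poster requires.

```cisco
! Constructed example: replace every address below with your own values.
ip access-list extended OUTSIDE-IN
 remark --- SIP signalling from the ITSP's known range (placeholder 203.0.113.0/24)
 permit udp 203.0.113.0 0.0.0.255 any eq 5060
 permit tcp 203.0.113.0 0.0.0.255 any eq 5060
 remark --- SIP signalling from the CUCM that trunks to this gateway over the Internet (placeholder host)
 permit udp host 198.51.100.10 any eq 5060
 permit tcp host 198.51.100.10 any eq 5060
 remark --- RTP media from the ITSP; range must match the router's configured media ports
 remark --- (16384-32767 is the IOS default; adjust if your router uses a different range)
 permit udp 203.0.113.0 0.0.0.255 any range 16384 32767
 remark --- any other SIP request from the Internet is dropped; log hits so scans show up in syslog
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark --- everything else (return traffic for user Internet sessions) is still allowed
 permit ip any any
!
! Apply inbound on the Internet-facing interface (interface name is an assumption)
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip access-group OUTSIDE-IN in
```

After applying it, "show ip access-lists OUTSIDE-IN" shows per-entry hit counters; a rising count on the two deny lines confirms the unsolicited SIP requests the original poster saw are now being filtered at the interface instead of reaching the voice stack. If SIP over TLS (port 5061) is in use with the ITSP or CUCM, add matching permit and deny entries for that port; and because the final "permit ip any any" is stateless, stateful inspection (CBAC or zone-based firewall) on the same interface is the stronger way to admit only genuine return traffic for the users' sessions.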