
SIP Calls through Internet CUCM-GATEWAY

mdrangell22
Level 1

Hello, I am configuring a SIP trunk from my CUCM to a gateway through the Internet, and the call arrives at the gateway and is processed successfully. The problem here is that, as I am using the Internet to create my SIP trunk, I am receiving a lot of unknown SIP requests to process calls, which fortunately are not processed because I have configured a trusted list on my gateway.

Anyway, I want to know if there is a way to secure my GW so that it only receives SIP requests from my CUCM. I suppose I have to configure it on my CUCM too.


Adam Pawlowski
VIP Alumni

Anything that can receive SIP that's open to the public internet is going to get scanned, probed, and targeted.

The CUCM will ignore requests not destined for it that don't match a trunk or a registered client, but it's not a good idea to expose it to the internet. It is likely to expose it to unnecessary traffic or resource usage, thus the use of a session border controller or some other proxy or whatever. The remote gateway is going to receive these requests but, as you note, if you want to secure the two things, then you need to do so via some VPN tunnel (or equivalent "SD-" buzzword product), or firewall using an external firewall or access control list.

In the case of a gateway like the Expressway which is designed to allow B2B and unsolicited traffic, you can use call processing rules or call processing language on the device to tell it which traffic to match, and which to not. This requires you to be somewhat specific, and still has a processing impact on the appliance, but it has been fine in my experience.

TONY SMITH
Spotlight

What do you have as your gateway, is it a Cisco router running CUBE? And is it directly connected to the Internet or do you have a separate firewall? I would normally configure an ACL blocking inbound SIP from anything other than the service provider, however this does depend on the ITSP using a fixed IP address or at least a known range of possible addresses.

Hello

My gateway is a Cisco router running H.323 and SIP, but it doesn't have a CUBE license. How do you create an ACL that only permits SIP requests from my CUCM? Also, I have to make sure that all the IP traffic to the Internet is allowed for my users.

It’s not the traffic from CUCM that you should worry about limiting with an ACL. You should have an ACL that limits the traffic on the outside interface of your router to only allow traffic from your ITSP.

You really do need to turn on CUBE functionality in your router. It’s not very wise to connect to the internet in an unprotected way, like it sounds like you do. It would open up many possible exploits.
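
An inbound ACL of the kind discussed in this thread, as an added example that is not part of any reply: it accepts SIP signalling from a single permitted peer, drops and logs SIP from every other source, and leaves all other traffic untouched so users' Internet access is unaffected. Assumptions: `192.0.2.10` is a placeholder for the permitted peer's public address (the CUCM, or the ITSP as the last reply suggests), `GigabitEthernet0/0` is a stand-in for the router's outside interface, and `OUTSIDE-IN` is an arbitrary ACL name.

```cisco
! Added example, not from the thread. Replace the placeholder values:
!   192.0.2.10          = the only address allowed to send SIP to this router
!   GigabitEthernet0/0  = the Internet-facing (outside) interface
!
ip access-list extended OUTSIDE-IN
 remark SIP signalling (UDP 5060, TCP 5060, TLS 5061) only from the permitted peer
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any range 5060 5061
 remark Drop SIP from every other source and log it so the probing stays visible
 deny   udp any any eq 5060 log
 deny   tcp any any range 5060 5061 log
 remark Everything else (user Internet return traffic, RTP media) is left as before
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! The trusted list the original poster already uses stays in place as a second,
! application-level check behind the ACL.
voice service voip
 ip address trusted list
  ipv4 192.0.2.10
```

`show ip access-lists OUTSIDE-IN` shows per-line match counters, which confirms the permitted peer is hitting the permit lines and the unsolicited requests are hitting the deny lines. The final `permit ip any any` means this ACL only filters SIP; it is not a substitute for the firewall or CUBE setup recommended in the replies.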
