
SIP security in a WAN (Internet) ISR used for SIP gateway & Internet access

francisco.trigo
Level 1

Hi there!

I have a Cisco router as a WAN router; it is my home gateway router.

I set it up as an FXS & FXO gateway.

I'm using it with Asterisk and FreePBX.

Now everything looks great and works perfectly, but talking about security, something is really wrong with my config.

I'm getting some external calls (intruder calls) from the Internet like this:

*Jun  3 22:47:42.403: //45/78445F178032/SIP/Call/sipSPICallInfo:
The Call Setup Information is:
Call Control Block (CCB) : 0x4A4F3920
State of The Call        : STATE_DEAD
TCP Sockets Used         : NO
Calling Number           : 1815
Called Number            : 900441224928466
Source IP Address (Sig  ): 190.55.225.200
Destn SIP Req Addr:Port  : 185.40.4.28:5070
Destn SIP Resp Addr:Port : 185.40.4.28:5070
Destination Name         : 185.40.4.28

*Jun  3 22:47:42.403: //45/78445F178032/SIP/Call/sipSPIMediaCallInfo:
Number of Media Streams: 1
Media Stream             : 1
Negotiated Codec         : g711ulaw
Negotiated Codec Bytes   : 160
Nego. Codec payload      : 0 (tx), 0 (rx)
Negotiated Dtmf-relay    : 6
Dtmf-relay Payload       : 101 (tx), 101 (rx)
Source IP Address (Media): 190.55.225.200
Source IP Port    (Media): 16834
Destn  IP Address (Media): 185.40.4.28
Destn  IP Port    (Media): 5072
Orig Destn IP Address:Port (Media): [ - ]:0

What are the CLI commands to block all the SIP signaling and other traffic from my WAN interface (G0/0)?

Best Regards!

 

Accepted Solutions

Dennis Mink
VIP Alumni

If you know the public IP address of your SIP provider, permit that on port 5060/5061 and deny all else (implicitly).

Also, on your Asterisk box, you might want to put a dial plan in place that would restrict all numbers to be dialed but your own, so the 900441224928466 should not be allowed in as a called number and should just be dropped by your Asterisk box.

Please rate if useful

Please remember to rate useful posts, by clicking on the stars below.
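
The ACL approach from the reply above, written out as IOS configuration (an added example, not part of the original thread). 203.0.113.10 is a placeholder for the SIP provider's public address and WAN-IN-SIP is an assumed ACL name; the `voice service voip` trusted list is an extra layer the reply does not mention.

```ios
! Added example. 203.0.113.10 is a placeholder for the SIP provider's
! public address; replace it with the real one before applying.
ip access-list extended WAN-IN-SIP
 remark SIP signaling is accepted only from the provider
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any range 5060 5061
 remark SIP from every other source is dropped and logged
 deny   udp any any eq 5060 log
 deny   tcp any any range 5060 5061 log
 remark Everything that is not SIP keeps flowing (Internet access, NAT returns)
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN-SIP in
!
! Second layer inside the voice stack (IOS 15.1(2)T and later): call
! setups from addresses that are not trusted are rejected by the gateway.
voice service voip
 ip address trusted authenticate
 ip address trusted list
  ipv4 203.0.113.10
```

An interface takes one inbound ACL, so if G0/0 already has an `ip access-group ... in`, merge the SIP entries into that list instead of replacing it. `show access-lists WAN-IN-SIP` shows the hit counters on the deny entries, and `show ip address trusted list` shows which peers the gateway accepts call setups from.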


Hi Dennis!

I will perform those tasks!

Best Regards