751 Views | 0 Helpful | 3 Replies

Toll Fraud and ACLs

3rustrada
Level 1

I have toll fraud prevention enabled with a list of trusted carrier IPs. I want to put an ACL in place that denies all traffic except for the traffic coming from the trusted IP list. Should I add the IPs from the trusted IP list to the ACL and permit them, or is that not needed?

Thanks.

3 Replies

Deepak Rawat
Cisco Employee

With the Toll Fraud Prevention feature, the router will by default reject calls from IP addresses that are not in the trusted list. Hence there is no specific need to create an ACL and put the trusted IPs there as well; however, as a second preventive measure, there is no harm in doing it either.

http://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html

Regards

Deepak

Aseem Anand
Cisco Employee

You can create an access list that first permits traffic from the nodes defined in the trusted list and then blocks the rest of the traffic on ports 5060/5061, or the entire SIP port range, for both TCP and UDP.

Sample Configuration:

ip access-list extended PREVENT_TOLL_FRAUD
 remark SIP signalling (TCP/UDP 5060) accepted only from the trusted carrier
 10 permit tcp host (trusted_remote_ip) host (my_rtr_loopback_ip) eq 5060
 20 permit udp host (trusted_remote_ip) host (my_rtr_loopback_ip) eq 5060
 remark SIP signalling to the router from any other source is dropped
 50 deny tcp any host (my_rtr_loopback_ip) eq 5060
 60 deny udp any host (my_rtr_loopback_ip) eq 5060
 remark all other traffic is left untouched
 90 permit ip any any
!
interface (wan_interface_facing_the_carrier)
 ip access-group PREVENT_TOLL_FRAUD in


Aseem

(Please rate if useful)

Hi,

As Deepak mentioned, you don't need an ACL if you want to enable toll fraud prevention. Defining the addresses in the trusted list will be enough to block calls from any other IP.

If you want toll fraud prevention with ACLs, you can create a voice source group and associate it with the ACL that includes the trusted IPs as permitted IPs.

Also, Aseem mentioned how to protect your network against non-trusted traffic (this isn't specific to toll fraud). With ACLs on interfaces, you can secure your VoIP network against attacks such as SIP DDoS and SIP reconnaissance, which is very common and uses dummy SIP messages (OPTIONS, REGISTER, INVITE).

To define ACLs on an interface you need to understand which protocols are used in your network. The ports listed below are specific to SIP. If you are using MGCP, H.323, SCCP, CTI, etc., then you have a different set of ports to allow. Also, you need to allow the media range, which varies between UDP 16384 and 65535 (Cisco extended the range from 32767 to 65535).

Personally, I suggest you combine both, which is what I do, to secure your network.
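As an added example, not taken from the thread or from Cisco's documentation, here is what "combining both" can look like in IOS: the Toll Fraud Prevention trusted list from Deepak's reply plus an interface ACL in the style of Aseem's sample, extended with the TLS signalling port (5061) and the default RTP media range (UDP 16384-32767) that the last reply says must also be allowed. All addresses (203.0.113.x carrier SBCs, 198.51.100.1 as the router's SIP-bound loopback) and the interface name are placeholders chosen for illustration; adjust them and the media range to what your carrier actually uses. The voice source-group variant mentioned above is not shown.

```cisco
! 1. Toll Fraud Prevention: the voice application only accepts calls
!    from the addresses in the trusted list (placeholder carrier SBCs).
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
  ipv4 203.0.113.11 255.255.255.255
 ip address trusted authenticate
!
! 2. Interface ACL: SIP signalling and RTP media reach the router only
!    from the same carriers; other SIP/RTP toward the router is dropped
!    (and logged, so scanning shows up in syslog); non-VoIP traffic is
!    left alone.  198.51.100.1 stands in for the router's loopback.
ip access-list extended PREVENT_TOLL_FRAUD
 remark --- SIP signalling (UDP 5060, TCP 5060 and TLS 5061) from trusted carriers ---
 10 permit udp host 203.0.113.10 host 198.51.100.1 eq 5060
 20 permit tcp host 203.0.113.10 host 198.51.100.1 range 5060 5061
 30 permit udp host 203.0.113.11 host 198.51.100.1 eq 5060
 40 permit tcp host 203.0.113.11 host 198.51.100.1 range 5060 5061
 remark --- RTP media (default UDP 16384-32767) from trusted carriers ---
 50 permit udp host 203.0.113.10 host 198.51.100.1 range 16384 32767
 60 permit udp host 203.0.113.11 host 198.51.100.1 range 16384 32767
 remark --- everyone else: drop SIP and RTP aimed at the router ---
 70 deny udp any host 198.51.100.1 eq 5060 log
 80 deny tcp any host 198.51.100.1 range 5060 5061 log
 90 deny udp any host 198.51.100.1 range 16384 32767
 remark --- do not disturb the rest of the traffic ---
 100 permit ip any any
!
interface GigabitEthernet0/0
 description WAN toward the carrier (placeholder name)
 ip access-group PREVENT_TOLL_FRAUD in
```

Two things to check before relying on this: the trusted list only protects the voice application, so the ACL is what keeps OPTIONS/REGISTER/INVITE probes from ever reaching the SIP stack (the `log` keyword on the deny lines gives you a syslog trail of who is probing); and many carriers send RTP from media servers whose addresses differ from the signalling SBC, so confirm the media source addresses and port range with the carrier or the `deny ... log` hits will include legitimate call audio.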