Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
257
Views
0
Helpful
2
Replies

Voice Intrusion

Jason Ryan
Level 1
Level 1

‎04-02-2013 02:53 PM - edited ‎03-11-2019 06:22 PM

Hello!

I have some odd calls showing in my call history voice on my Cisco 2911 ISR. Just started within the past week.

I have SIP, H323, Skinny, etc being dropped from the WAN to Self (Router) using a zone based firewall. Yet I still see these calls.

My ISP is not reporting any i n t e r n a t i o n a l calls being seen on his end.

Attached is a peice of the calls in question from the sh call history voice compact.

Again attached is a peice of the call history voice brief.

Any thoughts on how to stop these?

As a side note, my zone firewall also blocks Voice protocols to and from our client VPN interface and to and from our WAN to LAN zones. (Only from out router to the WAN are voice protocols allowed.)

Labels:
15357644-Call History Voice Brief.txt.zip
15357648-Call History Voice Compact.txt.zip
0 Helpful
2 Replies 2

Jason Ryan
Level 1
Level 1

‎04-03-2013 08:29 AM

I may have figured out some of the mystery.

While my WAN interfaces and such were locked down with a firewall, my ISM interface in (which is what the calls were being made on) was not.

I added it as a member of the necessary zone on the firewall.

Lets see if it helps.

0 Helpful

Jason Ryan
Level 1
Level 1
In response to Jason Ryan

‎04-03-2013 11:29 AM

So my first hunch was wrong.

Turns out that SIP and other voice protocols were not being blocked from the WAN to my router. I'll explain.

Im pretty comfortable with the CLI on routers (used everyday for hours) but I used CCP to configure the Firewall rules because its easier to read and security is still my weak spot.

So according to CCP, the SIP, Skinny, etc. protocols were being dropped coming in from the WAN.

However, the CLI showed this to be false. While the CLI did show that it was set to look for those protocols, it never had an action assigned to it when that traffic was noticed! Yet CCP show that it was set to drop those packets.

I went into the CLI and looked for any other occurences of this (there were only a few) and added the necessary drop actions to the traffic.

Suddenly I can see SIP traffic being dropped from the WAN to the router!

Another GUI bites me in the butt! I know it was likely some Java issues or some misconfig by me, but I just want to caution users to use the CLI as much as possible!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card