
blocking SIP calls on VCS-E

carl_townshend
Spotlight

Hi guys

I have had a round of spoofed SIP calls come in again to our EXP-E and they are getting through to users. I have tried to block the below but I believe they are still coming in. Is the below syntax correct? I have removed our domain for privacy.

I have put the 2 reject rules in

src pattern

1000@192.168.1.1 

dest pattern

(.*)(@vc.xyz.com).*

 

I can see the logs blocking it but I believe they are still coming in

 

tvcs: Event="Call Rejected" Service="SIP" Src-ip="23.19.77.1" Src-port="18151" Src-alias-type="SIP" Src-alias="sip:1000@192.168.1.1" Dst-alias-type="SIP" Dst-alias="sip:69@xyz-expressway-e-1.xyz.com" Call-serial-number="e8a12efd-7289-4bb3-ac4b-8eaaa88ca23f" Tag="2c783c7b-6db8-43b9-a7d8-f1d2fad1179d" Detail="Not found" Protocol="TCP" Response-code="404" Level="1" UTCTime="2022-03-11 11:30:32,487"

 

Does the above log mean it is being blocked on the EXP-E?

And is my syntax for the string correct? I want to block anything coming from 1000 at any IP or domain to any of our devices.

 

cheers

4 Replies

b.winter
VIP

As you see in your error log, it gives a "404 Not found", which means it isn't hitting any search rule.

If it were blocked, you would get a "403 Forbidden".

 

Your src pattern only blocks calls from this specific pattern, and not, as you want, "block calls from 1000 with any IP or domain".

You need something like 1000\@.*
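To check both points from this reply against log lines, here is an added example (not part of the thread or Cisco code). It parses `tvcs` events, labels them by response code as the reply reads them, and tests the two source patterns. The second log line, the `report` helper, and the whole-alias matching with the `sip:` scheme removed are assumptions.

```python
import re

# Constructed sample events in the tvcs key="value" layout quoted in the thread.
# Line 1 reuses the thread's values; line 2 is a made-up policy reject.
SAMPLE_LOG = [
    'tvcs: Event="Call Rejected" Service="SIP" Src-ip="23.19.77.1" '
    'Src-alias="sip:1000@192.168.1.1" Dst-alias="sip:69@xyz-expressway-e-1.xyz.com" '
    'Detail="Not found" Response-code="404"',
    'tvcs: Event="Call Rejected" Service="SIP" Src-ip="203.0.113.7" '
    'Src-alias="sip:1000@198.51.100.20" Dst-alias="sip:69@vc.xyz.com" '
    'Response-code="403"',
]

NARROW = r"1000@192.168.1.1"   # source pattern from the question
BROAD = r"1000\@.*"            # source pattern suggested in the reply

FIELD_RE = re.compile(r'([A-Za-z-]+)="([^"]*)"')

def parse_event(line):
    """Split one tvcs line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))

def verdict(event):
    """Classify a rejected call using the reply's reading of the codes."""
    code = event.get("Response-code")
    if code == "403":
        return "blocked by rule"
    if code == "404":
        return "no rule hit"
    return "other"

def rule_matches(pattern, src_alias):
    """Assumption: the pattern must match the whole alias, scheme removed."""
    bare = re.sub(r"^sips?:", "", src_alias)
    return re.fullmatch(pattern, bare) is not None

def report(lines, pattern):
    """Return (source alias, verdict, would this pattern match) per event."""
    rows = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event") != "Call Rejected":
            continue
        rows.append((ev["Src-alias"], verdict(ev), rule_matches(pattern, ev["Src-alias"])))
    return rows

if __name__ == "__main__":
    for pattern in (NARROW, BROAD):
        print(pattern, report(SAMPLE_LOG, pattern))
```
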

Vinod16
Level 1

Hi carl,

 

This manual entry will not work. Try uploading an XML-based CPL; they are 100% effective, and you can also use the firewall option in Expressway.

Hi, carl

You should check the CPL Reference chapter from the Expressway Administrator Guide.

In this chapter you can find ideas and examples which resolve your issue.

BR Oleksandr

I think the best available solution right now is blocking B2B incoming calls by using call policy rules: just block any traffic (.* as the source pattern) from reaching any extension in your organization, for example .*@OTLD. Later, if you need to allow a particular B2B incoming call, you can whitelist it through the call policy rules.