Cisco SIP, CUBE router hardening

johnlloyd_13 (Level 9)

Hi,

First of all, I would like to apologize for being a noob, as I'm not really a voice guy.

I'm trying to 'harden' our Cisco voice gateways and so far all I could find is this whitepaper:

https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/white_paper_c11-620461.html

I'm not going to redesign the current setup, i.e. put a FW at the demarc, due to budget, time, engineering constraints, etc.

1) Are there any other practical security configs I could apply, e.g. disabling unneeded services (CDP, Telnet, finger, etc.)?

2) Is the config below enough? Or can I apply an L3 ACL facing the external SIP trunk provider?

3) What other SIP/H.323 ports need to be open (is it only SIP TCP/UDP 5060) without impacting the voice services?

voice service voip
 ip address trusted list
  ipv4 <CUCM_IP_1> 255.255.255.255
  ipv4 <CUCM_IP_n> 255.255.255.255

 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip

Accepted Solution

M02@rt37 (VIP)

Hi @johnlloyd_13

First, don't apologize: we are all here to learn and share, with pleasure and acknowledgments. We learn something new every day.

1) Yes, disable unneeded services. Take care with CDP on the voice VLAN you have configured for audio endpoints: leave CDP on the interfaces where an audio/video endpoint is plugged in.

2) The config in your post allows your CUBE to terminate calls from one control protocol to another. These commands don't secure your CUBE.

Your trusted list is configured with the IP addresses of the CUCM pub and sub... but I think you have dial-peers configured on your CUBE that point at these servers; then the trusted list is automatically filled with the IP addresses configured with the session target ipv4 command.

Then you can erase your trusted list under voice service voip and check:

show ip address trusted list

If you don't have a FW, then you can configure ACLs inbound and outbound on your WAN interface.

3) Don't forget to separate control and media in order to match all the ports for a voice call:

Control SIP = UDP/TCP 5060

Control H.323 = TCP 1720

Media = UDP (RTP) 16384 to 32767

But on the CUBE you can configure the UDP/RTP range:

voice service voip
 rtp-port range 16384 16400

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

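Pulling the three points of the accepted answer into one gateway configuration, as an added example that is not from the original post, the whitepaper, or Cisco: the interface names, <CUBE-WAN-IP>, <CUBE-LAN-IP>, <SIP-PROVIDER-IP> and the dial-peer patterns are placeholders (assumptions), and the commands are standard IOS/IOS-XE CUBE syntax. It disables the management-plane services asked about in question 1 and keeps CDP only on the LAN side where phones plug in, relies on the toll-fraud trusted list (auto-populated from the dial-peer session targets, as the answer explains, with the provider added explicitly), drops SIP from untrusted sources silently, narrows the RTP range, and binds provider-facing signaling and media to the WAN interface so the ACL you write later only has to describe one address pair.

```cisco
! ===== Management plane: services a voice gateway does not need (question 1) =====
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
no ip http secure-server
no ip source-route
service password-encryption
ip ssh version 2
! CDP off globally; re-enabled below only on the LAN side where the phones live
no cdp run
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! ===== WAN interface toward the provider (name and addresses are placeholders) =====
interface GigabitEthernet0/1
 description SIP trunk to provider
 ip address <CUBE-WAN-IP> 255.255.255.252
 no cdp enable
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! ===== LAN interface toward CUCM / endpoints: CDP stays on for the voice VLAN =====
interface GigabitEthernet0/0
 description LAN to CUCM and phones
 ip address <CUBE-LAN-IP> 255.255.255.0
 cdp enable
!
! ===== Voice service: toll-fraud trusted list, protocol pairs, media range (questions 2 and 3) =====
voice service voip
 ! Calls from any source not in the trusted list are rejected (this is the default)
 ip address trusted authenticate
 ip address trusted list
  ! The provider must be listed explicitly; CUCM is trusted automatically through the
  ! "session target ipv4:" of the dial-peer below, so it needs no entry here
  ipv4 <SIP-PROVIDER-IP> 255.255.255.255
 ! Keep only the protocol pairs in use; add the h323 lines back if H.323 dial-peers exist
 allow-connections sip to sip
 ! Narrow the UDP range the CUBE uses for RTP; size it to your concurrent calls
 ! (each call consumes an RTP/RTCP port pair), then permit only that range in the WAN ACL
 rtp-port range 16384 16400
 sip
  ! SIP from a source that is not trusted is dropped without any reply (no 403 to probe against)
  silent-discard untrusted
!
! ===== Dial-peers: bind provider-facing signaling and media to the WAN interface =====
dial-peer voice 100 voip
 description Provider SIP trunk
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:<SIP-PROVIDER-IP>
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 200 voip
 description To CUCM
 destination-pattern 2...
 session protocol sipv2
 session target ipv4:<CUCM_IP_1>
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 dtmf-relay rtp-nte
 no vad
!
! Verify: both the explicit provider entry and the dial-peer session targets should be listed
! show ip address trusted list
```

Two things to check before pasting this on a production gateway: `no ip unreachables` also suppresses the ICMP needed for path-MTU discovery on that link, and a 16384-16400 RTP range gives you only a handful of simultaneous calls, so widen it to what the trunk actually carries and keep the WAN ACL in step with whatever range you choose.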

Thanks! These are nice suggestions.

Will keep this in mind and do more research :)

Hi,

Can someone give their expert advice on whether the ACL below will help protect from the external SIP provider and allow just SIP/voice services?

 

ip access-list extended SIP_ACL
 remark PERMIT SIP PORTS
 permit tcp host <SIP-PROVIDER-IP> any range 5060 5061
 permit udp host <SIP-PROVIDER-IP> any range 5060 5061
 remark PERMIT UDP RTP PORTS
 permit udp host <SIP-PROVIDER-IP> any range 16384 32767
 remark PERMIT H323 PORTS
 permit tcp host <SIP-PROVIDER-IP> any range 1718 1720
 permit udp host <SIP-PROVIDER-IP> any range 1718 1720
 permit tcp host <SIP-PROVIDER-IP> any range 11000 65535
 remark PERMIT MGCP PORTS
 permit tcp host <SIP-PROVIDER-IP> any range 2427 2428
 permit udp host <SIP-PROVIDER-IP> any range 2427 2428
 remark PERMIT SCCP PORTS
 permit tcp host <SIP-PROVIDER-IP> any range 2000 2002
 deny ip any any log

OK @johnlloyd_13

Why do you match the SCCP protocol?

Do you also use MGCP?

If it's just for SIP calls and you don't have an H.323 dial-peer, then allow only SIP control and media (RTP) flows.

Extended ACLs are the right way.

But as far as I'm concerned, I would also configure inbound ACLs on the same interface. Why? Because ACLs don't "work" in a stateful way.

So, in order to match inbound too and have the router work with only the "matched necessary packets", I would do that.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi,

I can see h323-gateway voip bind srcaddr <IP> configured on the router interface, so I would assume this is for the H.323 service?

If I need a 'stateful' ACL, can I use the 'established' keyword instead?

permit tcp host <SIP-PROVIDER-IP> any range 5060 5061 established

OK @johnlloyd_13

You can permit outgoing packets, but then you need to permit the responses. You're right, one way is to permit any packet that is a follow-up to an established connection.

So for TCP connections you are right!

Take care with UDP (RTP) for incoming calls.

It's up to you.

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

To be precise @johnlloyd_13

The "established" option allows TCP traffic to pass if the packet is a reply to an outbound initiated session. It is specifically for inbound TCP only.

 

Check reflexive ACL also here:

https://supportforums.cisco.com/t5/security-documents/reflexive-access-list-on-ios/ta-p/3130741

 

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
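Putting the advice from the two replies above (only SIP and RTP, filtered inbound as well, with `established` covering TCP only) into one WAN-interface filter, as an added example that is not from the original posts: the interface name, <CUBE-WAN-IP> and <SIP-PROVIDER-IP> are placeholders, and the provider's RTP range is assumed to be the IOS default 16384-32767 (substitute the range your provider documents and the `rtp-port range` you configured). The point it demonstrates is which flows can never be treated as "replies": an inbound call starts with an INVITE the provider sends first, and RTP is UDP to a port the far end only learns from the SDP, so both need static permits no matter what the outbound side does. One caveat on the reflexive-ACL suggestion that a practitioner will hit immediately: an outbound ACL on an IOS interface is not applied to packets the router itself originates, and on a CUBE the SIP and RTP are router-originated, so `reflect` entries in an outbound ACL would not be created by the gateway's own calls; the static permits below carry that load, and the outbound ACL is used only to stop the gateway being used as a transit router.

```cisco
! Inbound filter on the WAN interface: only the provider, only SIP signaling and RTP media
ip access-list extended WAN-IN
 remark --- SIP signaling from the provider. Inbound calls are INVITEs the provider sends
 remark --- first, so these must be static permits: no "established" entry can match them
 permit udp host <SIP-PROVIDER-IP> host <CUBE-WAN-IP> eq 5060
 permit tcp host <SIP-PROVIDER-IP> host <CUBE-WAN-IP> eq 5060
 remark --- TCP replies to sessions the CUBE opened toward the provider (e.g. SIP over TCP
 remark --- from an ephemeral source port). "established" matches ACK or RST set; TCP only
 permit tcp host <SIP-PROVIDER-IP> host <CUBE-WAN-IP> established
 remark --- RTP: UDP has no handshake and the far end learns the port from SDP, so the whole
 remark --- configured rtp-port range is permitted statically (assumed IOS default 16384-32767)
 permit udp host <SIP-PROVIDER-IP> host <CUBE-WAN-IP> range 16384 32767
 remark --- everything else from the Internet is dropped and logged (add TCP 1720 and the
 remark --- H.245 range here only if H.323 is really used toward this provider)
 deny ip any any log
!
! Outbound filter: not applied to the CUBE's own SIP/RTP (router-originated packets bypass
! outbound ACLs), so it cannot break calls; it only prevents LAN hosts from transiting the
! gateway to the Internet. Use it only if the gateway is not meant to carry transit traffic.
ip access-list extended WAN-OUT
 deny ip any any log
!
interface GigabitEthernet0/1
 description SIP trunk to provider
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
!
! Verification: hit counters per line, and the media ports actually in use for live calls
! show ip access-lists WAN-IN
! show voip rtp connections
```

Keep the `deny ip any any log` line, since its counter is what tells you the provider moved to an address or media range you did not expect, but rate-limit the logging (`ip access-list logging interval` or `logging rate-limit`) so a scan against UDP 5060 cannot turn the gateway's syslog into its own denial of service.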

** Just to be added to the ACL:

remark PERMIT UDP RTP PORTS
permit udp any host X.X.X.X range 8000 48198

show voip rtp connections