Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9441
Views
50
Helpful
26
Replies

source=[h323Id='cisco' ] IncomingCalls

Go to solution
Ozgur Shahin
Level 1
Level 1

‎10-27-2014 12:56 AM - edited ‎03-18-2019 03:34 AM

Hi!

Help me please

i have not sip server 

the device has global_IP

i configured "sip listenport off"  

but

"Cisco" cals me 

Oct 24 14:23:52.816 ppc appl[2786]: 163.82 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='202.57.32.35' ] dest=[ipv4 ='MY_IP' e164=' ' ])

Oct 24 14:23:52.828 ppc appl[2786]: 163.83 IxCtrl I: iXController(0x49e00514) registerProtocolUser: proto=1, user=0x49e0060c

Oct 24 14:23:52.836 ppc appl[2786]: 163.84 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.854 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.856 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated ...frame[SelfviewPip] selfviewPip p=1 src=1 ig=3 x=7487 y=7499 w=2409 h=2409 l=1 b=1 snapBorder stretch

Oct 24 14:23:52.866 ppc appl[2786]: 163.87 MainEvents I: IncomingCallInvite(p=2) remoteURI='h323:cisco' displayName='cisco' localURI='h323:MY_IP'

Oct 24 14:23:52.882 ppc appl[2786]: 163.88 MediaStreamController I: SC::PlayReq(og=12) path='/sounds/nordic.mp4', toneType=file

 

8 people had this problem
Labels:
0 Helpful
26 Replies 26

Go to solution
tec cou
Level 1
Level 1
In response to Jens Didriksen

‎10-31-2014 12:47 AM

add to CPL "unauthenticated-origin="cisco" destination=".*"><reject status="403"/> " works well.

 

I think there should be better protection, but will be watching ...

thanks a lot.

0 Helpful

Go to solution
Jens Didriksen
Level 9
Level 9
In response to tec cou

‎10-31-2014 01:48 AM

As you can see from my earlier post that's exactly what I'm using.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Go to solution
tec cou
Level 1
Level 1
In response to Jens Didriksen

‎10-31-2014 01:51 AM

is right !!

 

 

0 Helpful

Go to solution
Patrick Sparkman
VIP Alumni
VIP Alumni
In response to tec cou

‎10-31-2014 08:26 AM

Attached is the CPL script I'm using.  We're checking credentials on the Expressway DefaultZone.

As you can see it's working for us below:

H323 (Setup) cisco 0441227806181 Denied by policy View
H323 (Setup) cisco 00441315070102 Denied by policy View
H323 (Setup) cisco 000441227806181 Denied by policy View
H323 (Setup) cisco 00000441315070102 Denied by policy

I typically usually add both authenticated and unauthenticated in cases like this, just to make sure I catch anything that might somehow find it's way through the other.

block_unwanted_calls_cpl_2.zip

Go to solution
Chris Swinney
Level 5
Level 5
In response to Patrick Sparkman

‎10-31-2014 08:26 AM

Tidy, like. Well done all.

0 Helpful

Go to solution
Jens Didriksen
Level 9
Level 9
In response to Patrick Sparkman

‎10-31-2014 03:09 PM

 

"We're checking credentials on the Expressway DefaultZone."

Looks like that might be the key as I currently don't do that as I found in the past that it broke my JabberVideo service for our external users.

Haven't looked at it again since then (x6 or so), so guess it's time to take another look at it.

Having said that, the CPL worked fine blocking the unwanted SIP calls without checking the credentials on the VCS-E DZ, but this is a different thing altogether.

Just checked the VCS-E and haven't had any of these calls since I last edited the CPL - so, gonna have to wait and see for now.

/jens

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
Martin Koch
VIP Alumni
VIP Alumni
In response to Jens Didriksen

‎10-31-2014 04:08 PM

you can easy simulate them, just put an endpoint on a public ip, call the h323 "cisco" and dial 00442234234234234@yourvcsip ;-)

 

happy Halloween

Please remember to rate helpful responses and identify

0 Helpful

Go to solution
Jens Didriksen
Level 9
Level 9
In response to Martin Koch

‎11-02-2014 02:37 PM

Tried that remotely from home with an MXP, but it won't accept E.164 Alias or H.323 ID unless the call mode is "Gatekeeper/Callmanager", but for this purpose it has to be "Direct". Also, the calls appear to use a range of ip addresses as the origin in the same attack, not cisco@VCS_IP (which I can easily block).

/jens

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
tec cou
Level 1
Level 1
In response to Patrick Sparkman

‎10-28-2014 02:53 AM

I can add as CPL? please do not do this constantly and intruding

 

0 Helpful

Go to solution
renee.arena1
Level 1
Level 1
In response to Patrick Sparkman

‎01-10-2017 08:20 AM

what is CPL?

0 Helpful

Go to solution
Patrick Sparkman
VIP Alumni
VIP Alumni
In response to renee.arena1

‎01-10-2017 08:59 AM

Call Processing Language, you can use a CPL script with the VCS/Expressway products to manipulate how calls are being made or received.

0 Helpful

Go to solution
mark hackett
Level 1
Level 1
In response to Jens Didriksen

‎11-18-2014 08:02 AM

Now, it could be I'm missing something obvious, but it's interesting that these attempts are not reaching or piling up in the auto-attendant either of our MCU's (4210&5320)

 

I believe I'm seeing them fail here in the error log:

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents